Hi
I have configured ipsec remote access vpn and I want to allow only IPs from united kingdom to be able to connect to my FGT. how can i do that?
Solved! Go to Solution.
Created on 01-03-2024 08:23 AM Edited on 01-03-2024 08:23 AM
Yes correct. You can not use multiple interfaces on the same local policy and there is no implicit deny preconfigured: "Unlike IPv4 policies, there is no default implicit deny policy."
For the deny rule you can use one entry: set intf "any"
config firewall local-in-policy
edit 2
set intf "any"
set srcaddr "all"
set dstaddr "eth1" "eth0"
set service "IKE"
set schedule "always"
Hi Reza,
You can create a new address object under Policy & Objects → Addresses, with type Geography, and select United Kingdom as the country.
After creating the address object, you can restrict sources under VPN → SSL-VPN Settings using the object you created.
Hi
Thanks. But I want a solution for ipsec remote access vpn.
Created on 01-03-2024 01:51 AM Edited on 01-03-2024 01:51 AM
For IPSec you have to limit access using "local in" policies, as explained in this article.
Thanks. How can i see the blocked logs in logs and reports?
The logs should be available under Local Traffic. You can also enable debugging as shown in the guide to check that the local policy is applied correctly.
I have 2 wan interfaces for ipsec remote access. Do i need to create 2 allow policirs first and then 2 deny policies?
Created on 01-03-2024 08:23 AM Edited on 01-03-2024 08:23 AM
Yes correct. You can not use multiple interfaces on the same local policy and there is no implicit deny preconfigured: "Unlike IPv4 policies, there is no default implicit deny policy."
For the deny rule you can use one entry: set intf "any"
config firewall local-in-policy
edit 2
set intf "any"
set srcaddr "all"
set dstaddr "eth1" "eth0"
set service "IKE"
set schedule "always"
Hi,
You can use this link and achieve what you are trying.
Create the geo address for UK and use it in the local-in policy to permit IKE/ESP and then another rule which will deny everything else.
Hi, thanks. can I achieve this by using firewall policy instead of local-in policy?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.