Description: The article explains how to restrict or disable SSL VPN connections to a FortiGate that originate from a LAN segment connected to the same FortiGate.

Scope: FortiGate, SSL VPN.

Solution:
1) Use 'source-address-negate enable' and specify the denied IP addresses in the SSL VPN settings. With negate enabled, the sources listed in source-address are refused and every other source is accepted.

    config firewall address
        edit "10.0.0.0/8"
            set subnet 10.0.0.0 255.0.0.0
        next
        edit "172.16.0.0/12"
            set subnet 172.16.0.0 255.240.0.0
        next
        edit "192.168.0.0/16"
            set subnet 192.168.0.0 255.255.0.0
        next
    end
    config firewall addrgrp
        edit "RFC1918_RANGES"
            set member "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
        next
    end
    config vpn ssl settings
        set source-address "RFC1918_RANGES"
        set source-address-negate enable
    end

2) Deny the SSL VPN service with a firewall policy from LAN to WAN.

    config firewall address
        edit "WAN_IP"
            set subnet <Public IP/32>      # public IP on the SSL VPN listening interface(s)
        next
    end
    config firewall service custom
        edit "SSL_VPN"
            set tcp-portrange <PORT>       # SSL VPN TCP port
        next
    end
    config firewall policy
        edit 0
            set name "DENY_SSL_VPN_SERVICE"
            set srcintf "LAN"
            set dstintf "WAN"
            set srcaddr "all"
            set dstaddr "WAN_IP"
            set schedule "always"
            set service "SSL_VPN"
            set logtraffic all             # no 'set action', so the default action (deny) applies
        next
    end

Firewall policies are matched top-down, so place DENY_SSL_VPN_SERVICE above any LAN-to-WAN policy that would otherwise accept this traffic.

3) Deny the SSL VPN service with a local-in policy, as the traffic comes through the LAN interface.

    config firewall address
        edit "WAN_IP"
            set subnet <Public IP/32>      # public IP on the SSL VPN listening interface(s)
        next
    end
    config firewall service custom
        edit "SSL_VPN"
            set tcp-portrange <PORT>       # SSL VPN TCP port
        next
    end
    config firewall address
        edit "10.0.0.0/8"
            set subnet 10.0.0.0 255.0.0.0
        next
        edit "172.16.0.0/12"
            set subnet 172.16.0.0 255.240.0.0
        next
        edit "192.168.0.0/16"
            set subnet 192.168.0.0 255.255.0.0
        next
    end
    config firewall addrgrp
        edit "RFC1918_RANGES"
            set member "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
        next
    end
    config firewall local-in-policy
        edit 0
            set intf "WAN"                 # SSL VPN listening interface
            set srcaddr "RFC1918_RANGES"
            set dstaddr "WAN_IP"
            set service "SSL_VPN"
            set schedule "always"          # no 'set action', so the default action (deny) applies
        next
    end
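The following is an added example, not FortiOS code or part of the original article: a small Python model of what steps 1 and 2 above decide, so the negate semantics and the policy-ordering pitfall can be checked offline. The public IP 203.0.113.10 and port 10443 stand in for the article's <Public IP/32> and <PORT> placeholders, and the LAN_TO_INTERNET allow policy is an assumed typical neighbour of the deny rule.

```python
"""Constructed simulator of the article's step 1 (source-address-negate) and step 2 (LAN->WAN deny policy)."""
import ipaddress

# Address objects from the article; WAN_IP and SSL_VPN_PORT are placeholders (assumptions).
RFC1918_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WAN_IP = ipaddress.ip_address("203.0.113.10")  # stands in for <Public IP/32>
SSL_VPN_PORT = 10443                           # stands in for <PORT>


def in_group(ip, group):
    """True if ip falls inside any network of the address group."""
    return any(ip in net for net in group)


def ssl_vpn_settings_accepts(src):
    """Step 1: 'set source-address RFC1918_RANGES' with 'source-address-negate enable'.
    Negate inverts the match: listed sources are refused, every other source is accepted."""
    return not in_group(ipaddress.ip_address(src), RFC1918_RANGES)


# Step 2 as a top-down policy table. The FortiGate uses the first matching policy,
# so DENY_SSL_VPN_SERVICE must sit above the general LAN->WAN accept rule (assumed here).
POLICIES = [
    {"name": "DENY_SSL_VPN_SERVICE", "srcintf": "LAN", "dstintf": "WAN",
     "dstaddr": [ipaddress.ip_network(f"{WAN_IP}/32")], "dport": SSL_VPN_PORT, "action": "deny"},
    {"name": "LAN_TO_INTERNET", "srcintf": "LAN", "dstintf": "WAN",
     "dstaddr": [ipaddress.ip_network("0.0.0.0/0")], "dport": None, "action": "accept"},
]


def policy_lookup(srcintf, dstintf, dst, dport, policies=POLICIES):
    """Return (policy name, action) of the first matching policy, or the implicit deny."""
    dst = ipaddress.ip_address(dst)
    for p in policies:
        if (p["srcintf"], p["dstintf"]) != (srcintf, dstintf):
            continue
        if not in_group(dst, p["dstaddr"]):
            continue
        if p["dport"] is not None and p["dport"] != dport:
            continue
        return p["name"], p["action"]
    return "implicit", "deny"


if __name__ == "__main__":
    print(ssl_vpn_settings_accepts("192.168.1.20"))                       # False: LAN host refused
    print(ssl_vpn_settings_accepts("198.51.100.7"))                       # True: public source accepted
    print(policy_lookup("LAN", "WAN", "203.0.113.10", 10443))             # deny rule hit
    print(policy_lookup("LAN", "WAN", "203.0.113.10", 443))               # ordinary web traffic still allowed
    print(policy_lookup("LAN", "WAN", "203.0.113.10", 10443, POLICIES[::-1]))  # misordered: accept wins
```

The last call shows the failure mode: with the deny policy below the general accept rule, LAN hosts still reach the SSL VPN port.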
This is very informative and helpful. Kudos to the Author!
Copyright 2024 Fortinet, Inc. All Rights Reserved.