Fortinet Forum
AlexHelloworld

Allow access to SSL VPN for specified user from specified ip address

Fortigate 100E

How can I allow access to SSL VPN for one specified user from one specified IP address only? What is the best practice for that?

Thanks!

orani

Do you mean allow a user from a specific IP inside your network to connect to an external VPN server?

Orestis Nikolaidis

Network Engineer/IT Administrator

orani

In any case, this is not relevant to web filtering.

 

In case you want to allow a user from the internal network to access a VPN gateway:

 

Define a static IP for the specific user's PC.

Create a rule from your internal network to the internet with the user's IP as source and the VPN gateway IP as destination, use the VPN port in the Service tab, and allow this traffic with NAT.

Place this rule above your global rule for accessing the internet.

 

 

In case you want a remote user to access your infrastructure:

 

Create a local firewall user which will be used in your VPN settings.

Create a rule with:

From: SSL VPN virtual interface

To: any internal or external interface

Source: your IP range from the VPN settings AND your locally created user

Destination: all, or any specific IP you want the user to have access to

Enable NAT.

 


AlexHelloworld

I want a remote user to be able to connect to SSL VPN from a specified IP address only; if the connection is not from this IP, drop it. What kind of firewall rule is suitable for that?

Toshi_Esumi

If you meant to limit the client IP where SSL VPN is coming from, you can use "set source-address <address_or_addrgrp_object>" under "config vpn ssl settings".

 
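The two answers above, written out as FortiOS CLI. This is an added example, not configuration posted in the thread: the object names ("vpn-allowed-src", "jdoe", "ssl-vpn-restricted"), the client IP 203.0.113.10, the interface names "ssl.root" and "internal", and the default tunnel address object "SSLVPN_TUNNEL_ADDR1" are assumptions to be replaced with your own values. Step 3 is Toshi_Esumi's "set source-address", which restricts the SSL VPN listener for every client, not a single user; step 4 is orani's policy from the SSL VPN interface, which only applies after the tunnel is already up.

```fortios
# Added example, not from the original thread. All names and addresses are assumptions.

# 1. Address object for the single public IP the client is allowed to connect from.
config firewall address
    edit "vpn-allowed-src"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# 2. Local user and the group that the SSL VPN portal and the policy refer to.
config user local
    edit "jdoe"
        set type password
        set passwd "ChangeMe-Now"
    next
end
config user group
    edit "ssl-vpn-restricted"
        set member "jdoe"
    next
end

# 3. Restrict where the SSL VPN service accepts connections from (applies to all clients).
#    Connections from any other source never reach the login page.
config vpn ssl settings
    set source-address "vpn-allowed-src"
    set source-address-negate disable
end

# 4. Policy from the SSL VPN interface into the LAN. The source must match both the
#    tunnel address range and the user group; traffic not matching is dropped by the
#    implicit deny at the bottom of the policy list.
config firewall policy
    edit 0
        set name "sslvpn-jdoe-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "ssl-vpn-restricted"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

After applying this, confirm with "show vpn ssl settings" that source-address lists only your object, and test a connection from a different public IP: it should time out at the TCP/TLS stage rather than show a login form. Note that the policy in step 4 does not stop a client from a disallowed IP from authenticating to the portal; only the step 3 setting does that, and it does so for everyone.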

orani

Toshi is right.... forgot to write it...


AlexHelloworld

It will restrict access for all users on this VPN portal, right? I want to restrict access for one user only.

beltskyy

Yes, I have the same task now. For most users (based on user group) I allow access from anywhere, but for some users I want to allow access only from specified public IPs.

what is the correct way to set such a policy?

AlexHelloworld wrote:

It will restrict access for all users on this VPN portal, right? I want to restrict access for one user only.

Have you found a way to do it?

boneyard

I don't believe there is a way. You can restrict the access in general, but you can't allow certain groups from everywhere and some from only specific IPs.

 

If you really want to, you could consider two devices, where you restrict access in general on the specific one.