SSL VPN avoid IP access

Fort-zender · ‎01-22-2024

Hi all,

Is there a way to restrict SSL-VPN access solely to the FQDN, disallowing users from accessing the web portal via the IP address? We prefer users to only use the FQDN for access.

OR

Can we use multiple server certificates that cover both IP and FQDN, eliminating certificate warnings?

Any lead?

hbac · ‎01-22-2024

Hi @Fort-zender,

There is no way to allow FQDN and deny IP address as FortiGate always see traffic coming from IP addresses. FQDN is resolved at the client side.

To avoid certificate warning, you can add FortiGates IP address to the SAN field of the certificate: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Adding-SAN-Subject-Alternative-Name-while/...

Regards,

View solution in original post

AEK · ‎01-22-2024

Hello

I don't think FGT can deny VPN by IP and allow with FQDN.

On the other hand you can have one single private or public certificate for both IP and FQDN.

AEK

mle2802 · ‎01-22-2024

Hi @Fort-zender,

You can use SAN certificate for both FQDN and IP.

hbac · ‎01-22-2024

Hi @Fort-zender,

There is no way to allow FQDN and deny IP address as FortiGate always see traffic coming from IP addresses. FQDN is resolved at the client side.

To avoid certificate warning, you can add FortiGates IP address to the SAN field of the certificate: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Adding-SAN-Subject-Alternative-Name-while/...

Regards,