Since the 5.2 firmware there are a lot of changes in sslvpn (i.e. lack of WAN --> ssl.root policies for the web portal).
I use sslvpn very seldom, but now one of my customers upgraded from 5.0 to 5.2.
There are 2 tunnel (sslvpn) configurations and 5 web-portal configurations (for some partners).
In one particular web portal we want to restrict access to a few (or even one) public IPs, but it doesn't work.
I've built this policy:
Incoming interface - ssl.root
src addr - only_public_IP
src users - partnerX_group_users
Outgoing interface - lan
dst addr - Internal_Server_X
schedule - always
service - any
action - accept
Everything works OK, but I can log in as partnerX and access Internal_Server_X from any public IP!
Since there is no wan-to-ssl.root policy, I understand that I can log in to the portal, but IMHO I shouldn't be able to access Internal_Server_X. This is some kind of security issue.
Is it possible to restrict it?
Dominik Weglarz, IT System Engineer
Copyright 2023 Fortinet, Inc. All Rights Reserved.