Friday, November 17, 2017

Locking down the SSLVPN based on GeoIP

Using the SSLVPN and portals, you sometimes want to ban certain locations by GeoIP.

For example, let's say you are an enterprise that has a presence in only one country or continent, and your user base resides in just that continent.

By using a null group and portal, you can easily lock down your Fortinet FortiClient access to only the GeoIP range that is allowed, or even to a single network subnet or IP range.

E.g. we only allow US GeoIPs to access our network; all others will be blocked.

By using the CLI command diag debug application sslvpn -1 we can validate which auth-rules and groups a connecting client matches.

As you can see, I matched auth-rule #2, which was not allowed SSLVPN access to any portal. So a client coming in from a banned geo-address will be delivered a non-existent portal named none.

In the next example we are allowing our PBXeng team access, but only from the firewall address named PBX_vendors network.

!!!! Be cautious of the ordering of the auth-rules !!!!
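An added FortiOS CLI example (not taken from the post) of the pattern described above: a geography address for the US, an empty null portal named none, and auth-rules ordered so the specific allow rules are evaluated before the catch-all. GEO_US, SSLVPN_users, full-access and the PBXeng group name are assumed names; PBX_vendors and the none portal come from the post, and whether a geography-type address is accepted in source-address depends on the FortiOS release.

```text
# FortiOS CLI, added example. Assumed names: GEO_US, SSLVPN_users, full-access, PBXeng.
# Step 1: a geography address that matches only US GeoIP sources.
config firewall address
    edit "GEO_US"
        set type geography
        set country "US"
    next
end

# Step 2: a null portal. Nothing is enabled, so a client that lands here gets no access.
config vpn ssl web portal
    edit "none"
        set tunnel-mode disable
        set web-mode disable
    next
end

# Step 3: auth-rules, evaluated top to bottom. Specific allows first, catch-all last.
config vpn ssl settings
    config authentication-rule
        # PBXeng team: allowed only from the PBX_vendors address.
        edit 1
            set source-address "PBX_vendors"
            set groups "PBXeng"
            set portal "full-access"
        next
        # Everyone else: allowed only from US GeoIP.
        edit 2
            set source-address "GEO_US"
            set groups "SSLVPN_users"
            set portal "full-access"
        next
        # Catch-all: any other source for these groups lands on the null portal.
        edit 3
            set groups "SSLVPN_users" "PBXeng"
            set portal "none"
        next
    end
end

# Verify which rule a login hits while a test client connects:
# diag debug application sslvpn -1
# diag debug enable
```

If the catch-all were moved above rule 1 or 2, every user would hit the null portal regardless of source, which is the ordering mistake the warning above refers to.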

Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
        /  \
