Hi, I have to look at a FortiGate with firmware version 6.0.11 later today and prevent users from connecting with their FortiClient VPN while inside the network. I took a quick peek and couldn't find the option to disable it, and FortiGates aren't my specialty. Suggestions?
We ran into a similar issue. I believe we simply disabled the service on internal interfaces (no need to VPN into the network if you’re already in the network), but I’d have to go back and double check.
I don’t think there’s a tick box to disable that.
VPN-only client or managed from EMS?
What you can do is build a local-in policy to deny connections to your sslvpn from inside.
config firewall local-in-policy
    edit 1
        set intf "interface you're listening for sslvpn on"
        set srcaddr "your address object for your lan"
        set dstaddr "address object for wanIP"
        set service "service object for whatever port you're using for sslvpn"
        set schedule always
        set action deny
    next
end
Another option would be to create a firewall policy to block the same.
config firewall policy
    edit 31
        set name "Block Internal SSLVPN"
        set uuid 3eaed928-098e-51eb-1516-429a2c79b43f
        set srcintf "Internal Zone"
        set dstintf "virtual-wan-link"
        set srcaddr "EvilData"
        set dstaddr "Evil101F_CT_Public-xxxxxxxx"
        set action deny
        set schedule "always"
        set service "SSLVPN"
        set logtraffic disable
    next
end
I would probably do the firewall policy since it will stop it sooner in the flow.
How do you connect to the VPN, by FQDN? If so, just take that out of the internal DNS. If they can't resolve it, they can't connect…
You can specify sources from which you want to allow connections, or the other way around (negate), which is what you're after. It's a setting under "config vpn ssl settings". You could add all RFC1918 ranges there.
Do you remember where? I looked at the spot I thought it would be and I couldn't find one.
I’ll look at these, thanks.
IP address unfortunately
Is the negate command in 6.0? I didn’t think that showed up until 6.4
I think I was looking at this but it only shows WAN already, but it was in 6.0.11
In 6.2.3, go to VPN > SSL-VPN Settings. First option is “Listen on Interfaces” - include the ones you want to host on and all others will be excluded.
Edit - Excluded if you remove “all/any” as an interface object.
Block the IP by policy then. And I highly suggest moving to FQDN. It will solve headaches later.
FYI, it is definitely there in 6.4.2
config vpn ssl settings
    set source-address-negate enable
    set source-address "Lan address Object/Object group"
end
6.0 I'm not sure; 6.2 also has this feature.
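As an added example (not posted by anyone in this thread), here is the RFC1918 variant of the source-address-negate approach written out in full for a 6.2+/6.4 FortiGate; the address object and group names are assumptions.

```fortios
# Added example: deny SSL VPN logins from all RFC1918 sources (FortiOS 6.2+/6.4).
# Object names RFC1918_10, RFC1918_172, RFC1918_192 and RFC1918_ALL are made up here.
config firewall address
    edit "RFC1918_10"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "RFC1918_172"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "RFC1918_192"
        set subnet 192.168.0.0 255.255.0.0
    next
end
config firewall addrgrp
    edit "RFC1918_ALL"
        set member "RFC1918_10" "RFC1918_172" "RFC1918_192"
    next
end
# With negate enabled, source-address lists the sources that are NOT allowed
# to reach the SSL VPN portal; every other source is still permitted.
config vpn ssl settings
    set source-address "RFC1918_ALL"
    set source-address-negate enable
end
```

Test from an internal host afterwards: the original poster reported that the equivalent setting did not take effect on 6.0.11, so on that branch the local-in policy or firewall policy shown earlier in the thread is the fallback.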
In 6.0.11 this setting doesn't seem to work. I'd have to look again, but there was something like that there that I found, and it was only enabled on WAN1 and 2, but clients still connected.