SSL-VPN geo-ip Source filter not working

Hey guys.

I saw that for the last couple of hours, someone was trying every conceivable default username under the sun to try and login into my firewall via SSLVPN.

Since we only have employees who are local, I decided to simply geo-block the VPN to Israel.

These are the relevant config parts:

config vpn ssl settings
    set ssl-min-proto-ver tls1-1
    set servercert "acme-AJ"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "port1"
    set source-address "Israel"
    set default-portal "web-access"
    next
end
config firewall address
    edit "Israel"
        set uuid 674230c8-aafa-51ed-9194-4baa5646c1f6
        set type geography
        set country "IL"
    next
end

and still, I see connections from that bad actor, even though Fortinet’s own GEO-IP test shows him to be in the Netherlands:

AllJobs_FGT1 $ diagnose geoip geoip-query 185.224.128.240
IP:185.224.128.240
{
  "city":{
    "geoname_id":2753240,
    "names":{
      "en":"Wormerland"
    }
  },
  "continent":{
    "code":"EU",
    "names":{
      "en":"Europe"
    }
  },
  "country":{
    "iso_code":"NL",
    "names":{
      "en":"Netherlands"
    }
  },
  "subdivisions":[
    {
      "names":{
        "en":"North Holland"
      }
    }
  ],
  "location":{
    "latitude":52.507271,
    "longitude":4.852800,
    "time_zone":"Europe\/Amsterdam"
  },
  "postal":{
    "code":"1509"
  }
}

What am I missing here?

Use local-in-policy.

It is the first to be hit.
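An added example of what that looks like (my own snippet, not from the original poster or from Fortinet): a pair of local-in policies on port1 that accept the SSL-VPN port only from the "Israel" geography address and deny it from everyone else. It assumes the SSL-VPN listens on the default HTTPS port and that port1 is the WAN interface; adjust the service if a custom port is used.

```text
# Local-in policies are matched top-down, so the accept must have the lower ID.
# Assumes SSL-VPN on port 443 (service "HTTPS") and port1 as the WAN interface.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "Israel"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action deny
    next
end
```

Because the policy only affects new sessions, existing sessions from the attacker still have to be cleared by hand (see the diag sys session commands further down the thread).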

Geo-IP may be checked in a later phase of the VPN authentication process?

We have the VPN endpoint on a loopback IP on the Fortigate and do the Geo-IP filtering in a separate firewall policy from wan interface to loopback. This makes sure that the SSL-VPN port does not appear open from blocked countries.

diag sys session filter src 185.224.128.240
diag sys session clear

You may have to manually clear sessions if they are still active.

Since we only have employees who are local, I decided to simply geo-block the VPN to Israel.

Why not do the opposite? Like that you will have less work in the future. Let’s say you are in the USA, block every connection not coming from that region (1), instead of blocking every single country (300+).

Less work :wink:

I can’t help you with cli, but here is some UI that should help. I’m not sure if this is considered a local in policy or just something to do in addition to one.

Restrict access. Limit access to specific hosts. Insert country/group of countries.

I really hope Fortinet does something to help address this. I’m seeing these posts here 2-4 a week now. Seems to be some known attack vector.

I wonder if making a rule in the Local-In policies would be worth a try.

Interesting, can you send me a link or possibly share a sanitized config of your FW to show how I can configure the SSLVPN to work over a loopback interface?

I’ll give it a try, thanks

That’s what I mean:

config vpn ssl settings
    set ssl-min-proto-ver tls1-1
    set servercert "acme-AJ"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "port1"
    set source-address "Israel"
    set default-portal "web-access"
    next
end

This only allows connections from Israel, or at least, is supposed to… Doesn’t work for some reason.

This is exactly what I did.

The CLI part you saw up top that refers to “set source-address” is the CLI equivalent of the “Restrict Access” in the link you sent me.

thanks for trying though
