freber
New Contributor

Block internal IP from VPN

Hi all!

We have a working SSL VPN that lets outside users access our internal LAN. But I want to restrict access to specific local addresses. I.e., I don't want any VPN users to access 192.168.0.20.

How do I block a specific local IP?

1 Solution
Toshi_Esumi
SuperUser

You must have an ssl.root->[internal_interface] policy allowing all. Just put another policy blocking the host .20 right above the existing policy.

Yurisk

That's the beauty of Interface/Route-based VPNs - you treat your VPN users as located somewhere on the Internet and connected to your LANs via the ssl.root interface; as a consequence, you allow/block this traffic in security policy as you do with any traffic passing the firewall from interface to interface.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
freber
New Contributor

I have a deny policy now which has destination .20, and when it's not in effect the users can reach everything, and when it is applied they can't connect at all.
