Matlu
Advisor

Restriction on Remote Connections.

Hello,

Is it possible to restrict the origin of Remote Access VPN connections by country?

I have tried to "restrict" connections so that only 1 country can connect to my VPN.

I tried this from the firewall rule, using an "Updatable Object", but when I then try to work with other rules that I have, which are also RA VPN, I start getting errors when installing policy.

[Screenshot attachment: AR1.png]

Rule 90, which is the one causing the conflict, goes something like this:

Source: GRP_VPN@Any, Peru
Destination: Red_00
Community: RemoteAccess
Action: Accept
Services: Any

I am working with local users.

When I "delete" the "Updatable Object", I can install the policy without problems, but what I am trying to do is make access to my VPN more "restrictive".

Thank you for your attention.

22 Replies
the_rock
Legend

No bro, not possible. I even had a case opened with TAC, went to escalation, they confirmed the same. Kind of sucks, because with Fortinet, it's literally 4 clicks to get this done.

Andy

Matlu
Advisor

Did they get to share any SK with you?
Or were they just "cold" and said "No way, bye bye"?
hahaha 😞

the_rock
Legend

LOL @Matlu... no bro, there is no SK lol

Anyway, they just said in the case it's not possible. Customer very disappointed, to say the least, but if it can't be done, it can't be done. Maybe in R82, I don't know...

Andy

the_rock
Legend

I attached what they gave me, the implied rule thing; we verified it would not have anything to do with this, maybe the first person may have misunderstood...

Cheers,

Andy

Matlu
Advisor

You seem to have been "misunderstood".
LOL. It happens ... 🤣

the_rock
Legend

HAHAHAHAHA... it won't be the first or last time bro 🤣🤣🤣🤣🤣

Chris_Atkinson
Employee

the_rock
Legend

Okay, I will give that option to the customer, something to consider. Not as easy as setting it up in the Fortigate GUI, but at least it may work.

Thanks Chris,

Andy

Matlu
Advisor

Treating traffic as if it were "DoS", can it negatively impact the GW?
Can it cause CPU and memory saturation on the GWs?

the_rock
Legend

That's exactly the thought I have as well... I really wish there was a way to block this in the rule using the updatable country object. I sure hope it becomes available in the next release. We actually have more and more CP clients asking about it.

Andy

Chris_Atkinson
Employee

To maximize performance, the DoS/Rate Limiting policy is enforced as early as possible in the packet flow. For most features this means it is enforced in SecureXL.

CCSM R77/R80/ELITE
the_rock
Legend

Here is an important question, for me at least... does that method from the link you gave ONLY block VPN access, or any traffic?

Andy

Chris_Atkinson
Employee

The syntax is an example, you can see the "service" parameter.

I know you will test it in your lab anyway as you should before trying it in the real world. 🙂

CCSM R77/R80/ELITE
the_rock
Legend

I think I sort of understand the syntax better now... as long as the destination is the external gateway IP and the source cc is an actual country code, that's what matters. Not sure if the cc syntax can be used multiple times in the same command, but will try tomorrow in the lab... what I mean is, say, source cc:CN cc:EE... multiple country codes like that.

Andy

Matlu
Advisor

Please share with us the results of your tests, my friend. 🙌
And if you are successful, well, it could be nice to know what your procedure was. 🤙

the_rock
Legend

See, the problem is, I don't have a real external IP configured in my lab, so the best I can do in the meantime is run the command and see if it takes it, and let you know.

Andy

the_rock
Legend

Okay, the commands do work, which is awesome, BUT the only way to know 100% if it's successful is to try it on a real production FW with a valid external IP address. By the way, multiple cc options don't work, see below. You simply use 2-letter country codes as per the link below and what @PhoneBoy gave in his post.

Andy

Country Codes, Phone Codes, Dialing Codes, Telephone Codes, ISO Country Codes

[Expert@CP-TEST-FW:0]# fwaccel dos rate add -a b source cc:CA
uid="<65731a1c,00000000,e90a10ac,0000026b>"
[Expert@CP-TEST-FW:0]# fwaccel dos rate add -a d -l a service any source cc:CN cc:EE destination cidr:172.16.10.213/32 pkt-rate 0
ERROR: add quota: unknown key name 'cc:EE'
[Expert@CP-TEST-FW:0]# fwaccel dos rate add -a d -l a service any source cc:CN cc:FI destination cidr:172.16.10.213/32 pkt-rate 0
ERROR: add quota: unknown key name 'cc:FI'
[Expert@CP-TEST-FW:0]# fwaccel dos rate add -a d -l a service any source cc:CN destination cidr:172.16.10.213/32 pkt-rate 0
uid="<65731a7c,00000000,e90a10ac,00000414>"
[Expert@CP-TEST-FW:0]# fwaccel dos rate add -a d -l a service any source cc:FI destination cidr:172.16.10.213/32 pkt-rate 0
uid="<65731a84,00000000,e90a10ac,000004e5>"
[Expert@CP-TEST-FW:0]# fwaccel dos rate add -a d -l a service any source cc:EE destination cidr:172.16.10.213/32 pkt-rate 0
uid="<65731a8a,00000000,e90a10ac,00000504>"
[Expert@CP-TEST-FW:0]# ^C
[Expert@CP-TEST-FW:0]#

******************************************

[Expert@CP-TEST-FW:0]# fwaccel dos rate get
fwaccel dos rate add -i "<65731a1c,00000000,e90a10ac,0000026b>" -action bypass source cc:CA service any
fwaccel dos rate add -i "<65731a8a,00000000,e90a10ac,00000504>" -action drop -log alert service any source cc:EE destination cidr:172.16.10.213/32 pkt-rate 0
fwaccel dos rate add -i "<65731a7c,00000000,e90a10ac,00000414>" -action drop -log alert service any source cc:CN destination cidr:172.16.10.213/32 pkt-rate 0
fwaccel dos rate add -i "<65731a84,00000000,e90a10ac,000004e5>" -action drop -log alert service any source cc:FI destination cidr:172.16.10.213/32 pkt-rate 0
(4 rules found)
[Expert@CP-TEST-FW:0]#
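The transcript above establishes two things: the gateway accepts one cc: key per "fwaccel dos rate add" entry, and it rejects a second one ("unknown key name 'cc:EE'"). The following script is an added example, not code from the thread and not from Check Point; it generates one entry per country code in exactly the syntax shown above, so a list of countries does not have to be typed by hand. The gateway address 203.0.113.10, the country lists and the DRY_RUN switch are placeholders assumed for the example, not values from the original post.

```sh
#!/bin/sh
# Added example (not from the thread, not Check Point code): build one
# "fwaccel dos rate add" command per country code, because the output above
# shows that several cc: keys in one command are rejected
# ("ERROR: add quota: unknown key name 'cc:EE'").
#
# Assumptions, all placeholders rather than values from the original post:
#   GW_EXTERNAL_IP  the gateway's public IP (RFC 5737 documentation address)
#   BLOCK_CC        space-separated ISO 3166-1 alpha-2 codes to drop
#   ALLOW_CC        optional single code that gets a bypass entry
#   DRY_RUN         1 (default) only prints the commands; 0 executes them,
#                   which only makes sense in Expert mode on the gateway.

GW_EXTERNAL_IP="${GW_EXTERNAL_IP:-203.0.113.10}"
BLOCK_CC="${BLOCK_CC:-CN EE FI}"
ALLOW_CC="${ALLOW_CC:-}"
DRY_RUN="${DRY_RUN:-1}"

# Accept exactly two upper-case letters. Anything else ("cc:EE", "CN,EE",
# "CN EE") would be handed to fwaccel unchanged and rejected there.
valid_cc() {
    case "$1" in
        [A-Z][A-Z]) return 0 ;;
        *) echo "invalid country code: $1" >&2; return 1 ;;
    esac
}

# Drop entry with the flags used in the thread: -a d = action drop,
# -l a = log alert, destination = the gateway's own external IP,
# pkt-rate 0 copied from the thread.
drop_rule_cmd() {
    valid_cc "$1" || return 1
    printf 'fwaccel dos rate add -a d -l a service any source cc:%s destination cidr:%s/32 pkt-rate 0\n' \
        "$1" "$GW_EXTERNAL_IP"
}

# Bypass entry, same shape as "fwaccel dos rate add -a b source cc:CA" above.
bypass_rule_cmd() {
    valid_cc "$1" || return 1
    printf 'fwaccel dos rate add -a b source cc:%s\n' "$1"
}

# Validate every code first so a typo does not leave a half-applied set,
# then print the bypass (if any) followed by one drop entry per country.
gen_rules() {
    for cc in $ALLOW_CC $BLOCK_CC; do
        valid_cc "$cc" || return 1
    done
    [ -z "$ALLOW_CC" ] || bypass_rule_cmd "$ALLOW_CC"
    for cc in $BLOCK_CC; do
        drop_rule_cmd "$cc"
    done
}

# Show or execute the commands, then list what the gateway holds so the
# result can be compared with the "fwaccel dos rate get" output above.
apply_rules() {
    gen_rules | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "[dry-run] $cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done || return 1
    [ "$DRY_RUN" = 1 ] || fwaccel dos rate get
}

apply_rules
```

Run it once with the default DRY_RUN=1 to review the generated lines, then with `DRY_RUN=0 GW_EXTERNAL_IP=<real external IP> BLOCK_CC="CN EE" sh geo_dos_rules.sh` in Expert mode and compare against `fwaccel dos rate get`. Two caveats follow from the thread itself: the transcript only proves the entries are accepted, not that they are enforced on real external traffic, so the test on a gateway with a valid external IP that the_rock describes is still required; and, as Chris notes, the rate-limiting policy is enforced in SecureXL early in the packet flow, so with `service any` and the gateway IP as destination an entry affects every connection from that country to the gateway, not only VPN, unless the service parameter is narrowed. Whether a bypass for one country plus drop entries amounts to a true single-country allow-list is not demonstrated on this page, and whether the entries survive a reboot on a given version should be checked in the lab as well.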
Matlu
Advisor

Does your lab have a real external IP?
Does Mobile Access or IPsec VPN work in your LAB for remote connections?

If not, I can try, from my location, to reach your LAB, to see if it works, HAHA. 😅

the_rock
Legend

Ok, I'll write this in Spanish haha. As I already said twice, no, I don't have an external IP in my lab, so the only way to confirm it is to do it on a device that does have one. The commands work.

Matlu
Advisor

We will have to 'sacrifice' a customer, and give it a try. 

Let him be our 'trojan horse'. 🤣🫣 

the_rock
Legend

lol... or guinea pig, as they say

Andy

the_rock
Legend

I will see later if I can do some NATing on our lab Fortigate firewall to get a real external IP working, so this can be tested properly.

Andy
