Firewall policy to allow vpn only from specific states

Hello, I’m new to FortiGate (I have FG VM version 7.4). Can I create a rule/policy to limit access to the VPN by state? I only see forward rules in policy.

No

Edit: you can only scope by country, and even then VPNs exist which can get around even country-based restrictions. Also, you should know that many cellular providers backhaul their traffic to a main office, which is often outside of the subscriber’s home state.

Honestly, this is unrealistic in today’s networks and I’ll explain why… I live in Ohio, but if you geolocate my IP it says I’m in Chicago, IL… why? Because I’m a Starlink user and that’s where the PoP is…

Doing any kind of blocking is becoming more and more difficult now since it’s very easy to mask where you’re actually located.

Have your users set up a free DNS like no-ip.com and then whitelist only their DNS names.

Thank you, everyone. I think it was a good decision to ask here.

We’re in Canada; the moment we removed the USA from the SSL VPN allow list and left only Canada, 99% of attempts disappeared.

If you can, send the auth to Entra and use conditional access policies to restrict on risky sign-ins and risky users. You can also set it to require the device to be marked as compliant, and require MFA on every sign-in.

The one time we were breached, the attacker used a jump box in a hosted provider and geolocated their IP to a city nearby.

What business problem are you trying to solve?

Can’t filter by state, and you wouldn’t want to anyway. You’ll run into issues with fixed wireless, mobile devices, and Starlink because although a user may be in, say, Texas, their geolocation could be Illinois…

I think there is a translation error. I think by “states” he means country.

You can go to Feature Visibility and enable Local In Policy.

Then, create a local-in policy that blocks by location.

Might do the trick.
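The local-in approach above, written out as an added CLI example (this is not configuration from the thread or from Fortinet; it is what the suggested steps look like on FortiOS 7.4). It assumes the public interface is "wan1", the SSL VPN listener is on TCP 10443, and the object names are illustrative. The `#` lines are explanatory comments placed between the config blocks. The example blocks Russia and Belarus, which is what the original poster later says they actually need.

```fortios
# Added example, not from the thread. Assumes wan1 and TCP 10443.

# CLI equivalent of Feature Visibility -> Local In Policy
config system settings
    set gui-local-in-policy enable
end

# Geography addresses use ISO 3166 country codes and are resolved by the
# FortiGuard geolocation database, so the block is only as good as that DB.
config firewall address
    edit "Geo-Russia"
        set type geography
        set country "RU"
    next
    edit "Geo-Belarus"
        set type geography
        set country "BY"
    next
end

# Service object for the SSL VPN listener port (assumed 10443)
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
    next
end

# Local-in policy: matches traffic addressed to the FortiGate itself,
# before it reaches the SSL VPN daemon. Entries are evaluated top down.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Geo-Russia" "Geo-Belarus"
        set dstaddr "all"
        set action deny
        set service "SSLVPN-10443"
        set schedule "always"
        set status enable
    next
end
```

Two things to check after applying it: the service must match the port the SSL VPN listener actually uses (`config vpn ssl settings`, `port`), and, if the unit is reachable over IPv6, the same deny has to be repeated in `config firewall local-in-policy6`, since the IPv4 policy does not cover it.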

You can set up SSL-VPN to terminate on a loopback and then use standard rules to only allow that access from the geolocations you want/need.

Hm, thank you for the answer; short, but it says everything. This isn’t a good feature.

Thinking it over, for me it is/was necessary to block subnets from Russia and Belarus. That is all I want.

Putting two and two together to get five, but my guess something related to recent election, and something that’s illegal in certain states.

Yes but you can’t geolocate to the state level

Sounds good, I will test it. Thank you.

The problem is not the feature, it is the nature of the request vs how networking resources are allocated.

There is no granularity of geo-restriction available below the country level. You can no more successfully restrict internet traffic by a specific US state than you could by a specific zip code or street.

OK, I assumed you wanted to restrict it by state, as in “only allow VPN connections from Ohio”… But if you want to geo-block by country, it’s not difficult.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-SSL-VPN-connectivity-from-certain/ta-p/191997

Here are a couple of options; you don’t NEED to have your SSL VPN terminated on a loopback to make this work (even though terminating on a loopback is recommended).
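The other option that reply alludes to is restricting the SSL VPN listener itself, which works whether it sits on wan1 or on a loopback. The following is an added example (not from the thread, and not necessarily the exact steps in the linked Fortinet article); it assumes the listener is on "wan1" and TCP 10443, allows Canada plus one fixed office range 198.51.100.0/24 (a documentation range), and uses illustrative object names.

```fortios
# Added example, not from the thread. Assumes wan1, TCP 10443,
# allowed sources: Canada plus 198.51.100.0/24.

config firewall address
    edit "Geo-Canada"
        set type geography
        set country "CA"
    next
    edit "Office-Remote"
        set subnet 198.51.100.0 255.255.255.0
    next
end

# source-address is evaluated by the SSL VPN daemon before any login is
# attempted. With source-address-negate disabled it is an allow list:
# connections from anything not listed are dropped.
config vpn ssl settings
    set source-interface "wan1"
    set port 10443
    set source-address "Geo-Canada" "Office-Remote"
    set source-address-negate disable
end
```

To turn this into a deny list instead (block a few countries, accept everyone else, which is the original poster's stated goal for Russia and Belarus), set `source-address` to the geography objects of the blocked countries and `set source-address-negate enable`. Whichever direction you choose, the fixed office range is worth keeping in an allow list so that a stale or wrong geolocation entry cannot lock out a known site.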

Correct, not at the state level itself, but by “states” I assume that means the entirety of the US.