FortiGate IPsec VPN: restricting connections to IPs from specific countries

After attending the 2025 Information Security Conference, I feel that a protection policy restricting source IPs still has some effect, so we are evaluating adding the relevant settings to our existing FortiGate VPN. First, I confirmed that FortiGate can define address objects based on Country/Geographic Address, so what remains is configuring and applying the relevant policies.

Originally, the AI suggested filtering with a WAN → IPsec rule in the Firewall Policy, but in actual testing this did not block anything. My guess is that when an IPsec VPN is created, FortiGate automatically adds an entry to the Local-In Policy (the policy for traffic destined to the FortiGate itself) that allows any IP to connect via IPsec, which makes the Firewall Policy irrelevant here. So if you want to block these connections, you have to start with the Local-In Policy.

My firmware version is 7.4.7. In the GUI the Local-In Policy can only be viewed, not modified, so after creating the address object for the relevant countries, the next step is to open the CLI Console and change the Local-In Policy by command.
(According to the official documentation, from 7.6.0 onward this can be configured via the GUI.)

【FortiGate Environment】

  • Firmware version: 7.4.7
  • VPN connection method: IPsec
  • Goal: only IPs from certain countries are allowed to connect to the IPsec VPN.

CLI Console
First, a note on priority: normally you would set the allow rules first and then the Deny All, but because I want to confirm that Deny All actually takes effect first, I set the Deny rule first; once everything is in place, I use move to adjust the policy order.

1. Deny IPsec VPN connections from all IPs

config firewall local-in-policy
    edit 1
        set intf "virtual-wan-link" # virtual-wan-link is the name of the Interface
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "IKE" "ESP"
        set schedule "always"
    next
end

2. Allow specific country IPs to connect to IPSec VPN

config firewall local-in-policy
    edit 2
        set intf "virtual-wan-link"
        set srcaddr "Country-Allow"
        set dstaddr "all"
        set action accept
        set service "IKE" "ESP"
        set schedule "always"
    next
end

3. Adjust the local-in-policy order

config firewall local-in-policy
move 2 before 1
end

4. Check the results of the last settings

show firewall local-in-policy
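As an added example (not from the original post), here is a small Python check for the output of step 4: it parses the `show firewall local-in-policy` text and verifies that the country allow rule precedes the IKE/ESP deny-all, since local-in policies are matched top-down and a misordered allow rule is silently shadowed. The sample output is constructed, using the interface name and address object from this post; it assumes the FortiOS behaviour that `show` omits settings still at their default (deny being the default action).

```python
import re

# Constructed sample of `show firewall local-in-policy` after step 3 (policy 2
# moved before policy 1); not captured from a real device. `show` omits values
# still at their default, so policy 1 shows no `set action deny` line.
SAMPLE_SHOW_OUTPUT = """\
config firewall local-in-policy
    edit 2
        set intf "virtual-wan-link"
        set srcaddr "Country-Allow"
        set dstaddr "all"
        set action accept
        set service "IKE" "ESP"
    next
    edit 1
        set intf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE" "ESP"
    next
end
"""
VPN_SERVICES = {"IKE", "ESP"}


def parse_local_in(text):
    """Return the policies in evaluation (top-down) order; action defaults to deny."""
    policies, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"edit (\d+)", line):
            cur = {"id": int(m.group(1)), "action": ["deny"]}  # assumed default
        elif cur is not None and (m := re.fullmatch(r"set (\w+) (.+)", line)):
            cur[m.group(1)] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', m.group(2))]
        elif line == "next" and cur is not None:
            policies.append(cur)
            cur = None
    return policies


def check_vpn_order(policies, intf="virtual-wan-link"):
    """First-match semantics: every IKE/ESP accept on `intf` must precede the deny-all."""
    findings, deny_all_seen = [], False
    for p in policies:
        if p.get("intf") != [intf] or not VPN_SERVICES & set(p.get("service", [])):
            continue
        if p["action"] == ["deny"] and p.get("srcaddr") == ["all"]:
            deny_all_seen = True
        elif p["action"] == ["accept"] and deny_all_seen:
            findings.append(f"policy {p['id']} is shadowed by the deny-all above it")
    if not deny_all_seen:
        findings.append("no IKE/ESP deny-all: IPs outside the allowed countries still pass")
    return not findings, findings
```

Paste the real `show` output in place of the constructed sample; a non-empty findings list means the order from step 3 did not take effect.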


【Extra】
During testing, if you want to observe the traffic, you can do so with the following commands.

1. Use the sniffer to observe traffic on any interface on ports 500 and 4500

diag sniffer packet any 'port 500 or port 4500' 4 # verbosity level: 4 is the most detailed, 1 the simplest

// Press CTRL + C to stop

2. Use debug flow to observe the first 100 packets from source 123.123.123.123

diag debug reset
diag debug flow filter addr 123.123.123.123
diag debug flow trace start 100
diag debug enable

# stop and clear the debug when done
diag debug disable
diag debug reset

3. Observe IKE traffic in debug mode

diag debug reset
diag debug console timestamp enable
diag debug application ike -1 # levels range from 1 to 15; -1 is the most detailed
diag debug enable

# stop and clear the debug when done
diag debug disable
diag debug reset
