2022/03/18

Forti SSLVPN 禁止特定IP連線

 Forti 防火牆上的SSLVPN連線功能,在GUI的設定介面裡,可以設定只允許特定IP連線,屬於白名單的方式。



可是公司的人會去其他國家出差,所以也無法確定到底哪些外部IP會連進來做SSLVPN的連線。 禁止特定IP連線。

然後又發現有特定的IP一直試著用不同帳密在TRY SSLVPN連線,實在有點擔心。

後來發現是有設定可以把白名單的限制方式,改成黑名單,但這要用指令來開啟

#config vpn ssl settings

     set source-address-negate enable

設定好之後,原本在GUI上啟用的白名單連線,就會變成是黑名單的效果了,只是在GUI的畫面上,上面還是一樣是寫允許清單,而不是禁止清單。



Forti SSLVPN Blocking Specific IP Connections

The SSLVPN connection feature on the Forti firewall allows you to set up a whitelist of specific IP addresses that are allowed to connect through the GUI configuration interface.

However, in our company, employees often travel to different countries, making it difficult to determine which external IP addresses will be used for SSLVPN connections. Therefore, we want to block specific IP connections.

We also noticed that there were certain IP addresses continuously attempting to connect through SSLVPN using different credentials, which raised some concerns.

Eventually, we discovered a configuration option that allows us to change the whitelist restriction to a blacklist, but it requires using commands.

#config vpn ssl settings

 set source-address-negate enable

After setting this up, the whitelist connections that were previously enabled in the GUI will effectively become a blacklist. However, in the GUI interface, it will still indicate "Allow List" instead of "Block List."


沒有留言:

張貼留言