For example, let's say you are an enterprise org that has a presence in only one country or continent, and your user base resides in just that continent.
By using a null group and portal, you can easily lock down your Fortinet FortiClients to only the allowed geo-IP range, or even to a network subnet or IP range.
E.g. we only allow US geo-IPs to access our network; all others will be blocked.
By using the CLI command diag debug application sslvpn -1 we can validate what rules and groups
As you can see, I matched auth-rule #2, which was not allowed SSL VPN access to any portal. So a client trying to come in via a banned geo-address will be delivered a non-existent portal named none.
In the next example we are allowing our PBXeng team access, but only from the firewall.address object named PBX_vendors network.
!!!! Be cautious of the ordering of the auth-rules !!!!
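Putting the pieces together, here is an added example (mine, not from the post) of the auth-rule ordering the post describes, written as FortiOS CLI. The names wan1, US_geo, PBXeng, all-vpn-users, tunnel-access, full-access and null-portal and the 203.0.113.0/24 subnet are assumptions; the # lines are annotations, not CLI input.

```text
# Constructed FortiOS CLI example; object names are assumptions.
config firewall address
    edit "US_geo"
        set type geography
        set country "US"
    next
    edit "PBX_vendors network"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# A portal with nothing enabled: a user who matches it gets no access.
config vpn ssl web portal
    edit "null-portal"
        set tunnel-mode disable
        set web-mode disable
    next
end

config vpn ssl settings
    config authentication-rule
        # Rule 1: PBXeng only from the vendor subnet. Rules are matched
        # top-down, first match wins, so the narrow allow goes first.
        edit 1
            set source-interface "wan1"
            set source-address "PBX_vendors network"
            set groups "PBXeng"
            set portal "tunnel-access"
        next
        # Rule 2: everyone NOT sourced from a US geo-IP lands on the null
        # portal. Placed above rule 1 it would also swallow vendor logins.
        edit 2
            set source-interface "wan1"
            set source-address "US_geo"
            set source-address-negate enable
            set groups "all-vpn-users"
            set portal "null-portal"
        next
        # Rule 3: US-sourced users get the real portal.
        edit 3
            set source-interface "wan1"
            set source-address "US_geo"
            set groups "all-vpn-users"
            set portal "full-access"
        next
    end
end
# Verify which rule a login hits:
diagnose debug application sslvpn -1
diagnose debug enable
```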
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com