Fortigate GeoFilter on Dial VPN

24th April 2020

One of the standard methods of remote access is Dial VPN, which is usually only single-factor authentication. It uses username + password + pre-shared key, which are all “something you know”. Many copies of “something you know” are still just one factor.

To mitigate this I looked up how to geo-filter inbound requests, but the Fortinet document is a little dated and some services have different names now. So I present the slightly updated version with notes added.

Step 1: Create a named group. Even if you only want to allow a single country now, you will inevitably need to add another in the future, and since we are using the command line, this will cause some pain in your posterior. I named mine GoodGeo.

Step 2: We need a named address containing the WAN IP. If you have multiple WAN addresses, this should be a group. Hopefully you have a static IP address; if not, it is possible to use your Dynamic DNS address (something.fortiddns.com) in a URL address. I named mine WAN_IP.

Step 3: Start the CLI console and enter the following commands:

config firewall local-in-policy
edit 1
set intf "wan1"
set srcaddr "GoodGeo"
set dstaddr "WAN_IP"
set action accept
set service "IKE"
set schedule "always"
next
end

Step 4 (optional): Enable viewing the Local-In-Policy in the GUI, but note that you cannot edit it there.

Enable this and a new menu named Local In Policy appears under Policy & Objects.

Local-In-Policy is separate from normal policies, and clicking on IPsec reveals no details; you need to use the GUI command line or SSH to see the details of the policy.

I highly recommend this: if you have email alerts turned on, you will get an alert every time China scans your firewall.
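Rather than relying on the alert volume alone, it is worth checking the local-in traffic logs to confirm the policy is doing what you expect. The following is an added example (not from the Fortinet document or the original post) that parses FortiGate key=value log lines, counts denied IKE attempts per source country, and flags two misconfiguration signs: IKE accepted from a country outside GoodGeo, and IKE denied from a country that should be allowed. The log lines are constructed samples; the field names (subtype, srccountry, service, action, srcip) are standard FortiGate traffic-log fields, and "United States" is assumed to be the GoodGeo member.

```python
import re
from collections import Counter

# Constructed sample FortiGate local-in traffic log lines (not real device output).
SAMPLE_LOGS = """\
date=2020-04-24 time=10:01:02 type="traffic" subtype="local" srcip=203.0.113.5 srccountry="United States" dstip=198.51.100.1 dstport=500 service="IKE" action="accept" policyid=1
date=2020-04-24 time=10:02:14 type="traffic" subtype="local" srcip=198.18.0.9 srccountry="China" dstip=198.51.100.1 dstport=500 service="IKE" action="deny" policyid=0
date=2020-04-24 time=10:02:15 type="traffic" subtype="local" srcip=198.18.0.10 srccountry="China" dstip=198.51.100.1 dstport=4500 service="IKE" action="deny" policyid=0
date=2020-04-24 time=10:03:40 type="traffic" subtype="local" srcip=192.0.2.77 srccountry="Russian Federation" dstip=198.51.100.1 dstport=500 service="IKE" action="accept" policyid=0
date=2020-04-24 time=10:04:00 type="traffic" subtype="local" srcip=203.0.113.8 srccountry="United States" dstip=198.51.100.1 dstport=443 service="HTTPS" action="deny" policyid=2
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one FortiGate key=value log line into a dict of string fields."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def audit_ike_geofilter(log_text, allowed_countries):
    """Summarise IKE local-in decisions per source country and flag policy gaps.

    leaks        -> IKE accepted from a country that is not in the GoodGeo group
    false_blocks -> IKE denied from a country that should have been allowed
    """
    denied = Counter()
    leaks, false_blocks = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only traffic to the firewall itself (local-in) on the IKE service matters here.
        if rec.get("subtype") != "local" or rec.get("service") != "IKE":
            continue
        country, action = rec.get("srccountry"), rec.get("action")
        if action == "deny":
            denied[country] += 1
            if country in allowed_countries:
                false_blocks.append(rec["srcip"])
        elif action == "accept" and country not in allowed_countries:
            leaks.append(rec["srcip"])
    return {"denied_by_country": dict(denied), "leaks": leaks, "false_blocks": false_blocks}


if __name__ == "__main__":
    print(audit_ike_geofilter(SAMPLE_LOGS, {"United States"}))
```

A non-empty leaks list means IKE is still reachable from outside the allowed group, so the local-in policy needs revisiting before trusting the geo-filter.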

Original: https://kb.fortinet.com/kb/documentLink.do?externalID=FD45208