One of the standard methods of remote access is Dial VPN, which is usually only single factor authentication. It uses username + password + PreShared Key which are all “something you know”. Many copies of “something you know” is still just 1 factor.
To mitigate this I looked up how to Geo-Filter inbound requests. Except the Fortinet document is a little dated and some services have different names now. So i present the slightly updated version with notes added.
Step1; Create a named group, even if you only want to allow a single country now, you will inevitably need to add another in the future, and since we are using the command line this will cause some pain in your posterior. I named mine GoodGeo
Step2; we need a named address with the WAN IP in it. If you have multiple WAN addresses this should be a group. Hopefully you have a static IP address. If not it is possible to use your Dynamic DNS address (something.fortiddns.com) in a URL address. I named mine WAN_IP
Step3; Start the CLI console and enter the following commands:
config firewall local-in-policy
set intf “wan1”
set srcaddr “GoodGeo”
set dstaddr “WAN_IP”
set action accept
set service “IKE”
set schedule “always”
Step4 (Optional) Enable viewing the Local-In-Policy but note that you cannot edit it in the GUI.
Due to some lapse in Forti-Logic the rule created does not show up when you make the Local-In-Policy visible. :/ maybe after a reboot, maybe you need to use SSH. Who knows, I don’t have a Forti-brain.