Fortigate GeoFilter on Dial VPN

One of the standard methods of remote access is Dial VPN, which is usually only single factor authentication. It uses username + password + PreShared Key which are all “something you know”. Many copies of “something you know” is still just 1 factor.

To mitigate this I looked up how to Geo-Filter inbound requests. Except the Fortinet document is a little dated and some services have different names now. So i present the slightly updated version with notes added.

Step1; Create a named group, even if you only want to allow a single country now, you will inevitably need to add another in the future, and since we are using the command line this will cause some pain in your posterior. I named mine GoodGeo

Step2; we need a named address with the WAN IP in it. If you have multiple WAN addresses this should be a group. Hopefully you have a static IP address. If not it is possible to use your Dynamic DNS address (something.fortiddns.com) in a URL address. I named mine WAN_IP

Step3; Start the CLI console and enter the following commands:

config firewall local-in-policy
edit 1
set intf “wan1”
set srcaddr “GoodGeo”
set dstaddr “WAN_IP”
set action accept
set service “IKE”
set schedule “always”

Step4 (Optional) Enable viewing the Local-In-Policy but note that you cannot edit it in the GUI.

Enable this and a new menu appears under Policy&Objects named Local In Policy.

Due to some lapse in Forti-Logic the rule created does not show up when you make the Local-In-Policy visible. :/ maybe after a reboot, maybe you need to use SSH. Who knows, I don’t have a Forti-brain.

Original https://kb.fortinet.com/kb/documentLink.do?externalID=FD45208