{"id":756,"date":"2020-04-24T17:12:43","date_gmt":"2020-04-24T21:12:43","guid":{"rendered":"https:\/\/increasec.com\/?p=756"},"modified":"2022-10-08T12:30:56","modified_gmt":"2022-10-08T16:30:56","slug":"fortigate-geofilter-on-dial-vpn","status":"publish","type":"post","link":"https:\/\/increasec.com\/?p=756","title":{"rendered":"Fortigate GeoFilter on Dial VPN"},"content":{"rendered":"\n<p>One of the standard methods of remote access is dial-up IPsec VPN (Dial VPN), which is usually only single-factor authentication.  It uses username + password + pre-shared key, all of which are &#8220;something you know&#8221;.  Several copies of &#8220;something you know&#8221; are still just one factor.<\/p>\n\n\n\n<p>To mitigate this I looked up how to geo-filter inbound IKE requests.  Geo-filtering does not add a second factor, but it removes most of the Internet from the set of hosts that can even attempt IKE against the firewall.  The Fortinet document is a little dated and some services have different names now, so I present a slightly updated version with notes added.<\/p>\n\n\n\n<p>Step 1: Create a named address group containing the geography (country) addresses you want to allow.  Even if you only want to allow a single country now, you will inevitably need to add another in the future, and because the policy is configured from the command line, changing its source address later is a pain.  I named mine GoodGeo.<\/p>\n\n\n\n<p>Step 2: Create a named address containing the WAN IP.  If you have multiple WAN addresses this should also be a group.  Hopefully you have a static IP address; if not, it is possible to use your dynamic DNS name (something.fortiddns.com) in an FQDN address.  
 I named mine WAN_IP.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"795\" height=\"658\" src=\"https:\/\/increasec.com\/wp-content\/uploads\/2020\/04\/image-1.png\" alt=\"\" class=\"wp-image-759\" srcset=\"https:\/\/increasec.com\/wp-content\/uploads\/2020\/04\/image-1.png 795w, https:\/\/increasec.com\/wp-content\/uploads\/2020\/04\/image-1-300x248.png 300w, https:\/\/increasec.com\/wp-content\/uploads\/2020\/04\/image-1-768x636.png 768w, https:\/\/increasec.com\/wp-content\/uploads\/2020\/04\/image-1-710x588.png 710w\" sizes=\"auto, (max-width: 795px) 100vw, 795px\" \/><\/figure>\n\n\n\n<p>Step 3: Start the CLI console and enter the following commands.  Local-in policies have no implicit deny, so the accept rule on its own changes nothing; it must be followed by an explicit deny for IKE (UDP 500 and 4500) from all other sources, otherwise every country can still reach the VPN.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>config firewall local-in-policy\n    edit 1\n        set intf \"wan1\"\n        set srcaddr \"GoodGeo\"\n        set dstaddr \"WAN_IP\"\n        set action accept\n        set service \"IKE\"\n        set schedule \"always\"\n    next\n    edit 2\n        set intf \"wan1\"\n        set srcaddr \"all\"\n        set dstaddr \"WAN_IP\"\n        set action deny\n        set service \"IKE\"\n        set schedule \"always\"\n    next\nend<\/code><\/pre>\n\n\n\n<p>Step 4 (optional): Enable Local In Policy under Feature Visibility so you can view the policy in the GUI, but note that you cannot edit it there.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"525\" src=\"https:\/\/increasec.com\/wp-content\/uploads\/2020\/04\/image-1024x525.png\" alt=\"\" class=\"wp-image-757\" srcset=\"https:\/\/increasec.com\/wp-content\/uploads\/2020\/04\/image-1024x525.png 1024w, https:\/\/increasec.com\/wp-content\/uploads\/2020\/04\/image-300x154.png 300w, https:\/\/increasec.com\/wp-content\/uploads\/2020\/04\/image-768x394.png 768w, https:\/\/increasec.com\/wp-content\/uploads\/2020\/04\/image-710x364.png 710w, https:\/\/increasec.com\/wp-content\/uploads\/2020\/04\/image.png 1338w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Enable this and a new menu appears under Policy&amp;Objects named Local In Policy.<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" 
 decoding=\"async\" width=\"660\" height=\"316\" src=\"https:\/\/increasec.com\/wp-content\/uploads\/2022\/09\/image-1.png\" alt=\"\" class=\"wp-image-2211\" srcset=\"https:\/\/increasec.com\/wp-content\/uploads\/2022\/09\/image-1.png 660w, https:\/\/increasec.com\/wp-content\/uploads\/2022\/09\/image-1-300x144.png 300w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\" \/><\/figure>\n\n\n\n<p>Local-in policies are kept separate from the normal firewall policies, and clicking the IPsec entry in the GUI reveals no details; you need the GUI CLI console or SSH to see the policy itself.<\/p>\n\n\n\n<p>Highly recommended: if you have email alerts turned on, you will otherwise get an alert every time China scans your firewall for IKE.<\/p>\n\n\n\n<p>Original: https:\/\/kb.fortinet.com\/kb\/documentLink.do?externalID=FD45208<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the standard methods of remote access is Dial VPN, which is usually only single factor authentication. It uses username + password + PreShared Key which are all &#8220;something&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[86,74,106],"class_list":["post-756","post","type-post","status-publish","format-standard","hentry","category-uncategorised","tag-fortinet","tag-geofilter","tag-vpn"],"_links":{"self":[{"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/posts\/756","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/increasec.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=756"}],"version-history":[{"count":6,"href":"https:\/\/increasec.com\/index.php?rest_r
oute=\/wp\/v2\/posts\/756\/revisions"}],"predecessor-version":[{"id":2216,"href":"https:\/\/increasec.com\/index.php?rest_route=\/wp\/v2\/posts\/756\/revisions\/2216"}],"wp:attachment":[{"href":"https:\/\/increasec.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/increasec.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=756"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/increasec.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
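The four steps of the post as one complete FortiOS CLI configuration, added here as an example that is not part of the original post or of the Fortinet KB article it references. The names GoodGeo, WAN_IP and the interface wan1 are the post's own; the geography addresses Geo_CA and Geo_US (ISO 3166 country codes CA and US), the WAN address 203.0.113.10 and the policy IDs 1 and 2 are constructed placeholders, and the `#` lines are annotations (strip them if your CLI version rejects them). The second local-in policy is the part the post's original snippet lacked: local-in policies have no implicit deny, so without it the accept rule matches the allowed countries and everyone else is still accepted by default.

```fortios
# Geography addresses: one object per allowed country (constructed example codes).
config firewall address
    edit "Geo_CA"
        set type geography
        set country "CA"
    next
    edit "Geo_US"
        set type geography
        set country "US"
    next
    # The firewall's own WAN address as a /32 (constructed placeholder IP).
    # The post's FQDN variant would instead use: set type fqdn / set fqdn "<ddns name>".
    edit "WAN_IP"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Step 1: the group referenced by the policy, so countries can be added later
# without touching the policy.
config firewall addrgrp
    edit "GoodGeo"
        set member "Geo_CA" "Geo_US"
    next
end

# Step 3: accept IKE (UDP 500 and 4500) from the allowed countries, then deny
# IKE from everywhere else. Order matters: policies are evaluated top down.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "GoodGeo"
        set dstaddr "WAN_IP"
        set action accept
        set service "IKE"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "WAN_IP"
        set action deny
        set service "IKE"
        set schedule "always"
    next
end
```

To confirm the result, `show firewall local-in-policy` prints both entries in evaluation order, and `diagnose sniffer packet wan1 'udp port 500 or udp port 4500' 4` shows inbound IKE from a blocked country arriving with no reply from the FortiGate, while a client in an allowed country still completes the exchange. Adding a country later is `config firewall addrgrp`, `edit "GoodGeo"`, `append member "Geo_GB"` (another placeholder name), which is why Step 1 insists on a group rather than a single address.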