FortiGate
adimailig
Staff
Article Id 259689
Description: This article explains how to restrict or block SSL VPN connections to a FortiGate that originate from a LAN segment directly connected to that same FortiGate.
Scope: FortiGate, SSL VPN.
Solution

1) Use 'source-address-negate enable' and list the denied address objects in the SSL VPN settings.
The following example denies all RFC 1918 (private) ranges from using SSL VPN:

config firewall address
    edit "10.0.0.0/8"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "172.16.0.0/12"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "192.168.0.0/16"
        set subnet 192.168.0.0 255.255.0.0
    next
end

config firewall addrgrp
    edit "RFC1918_RANGES"
        set member "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
    next
end

config vpn ssl settings
    set source-address "RFC1918_RANGES"
    set source-address-negate enable
end
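To verify what the 'source-address' / 'source-address-negate' pair in step 1 does before applying it, the following added example (not Fortinet code and not part of the original article) parses the small subset of FortiOS CLI used above and answers, for a given client IP, whether the SSL VPN settings would accept the connection. It assumes that an unset source-address means any source, that address objects only use 'set subnet <ip> <mask>', and the sample configuration embedded in it is a constructed copy of the step 1 block; it also evaluates the same block with negate left at its default to show that the list then becomes an allowlist of private addresses, the opposite of what is intended.

```python
"""Offline check of the 'source-address-negate' logic from step 1.

Added example, not Fortinet code. Assumptions: an unset source-address means
'any source'; address objects only use 'set subnet <ip> <mask>' (no ranges,
no FQDNs); no nested config blocks inside an edit entry.
"""
import ipaddress
import shlex

# Constructed sample: a copy of the step 1 configuration from the article.
SAMPLE_CONFIG = """
config firewall address
    edit "10.0.0.0/8"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "172.16.0.0/12"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "192.168.0.0/16"
        set subnet 192.168.0.0 255.255.0.0
    next
end
config firewall addrgrp
    edit "RFC1918_RANGES"
        set member "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
    next
end
config vpn ssl settings
    set source-address "RFC1918_RANGES"
    set source-address-negate enable
end
"""

# Same config with the negate flag at its default, to show the allowlist trap.
SAMPLE_CONFIG_NO_NEGATE = SAMPLE_CONFIG.replace(
    "set source-address-negate enable", "set source-address-negate disable")


def parse_fortios(text):
    """Parse config/edit/set/next/end lines into {table: {entry: {key: [values]}}}.

    Table-level settings (tables without 'edit', such as 'vpn ssl settings')
    are stored under the empty entry name ''."""
    tables = {}
    table = entry = None
    for raw in text.splitlines():
        words = shlex.split(raw)          # honours the double-quoted names
        if not words:
            continue
        verb, args = words[0], words[1:]
        if verb == "config":
            table = " ".join(args)
            entry = tables.setdefault(table, {}).setdefault("", {})
        elif verb == "edit":
            entry = tables[table].setdefault(args[0], {})
        elif verb == "set":
            entry[args[0]] = args[1:]
        elif verb == "next":
            entry = tables[table][""]
        elif verb == "end":
            table = entry = None
    return tables


def resolve_networks(name, tables):
    """Expand an address object or address group name into ip_network objects."""
    if name == "all":
        return [ipaddress.ip_network("0.0.0.0/0")]
    groups = tables.get("firewall addrgrp", {})
    if name in groups:
        nets = []
        for member in groups[name].get("member", []):
            nets.extend(resolve_networks(member, tables))
        return nets
    ip, mask = tables["firewall address"][name]["subnet"]
    # ip_network accepts a dotted-quad mask, e.g. "10.0.0.0/255.0.0.0"
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False)]


def ssl_vpn_allows(client_ip, tables):
    """True if the SSL VPN settings accept a connection from client_ip.

    Negate disabled: the listed addresses are the ONLY ones allowed.
    Negate enabled: the listed addresses are denied, everything else allowed."""
    settings = tables.get("vpn ssl settings", {}).get("", {})
    sources = settings.get("source-address", ["all"])   # assumption: unset = any
    negate = settings.get("source-address-negate", ["disable"]) == ["enable"]
    addr = ipaddress.ip_address(client_ip)
    matched = any(addr in net
                  for name in sources
                  for net in resolve_networks(name, tables))
    return matched != negate


if __name__ == "__main__":
    for label, text in (("negate enable", SAMPLE_CONFIG),
                        ("negate disable", SAMPLE_CONFIG_NO_NEGATE)):
        cfg = parse_fortios(text)
        for ip in ("192.168.1.50", "10.20.30.40", "172.32.0.1", "203.0.113.7"):
            verdict = "allowed" if ssl_vpn_allows(ip, cfg) else "denied"
            print(f"{label:15} {ip:15} {verdict}")
```

Two practical points follow from the check. First, the negate flag is what turns the group into a denylist; with it disabled, 'source-address "RFC1918_RANGES"' admits only private sources and blocks every Internet client. Second, for steps 2 and 3 below, FortiOS applies 'action deny' by default when a firewall policy or local-in policy has no explicit action, so those entries deny as intended, but a firewall policy created with 'edit 0' is appended after existing policies and must be moved above any permissive LAN-to-WAN policy to take effect.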

2) Deny the SSL VPN service in a firewall policy from LAN to WAN.

config firewall address
    edit "WAN_IP"
        set subnet <Public IP/32>   -->> Public IP on the SSL VPN listening interface(s)
    next
end

config firewall service custom
    edit "SSL_VPN"
        set tcp-portrange <PORT>   -->> SSL VPN TCP port
    next
end

config firewall policy
    edit 0
        set name "DENY_SSL_VPN_SERVICE"
        set srcintf "LAN"
        set dstintf "WAN"
        set srcaddr "all"
        set dstaddr "WAN_IP"
        set schedule "always"
        set service "SSL_VPN"
        set logtraffic all
    next
end

3) Deny the SSL VPN service with a local-in policy for connections that arrive through the LAN interface.

config firewall address
    edit "WAN_IP"
        set subnet <Public IP/32>   -->> Public IP on the SSL VPN listening interface(s)
    next
end

config firewall service custom
    edit "SSL_VPN"
        set tcp-portrange <PORT>   -->> SSL VPN TCP port
    next
end

config firewall address
    edit "10.0.0.0/8"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "172.16.0.0/12"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "192.168.0.0/16"
        set subnet 192.168.0.0 255.255.0.0
    next
end

config firewall addrgrp
    edit "RFC1918_RANGES"
        set member "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
    next
end

config firewall local-in-policy
    edit 0
        set intf "WAN"   -->> SSL VPN listening interface
        set srcaddr "RFC1918_RANGES"
        set dstaddr "WAN_IP"
        set service "SSL_VPN"
        set schedule "always"
    next
end

Comments
jbernabe
Staff

This is very informative and helpful. Kudos to the Author!
