|
Note:
For the purposes of this article, assuming that all other SSL VPN settings have been configured, access will restricted or allowed to the SSL VPN from users in Canada and the United States only.
GUI configuration:
- Create geo-ip addresses for Canada and the United States:
- In the GUI, go to Policy & Object -> Addresses and select 'Create New'.
- Once on the 'New Address' page, configure the below fields:
Category: Address
Name: geo-ip_Canada
Type: Geography
Country/Region: Canada
Note:
It is possible to change the 'Color' and 'Interface' fields to leave at defaults.
- Select 'OK' at the bottom of the page.
- Repeat the above steps for the United States geo-ip address.
- Once the geo-ip address objects have been created for Canada and the United States, they need to be referenced in the 'Restrict Access' section of the sslvpn settings page.
- In the GUI, go to VPN -> SSL-VPN Settings, ensure that 'Limit access to specific hosts' is selected in the 'Restrict Access' section and that the 'geo-ip_Canada' and 'geo-ip_UnitedStates' geo-ip address objects are selected in the 'Hosts' section.
- Select 'Apply' at the bottom of the page.
CLI configuration:
- Use the below CLI commands to create geo-ip addresses for Canada and the United States:
config firewall address
edit geo-ip_Canada
set type geography
set country CA
next
edit geo-ip_UnitedStates
set type geography
set country US
next
end
- Once the geo-ip address objects have been created for Canada and the United States, they need to be referenced in the SSL VPN settings using the below commands.
config vpn ssl settings
set source-address "geo-ip_Canada" "geo-ip_UnitedStates"
end
Note:
If there are SSL VPN authentication rules that have the source-address defined as 'all', the globally configured source-address will not work.
Make sure to remove source-address from the authentication rules, or configure appropriate source-addresses from allowed countries for each authentication rule.
|
