Can a FortiGate + FortiAuthenticator VPN restrict the client IP address for only some VPN users, rather than applying the restriction to all VPN users?

We are using a FortiGate appliance as the VPN gateway, which relies on a FortiAuthenticator to store account information. The accounts are created and stored on the FortiAuthenticator, not in any other LDAP or AD directory.

FortiOS 7.0.13 + FortiAuthenticator 6.5.1.

Now we need to create a temporary VPN account for a specific user to perform some specific operations, for a limited period of time only. Since this is a very specific use case, we would like to restrict this temporary VPN account so that it can only connect from pre-defined Internet client IP addresses, like an IP whitelist.

We did find some IP restriction features:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-Allowing-access-to-the-FortiGate-SSL/ta-p/222845

But they seem to be global restrictions that apply to all VPN user accounts.

Can we apply this IP restriction to specific VPN accounts only, i.e. so that other VPN accounts can still connect from any IP address?

Make a user group on the firewall referencing the user/group on FAC. In the SSL-VPN settings, create a separate authentication rule for that user group. Then, in the CLI, under the SSL-VPN settings, find the new authentication rule. You can apply a source address object there.

Yes, possible via CLI: add based on a MAC address list, or you can use a CLI authentication group for specific users to a specific list of IPs as well, in correlation.

  1. Create a new SSL-VPN portal for the specific user. You can include only the specific routes they need.

  2. Create the user account needed in the FortiAuthenticator.

  3. Assign the group to the SSL-VPN portal.

  4. Create a new firewall rule and add the new specific users in the source. (Reference your previous FW rule for SSL-VPN as a guide.)

  5. Test the account to ensure it has the required restricted access.
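The two replies above describe the same mechanism from different angles: a FortiGate user group bound to the FAC group, an SSL-VPN authentication rule for that group with a source address object, a dedicated portal, and a firewall policy scoped to the group. The following FortiOS 7.0 CLI is an added example of that configuration and is not from the thread or from Fortinet documentation; the address 203.0.113.10, the RADIUS server 10.0.0.5, the interface names, the FAC group name "temp-vpn", the object names and the schedule dates are all assumptions to be replaced with your own values.

```fortios
# Added example, not from the thread. All names, addresses and dates are assumptions.

# 1. Address object holding the client IPs the temporary account may come from
config firewall address
    edit "TEMP-VPN-ALLOWED-SRC"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# 2. FortiGate user group bound to the FortiAuthenticator RADIUS server, matching
#    the FAC user group "temp-vpn" (assumed to be returned as the RADIUS group name)
config user radius
    edit "FAC-RADIUS"
        set server "10.0.0.5"
        set secret <shared-secret>
    next
end
config user group
    edit "TEMP-VPN-GRP"
        set member "FAC-RADIUS"
        config match
            edit 1
                set server-name "FAC-RADIUS"
                set group-name "temp-vpn"
            next
        end
    next
end

# 3. Dedicated portal exposing only the routes the temporary user needs
config vpn ssl web portal
    edit "temp-portal"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "TARGET-SERVER"
    next
end

# 4. Authentication rules. Rule 1 limits TEMP-VPN-GRP to the address object;
#    rule 2 leaves every other group unrestricted ("all"). Rules match top-down.
config vpn ssl settings
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "TEMP-VPN-ALLOWED-SRC"
            set groups "TEMP-VPN-GRP"
            set portal "temp-portal"
        next
        edit 2
            set source-interface "wan1"
            set source-address "all"
            set groups "VPN-USERS"
            set portal "full-access"
        next
    end
end

# 5. One-time schedule so the policy only works during the agreed window
config firewall schedule onetime
    edit "TEMP-WINDOW"
        set start 08:00 2024/01/08
        set end 18:00 2024/01/12
    next
end

# 6. Firewall policy for the temporary group only, tied to the schedule
config firewall policy
    edit 0
        set name "TEMP-VPN-ACCESS"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "TARGET-SERVER"
        set groups "TEMP-VPN-GRP"
        set schedule "TEMP-WINDOW"
        set service "HTTPS" "SSH"
        set action accept
    next
end
```

Two checks worth making before handing the account over: the temporary user must belong only to the FAC group matched by TEMP-VPN-GRP, because a user who is also in VPN-USERS would fall through to rule 2 and connect from anywhere; and a login attempt from an address outside TEMP-VPN-ALLOWED-SRC should fail at the authentication-rule stage, which you can confirm with `diagnose debug application sslvpn -1` while testing from a non-whitelisted IP.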

You’ll need to configure SSL-VPN listening on a loopback interface, where you can then add geo restrictions to the policy. You could also enable these firewall policies only during specific time frames, etc.

Sorry for late reply due to Christmas holidays.

Sounds like these are the solutions I need :

>>Make a user group on the firewall referencing the user/group on FAC. In the SSL-VPN settings, create a separate authentication rule for that user group. Then, in the CLI, under the SSL-VPN settings, find the new authentication rule. You can apply a source address object there.

>>Yes, possible via CLI: add based on a MAC address list, or you can use a CLI authentication group for specific users to a specific list of IPs as well, in correlation.

Nonetheless, thanks to all of you for answering, and (belated) Merry Christmas 🙂

This is not what OP wants. OP wants to restrict the connections from that user to a specific source. Authentication rules are needed here as the other poster mentioned.