How to restrict access to VPN and “Access Portal” using Geo Location?

We want to use WatchGuard's Geo Location to restrict access to our "Access Portal" and "Mobile VPN" connections, but see no options and the corresponding "Firewall Policies" don't seem to honour the Geo Location configuration.

I'm struggling to find resources on the scenario either via Google or WG documentation. Surely, this should be possible? Does anyone have any success with doing something similar?

What we've tried

  • For the "Access Portal" it generates a Firewall policy called "WatchGuard SSLVPN" (not very meaningful in the context of the Access Portal it is for), but changing the Geo Location for that has no effect and clients can connect to the Access Portal regardless of their IP location.

  • For the "Mobile VPN" it generates an "Allow IKEv2-Users" firewall policy, but changing the Geo Location for that policy has no effect and clients can establish VPN connections regardless of IP location. In my mind this rule is for when the VPN tunnel has already been established and 'feels' like it is too late in the pipeline; it would need to be blocked sooner/upstream.

Would really appreciate any insights you might have.

Best Answer

  • Accepted answer (edited April 2021)

    Once you disable the default IPSec policy, you can add as many specific IPSec policies as needed.
    For example, you could add one for each of or for all BOVPNs - From: specific IP addrs or FQDNs of the other ends of the BOVPN sites, and have a lower priority policy for client IPSec VPN access.

    Again, as I have no ability to use the Access Portal, I have no idea how the Access Portal really works in relation to client VPN connections, but I assume that it is just a variation of an authentication method, and thus I assume that the above policy setups will work for you.

Answers

  • There are a number of "hidden" policies in the WG software.
    So for IPSec user VPN connections, the policies are for connections by authenticated users, well after the IPSec connection attempts.

    You can disable the built-in IPSec policy and add your own, which should control this access.
    Note that this will also potentially affect BOVPN connections.

    You can see some details about this here:
    Implications of disabling the built-in IPSec policy
    https://community.watchguard.com/watchguard-community/discussion/comment/7116

    I can't comment about the Access Portal, as I don't use it. Not supported on my firewall desktop model -:(

  • Thanks for your reply.
    So basically, we disable built-in IPSec policy and manually define it. OK - that could work - hopefully there aren't other hidden functions attached to that.

    We do however use multiple BOVPN connections. I'm less clear about what the mitigation is for that. Would we also create firewall policies for that and what would that look like? What about rekeying?

    On the surface, it doesn't seem great, and I couldn't find anything on the Access Portal side either.

    Thanks again.

  • OK, so we've disabled the built-in IPSec policy and created a manual Firewall Policy for the IKEv2 Mobile VPN connections (note, be sure to use the built-in "IPSec" policy type when creating it).

    The geolocation and other functions (Traffic Management and Scheduling) now seem to take effect.

    Interestingly we did not need to create additional IPSec Firewall Policies for each BOVPN interface. Maybe because they are Point-to-Point (Static IP to Static IP).

    Thanks for your help @Bruce_Briggs
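The thread's conclusion is a question of policy ordering: the hidden built-in IPSec policy matches the IKE/ESP traffic before any user-defined policy, and "Allow IKEv2-Users" only ever sees traffic that arrives through an already-established tunnel, so a Geo Location restriction placed on it acts too late. The toy model below is an added example (not WatchGuard code, and not from any poster in this thread) that simulates first-match policy evaluation to show both outcomes: the default setup, and the setup the thread ends with (built-in IPSec policy disabled, custom IPSec policy with a geo restriction in its place). The policy names, the two-entry geo table and the blocked country code "XX" are constructed for the illustration.

```python
"""Toy first-match policy evaluator illustrating where a geo restriction takes
effect for IKEv2 Mobile VPN. Constructed example; not WatchGuard's code or data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed geo table (documentation prefixes -> made-up country codes).
GEO_TABLE: Dict[str, str] = {"203.0.113.": "XX", "198.51.100.": "GB"}


def lookup_country(ip: str) -> str:
    """Longest-prefix lookup is overkill for this toy; a prefix scan suffices."""
    for prefix, cc in GEO_TABLE.items():
        if ip.startswith(prefix):
            return cc
    return "??"


@dataclass
class Policy:
    name: str
    protos: FrozenSet[str]          # e.g. {"udp/500", "udp/4500", "esp"} or {"any"}
    inside_tunnel: bool             # True: only traffic arriving via an established tunnel
    blocked_countries: FrozenSet[str] = frozenset()
    hidden: bool = False            # built-in policies the GUI does not list
    enabled: bool = True

    def matches(self, pkt: Dict) -> bool:
        if not self.enabled or pkt["inside_tunnel"] != self.inside_tunnel:
            return False
        return "any" in self.protos or pkt["proto"] in self.protos


def evaluate(policies: List[Policy], pkt: Dict) -> Tuple[str, str]:
    """First matching policy decides; its geo restriction is applied at that point."""
    cc = lookup_country(pkt["src"])
    for pol in policies:
        if pol.matches(pkt):
            if cc in pol.blocked_countries:
                return ("deny", pol.name)
            return ("allow", pol.name)
    return ("deny", "default-deny")


IPSEC_PROTOS = frozenset({"udp/500", "udp/4500", "esp"})


def build_policies(builtin_ipsec_enabled: bool,
                   custom_ipsec: Optional[Policy] = None) -> List[Policy]:
    """Hidden built-in IPSec policy first, optional custom IPSec policy next,
    then the generated post-tunnel 'Allow IKEv2-Users' policy with a geo block."""
    pols = [Policy("IPSec (built-in, hidden)", IPSEC_PROTOS, inside_tunnel=False,
                   hidden=True, enabled=builtin_ipsec_enabled)]
    if custom_ipsec is not None:
        pols.append(custom_ipsec)
    pols.append(Policy("Allow IKEv2-Users", frozenset({"any"}), inside_tunnel=True,
                       blocked_countries=frozenset({"XX"})))
    return pols


def ike_attempt(src: str) -> Dict:
    """IKE_SA_INIT arriving on UDP/500 from the internet, before any tunnel exists."""
    return {"src": src, "proto": "udp/500", "inside_tunnel": False}


def tunnelled_traffic(src: str) -> Dict:
    """Traffic from the same peer after the tunnel is up (e.g. SMB to a file server)."""
    return {"src": src, "proto": "tcp/445", "inside_tunnel": True}


def scenario_default(src: str = "203.0.113.5") -> Dict[str, Tuple[str, str]]:
    """Default setup: geo block only on 'Allow IKEv2-Users'. The IKE handshake is
    admitted by the hidden policy, so the tunnel is established first."""
    pols = build_policies(builtin_ipsec_enabled=True)
    return {"ike": evaluate(pols, ike_attempt(src)),
            "inside": evaluate(pols, tunnelled_traffic(src))}


def scenario_custom(src: str = "203.0.113.5") -> Dict[str, Tuple[str, str]]:
    """Thread's fix: built-in IPSec policy disabled, custom IPSec-type policy with
    the geo restriction in its place, so the block lands on the IKE attempt."""
    custom = Policy("IPSec-MobileVPN (custom)", IPSEC_PROTOS, inside_tunnel=False,
                    blocked_countries=frozenset({"XX"}))
    pols = build_policies(builtin_ipsec_enabled=False, custom_ipsec=custom)
    return {"ike": evaluate(pols, ike_attempt(src)),
            "inside": evaluate(pols, tunnelled_traffic(src))}


if __name__ == "__main__":
    for name, fn in (("default", scenario_default), ("custom", scenario_custom)):
        for peer in ("203.0.113.5", "198.51.100.7"):
            print(name, peer, lookup_country(peer), fn(peer))
```

In the default scenario the blocked-country peer's IKE packet is allowed by the hidden built-in policy and only the post-tunnel traffic is denied, which matches the original poster's observation that the geo setting on "Allow IKEv2-Users" does nothing visible to the VPN connection itself. In the custom scenario the same peer is denied at the IKE attempt while a peer from an allowed country is admitted, which is the behaviour the thread reports after disabling the built-in IPSec policy. Real firewalls also have state tables, NAT-T and BOVPN peers to consider; this model only captures the ordering point.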
