Is it possible to restrict SSL VPN logon page (https://address/sslvpn_logon.shtml) accessibility to a certain number of IP addresses?
You can turn the page completely off in v12.5.4+ by issuing the following command on the Fireware CLI:
"no sslvpn web-download enable"
It can't be set to specific IPs, but you can point the users to software.watchguard.com to download the client directly from our website. (It'll be listed as Mobile VPN w/SSL under each firewall for Windows and macOS.)
WatchGuard Customer Support
Reference page 309 here if you'd like to see more: https://www.watchguard.com/help/docs/fireware/12/en-US/CLI/CLI_Reference_v12_6.pdf
Thanks for your prompt reply.
Would running "no sslvpn web-download enable" command affect users' Mobile VPN?
No, it just disables the download page itself.
The "WatchGuard SSLVPN" and "Allow SSLVPN_Users" policies are what govern users' access in and out of the firewall.
Note that the firewall still listens on the SSLVPN port (443 by default) since that's the socket the VPN users connect to. If a user tries to surf to that page after running that command, they won't get a page back.
You can also revert the command by issuing "sslvpn web-download enable".