Rajan_kohli
Staff
August 13, 2023

Technical Tip: Blocking Geolocations for SSL VPN and management access with a local in policy

Description

This article shows how to block geolocations for SSL-VPN and management access with a local policy.

Scope

FortiGate v6.x.x and v7.x.x.
Solution
  1. Create a geolocation-based address object to block. Navigate to Policy & Objects -> Addresses and create a new address.

[Screenshot: address.PNG]

  2. Go to the CLI and configure a local-in policy as shown in the screenshot below. For srcaddr, supply the name of the address object created in step 1.

[Screenshot: local in policy.PNG]

The name of the address created above is 'china', so the following configuration is used in this example:


config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "china"
        set dstaddr "all"
        set action "deny"
        set service ALL
        set schedule "always"
        set status "enable"
    next
end
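As an added example (not part of the original article), the following Python script parses `show firewall local-in-policy` output into a dictionary and reports where any policy that references a given geolocation address differs from the deny policy above (action, status, intf, service). The sample output is constructed for the example.

```python
import shlex
# Constructed sample of `show firewall local-in-policy` output; not taken from a real device.
SAMPLE = """\
config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "china"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set status enable
    next
    edit 2
        set intf "port1"
        set srcaddr "russia"
        set action accept
        set service "HTTPS"
        set status disable
    next
end
"""

def parse_local_in(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse edit/set/next blocks into {policy_id: {setting: [values]}}; shlex keeps quoted names whole."""
    policies, current, cur_id = {}, {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            cur_id, current = line.split(None, 1)[1], {}
        elif line.startswith("set ") and cur_id:
            _, key, value = line.split(None, 2)
            current[key] = shlex.split(value)
        elif line == "next" and cur_id:
            policies[cur_id], cur_id = current, ""
    return policies

def audit_geo_block(policies: dict[str, dict[str, list[str]]], address: str) -> list[str]:
    """Report where each policy referencing `address` differs from the article's deny example."""
    # Empty result: an enabled policy denies the address on any interface for all services.
    # A deliberately narrower interface scope is reported too, so read findings in context.
    matches = {pid: p for pid, p in policies.items() if address in p.get("srcaddr", [])}
    if not matches:
        return [f"no local-in policy references address '{address}'"]
    expected = {"action": ["deny"], "status": ["enable"], "intf": ["any"], "service": ["ALL"]}
    findings = []
    for pid, p in matches.items():
        for key, want in expected.items():
            if p.get(key) != want:
                findings.append(f"policy {pid}: {key} is {' '.join(p.get(key, ['unset']))}, expected {want[0]}")
    return findings
```

Paste the real `show firewall local-in-policy` output in place of SAMPLE to audit a device.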

Notes:

  • Starting from FortiGate v7.6.0, the local-in policy can also be configured in the GUI. Refer to Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.
  • Once a client has connected to the VPN, its traffic cannot be restricted by geolocation in a firewall policy, because it reaches the firewall with a private (tunnel) IP address.


Related documents:
Technical Tip: Restricting/Allowing access to the FortiGate SSL-VPN from specific countries or IP addresses with local-in-policy
Technical Tip: Restricting SSL VPN connectivity from certain countries using firewall geography addresses
Technical Tip: Debug flow tool
Local-in policies
Technical Tip: Restrict unauthorized access on the SSL VPN service