Technical Tip: How to block traffic from a particular country
Description
This article describes how to block traffic coming from a particular country.
Scope
FortiGate.
Solution
- Create a geography-based address object.
- Go to Policy and Objects -> Addresses, select 'Create New' and fill in the fields as below:
Name: the country name. Example: China.
Type: Geography.
Interface: wan1.
Enable 'Show in Address List' and select 'OK'.

- Create a WAN-to-LAN deny policy whose source address is the geography address object just created. In this case:
Source: China.
Destination: all.
If any VIP policies exist, keep this deny policy above the VIP policies.

- However, incoming traffic destined to a VIP will still match the normal VIP policies: with the default match-vip setting, a deny policy with destination 'all' does not match traffic addressed to a VIP.
- Make the change below to the deny policy in the CLI:
config firewall policy
edit <firewall policy number>
set match-vip enable
next
end
- Traffic from China, including traffic to the VIPs, is now blocked.
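As an added example (not part of the original article), the script below parses a constructed 'config firewall policy' excerpt and checks the two points made above: the geography deny policy must sit above any accept policy and must have match-vip enabled. The policy names and the WEB_VIP object in the sample are made up for the demonstration.

```python
# Constructed sample: a FortiOS 'config firewall policy' excerpt, not taken from a real device.
SAMPLE_CONFIG = """\
config firewall policy
    edit 10
        set name "Block-China"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "China"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
    edit 20
        set name "Web-VIP"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "WEB_VIP"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
"""

def parse_policies(text):
    """Return the policies in order as a list of (id, {key: value}) from the firewall policy block."""
    policies, current, in_block = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = (int(line.split()[1]), {})
        elif line.startswith("set ") and current is not None:
            key, _, val = line[4:].partition(" ")
            current[1][key] = val.strip('"')      # single-value settings only
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif line == "end":
            break
    return policies

def audit_geo_block(policies, geo_addr):
    """Findings for the deny policy sourced from geo_addr: it must exist, have
    match-vip enabled, and sit above every accept policy so VIP-bound traffic is still blocked."""
    findings = []
    idx = next((i for i, (_, p) in enumerate(policies)
                if p.get("srcaddr") == geo_addr and p.get("action") == "deny"), None)
    if idx is None:
        return [f"no deny policy with srcaddr {geo_addr}"]
    pid, pol = policies[idx]
    if pol.get("match-vip") != "enable":
        findings.append(f"policy {pid}: match-vip not enabled, VIP-bound traffic bypasses the block")
    for aid, above in policies[:idx]:
        if above.get("action") == "accept":
            findings.append(f"policy {pid}: accept policy {aid} is ordered above it")
    return findings
```

Run audit_geo_block(parse_policies(show_output), "China") against a real 'show firewall policy' dump to confirm the deny policy is effective before relying on it.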
The second solution is to create a local-in policy for the traffic coming from China. Note that a local-in policy only governs traffic addressed to the FortiGate itself (management access, VPN and similar services), not traffic forwarded through it, and its action defaults to deny, so no action line is needed. Select Local-in-policy in the GUI and create a new one, or use the CLI:
config firewall local-in-policy
edit 1
set uuid fb3ffa72-749c-51ef-9bec-48282427934a
set intf "port1"
set srcaddr "China"
set dstaddr "all"
set service "ALL"
set schedule "always"
next
end
To add more countries, create a Geography address for each one, include them in an address group, and then add the address group to the local-in-policy as shown below:
config firewall local-in-policy
edit 1
set uuid fb3ffa72-749c-51ef-9bec-48282427934a
set intf wan1
set srcaddr ?
*name Address name.
BLOCK_CHINA address
BLOCK_IRAQ address
BLOCKED_COUNTRIES addrgrp
set srcaddr BLOCKED_COUNTRIES
set dstaddr all
set service ALL
set schedule always
next
end