Technical Tip: How to block traffic from an unlisted region in a country

The Geo location feature applies to countries only. Crimea does not appear in the country list as it is a region. IP addresses coming from this region are likely to be categorized as coming from 2 countries.

To block connections from the Crimea region, either block individual IPs directly (this is not realistically feasible as the IP list could be very large), or block the IP range belonging to the countries.

The list of IPs can be obtained with the following command:

diagnose geoip iprange Ukraine
diagnose geoip iprange 'Russian Federation'

If the IP falls under the required subnet, the country can be blocked as required.

Blocking an entire country IP range is not recommended unless necessary. The recommended solution is to use a threat feed.

To configure a threat feed, see Technical Tip: External threat list (threat feed) blocked via the firewall IPv4 policy.

The feed with a list of IPs can be obtained by selecting 'crimea_ip (FortiGuard filestore)'.

The URL obtained from the page can be used under the external resource field.