alwis
Staff
September 30, 2024

Technical Tip: Local-in policy not working due to a difference between the registered location and the physical location of IP addresses

Description

This article describes an issue where a local-in policy configured to block addresses from a certain region (country) does not block as expected.

Scope

FortiGate.

Solution

Refer to the local-in policy configured below:


config firewall local-in-policy
    edit 1
        set uuid c1326b62-ab02-51ee-ab9b-3751cf89892a
        set intf "port1"
        set srcaddr "Country RU"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end


The block is expected to work, but because the registered location and the physical location of the source address differ, the access still succeeds.


Example:


diagnose firewall ipgeo ip2country 62.233.39.35
62.233.39.35 is in country: NL, registered country is RU, is not anycast ip.


The registered country of this address is Russia (RU), but its physical location is the Netherlands (NL). The geography address for the physical location (Netherlands) must therefore also be added to the source address of the local-in policy: a local-in policy matches on the physical location only, because the GeoIP-match option that allows matching on the registered location is supported only in normal firewall policies, not in local-in policies.
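As an added example (not configuration from the original article), the following CLI creates a geography address object for the physical location and adds it to the local-in policy beside the registered-country object. The object name "Country NL" is an assumed name; the uuid and the "Country RU" object are taken from the article's own configuration, and the action is written out explicitly rather than relying on the local-in policy default.

```text
config firewall address
    edit "Country NL"
        set type geography
        set country "NL"
    next
end

config firewall local-in-policy
    edit 1
        set uuid c1326b62-ab02-51ee-ab9b-3751cf89892a
        set intf "port1"
        set srcaddr "Country RU" "Country NL"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
```

After applying the change, re-run `diagnose firewall ipgeo ip2country <address>` for the source in question: the policy now blocks it whether it is evaluated by its physical country (NL) or its registered country (RU). Note that on a regular firewall policy the same result can be achieved with the policy's `geoip-match registered-location` setting (a firewall-policy setting, not something shown in this article); local-in policies do not offer it, which is why both geography objects are needed here.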


Related articles:

Technical Tip: Commands to verify GeoIP information and troubleshoot GeoIP database

Technical Tip: Registered location and physical location of IP addresses