Technical Tip: Updating FortiGate IP Geography Database
| Description | This article describes how to update the FortiGate Geo-IP database and how to use it to block or permit traffic from specific geographic location(s). Blocking or permitting traffic by geographic location is only as accurate as the Geo-IP database on the unit, and one way to ensure accuracy is to keep that database up to date. |
| Scope | FortiGate. |
| Solution |
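To check the Geo-IP database version currently installed on the unit (the output begins at the 'IP Geography DB' entry):
diagnose autoupdate versions | grep "IP Geography" -A 6
Note: The latest IP Geolocation Database version can be verified from the FortiGuard site.
To trigger an update of the Geo-IP database from the CLI:
execute update-geo-ip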
To use the Geo-based Firewall Address in the Policy:
In this example, traffic involving a specific country (CZ) is set to DENY in both directions: from the Internet (wan1) to the FortiGate dmz, and from dmz to the Internet (wan1).
Go to Policy & Objects -> Firewall Policy -> Create New and set the Source or Destination to the geography-based firewall address.
If the traffic to be allowed or blocked from specific geographic location(s) is destined for one of the FortiGate interfaces, configure a local-in policy instead of a firewall policy.
Note: This feature needs to be enabled under System -> Feature Visibility -> Local In Policy. Custom local-in policies can be configured from the GUI starting from v7.6.0. For earlier firmware versions, local-in policies are only configurable via CLI.
Refer to the example below where traffic is denied from Geo-IP address 'CZ' from the wan1 interface to all:
|
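The local-in policy described above (deny traffic from Geo-IP address 'CZ' arriving on wan1 to all), written out as FortiOS CLI. This is an added example, not the configuration from the original article: the address object name "Geo-CZ" and the policy ID 1 are assumptions, so adjust them to the unit's existing objects and policy numbering.

```fortios
# Added example. "Geo-CZ" and policy ID 1 are assumed names/IDs.

# 1. Confirm the installed Geo-IP database version, then refresh it,
#    so the country-to-IP mapping used below is current.
diagnose autoupdate versions | grep "IP Geography" -A 6
execute update-geo-ip

# 2. Create a geography-based firewall address for the country code.
config firewall address
    edit "Geo-CZ"
        set type geography
        set country "CZ"
    next
end

# 3. Deny traffic sourced from that country when it is destined for
#    the FortiGate itself on wan1 (management access, VPN endpoints
#    and similar). Traffic passing through to dmz still needs the
#    firewall policy described earlier.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Geo-CZ"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
        set status enable
    next
end

# 4. Review the resulting policy.
show firewall local-in-policy
```

Re-run the version check in step 1 after the update to confirm that the database version changed before relying on the policy.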




