Azarudeen
Explorer
June 9, 2025
Question

Allow Specific Subnet from Geo-Blocked Country

  • June 9, 2025
  • 1 reply
  • 636 views

We have an issue allowing a specific subnet from a blocked country. We have a geo-block country firewall policy placed at the top. We have also created an IPsec tunnel with inbound and outbound policies for tunnel communication. However, the remote IP address is a public IPv4 address that belongs to one of the blocked countries.
So how can we allow this subnet? Please suggest all possible ways.

FortiGate 

    1 reply

    funkylicious
    SuperUser
    June 9, 2025

    Create an object with that IP/subnet/range and then create a firewall rule allowing access by placing it above the deny rule.

    "jack of all trades, master of none"
    Azarudeen (Author)
    Explorer
    June 9, 2025

    If I’m correct, a new policy needs to be created above the existing deny policy.

    I have a couple of questions:

    1. How should I define the source interface (srcintf) and destination interface (dstintf), as well as the source and destination addresses, in the new policy?

    2. I already have a customized policy for the IPsec VPN connection, but it is placed below the deny policy.

    If I make these changes, will the traffic flow through the new policy or the existing VPN policy?
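The approach funkylicious describes above (an address object plus an accept policy moved above the geo-block deny), written out as a FortiOS CLI example. This is an added illustration, not configuration from the thread or from Fortinet: the interface names `wan1` and `lan`, the subnet 203.0.113.0/24, the country code `XX`, the destination object `Internal-Servers`, and the policy IDs 5 (existing geo-block deny) and 10 (new accept policy) are all assumptions and must be replaced with the real values.

```fortios
# Added example, not from the original thread. Assumed names: wan1, lan,
# 203.0.113.0/24 (documentation range), country code XX, and policy IDs 5 and 10.

# 1. Address object for the specific subnet that must be allowed.
config firewall address
    edit "Partner-Subnet"
        set type ipmask
        set subnet 203.0.113.0 255.255.255.0
    next
end

# For reference: the geography object assumed to be used by the existing
# deny policy (ID 5). Geography objects match the whole country, which is
# why the more specific accept policy has to be evaluated first.
config firewall address
    edit "Geo-Blocked-Country"
        set type geography
        set country "XX"
    next
end

# 2. Accept policy for that subnet only. Keep the destination and service as
#    narrow as possible so the exception does not reopen the whole country.
config firewall policy
    edit 10
        set name "Allow-Partner-Subnet"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "Partner-Subnet"
        set dstaddr "Internal-Servers"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# 3. Ordering. Policies are evaluated top-down and the first full match wins,
#    so the accept policy (10) must sit above the geo-block deny (5).
config firewall policy
    move 10 before 5
end
```

On the follow-up question: FortiGate uses the first policy, from the top, whose srcintf, dstintf, source, destination, service and schedule all match the packet, so traffic from that subnet will take whichever matching policy is higher in the list. Note that the srcintf must be the interface the traffic actually arrives on: packets that come out of the IPsec tunnel arrive on the tunnel interface, not on `wan1`, so a policy written for `wan1` only affects traffic hitting the physical WAN interface, and the existing VPN policy (with the tunnel as srcintf) keeps handling decrypted tunnel traffic regardless of where the new policy sits.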