Technical Tip: FortiWeb CLI does not support 'config waf geo-block-list'
Description
This article describes why the CLI does not support 'config waf geo-block-list'.
FortiWeb has a function to protect Web servers against access from clients in certain countries based on the GEO IP profiles. The function can be configured from the Web GUI using Web Protection -> Access -> GEO IP. However, the CLI does not support the configuration of a list in 'waf geo-block-list'.
Scope
FortiWeb.
Solution
'waf geo-block-list' holds multiple country-lists in which countries to be blocked based on GEO IP can be configured, but when a country entry is added to a list from the CLI, saving it fails as follows.
Configuring an entry in a country-list is disabled by design because the CLI is unable to validate the legitimacy of the user input.
(geo-block-list) # edit GEOIP-Example
(GEOIP-Example) # config country-list
(country-list) # edit 0
Add new entry '1' for node 5204
(1) # set country-name Afghanistan
(1) # end
Command fail. cmdb dont't save <----Here
(GEOIP-Example) #
The GEO IP block policy must be configured from the Web GUI.
Related document:
GEO IP - Blocklisting & whitelisting countries & regions