mouse51180
New Member
July 29, 2019
Solved

Geo Blocking

  • 1 reply
  • 20627 views

I'm in the middle of setting up a policy to block all traffic outside of the US. It appears I have to add each country to the Policy & Objects > Addresses section separately and then create a group and add the addresses to the group ...then create a policy to block the group. I have started to do that and it appears to be working fine, but I was wondering if there is a way to create an allow list instead? I thought if I set up a policy to Allow US, but no one else...will this block everyone else? I didn't know if the data would be read through the security like...data from country B arrives....policy 1: it's not US...go to policy 2-9...there are no other policies that "block" country B...allow data.... Or will it be... data from country B arrives...policy 1: it's not US...blocked...don't care about other policies. It seems like the default is ...if there is no policy...let it through.

    Best answer by ede_pfau

    If I may indecently point you to this page where exactly this is laid out, with ready-to-use batch command files for the geo-objects and an example of how to allow incoming (towards the FGT) traffic from just one country.


    I am not 100% sure if the list of geo-objects is identical to that in FortiOS v6.2 but it'll work. The correlation between country name and IP ranges is constantly updated online in FortiOS.

    1 reply

    Toshi_Esumi
    SuperUser
    July 29, 2019

    Simply put the allowed US policy at the top. Then deny all next, which includes all other countries.

    mouse51180
    New Member
    July 29, 2019

    Tell me if this is correct...


    See attached screenshot


    I would think that traffic would come in from the US....hit policy ID 33....it is US based...so it goes to the next policy. Policy ID 31 then checks it and sees that it is traffic from the ANY group and then it's blocked.

    Toshi_Esumi
    SuperUser
    July 29, 2019

    Actually the "deny all" is implicitly there already. You don't need it. It should be working as you intended with the current set up with the second one "disabled".
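The allow-list arrangement the replies describe, written out as FortiOS CLI, as an added example that is not part of the thread or of any Fortinet documentation it links to. The interface names (wan1, dmz), the address object "web-server", the policy IDs and the policy names are assumptions chosen for illustration; the geography address type, the first-match top-down evaluation and the implicit deny at the bottom of the policy table are FortiOS behaviour. The `#` lines are explanatory comments.

```fortios
# Added example: inbound allow-list for one country on a FortiGate.
# Assumed names: wan1, dmz, "web-server" (an existing address object).

# One geography address object instead of a group of blocked countries.
# The country-to-IP mapping behind it is maintained by FortiGuard, not by this object.
config firewall address
    edit "geo-US"
        set type geography
        set country "US"
    next
end

config firewall policy
    # Policy 33: accept inbound traffic only when the source resolves to the US.
    edit 33
        set name "allow-inbound-US"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "geo-US"
        set dstaddr "web-server"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # Policy 32 (optional): an explicit catch-all deny. Functionally it is
    # redundant with the implicit deny, but it gives you a named, logged
    # policy to match on when checking that non-US sources are being dropped.
    edit 32
        set name "deny-inbound-other"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web-server"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # First match wins, so the accept policy must sit above the deny.
    # Policy IDs do not define order; position in the table does.
    move 32 after 33
end
```

Evaluation then works as Toshi_Esumi describes: a US source matches policy 33 and is accepted, and evaluation stops there; any other source falls past 33 to the deny (or, with 32 disabled, to the implicit deny at the bottom) and is dropped. A source that cannot be mapped to a country does not match "geo-US" and is therefore also denied, which is the safe direction for an allow list.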