AdrianR
Explorer II
May 31, 2023
Solved

Geo Blocking with SD-Wan enable

  • May 31, 2023
  • 5 replies
  • 6125 views

Hello, I want to make a policy with Geo Blocking on my WAN port that's inside an SD-WAN interface. I tried to configure the policy with incoming interface SD-WAN but it doesn't work. If I take my WAN out of the SD-WAN and configure the policy with incoming interface WAN it works correctly. How can I configure the policy using SD-WAN?

I tried looking online for the answer but couldn't find anything with SD-WAN, thanks for the help!

Best answer by ezhupa

Hi Adrian, 

You can also configure local-in policies following the documentation below. You just need to adjust it to your own case:
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/363127/local-in-policy
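Added example (not part of the accepted answer or Fortinet's documentation): a FortiOS CLI local-in policy that drops traffic from a geography address object before it reaches the FortiGate itself. The object name "GEO-BLOCKED", the country code "XX" and the member interface "wan1" are placeholders; the example assumes the physical SD-WAN member can still be named in a local-in policy, which is the reason this approach is suggested when the firewall policy cannot use the member directly.

```fortios
# Geography address object; "XX" is a placeholder for the ISO 3166 country code to block
config firewall address
    edit "GEO-BLOCKED"
        set type geography
        set country "XX"
    next
end

# Local-in policy: filters traffic whose destination is the FortiGate itself
# (management, VPN, admin access), NOT traffic forwarded through a VIP.
config firewall local-in-policy
    edit 1
        set intf "wan1"            # assumption: physical SD-WAN member, not the SD-WAN zone
        set srcaddr "GEO-BLOCKED"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
```

Caveat: a local-in policy only protects services that terminate on the FortiGate. Connections to hosts published through a VIP are forwarded traffic and are still governed by the regular firewall policy table, so a geo block for those hosts must be a deny firewall policy ordered above the VIP allow policy.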

5 replies

scan888
New Member
May 31, 2023

Hi Adrian

Actually, it should work.

After you add the interface to the SD-WAN interface you need to create firewall policies with the matching SD-WAN interface.

For example:

    config firewall policy
        edit 0
            set name "Internet to local System"
            set srcintf "virtual-wan-link"   # your SD-WAN interface
            set dstintf "<Dst. Interface>"
            set action accept
            set srcaddr "<your allowed GEO Object>"
            set dstaddr "<your VIP Object>"
            set schedule "always"
            set service "ALL"
        next
    end
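Added example (mine, not scan888's config): the deny-first pattern for an SD-WAN zone as the incoming interface, with the checks a practitioner wants when a VIP is involved. The object names "GEO-BLOCKED", "WEB-VIP", the "lan" interface and the country code "XX" are placeholders; the geo object is defined inline so the block stands on its own.

```fortios
# Geography address object; "XX" is a placeholder for the ISO 3166 country code to block
config firewall address
    edit "GEO-BLOCKED"
        set type geography
        set country "XX"
    next
end

config firewall policy
    # 1) Deny policy, must sit ABOVE the VIP allow policy (policies match top-down)
    edit 0
        set name "Deny GEO-BLOCKED to VIP"
        set srcintf "virtual-wan-link"   # SD-WAN zone as incoming interface
        set dstintf "lan"                # assumption: LAN-side interface name
        set action deny
        set srcaddr "GEO-BLOCKED"
        set dstaddr "all"                # a VIP cannot be selected on a deny policy...
        set match-vip enable             # ...so tell the deny to also match VIP destinations
        set schedule "always"
        set service "ALL"
        set logtraffic all               # log every denied hit so the block can be verified
    next
    # 2) Allow policy for the published host (created after the deny so it lands below it)
    edit 0
        set name "Internet to local System"
        set srcintf "virtual-wan-link"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "WEB-VIP"            # assumption: existing VIP object
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two things to check if the deny still does not fire: without `match-vip enable` a deny policy with dstaddr "all" does not match traffic whose destination is a VIP address, and if the allow policy already existed before the deny was created, the deny is appended at the bottom and has to be moved above it with `move <deny-id> before <allow-id>` inside `config firewall policy`. The forward traffic log then shows which policy ID matched and that the source interface is virtual-wan-link.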
AdrianR (Author)
Explorer II
May 31, 2023

Thanks for the quick reply scan888, I have my policy configured like this:

[screenshot: Screenshot 2023-05-31 102403.png]

When I have the Deny option enabled I can't assign a VIP.

scan888
New Member
May 31, 2023

Hi @AdrianR 

Your rule blocks any connections coming from your selected country to any hosts behind the "lan" switch.

I'm not sure what exactly you would like to achieve, because this rule only helps if you have any VIP rules below that rule. If you have no forwardings from the Internet to your "lan" switch, the implicit deny rule blocks the connections anyway.

AEK
SuperUser
May 31, 2023

Try putting your interface in SD-WAN again but keep the policy with the original WAN interface (not SD-WAN).

AEK
AdrianR (Author)
Explorer II
May 31, 2023

Hello AEK, the SD-WAN configuration won't let me add the WAN interface back in because it's being used by the original policy with the WAN interface as incoming interface.

AEK
SuperUser
May 31, 2023

Hello Adrian

Which FOS version?

AEK
AdrianR (Author)
Explorer II
May 31, 2023

Hello AEK, it's a FortiGate 40F, OS 7.0.11

AEK
SuperUser
June 1, 2023

Hi Adrian

Try checking and sharing the related traffic logs. They must show the source and destination interfaces and the policy that allowed them.

AEK