kp1512
New Member
October 31, 2020
Question

Geo Location Restriction Issue


Hi

We want to enable Geolocation based blocking

So we followed the guides from the FN site:

a) Create Address objects of each country
b) Put each address object into a group
c) Create a policy so that anything on the WAN interface to LAN that arrives from the Geolocation Address Group is denied

We then test this from an IP that is in the "banned" country, but we are still able to, for example, get to the SSLVPN webpage.

We would expect the SSL VPN page from the FW to not display from that country. We can also ping the FW from the said country as well.


I saw that adding set match-vip enable may be the reason but we have no VIPS on the FW

Any ideas?


    lobstercreed
    New Member
    October 31, 2020

    Access to the SSL-VPN is not controlled by firewall policy unless you're using a loopback for the VPN to listen on or something. Pinging the firewall is controlled by local-in policy and/or administrative access settings on the various interfaces. Again, nothing under Firewall Policy affects it.


    You may want to check out this guide (talks about IPSEC VPN, but the principles would apply to SSL as well):

    https://kb.fortinet.com/kb/documentLink.do?externalID=FD45208


    kp1512 (Author)
    New Member
    October 31, 2020

    Very helpful thank you!


    So as it stands in the config I have deployed, any access outside of SSL and PING etc. will be blocked, right? I'm just trying to get a view on what else is excluded as standard from Firewall Policies.

    lobstercreed
    New Member
    October 31, 2020

    The bottom line is traffic initiated BY or terminated BY the firewall is completely unaffected by firewall policy. Firewall policy is for traffic traversing the firewall.


    Your config would block anyone from those countries accessing servers hosted on your LAN.  However, if you use VIPs for those WAN to LAN rules (most common), you will also need to use "set match-vip enable" on the deny policy (you could alternatively list all of your VIPs, but that doesn't scale as well).  Check out this article about that specific scenario:

    https://kb.fortinet.com/kb/documentLink.do?externalID=FD36750
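Putting the two replies together (a local-in policy for traffic terminated by the FortiGate itself, such as the SSL-VPN portal and ping, and `set match-vip enable` on the WAN-to-LAN deny policy so VIP-fronted servers are covered), here is an added FortiOS CLI sketch of the whole design. It is not from the thread or the linked KB articles. The interface names `wan1` and `internal`, the object names, and the country code `XX` are placeholders; the CLI keywords are written from memory of FortiOS syntax and should be checked against the running version before use.

```fortios
# Added example, not from the thread or Fortinet's KB.
# "wan1", "internal", object names and country code "XX" are placeholders.

# 1. One geography address object per country to block
config firewall address
    edit "Geo-XX"
        set type geography
        set country "XX"
    next
end

# 2. Group them so every policy references a single object
config firewall addrgrp
    edit "Geo-Blocked-Countries"
        set member "Geo-XX"
    next
end

# 3. Local-in policy: traffic terminated BY the FortiGate (SSL-VPN portal,
#    ping, admin access) is evaluated here, never by firewall policy
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Geo-Blocked-Countries"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
        set status enable
    next
end

# 4. Firewall policy for traffic traversing the FortiGate (WAN -> LAN).
#    match-vip makes the deny also catch connections arriving via VIPs,
#    and logtraffic all records the denied hits in the forward traffic log.
config firewall policy
    edit 0
        set name "Deny-Geo-Blocked-Inbound"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Geo-Blocked-Countries"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
end
```

Two points to check after applying this: the deny policy in step 4 must sit above any allow or VIP policies for the same interface pair, since the first matching policy wins, and the local-in policy in step 3 is the one that actually answers the original question, because the SSL-VPN page and ICMP to the firewall never reach step 4. Retest from the blocked country and confirm both that the portal no longer responds and that the denies appear in the logs.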