michaelleroy
New Member
May 2, 2017
Question

Geo-Lock VPN traffic

  • May 2, 2017
  • 1 reply
  • 6494 views

We are wanting to restrict SSL tunnel, SSL web, and IPsec Dial up VPN connections to limited countries. 


I can't seem to find any specific documentation on this, other than the generic Geographic options available.


What would be the best practice to accomplish this?

1 reply

EMES
New Member
May 2, 2017

Local-In Policy would work for you. It's only configured in the CLI. You would first create address objects for the countries you want to allow, setting the type to "Geography" and then the country you want to allow. Then in the CLI you would create a policy to allow that country and then create a deny all.


config firewall address
    edit "US"
        set type geography
        set country "US"
    next
end
config firewall local-in-policy
    edit 1
        set intf "port2"
        set srcaddr "US"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
    next
end


Here is a link to a KB article on how to configure it further: http://kb.fortinet.com/kb/documentLink.do?externalID=FD33649
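The answer above covers one country and the HTTPS listener. The original question asks about three VPN types at once (SSL tunnel and SSL web both terminate on the SSL VPN listener; IPsec dial-up needs IKE, and ESP when NAT-T is not in use), and usually more than one country. The following is an added example that extends the same local-in-policy approach; it is not code from the thread or from Fortinet documentation. It assumes the Internet-facing interface is "wan1", that SSL VPN listens on TCP 10443 rather than 443 (check with "show vpn ssl settings"), and that the allowed countries are US and CA; the object names "GEO-US", "GEO-CA", "GEO-VPN-ALLOWED", "SSLVPN-10443", "ESP-50" and "VPN-LISTENERS" are arbitrary labels chosen for this example. "IKE" is the predefined FortiOS service (UDP 500 and 4500).

```text
# Added example, not from the original thread. Assumptions: external interface
# "wan1", SSL VPN on TCP 10443, allowed countries US and CA.

# 1. One geography address per allowed country, grouped so the policy
#    references a single object and new countries are added in one place.
config firewall address
    edit "GEO-US"
        set type geography
        set country "US"
    next
    edit "GEO-CA"
        set type geography
        set country "CA"
    next
end
config firewall addrgrp
    edit "GEO-VPN-ALLOWED"
        set member "GEO-US" "GEO-CA"
    next
end

# 2. Services the VPN listeners actually use. If SSL VPN runs on 443 the
#    predefined "HTTPS" service can replace "SSLVPN-10443". ESP (IP protocol
#    50) is only needed for IPsec peers that do not negotiate NAT-T.
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
    next
    edit "ESP-50"
        set protocol IP
        set protocol-number 50
    next
end
config firewall service group
    edit "VPN-LISTENERS"
        set member "SSLVPN-10443" "IKE" "ESP-50"
    next
end

# 3. Local-in policies are evaluated top-down: accept the allowed countries
#    first, then deny everyone else for the same services only, so that
#    unrelated traffic to the FortiGate (ping, FortiGuard, etc.) is untouched.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "GEO-VPN-ALLOWED"
        set dstaddr "all"
        set action accept
        set service "VPN-LISTENERS"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "VPN-LISTENERS"
        set schedule "always"
    next
end
```

Two things to check before relying on this. First, local-in policies only govern traffic addressed to the FortiGate itself, which is exactly what VPN listeners are; they do not affect forwarded traffic, so the normal firewall policies are unchanged. Second, if admin HTTPS shares the SSL VPN port, the deny rule also geo-locks GUI access, which may or may not be what you want. Geography matching depends on the FortiGuard geo-IP database being current; to see which country the unit assigns to a given source, the "diagnose geoip ip2country <ip>" command is, to my understanding, available on recent FortiOS releases, but verify it on your own version before building a runbook around it. The "#" lines are explanatory; if your CLI session rejects them, paste the blocks without them.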

emnoc
New Member
May 3, 2017

I agree geoip and local-policy will get you what you want.


Ken