smccarthy945
New Member
December 13, 2016
Question

How to Block Multiple Countries?


I am trying to block a large list of countries by creating an address group and adding the countries into the group via the geography type. The problem I am running into is that I have to create a new entry for every single country I want to block in the web interface, and it will be incredibly time consuming to sit for hours to add every single country into the address group. Is there a faster way - maybe via the command line - that I can add countries into the address group?


Since we only do business in the US, I want to block a good portion of other countries in my rule sets. Thanks in advance. 

Scott


    SCSIraidGURU
    New Member
    December 13, 2016

    Source: Blocked Countries. Create an address list by country name (type: geography); the country is on the list. I had to do 198 of them and add them to the address group Block Countries.

    smccarthy945
    New Member
    December 13, 2016

    While I appreciate the reply, I am not sure what it means? It looks like you tried to post an image but unfortunately, I can't see it. 

    SCSIraidGURU
    New Member
    December 14, 2016

    Name: Geographical Blocking
    Incoming: Wan-Load_balance (both WAN1 and WAN2)
    Outgoing: Any
    Source: Blocked_Countries (Address group)
    Destination: all
    Schedule: Always
    Services: All
    Action: Deny

    Blocks 120,000+ a day.

    smccarthy945
    New Member
    December 14, 2016

    Thank you!

    smccarthy945
    New Member
    December 14, 2016

    Just so you know, I also was able to add it as an ACL in the IPv4 Policies and it dropped a bunch of packets as well, so it seems you can do it both ways. Thanks for the help on this.


    SCSIraidGURU
    New Member
    December 15, 2016

    I asked Cisco to do it. They would not.

    Fortinet gave me two WAN ports, link balanced, and geography-based blocking. I just block all IP traffic from those countries, 120,000+ a day.

    ede_pfau
    SuperUser
    December 15, 2016

    Specify this source to block all countries: ALL

    I can't see why the explicit allow and implicit deny would not work - as a principle, anything that is not explicitly allowed is denied. No need to gather 198 country address ranges in an address group...

    Policy order is important:

    1- allow these few countries: from WAN/allowed_countries to LAN/my_LAN, ACCEPT

    2- no further policies following!

    If you need to you may enable logging of denied traffic, just to be sure it works. Then, cancel logging.

    SCSIraidGURU
    New Member
    December 15, 2016

    It is a shortcoming of the Fortinet IOS. It would be nice if you could do just an allow of the US and then a deny of every other country. You can't do it without listing all of them first in a group. Geography is an address sub-object. You can have one-to-one in this object. Only an address group can do many-to-one. In these cases, you just do implicit deny only.

    Anand_Prabhu
    New Member
    July 21, 2017

    I noticed that you were looking for CLI commands but none of the replies quoted them. Here are the CLI commands to reduce your time creating a bunch of address objects.

    Create Address Objects for each Country

    FG # config firewall address
    (address) # edit Japan
    new entry 'Japan' added
    (Japan) # set type geography
    (Japan) # set country JP
    (Japan) # set associated-interface wan1
    (Japan) # next
    (address) # edit China
    new entry 'China' added
    (China) # set type geography
    (China) # set country CN
    (China) # set associated-interface wan1
    (China) # next
    (address) # end

    The "set associated-interface" command is optional; if it is not configured, FortiGate treats the object as bound to "any" interface.

    Create Address Group

    FG # config firewall addrgrp
    (addrgrp) # edit CountryGroup
    (CountryGroup) # set member Japan China
    (CountryGroup) # next
    (addrgrp) # end

    You can find the full list of FortiGate country codes here - http://itadminguide.com/f...ns-using-cli-commands/
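    Since the original question was about avoiding hundreds of manual entries, here is an added example (not from this thread's posters or from Fortinet) that generates the same "config firewall address" / "config firewall addrgrp" script shown above for any number of countries, so it can be pasted into the CLI in one go. The country list, the interface name "wan1" and the group name are constructed assumptions; codes are the ISO 3166-1 alpha-2 values the reply uses (JP, CN).

```python
"""Build a FortiGate CLI script that creates one geography address object
per country and collects them in an address group.  Added example, not
code from the thread.  Sample countries, interface and group are assumed."""
import re
from typing import Dict, List, Optional

# FortiGate "set country" takes a two-letter ISO 3166-1 alpha-2 code (JP, CN, ...)
ISO_ALPHA2 = re.compile(r"^[A-Z]{2}$")


def address_name(country: str) -> str:
    """The quoted reply uses plain country names as object names; replace
    anything that would need quoting on the CLI with an underscore."""
    return re.sub(r"[^A-Za-z0-9_-]", "_", country.strip())


def build_geo_block_script(countries: Dict[str, str], group: str,
                           interface: Optional[str] = None) -> str:
    """Return the CLI text for the address objects and the address group.
    Raises ValueError on a malformed country code so a typo does not end up
    as a silently wrong (or rejected) object on the firewall."""
    names: List[str] = []
    lines = ["config firewall address"]
    for country, code in countries.items():
        code = code.upper()
        if not ISO_ALPHA2.match(code):
            raise ValueError(f"{country!r}: expected a 2-letter code, got {code!r}")
        name = address_name(country)
        names.append(name)
        lines += [f"    edit {name}", "        set type geography",
                  f"        set country {code}"]
        if interface:  # optional, as the reply notes; omitted means "any"
            lines.append(f"        set associated-interface {interface}")
        lines.append("    next")
    lines.append("end")
    lines += ["config firewall addrgrp", f"    edit {group}",
              f"        set member {' '.join(names)}", "    next", "end"]
    return "\n".join(lines) + "\n"


# Constructed sample list; extend it with the countries you actually block.
SAMPLE_COUNTRIES = {"Japan": "JP", "China": "CN", "South Korea": "KR"}

if __name__ == "__main__":
    print(build_geo_block_script(SAMPLE_COUNTRIES, "CountryGroup", interface="wan1"))
```

    The group name produced here is then what you reference as the Source of the deny policy described earlier in the thread.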