Script To Create Geo Block Group

Forum|Forum|1 year ago
July 4, 2024
5 replies
5382 views

We have a number of FortiGate firewalls that we want to create the same Geo Block Group holding a fairly long list of countries to block. We don’t have a FortiManager. Does someone have a script to generate this geo block group on the firewalls from a list of countries? I have found scripts to create a group of IP address but not geo group lists.

FortiGate

heyyo

Explorer III

Hi,

I am looking at this KB: How to block by country or geolocation - Fortinet Community

Are you after creating a group for these countries that needs to be blocked same as in the link?

1. Go to Policy&Object -> addresses and then select 'create' and 'new address'.

Name: Choose a name.
Type: Select 'Geography'.
Country: Select the country to block.

---- Do this for all the countries to block ----

2. Create a group for these countries that need to be blocked.

Select 'create' and 'new address group'

SecurityPlusAuthor

Explorer III

Thank you both for your posts. We have previously created geo block lists using these steps successfully. We would like to find a more efficient way to create these lists. If we have say 50 countries that we would like to include in these lists, and we need to do this on a dozen different firewalls, we are concerned that it may take 30 minutes per firewall, or a total of 6 hours to accomplish this on all firewalls. We would like to be able to create a script that would take a text based list of countries (either the complete country name or the 2 digit country code) and add this in one step to a firewall saving a considerable amount of time.

Our input could look like:

Afghanistan

Aland Islands

Albania

Or it might could instead list the country 2 digit codes:

AF

AX

AL

If this works, we would then possibly later modify the block list group by rerunning the script replacing the previous block list group with the newly modified block list group.

hbac

Staff

Hi @SecurityPlus,

You can copy the configuration from the CLI of one FortiGate to another. You can configure it on one FortiGate and copy the CLI configuration. You need to copy address objects before the address group. For example:

config firewall address
edit "Angola"
set type geography
set country "AO"
next
end

config firewall addrgrp
edit "Blocked_countries"
set member "Angola"
next
end

Regards,

Zhuo

Explorer

Hi SecurityPlus

ede_pfau

SuperUser

To make things easier, I've created batch files for all countries and offer them on my website:

https://www.beneicke-edv.de/support/tools/#all_countries_addressgroup

You can either go 'white listing' (allow some, block all others) or 'blacklisting' (block some, allow all others). The batch files are plain text and can be edited easily, so that you can start with the full set and cut out some country codes to your liking.