Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pmudgal
Staff
Staff

Created on ‎08-08-2024 06:51 AM

Article Id 331556

Technical Tip: Blocking AnyCast Addresses using geo-ip anycast feature

Description

This article describes how to block anycast address in Geo-IP blocking using a deny policy.
Scope FortiGate.
Solution
  • Anycast IP is shared between multiple servers and they can be in different locations as well.
  • The objective is to block all anycast IPs irrespective of them mentioned under destination address or location.

 

Steps:

 

Make a deny policy in which we have just added the country Afghanistan as a destination, but also enabled the feature geoip-anycast.

 

pmudgal_0-1723124494155.png

 

  • geoip-anycast enabled in policy means that if the IP is an anycast IP, the packet will hit the policy even if the IP is not in the countries list of GeoIP in the policy, so in that case, if pinging 1.1.1.1/8.8.8.8, will match the policy and packet is blocked.

 

To check the geo-location of the anycast IP:

 

pmudgal_1-1723124494156.png

 

Logs:

 

pmudgal_2-1723124494159.png
Labels:
430
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.