Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jhelder
Staff
Staff

Created on ‎07-19-2023 05:11 AM Edited on ‎11-18-2025 01:58 PM By Moderator

Article Id 264818

Technical Tip: Blocking inbound access from specific country IP ranges on FortiGate

Description

This article describes a practical approach to safeguarding the network by denying connections from IPs originating in China.


However, it is important to note that this method can be applied to block connections from any country, providing an additional layer of defense against potential threats. It is possible to effectively block or deny all connection attempts originating from undesired countries.
Scope FortiGate.
Solution
  1. Verify 'Local in Policy' Enablement:

Navigate to 'System' and access 'Feature Visibility'. Confirm whether 'Local in Policy' is enabled. 


k1.1.JPG

 

  1. Proceed to 'Policy and Object' and select 'Addresses'. Choose to create a new address object to define the IP ranges for the specific country to block.

 

k1.2.JPG

 

For guidance on adding all country address objects using a script, refer to this article: Technical Tip: Script to create Address objects and one address group for all geography countries on...

 

  1. Create the Local-in Policy using the CLI:

Configure the local-in policy by setting the appropriate parameters:
Specify the previously created address object as the source for the policy.
Define the desired interface and services to be affected. For instance, if 'port1' serves as a WAN interface.

And in the service, it is all defined, because it is necessary to block all connections coming to the firewall on any port number.

 

k1.3.JPG

 

By following these steps, it is possible to effectively block connections originating from specific country IP ranges, ensuring enhanced security for the FortiGate.

 

The next tip on the same topic is a bonus tip in case there is a need to allow only one country to connect to the firewall and all of the other countries to be blocked. In this example, all of the countries except China will be blocked:

 local in policy.png

 

The following is achieved with the use of 'set srcaddr-negate enable', which would block all of the addresses except the one configured in 'srcaddr'. One friendly reminder is that the default action in local policies is denied; therefore, there is no need to configure it.


Note:
From v7.6.x, local-in policy can be configured on the GUI under Policy & Objects -> Local-in Policy.

Screenshot 2024-10-14 155058.png

 

From v7.4.6, there is a behavior change in the interface selection in the Local-in policy. If the interface is a member of the SD-WAN Zone, then that individual interface cannot be selected in Local-in-policy.

The solution is to configure the Local-in policy with the interface as the SD-WAN zone instead of the individual interface.

 

This behavior also affects when FortiGate is upgraded from any previous version to v7.4.6. The Local-in policy, which is configured with an individual interface, will be deleted after the upgrade. It has to be manually configured again with the interface as the SD-WAN zone.

 

Related documents:

Local-in policy 

Troubleshooting Tip : Local In Policy not denying expected GEO IP addresses

Technical Tip: ESP Packets are not blocked by local-in policy

Technical Tip: How to block by country or geolocation
19779
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.