FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 264818

This article describes a practical approach to safeguarding the network by denying connections from IP addresses originating in China.
The same method can be applied to block connections from any country, providing an additional layer of defense against potential threats: all connection attempts originating from undesired countries can be effectively blocked or denied.

Scope: FortiGate.
  1. Verify that 'Local in Policy' is enabled:

Navigate to 'System' > 'Feature Visibility' and confirm that 'Local in Policy' is enabled.

  2. Go to 'Policy & Objects' > 'Addresses' and create a new address object that defines the IP ranges of the specific country to be blocked.

  3. Create the local-in policy using the CLI:

Configure the local-in policy with the following parameters:
  - Specify the previously created address object as the source address of the policy.
  - Define the interface and services to be affected; for instance, 'port1' if it serves as the WAN interface.
  - Set the service to ALL, because all connections arriving at the firewall on any port number must be blocked.
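The complete CLI configuration for steps 2 and 3 above, as an added example that is not part of the original article: the address object name 'China-IP-Ranges', the policy ID 1 and the use of a geography-type address resolving to the FortiGuard geo-IP ranges for country code "CN" are assumptions; 'port1' is the WAN interface named in the text.

```fortios
# Step 2: address object covering the country's IP ranges.
# A geography-type address is assumed here (name is an assumption);
# it resolves to the FortiGuard geo-IP ranges for the ISO country code.
config firewall address
    edit "China-IP-Ranges"
        set type geography
        set country "CN"
    next
end

# Step 3: local-in policy denying all traffic from that address
# to the FortiGate itself on the WAN interface, on any port.
# Policy ID 1 is an assumption; use the next free ID on the device.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "China-IP-Ranges"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
```

Local-in policies are matched top down and apply only to traffic addressed to the FortiGate itself (management, VPN and similar services), not to traffic forwarded through it; blocking forwarded traffic from the same country requires a regular firewall policy with the same source address. Before applying a deny rule on the WAN interface, confirm that the address object does not include the range the device is administered from, or place an accept policy for that source above the deny. `show firewall local-in-policy` displays the resulting policy table for review.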




By following these steps, connections originating from the IP ranges of specific countries can be effectively blocked, enhancing the security of the FortiGate device itself.

Related document:
Local-in policy