Technical Tip: How to allow traffic from certain clients in the blocked country list to access VIP servers

In this scenario, a VIP configuration for internal servers is used.

A policy (test1) with source as specific countries and destination as VIPs configured to block traffic from specific countries to the server for which VIP is configured.

Now all traffic coming from a blocked country will hit the VIP policy first and get blocked.

If creating a policy (test2) for a specific source and destination is the IP address of the server, the traffic will still hit the VIP policy and will get blocked.

If there is a requirement to allow traffic from a client in the blocked county list to access the VIP servers, a policy (test3) has to be created with the source as the required IP, and the destination as the VIP server IP.

It should be placed above the block policy.

Note:
There are possibilities where some IPs are registered by a country and Fortiguard might show a different country. In such scenarios, it is possible to override Geo-IP database.

Related articles:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-override-Geo-IP-database/ta-p/19343...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Commands-to-verify-GeoIP-information-and/t...