FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kvimaladevi
Staff
Staff
Article Id 252129
Description This article describes how to allow traffic from certain clients in the blocked country list to access VIP servers.
Scope FortiGate.
Solution

In this scenario, a VIP configuration for internal servers is used.

A policy (test1) with source as specific countries and destination as VIPs configured to block traffic from specific countries to the server for which VIP is configured.

final.PNG

 

Now all traffic coming from a blocked country will hit the VIP policy first and get blocked.

If creating a policy (test2) for a specific source and destination is the IP address of the server, the traffic will still hit the VIP policy and will get blocked.

new vip2.PNG

 

If there is a requirement to allow traffic from a client in the blocked county list to access the VIP servers, a policy (test3) has to be created with the source as the required IP, and the destination as the VIP server IP.

It should be placed above the block policy.

 

new vip.PNG


Note:
There are possibilities where some IPs are registered by a country and Fortiguard might show a different country. In such scenarios, it is possible to override Geo-IP database.

 

Related articles:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-override-Geo-IP-database/ta-p/19343...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Commands-to-verify-GeoIP-information-and/t...