FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 252129
Description This article describes how to allow traffic from certain clients in the blocked country list to access VIP servers.
Scope FortiGate.

In this scenario, a VIP configuration for internal servers is used.

A policy (test1) with source as specific countries and destination as VIPs configured to block traffic from specific countries to the server for which VIP is configured.



Now all traffic coming from a blocked country will hit the VIP policy first and get blocked.

If creating a policy (test2) for a specific source and destination is the IP address of the server, the traffic will still hit the VIP policy and will get blocked.

new vip2.PNG


If there is a requirement to allow traffic from a client in the blocked county list to access the VIP servers, a policy (test3) has to be created with the source as the required IP, and the destination as the VIP server IP.

It should be placed above the block policy.


new vip.PNG

There are possibilities where some IPs are registered by a country and Fortiguard might show a different country. In such scenarios, it is possible to override Geo-IP database.


Related articles: