FortiGate
vsahu
Staff
Article Id 206778

Description

 

This article describes how to block access to a server published through a VIP (virtual IP) from selected countries, using Geography (GeoIP) address objects together with a deny policy that has match-vip enabled.

 

Scope

 

Version: 5.2 onwards

 

Solution

 

Scenario: access to a server published via a VIP must be denied for clients located in specific countries, identified by GeoIP (Geography address objects).

 

  1. Create an address object with type Geography:
  • Go to Policy&Object -> Addresses.
  • Select 'Create New' and 'Address'.

Name: Define the name.

Type: Select 'Geography'.

Country: Select the country to block.

[Screenshot: Address configuration]

Repeat this for every country that should be blocked; each Geography address object holds one country.

 

  2. Create an address group and add the Geography address objects created in step 1:
  • Go to Policy&Object -> Addresses.
  • Select 'Create New' and 'Address Group'.

Group Name: Define the name (Country_Block in this article).

Type: Select 'Group'.

Members: Add the Geography address objects created in step 1.

[Screenshot: Country_Block address group]

 

  3. Create the VIP as required; in this example ICMP and RDP are used.
  • Go to Policy&Object -> Virtual IPs.
  • Select 'Create New' and 'Virtual IP'.

[Screenshot: Create the VIP as per your requirement]

 

  4. Create the firewall policy that allows traffic to the VIP:
  • Go to Policy&Object -> Firewall Policy.
  • Select the incoming and outgoing interface, set the source to 'all' and the destination to the VIP, set the action to ACCEPT, and enable or disable NAT as required.

[Screenshot: Policy to allow VIP communication]

Security profiles (UTM) and the inspection mode can be applied to this policy as required.

 

  5. Create a policy that denies VIP access from the countries where the server should not be exposed:
  • Go to Policy&Object -> Firewall Policy.
  • Select the incoming and outgoing interface, set the source to the address group created in step 2 (Country_Block) and the destination to the VIP, set the action to DENY, and enable 'Log Violation Traffic'.

[Screenshot: Policy to deny VIP communication from the selected geolocations]

 

  6. Move the deny policy above the accept policy. Policies are evaluated top-down and the first match wins, so the deny policy must be evaluated before the accept policy.

[Screenshot: Policy precedence]

 

  7. Enable match-vip on the deny policy. This option is only available in the CLI. VIP (DNAT) processing takes precedence over the forward firewall policy lookup, so without match-vip the deny policy does not match the translated VIP traffic and the country block is bypassed. 'action deny' is the default value and is therefore not displayed by the CLI:

config firewall policy
    edit 4
        set name "Country_Block_VIP"
        set uuid 1cef9bae-a2be-51ec-8e01-d6902dc053b1
        set srcintf "port2"
        set dstintf "port4"
        set srcaddr "Country_Block"
        set dstaddr "10.5.59.206_VIP"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set match-vip enable
    next
end

 

 

Debug flow trace with match-vip enabled. The DNAT check (gnum-100000) matches the VIP first and translates 10.5.59.206 to 10.26.3.109; the forward policy check (gnum-100004) then matches policy 4 and the packet is denied:

 

id=20085 trace_id=25 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=1, 10.5.63.254:60417->10.5.59.206:2048) from port2. type=8, code=0, id=60417, seq=1238."
id=20085 trace_id=25 func=init_ip_session_common line=5918 msg="allocate a new session-00259762"
id=20085 trace_id=25 func=iprope_dnat_check line=5191 msg="in-[port2], out-[]"
id=20085 trace_id=25 func=iprope_dnat_tree_check line=830 msg="len=1"
id=20085 trace_id=25 func=__iprope_check_one_dnat_policy line=5050 msg="checking gnum-100000 policy-1"
id=20085 trace_id=25 func=get_new_addr line=1229 msg="find DNAT: IP-10.26.3.109, port-0(fixed port)"
id=20085 trace_id=25 func=__iprope_check_one_dnat_policy line=5147 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000000"
id=20085 trace_id=25 func=iprope_dnat_check line=5204 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000104"
id=20085 trace_id=25 func=fw_pre_route_handler line=181 msg="VIP-10.26.3.109:8, outdev-port2"
id=20085 trace_id=25 func=__ip_session_run_tuple line=3492 msg="DNAT 10.5.59.206:8->10.26.3.109:8"
id=20085 trace_id=25 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-10.26.3.109 via port4"
id=20085 trace_id=25 func=iprope_fwd_check line=789 msg="in-[port2], out-[port4], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
id=20085 trace_id=25 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=3"
id=20085 trace_id=25 func=__iprope_check_one_policy line=1994 msg="checked gnum-100004 policy-4, ret-matched, act-accept"
id=20085 trace_id=25 func=__iprope_user_identity_check line=1815 msg="ret-matched"
id=20085 trace_id=25 func=__iprope_check_one_policy line=2224 msg="policy-4 is matched, act-drop"
id=20085 trace_id=25 func=iprope_fwd_check line=826 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-4"
id=20085 trace_id=25 func=iprope_fwd_auth_check line=845 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-4"
id=20085 trace_id=25 func=fw_forward_handler line=687 msg="Denied by forward policy check (policy 4)"
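The commands that produce a trace like the one above, followed by a GeoIP lookup to confirm how the FortiGate classifies a given source address. This is an added example, not part of the original article: the VIP external address 10.5.59.206 and policy ID 4 come from the article, while the test source address 198.51.100.10 is a placeholder.

```fortios
# Added example: capture the forward-policy decision for traffic to the VIP.
# Filter on the VIP external address (10.5.59.206, from the article) and ICMP (proto 1).
diagnose debug flow filter clear
diagnose debug flow filter addr 10.5.59.206
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

# Now send a test packet (for example a ping to 10.5.59.206) from a host in a
# blocked country. A correctly matched deny policy ends the trace with:
#   msg="Denied by forward policy check (policy 4)"
# If the trace shows the accept policy matching for a source that should be
# blocked, check that match-vip is enabled on the deny policy and that the
# deny policy sits above the accept policy.

diagnose debug flow trace stop
diagnose debug disable

# Confirm which country the GeoIP database assigns to a source address
# (198.51.100.10 is a placeholder test address, not from the article).
diagnose firewall ipgeo ip2country 198.51.100.10
```

If ip2country returns a country that is not in the Country_Block group, the deny policy cannot match that source regardless of match-vip; check the GeoIP database version and the group membership before suspecting the policy order.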

 

 

Note:


As of FortiOS 6.4.3, match-VIP is not allowed in firewall policies when the action is set to accept.

 

Also note that firewall policies do not govern traffic destined to the FortiGate itself. Inbound traffic to a FortiGate interface (administrative access such as HTTPS, PING, SSH and others) is controlled by local-in policies and by the services enabled or disabled in the interface settings, and the local-in policy is evaluated before the firewall policy.

https://docs.fortinet.com/document/fortigate/6.4.3/fortios-release-notes/230510/changes-in-default-b... 

Related Articles:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-Virtual-IPs-to-configure-port-forwar... 
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-... 
https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/491762/firewall-policy-policy6