Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vsahu
Staff
Staff

Created on ‎03-14-2022 12:46 AM Edited on ‎03-14-2022 12:49 AM By Community Manager

Article Id 206778

Technical Tip: How to block VIP access using GEO Location

Description

 

This article describes the configuration to enable VIP along with GEO Location.

 

Scope

 

Version: 5.2 onwards

 

Solution

 

Users want to deny the VIP server access from countries using GEO Location.

 

1) create an address object with Type Geography:

 

- Go to Policy&Object -> addresses.

-Select 'create' and 'address'.

 

Name: Define the name.

Type: Select 'Geography'.

Country: Select the country to block.

 

Address configuration.PNG

 

Create it for all the Regions to block.

 

2) Create the address group and add the respected address object created earlier.

 

- Go to Policy&Object -> Addresses Group.

- Select 'create' and 'address group'.

 

Group Name: Define the name.

Type: Select 'Group'.

Members: Add the respected Geo Address created.

 

Country_Block_Address group.PNG

 

3) Create the VIP as per the requirement, for example, the ICMP and RDP have been used.

 

- Go to Policy&Object -> Virtual IPs.

- Select 'create' and 'Virtual IP'.

 

Create the VIP as per your requirement.PNG

 

4) Create the policy for the VIP and allow the communication.

 

Go to Policy&Object -> Firewall Policy.

Select the incoming and outgoing interface then select the source as all and destination as VIP, set action as ACCEPT, and disable or enable the NAT as per the requirement.

 

Policy to allow VIP communication.PNG

 

It is possible to apply the respected UTM as per the requirement and also change the mode as per the requirement.

 

5) Create a policy to protect the VIP server access from countries where it is not wanted to expose the server.

 

- Go to Policy&Object -> Firewall Policy.

- Select the incoming and outgoing interface then select the source as the address group which has been created Country_Block and destination as VIP, set action as deny and enable the Log Violation. traffic.

 

Policy to Deny VIP communication from the respected Geo location.PNG

 

6 ) Move the respected Deny policy above the Accept policy.

 

Policy Precedence.PNG

 

7) Enable the Match-VIP in the deny policy necessary to use the CLI for this as the VIP routing table takes precedence over firewall policy  this command is not enabling the traffic will bypass the country block policy.

 

  edit 4

        set name "Country_Block_VIP"

        set uuid 1cef9bae-a2be-51ec-8e01-d6902dc053b1

        set srcintf "port2"

        set dstintf "port4"

        set srcaddr "Country_Block"

        set dstaddr "10.5.59.206_VIP"

        set schedule "always"

        set service "ALL"

        set logtraffic all

        set match-vip enable     

    next

 

 

Logs:

 

id=20085 trace_id=25 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=1, 10.5.63.254:60417->10.5.59.206:2048) from port2. type=8, code=0, id=60417, seq=1238."
id=20085 trace_id=25 func=init_ip_session_common line=5918 msg="allocate a new session-00259762"
id=20085 trace_id=25 func=iprope_dnat_check line=5191 msg="in-[port2], out-[]"
id=20085 trace_id=25 func=iprope_dnat_tree_check line=830 msg="len=1"
id=20085 trace_id=25 func=__iprope_check_one_dnat_policy line=5050 msg="checking gnum-100000 policy-1"
id=20085 trace_id=25 func=get_new_addr line=1229 msg="find DNAT: IP-10.26.3.109, port-0(fixed port)"
id=20085 trace_id=25 func=__iprope_check_one_dnat_policy line=5147 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000000"
id=20085 trace_id=25 func=iprope_dnat_check line=5204 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000104"
id=20085 trace_id=25 func=fw_pre_route_handler line=181 msg="VIP-10.26.3.109:8, outdev-port2"
id=20085 trace_id=25 func=__ip_session_run_tuple line=3492 msg="DNAT 10.5.59.206:8->10.26.3.109:8"
id=20085 trace_id=25 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-10.26.3.109 via port4"
id=20085 trace_id=25 func=iprope_fwd_check line=789 msg="in-[port2], out-[port4], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
id=20085 trace_id=25 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=3"
id=20085 trace_id=25 func=__iprope_check_one_policy line=1994 msg="checked gnum-100004 policy-4, ret-matched, act-accept"
id=20085 trace_id=25 func=__iprope_user_identity_check line=1815 msg="ret-matched"
id=20085 trace_id=25 func=__iprope_check_one_policy line=2224 msg="policy-4 is matched, act-drop"
id=20085 trace_id=25 func=iprope_fwd_check line=826 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-4"
id=20085 trace_id=25 func=iprope_fwd_auth_check line=845 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-4"
id=20085 trace_id=25 func=fw_forward_handler line=687 msg="Denied by forward policy check (policy 4)"

 

Note:


As of FortiOS 6.4.3, match-VIP is not allowed in firewall policies when the action is set to accept.

 

https://docs.fortinet.com/document/fortigate/6.4.3/fortios-release-notes/230510/changes-in-default-b... 

Related Article:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-Virtual-IPs-to-configure-port-forwar... 
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-... 
https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/491762/firewall-policy-policy6 

2837
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.