Description
This article shows the configuration to protect a server from attacks from countries the user has no business with.
Scope
FortiGate.
Solution
First, create an address object:
Go to Policy&Object -> addresses and then select 'create' and 'new address'
Name: Choose a name
Type: Select 'Geography'
Country: Select the country to block
Type: Select 'Geography'
Country: Select the country to block
Do this for all the countries to block.
Then, create a group for these countries that need to be blocked.
Then, create a group for these countries that need to be blocked.
Select 'create' and 'new address group'
The last thing to do is to create a policy.
Go to Policy & Object -> IPv4 Policy
Go to Policy & Object -> IPv4 Policy
Create a policy that blocks the traffic from the countries to your resources (like servers in your DMZ) that need to be protected.
Once this rule is created, the traffic from that countries will be blocked (this is to protect the server only, it does not block the internet).
If there is a there is even 1 VIP policy on the FortiGate then this policy will not work as expected. To make this work ensure that in the policy itself add a command to match it to the VIP or add the destination as all The VIPs you have in the destination instead of 'all'.
Option 1: Enable match-vip in teh block geolocation Policy:
config firewall policy
edit <policy-id> <----- Here the policy policy ID would be of the "Block Geoloction Traffic" as seen in the screenshot above.
set match-vip enable end
Option 2: Add all the VIPs that are used in the FortiGate:
Related articles:
Technical Note: How FortiGate can block Duolingo in different ways. Blocks web application.
Technical Note: Disconnecting a member from a cluster
Technical Tip: Commands to verify GeoIP information and troubleshoot GeoIP database
