Description
This article describes how to configure a FortiGate to block traffic to a protected server from countries it has no legitimate business with, using geography address objects.
Scope
FortiGate.
Solution
Create an address object: go to Policy & Objects -> Addresses, select 'Create New' -> 'Address', and set:

- Name: Choose a name.
- Type: Select 'Geography'.
- Country: Select the country to block.
The equivalent CLI configuration for the firewall address is:
config firewall address
edit Moraco-Geo
set type geography
set associated-interface wan1
set country CN
end
Repeat this for every country to be blocked, then create an address group containing those geography addresses: select 'Create New' -> 'Address Group'.

The equivalent CLI configuration for the address group is:
config firewall addrgrp
edit Country-Block
set member Moraco-Geo
end
The last step is to create a policy. Go to Policy & Objects -> Firewall Policy (IPv4 Policy on older firmware).
Create a deny policy from the external interface with the country group as source and the resources to be protected (for example, servers in the DMZ) as destination, and place it above the policies that allow inbound access.
Once this policy is in place, traffic from those countries to the protected servers is dropped. Outbound internet access from the internal network is not affected, because the policy only matches inbound traffic to the protected destination.
If there is even one VIP policy on the FortiGate, this deny policy will not work as expected: inbound traffic to a VIP is matched only against policies whose destination includes that VIP, so a deny policy with destination 'all' is skipped for it. To make it work, either enable match-vip on the deny policy, or set its destination to all the VIPs in use instead of 'all'.
Option 1: Enable match-vip in the block geolocation policy:
config firewall policy
edit <policy-id> <----- The ID of the 'Block Geolocation Traffic' policy created above.
set match-vip enable
end
Option 2: Add all the VIPs configured on the FortiGate as the destination of the block policy:

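The complete CLI configuration for the procedure above (the geography addresses, the group, and the deny policy with match-vip enabled, i.e. Option 1), written as an added example that is not part of the original article. The interface names wan1 and dmz, the address object DMZ-Servers and the country code RU are assumptions for illustration:

```fortios
# Geography address objects, one per country to block (ISO 3166-1 alpha-2 codes).
config firewall address
    edit "Geo-CN"
        set type geography
        set country "CN"
        set associated-interface "wan1"
    next
    edit "Geo-RU"
        set type geography
        set country "RU"
        set associated-interface "wan1"
    next
end

# Group the geography addresses so the policy references a single object.
config firewall addrgrp
    edit "Country-Block"
        set member "Geo-CN" "Geo-RU"
    next
end

# Deny policy: blocked countries -> protected DMZ servers ("DMZ-Servers" is an
# assumed address object). 'set action deny' must come before 'set match-vip',
# because match-vip is only accepted on deny policies. With match-vip enabled
# the policy also matches traffic whose destination is a VIP, so it is not
# bypassed by the existing VIP (DNAT) policies. 'edit 0' assigns the next free ID.
config firewall policy
    edit 0
        set name "Block Geolocation Traffic"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "Country-Block"
        set dstaddr "DMZ-Servers"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
end
```

Because policies are evaluated top-down, check the assigned ID with 'show firewall policy' and, inside 'config firewall policy', use 'move <id> before <allow-policy-id>' so the deny policy sits above the policies that allow inbound access to the servers. 'set logtraffic all' makes the denied sessions visible in the forward traffic log, which is the quickest way to confirm the block is matching.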
Geolocation also offers the Reserved option (ZZ), which covers addresses that are not assigned to any country in the GeoIP database.
Note:
- To restrict/allow access from specific countries through an SSL VPN tunnel, the following KB article can be referred to: Technical Tip: Restricting/allowing SSL VPN access from specific countries using sslvpn settings via...
- The match-vip option is disabled by default up to and including v7.2.3. In versions after 7.2.3, the option is enabled by default.
- The 'set match-vip' option is only available if the policy action is set to 'deny'.
- In addition to firewall policies, geo-blocking can be enforced using local-in policies to prevent unauthorized management or service access to the FortiGate from specific countries on the external interface or any defined source interface.
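A local-in policy for the last note above, as an added example that is not from the original article. It assumes the 'Country-Block' address group has already been created as described earlier and that wan1 is the external interface (both assumptions):

```fortios
# Deny management and service access to the FortiGate itself from the blocked
# countries on the external interface. Local-in policies apply to traffic
# destined to the FortiGate, not to traffic passing through it, so this
# complements the firewall policy that protects the servers behind it.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Country-Block"
        set dstaddr "all"
        set service "HTTPS" "SSH" "PING"
        set schedule "always"
        set action deny
    next
end
```

The service list is an assumption for illustration: list the services actually exposed on the interface (for example HTTPS for the GUI, SSH for the CLI, and the VPN services in use), and verify with a test connection from an address in a blocked country that the session is refused.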
Related documents:
Identity-based-route
Technical Tip: How FortiGate can block Duolingo in different ways. Blocks web application.
Technical Tip: Disconnecting a member from a cluster
Technical Tip: Commands to verify GeoIP information and troubleshoot GeoIP database
Technical Tip: Blocking Inbound Access from Specific Country IP Ranges on FortiGate
Technical Tip: How to block VIP access using GEO Location
Recognize anycast addresses in geo-IP blocking