Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
evejar
Staff
Staff

Created on ‎06-05-2017 08:49 AM Edited on ‎12-30-2024 12:01 AM By Moderator

Article Id 196741

Technical Tip: How to block by country or geolocation

Description

 

This article shows the configuration to protect a server from attacks from countries the user has no business with.

Scope

 

FortiGate.


Solution

 

First, create an address object:

Go to Policy&Object -> Addresses and then select 'create' and 'new address'.


2023-03-22 14_34_17-FortiGate - FG3H — Mozilla Firefox.png

 

Name: Choose a name.
Type: Select 'Geography'.
Country: Select the country to block.
 
Do this for all the countries to block.
 
Then, create a group for these countries that need to be blocked.
 
Select 'create' and 'new address group'.
 
2023-03-22 14_43_25-FortiGate - FG3H — Mozilla Firefox.png

 

The last thing to do is to create a policy.
Go to Policy & Object -> IPv4 Policy.
 
Create a policy that blocks the traffic from the countries to the resources (like servers in the DMZ) that need to be protected.
Once this rule is created, the traffic from those countries will be blocked (this is to protect the server only, it does not block the internet).
 
block policy.PNG

 

If there is even 1 VIP policy on the FortiGate then this policy will not work as expected. To make this work ensure that in the policy itself add a command to match it to the VIP or add the destination as all The VIPs present in the destination instead of 'all'.
 
Option 1: Enable match-vip in the block geolocation Policy:
 

config firewall policy

    edit <policy-id>  <----- Here the policy ID would be of the 'Block Geolocation Traffic' as seen in the screenshot above.

           set match-vip enable
end
 
Option 2: Add all the VIPs that are used in the FortiGate:
 
vip block.PNG

Geolocation also contains the Reserved option (ZZ) which denotes the addresses that are not assigned publicly.

 

Note:

  • To restrict/allow access from specific countries through an SSL VPN tunnel, the following document can be referred to:
    Restricting/allowing SSL VPN access from ... - Fortinet Community
  • The match-vip option is disabled by default until v7.2.3. In versions after 7.2.3, the option is enabled by default.
  • The 'set match-vip' option is only available if the policy action is set to 'deny'. 

 

Related documents:

Identity-based-route

Technical Note: How FortiGate can block Duolingo in different ways. Blocks web application.

Technical Note: Disconnecting a member from a cluster

Technical Tip: Commands to verify GeoIP information and troubleshoot GeoIP database 
Technical Tip: How to block by country or geolocat... - Fortinet Community

Labels:
202642
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.