evejar
Staff
Article Id 196741

Description

 

This article describes a configuration that protects a server from attacks originating in countries with which the user has no business.

Scope

 

FortiGate, Geo IP location.


Solution

 

  1. Create an address object: Go to Policy & Object -> Addresses, and then, in the 'Address' tab, select 'Create New'.


[Screenshot: schedule.gif - the 'Create New' address dialog]

 

  1. Name: Choose a name.
  2. Type: Select 'Geography'.
  3. Country: Select the country to block.
 
Or:
 
Configure the Firewall address in the CLI as follows:
 
config firewall address
    edit "Monaco-Geo"
        set type geography
        set associated-interface "wan1"
        set country "CN"
    next
end
 
Note:
Do this for all of the countries to be blocked, then create a group containing those country address objects.
 
  2. Create the address group: Go to Policy & Object -> Addresses, and then, in the 'Address Group' tab, select 'Create New'.
 

[Screenshot: schedule2.gif - the 'Create New' address group dialog]

 
  3. Add members to the group created in step 2 (Country-Blocked), or configure the firewall 'addrgrp' in the CLI as follows:

config firewall addrgrp
    edit "Country-Blocked"
        set member "Monaco-Geo"
    next
end

Note:
To create all country address objects via script, consult the following KB article: Technical Tip: Script to create Address objects and one address group for all geography countries on....
 
  4. Create a policy. Go to Policy & Object -> IPv4 Policy.
  • Create a policy that blocks traffic from selected countries to protected resources (such as servers in the DMZ).
  • Once this rule is created, traffic from those countries will be blocked (this protects the server only; it does not block internet access).
 

[Screenshot: schedule3.gif - the 'Block Geolocation Traffic' deny policy]

 
Note:
If a VIP policy exists on the FortiGate, this policy may not function as expected, because inbound traffic to the VIP is matched against the VIP rather than the destination 'all'. To ensure proper operation, either enable match-vip in the deny policy so that it also matches traffic destined to the VIPs, or set the destination of the deny policy to all existing VIPs instead of 'all'.
 
Option 1: Enable match-vip in the block geolocation policy:
 

config firewall policy
    edit <policy-id>    # The policy ID of the 'Block Geolocation Traffic' policy shown in the screenshot above.
        set match-vip enable
    next
end
 
Option 2: Add all the VIPs that are used in the FortiGate:
 
[Screenshot: vip block.PNG - deny policy with all VIPs as destination]

Note:

Geolocation also contains the Reserved option (ZZ), which denotes the addresses that are not assigned publicly.
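The three CLI blocks above (geography address objects, the address group and the deny policy with match-vip) are tedious to type for more than a handful of countries. As an added example, which is not Fortinet's code and not the script from the KB article referenced above, the following Python renders the complete FortiOS CLI for any list of ISO 3166-1 alpha-2 codes. The object naming scheme (CN-Geo), the interfaces wan1 and dmz, the group name Country-Blocked and the policy name are assumptions; the CLI keywords (set type geography, set country, set member, set match-vip enable, edit 0 to let FortiOS allocate the next free policy ID) are standard FortiOS syntax.

```python
"""Render the FortiOS CLI for a geo-blocking setup: geography address
objects, an address group, and a deny policy (with match-vip) in front of
the protected server. Added example; names and interfaces are assumptions."""
import re

# ISO 3166-1 alpha-2 codes are two letters; "ZZ" is FortiGate's "Reserved"
# pseudo-country for address space that is not publicly assigned.
COUNTRY_CODE = re.compile(r"^[A-Z]{2}$")


def normalize_countries(countries):
    """Upper-case, de-duplicate (order-preserving) and validate country codes."""
    seen, result = set(), []
    for code in countries:
        code = code.strip().upper()
        if not COUNTRY_CODE.match(code):
            raise ValueError(f"not an ISO 3166-1 alpha-2 code: {code!r}")
        if code not in seen:
            seen.add(code)
            result.append(code)
    if not result:
        raise ValueError("at least one country code is required")
    return result


def address_objects(countries, suffix="-Geo"):
    """One 'geography' address object per country, all in one config block."""
    lines = ["config firewall address"]
    for code in countries:
        lines += [
            f'    edit "{code}{suffix}"',
            "        set type geography",
            f'        set country "{code}"',
            "    next",  # 'next' closes each table entry; 'end' closes the block
        ]
    lines.append("end")
    return "\n".join(lines)


def address_group(countries, group="Country-Blocked", suffix="-Geo"):
    """An address group whose members are the geography objects above."""
    members = " ".join(f'"{code}{suffix}"' for code in countries)
    return "\n".join([
        "config firewall addrgrp",
        f'    edit "{group}"',
        f"        set member {members}",
        "    next",
        "end",
    ])


def deny_policy(group="Country-Blocked", src_intf="wan1", dst_intf="dmz",
                dst_addr="all", name="Block Geolocation Traffic"):
    """Deny policy from the blocked group to the protected resources.

    'edit 0' lets FortiOS allocate the next free policy ID. match-vip is only
    accepted when the action is deny; with it enabled the policy also catches
    traffic whose destination is a VIP. The policy must still be ordered above
    the allow rule for the server (assumed interface names: wan1 -> dmz).
    """
    return "\n".join([
        "config firewall policy",
        "    edit 0",
        f'        set name "{name}"',
        f'        set srcintf "{src_intf}"',
        f'        set dstintf "{dst_intf}"',
        f'        set srcaddr "{group}"',
        f'        set dstaddr "{dst_addr}"',
        "        set action deny",
        '        set schedule "always"',
        '        set service "ALL"',
        "        set match-vip enable",
        "        set logtraffic all",  # log the denies so blocked sources are visible
        "    next",
        "end",
    ])


def geo_block_config(countries, group="Country-Blocked", **policy_kwargs):
    """Full CLI script: address objects, then the group, then the deny policy."""
    codes = normalize_countries(countries)
    return "\n".join([
        address_objects(codes),
        address_group(codes, group=group),
        deny_policy(group=group, **policy_kwargs),
    ])


if __name__ == "__main__":
    # Constructed sample input: two countries plus FortiGate's Reserved range.
    print(geo_block_config(["cn", "RU", "ZZ"], dst_intf="dmz"))
```

Paste the printed output into the FortiGate CLI (or run it as a CLI script from System -> Config -> Scripts). Because the addresses are created before the group and the group before the policy, the references resolve in order; the ZZ entry is kept on purpose so the Reserved range is blocked along with the listed countries.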

 

Additional Notes:

  • To restrict or allow access from specific countries through an SSL VPN tunnel, refer to the following KB article: Technical Tip: Restricting/allowing SSL VPN access from specific countries using sslvpn settings via....
  • The match-vip option is disabled by default in versions up to 7.2.3. In versions after 7.2.3, it is enabled by default.
  • The set match-vip option is available only when the policy action is set to deny.
  • In addition to firewall policies, geo-blocking can be enforced using local-in policies to prevent unauthorized management or service access to the FortiGate from specific countries on the external interface or any defined source interface.
  • If access control must be based on the registered country of an IP address rather than its physical location, the FortiGate supports Geo-IP matching using IP registration data. This is useful when users connect through VPNs, cloud providers, or international ISPs, where physical location may be misleading. Refer to the following document for configuration details: Matching GeoIP by registered and physical location.
  • An anycast IP can be advertised from multiple locations. This technique is widely used by providers to route users to the nearest server. Because the IP is hosted in multiple geographic locations, it is not possible to specify a single location for that IP. Refer to Recognize anycast addresses in geo-IP blocking for more information.
  • If the device accesses sites hosted behind a Content Delivery Network (CDN) service (for example, Akamai), the DNS responses returned by the CDN may include IP addresses that fall within a geography address object. These addresses may then be used in a firewall policy with a deny action. Depending on the site or CDN provider, the firewall policy configuration may need to be adjusted accordingly.

 

Related articles:

Technical Tip: Identity-based-route

Technical Tip: How FortiGate can block Duolingo in different ways. Blocks web application.

Technical Tip: Disconnecting a member from a cluster

Technical Tip: Commands to verify GeoIP information and troubleshoot GeoIP database 

Technical Tip: Blocking Inbound Access from Specific Country IP Ranges on FortiGate

Technical Tip: How to block VIP access using GEO Location