FortiGate
ssteo
Staff
Article Id 190180

Description

 

This article describes the limited administration access by geography location.

 

Scope

 

FortiGate.

Solution

 

  1. Go to Policy & Objects -> Addresses, select 'Create New' -> Address.

     In this example, a new geography address for the country of Vietnam is created.

  2. The first local-in policy allows the country of Vietnam to connect to the FortiGate via port1.
     In this example, port1 is a WAN interface that can be publicly accessed from the Internet.

config firewall local-in-policy
    edit 0
        set intf port1
        set srcaddr Vietnam
        set dstaddr all
        set service ALL
        set schedule always
        set action accept
    next
end

  3. The second local-in policy blocks any other country from connecting to the FortiGate via port1. In this example, port1 is a WAN interface that can be accessed from the Internet.

config firewall local-in-policy
    edit 0
        set intf port1
        set srcaddr all
        set dstaddr all
        set service ALL
        set schedule always
        set action deny
    next
end
 
  4. Now, only the country of Vietnam can access the FortiGate from the Internet. Policies are evaluated top to bottom, so the accept entry for Vietnam must sit above the deny-all entry.

 

Alternatively, a single local-in policy can be created using the 'Negate' option, which performs the same task. Here is the configuration when using the srcaddr-negate enable option.

 

config firewall local-in-policy
    edit 0
        set intf "port1"
        set srcaddr "Vietnam"
        set srcaddr-negate enable   <----- This command negates the source match: the rule blocks all source addresses except those defined in the "srcaddr" field.
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
        set status enable
    next
end

 

 

When the 'Vietnam' geography address is used in the srcaddr field, RFC 1918 private subnet ranges are not matched by it. For instance, if an administrator tries to access the FortiGate on the LAN port using 192.168.1.99, the connection will be blocked, because a private IP address is not part of the geographical IP ranges of any country.

 

The best option is to put the 'Vietnam' geography address together with the local subnet in an address group, and then use that group in the local-in policy.

 

config firewall address
    edit "Lan"
        set subnet 192.168.1.0 255.255.255.0
    next
end

config firewall address
    edit "Vietnam"
        set type geography
        set country "VN"
    next
end

config firewall addrgrp
    edit "Allowed"
        set member "Lan" "Vietnam"
    next
end

 

The first policy will then look like the following:

 

config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "Allowed"    <----- The address group allowing access from Vietnam and the local LAN.
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
        set status enable
    next
end
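To make the matching behaviour of the three configurations above concrete, here is a small Python simulator of first-match local-in policy evaluation. It is an added example, not Fortinet's code or part of this article: the geography database is a constructed two-prefix table (203.0.113.0/24 standing in for Vietnam, 198.51.100.0/24 for any other country), and the address and policy objects only model the fields the article uses (interface, source address, negate, action). It shows why the deny-all entry is needed, why the negate variant is equivalent, and why a private LAN source is blocked until the address group is used.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the FortiGuard geography database (documentation
# prefixes, not real country allocations).
GEO_DB = {
    "VN": [ipaddress.ip_network("203.0.113.0/24")],   # constructed "Vietnam" range
    "US": [ipaddress.ip_network("198.51.100.0/24")],  # constructed non-Vietnam range
}


@dataclass
class Address:
    """One 'config firewall address' or 'config firewall addrgrp' entry."""
    name: str
    kind: str                       # "all", "subnet", "geography" or "group"
    subnet: Optional[str] = None    # for kind == "subnet"
    country: Optional[str] = None   # for kind == "geography"
    members: List[str] = field(default_factory=list)  # for kind == "group"

    def matches(self, ip: ipaddress.IPv4Address, table: Dict[str, "Address"]) -> bool:
        if self.kind == "all":
            return True
        if self.kind == "subnet":
            return ip in ipaddress.ip_network(self.subnet)
        if self.kind == "geography":
            # Geography addresses are built from public allocations only, so an
            # RFC 1918 source such as 192.168.1.99 never matches any country.
            return any(ip in net for net in GEO_DB.get(self.country, []))
        if self.kind == "group":
            return any(table[m].matches(ip, table) for m in self.members)
        raise ValueError(f"unknown address kind {self.kind!r}")


@dataclass
class LocalInPolicy:
    """One 'config firewall local-in-policy' entry (service/schedule omitted)."""
    intf: str
    srcaddr: str
    action: str                     # "accept" or "deny"
    srcaddr_negate: bool = False    # 'set srcaddr-negate enable'


ADDRESSES: Dict[str, Address] = {
    "all": Address("all", "all"),
    "Vietnam": Address("Vietnam", "geography", country="VN"),
    "Lan": Address("Lan", "subnet", subnet="192.168.1.0/24"),
    "Allowed": Address("Allowed", "group", members=["Lan", "Vietnam"]),
}


def evaluate(policies: List[LocalInPolicy], intf: str, src_ip: str) -> str:
    """First-match evaluation, top to bottom, like the FortiGate local-in table.

    With no matching entry, FortiOS falls through to the interface's allowaccess
    settings, i.e. local-in-policy itself does not block the connection; that is
    why the article adds an explicit deny-all entry after the accept entry.
    """
    ip = ipaddress.ip_address(src_ip)
    for p in policies:
        if p.intf != intf:
            continue
        hit = ADDRESSES[p.srcaddr].matches(ip, ADDRESSES)
        if p.srcaddr_negate:
            hit = not hit
        if hit:
            return p.action
    return "accept"


# Steps 2 and 3 of the article: accept Vietnam on port1, then deny everything else.
TWO_RULE = [
    LocalInPolicy("port1", "Vietnam", "accept"),
    LocalInPolicy("port1", "all", "deny"),
]

# The single-rule alternative: deny every source that is NOT Vietnam.
NEGATED = [LocalInPolicy("port1", "Vietnam", "deny", srcaddr_negate=True)]

# The address-group variant: Vietnam plus the local LAN subnet are accepted.
GROUPED = [
    LocalInPolicy("port1", "Allowed", "accept"),
    LocalInPolicy("port1", "all", "deny"),
]

VARIANTS = {"two_rule": TWO_RULE, "negated": NEGATED, "grouped": GROUPED}


def decide(variant: str, src_ip: str, intf: str = "port1") -> str:
    """Return 'accept' or 'deny' for a source IP under the named configuration."""
    return evaluate(VARIANTS[variant], intf, src_ip)


if __name__ == "__main__":
    for src in ("203.0.113.10", "198.51.100.5", "192.168.1.99"):
        print(src, {name: decide(name, src) for name in VARIANTS})
```

Running it prints, for each source, the decision under all three variants: the constructed Vietnam address is accepted everywhere, the non-Vietnam address is denied everywhere, and 192.168.1.99 is denied by both the two-rule and the negated configuration but accepted once the 'Allowed' group containing 'Lan' is used.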

 

Note:

Starting from FortiGate v7.6.0, the Local-in-Policy can also be configured in the GUI. Refer to this document for reference: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.

 

Related articles:

Technical Tip: How to block a particular country traffic 

Technical Tip: Use local-in policy to restrict unauthorized login attempts to administrative access ...