FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes a scenario where a user wants to block traffic from certain countries to reach the internal server behind FortiGate Lan. The IP belonging to the GEO block country is still able to reach the internal server.
Below are the config:
Virtual IP(VIP) and its policy allowing traffic from Internet interface Wan to Lan, source addr 'ALL'.
GEO block address for the country to be blocked.
Local in policy to block any traffic arriving at WAN interface from the GEO block address.
Scope
FortiGate.
Solution
According to packet life in FortiGate, Destination NAT takes effect at the beginning of the packet process. In the FortiGate kernel, packets are processed in the following order:
DNAT (Virtual IP).
Routing.
Policy lookup.
Session helper.
User authentication.
Device identification.
SSL VPN.
Local management traffic.
Local in policy with action deny will not deny traffic allowed by VIP policy because when Local in policy takes effect, the VIP policy already allows the traffic.
To resolve the issue, create a VIP deny policy and put it on top of the VIP allow policy to block the source GEO block address.
Note:
The destination address of the deny policy should be set to the VIP address, if set to the normal local server IP address, use CLI to enable match-vip 'set match-vip enable' in the deny policy.
The match-vip option is disabled by default until v7.2.3. In versions after 7.2.3, the option is enabled by default.
The 'set match-vip' option is only available if the policy action is set to 'deny'.
The following article explains How to configure block VIP access using the GEO location:
