Article Id 276619

This article describes a scenario where a user wants to block traffic from certain countries from reaching an internal server behind the FortiGate LAN interface. Despite the configuration below, an IP address belonging to the GEO-blocked country is still able to reach the internal server.


Below is the configuration in place:

  • Virtual IP (VIP) and its firewall policy allowing traffic from the Internet interface (WAN) to LAN, with source address 'ALL'.
  • GEO block address for the country to be blocked.
  • Local-in policy to block any traffic arriving at the WAN interface from the GEO block address.

Scope: FortiGate.

According to the packet life cycle in FortiGate, the virtual IP takes effect before the local-in policy. In the FortiGate kernel, a packet is processed in the following order:

1. DNAT (Virtual IP)
2. Routing
3. Policy lookup
4. Session helper
5. User authentication
6. Device identification
7. SSL VPN
8. Local management traffic (local-in policy)

A local-in policy with action deny therefore does not deny traffic allowed by the VIP policy: by the time the local-in policy is evaluated, the VIP policy has already allowed the traffic.


To resolve the issue, create a VIP deny policy with the GEO block address as source and place it above the VIP allow policy.

The destination address of the deny policy should be set to the VIP object. If it is instead set to the internal server's real IP address, use the CLI to enable match-vip ('set match-vip enable') in the deny policy so that the policy is matched against the DNATed traffic.
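As an added example (not configuration from the original article), the CLI below builds the three objects described above and places the deny policy ahead of the VIP allow policy. Interface names (wan1, lan), object names, policy IDs, IP addresses and the country code are assumed placeholders; the match-vip line is only needed when the deny policy's destination is the server's real address rather than the VIP object.

```text
# Assumed GEO block address object (country code XX is a placeholder)
config firewall address
    edit "GEO-Block-XX"
        set type geography
        set country "XX"
    next
end

# Assumed VIP mapping a public address to the internal server
config firewall vip
    edit "Web-Server-VIP"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.0.2.10"
    next
end

config firewall policy
    # Existing allow policy (assumed ID 1): Internet -> internal server via VIP
    edit 1
        set name "Allow-Internet-to-VIP"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "Web-Server-VIP"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next
    # New deny policy (assumed ID 2): GEO block source, VIP as destination
    edit 2
        set name "Deny-GEO-to-VIP"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "GEO-Block-XX"
        set dstaddr "Web-Server-VIP"
        set action deny
        set schedule "always"
        set service "ALL"
        # Only required if dstaddr were the real server IP instead of the VIP
        set match-vip enable
        set logtraffic all
    next
    # Policy lookup is top-down: the deny policy must sit above the allow policy
    move 2 before 1
end
```

With 'set logtraffic all' on the deny policy, blocked connections from the GEO-blocked country appear in the forward traffic log with action deny and policy ID 2, which is the quickest way to confirm the new policy is being hit instead of the allow policy below it.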


Related documents:

Packet flow ingress and egress: FortiGates without network processor offloading

Technical Tip: Firewall does not block incoming (WAN to LAN) connection even though deny policy