FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Dongfang_Li_FTNT
Article Id 276619
Description

This article describes a scenario where a user wants to block traffic from certain countries from reaching an internal server behind the FortiGate LAN. Despite the configuration below, IPs belonging to the GEO-blocked country are still able to access the internal server.


Below are the configs:

  • Virtual IP (VIP) and its policy allowing traffic from the Internet interface (WAN) to LAN, with source address 'all'.
  • GEO block address object for the country to be blocked.
  • Local-in policy to block any traffic arriving at the WAN interface from the GEO block address.
Scope

FortiGate.
Solution

According to the packet life (packet flow) in FortiGate, Destination NAT takes effect at the beginning of packet processing. In the FortiGate kernel, packets are processed in the following order:


  1. DNAT (Virtual IP).
  2. Routing.
  3. Policy lookup.
  4. Session helper.
  5. User authentication.
  6. Device identification.
  7. SSL VPN.
  8. Local management traffic.


A local-in policy with action 'deny' will therefore not deny traffic matched by a VIP policy: by the time local management traffic (step 8) is evaluated, DNAT (step 1) has already translated the packet to the internal server and the VIP policy (step 3) has already allowed it.

To resolve the issue:

  1. Create a GEO address object for the country to be blocked.
  2. Create a firewall policy and set its source address to the GEO address object.
  3. Set the destination address to the VIP.
  4. Set the policy action to 'deny'.
  5. Move the deny policy above the VIP allow policy so that the GEO block source is matched first.




Note:

  • The destination address of the deny policy should be set to the VIP address. If it is set to the real IP address of the internal server instead, use the CLI to enable match-vip in the deny policy ('set match-vip enable').
  • The match-vip option is disabled by default until v7.2.3. In versions after 7.2.3, the option is enabled by default.
  • The 'set match-vip' option is only available if the policy action is set to 'deny'.
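The deny-above-allow policy order from the steps above, together with the match-vip note, as an added CLI example (not part of the original article or of Fortinet's documentation). Interface names 'wan1' and 'lan', the country code 'XX', and the 203.0.113.10 / 192.168.1.10 addresses are constructed placeholders.

```fortios
# GEO address object for the country to be blocked (placeholder code XX).
config firewall address
    edit "GEO_Block_XX"
        set type geography
        set country "XX"
    next
end

# VIP publishing the internal server (constructed addresses).
config firewall vip
    edit "VIP_WebServer"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.10"
    next
end

config firewall policy
    # Deny policy: source is the GEO object, destination is the VIP itself.
    # match-vip is only needed when dstaddr is the real server IP rather
    # than the VIP; it is only settable when action is deny.
    edit 10
        set name "Deny_GEO_XX_to_VIP"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "GEO_Block_XX"
        set dstaddr "VIP_WebServer"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
    # Existing allow policy from the Internet to the VIP (source 'all').
    edit 20
        set name "Allow_WAN_to_VIP"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "VIP_WebServer"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # Policies are evaluated top-down: the deny must sit above the allow.
    move 10 before 20
end
```

With 'set logtraffic all' on the deny policy, blocked GEO hits appear in the forward traffic log with action deny and policy ID 10, which confirms the order is correct.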


The following article explains how to block VIP access using GEO location:

Technical Tip: How to block VIP access using GEO Location


Related documents:

Packet flow ingress and egress: FortiGates without network processor offloading

Technical Tip: Firewall does not block incoming (WAN to LAN) connection even though deny policy
Technical Tip: Local In Policy VS Virtual IP Policy
Technical Tip: Using Virtual IPs to configure port forwarding