Created on 09-28-2023 10:23 PM | Edited on 09-15-2025 10:17 PM | By Jean-Philippe_P
Description
This article describes a scenario where a user wants to block traffic from certain countries from reaching the internal server behind the FortiGate LAN, but an IP address belonging to a GEO-blocked country is still able to access the internal server.
Below are the configs:

Scope
FortiGate.

Solution
According to the life of a packet (packet flow) in FortiGate, Destination NAT takes effect at the beginning of packet processing. In the FortiGate kernel, packets are processed in the following order:
A local policy with action 'deny' will not block traffic that a VIP policy allows, because by the time the local policy is evaluated, the VIP policy has already accepted the traffic. To resolve the issue.
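The ordering effect described above can be seen in a small model of first-match policy evaluation with DNAT applied first. This is an added illustration, not configuration or code from the article or from Fortinet: the country prefixes, VIP mapping, addresses and policy names are all constructed, the GEO lookup is a toy, and the second ordering only shows how first-match evaluation behaves in general; the actual remedy for FortiGate is in the linked Technical Tip, not in this snippet.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample data, not taken from the article: one hypothetical
# blocked country "XX" (modelled as a prefix list) and one hypothetical VIP
# mapping an external address to the internal server.
GEO_BLOCKED = {"XX": [ip_network("203.0.113.0/24")]}
VIP_TABLE = {"198.51.100.10": "10.0.0.10"}   # external -> mapped (internal)


@dataclass
class Packet:
    src: str
    dst: str
    trace: List[str] = field(default_factory=list)


def country_of(ip: str) -> str:
    """Toy GEO lookup: return the country code whose prefixes contain ip."""
    addr = ip_address(ip)
    for cc, nets in GEO_BLOCKED.items():
        if any(addr in net for net in nets):
            return cc
    return "ZZ"   # unknown / not blocked


def dnat(pkt: Packet) -> Packet:
    """Stage 1: destination NAT is applied before any policy lookup."""
    if pkt.dst in VIP_TABLE:
        mapped = VIP_TABLE[pkt.dst]
        pkt.trace.append(f"DNAT {pkt.dst} -> {mapped}")
        pkt.dst = mapped
    return pkt


@dataclass
class Policy:
    name: str
    action: str                      # "accept" or "deny"
    src_geo: Optional[str] = None    # required source country, None = any
    dst: Optional[str] = None        # required post-DNAT destination, None = any

    def matches(self, pkt: Packet) -> bool:
        if self.src_geo is not None and country_of(pkt.src) != self.src_geo:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        return True


def evaluate(pkt: Packet, policies: List[Policy]) -> str:
    """Stage 2: first-match policy lookup on the already-NATed packet."""
    dnat(pkt)
    for pol in policies:
        if pol.matches(pkt):
            pkt.trace.append(f"policy '{pol.name}' -> {pol.action}")
            return pol.action
    pkt.trace.append("implicit deny")
    return "deny"


# Hypothetical policies: an accept policy for the VIP's mapped address and a
# deny policy for sources in the blocked country.
VIP_ACCEPT = Policy("allow-to-vip", "accept", dst="10.0.0.10")
GEO_DENY = Policy("deny-country-XX", "deny", src_geo="XX")


def blocked_country_packet() -> Packet:
    # Constructed: a client in blocked country XX hitting the VIP external address.
    return Packet(src="203.0.113.7", dst="198.51.100.10")


def verdict_geo_deny_after_vip() -> str:
    """The article's scenario: the VIP accept policy matches first, so the
    later deny policy is never evaluated and the blocked country gets through."""
    return evaluate(blocked_country_packet(), [VIP_ACCEPT, GEO_DENY])


def verdict_geo_deny_before_vip() -> str:
    """Generic first-match illustration only: a deny evaluated ahead of the
    VIP accept policy stops the same packet."""
    return evaluate(blocked_country_packet(), [GEO_DENY, VIP_ACCEPT])


if __name__ == "__main__":
    for order in ([VIP_ACCEPT, GEO_DENY], [GEO_DENY, VIP_ACCEPT]):
        pkt = blocked_country_packet()
        result = evaluate(pkt, order)
        print([p.name for p in order], "=>", result, "|", "; ".join(pkt.trace))
```

Running the script prints the verdict and the per-stage trace for both orderings; the trace makes visible that DNAT has already rewritten the destination before any policy is consulted, and that in the first ordering the deny policy never appears in the trace at all.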
Note:
The following article explains how to block VIP access using GEO location: Technical Tip: How to block VIP access using GEO Location

Related documents:
Packet flow ingress and egress: FortiGates without network processor offloading
Technical Tip: Firewall does not block incoming (WAN to LAN) connection even though deny policy
Copyright 2025 Fortinet, Inc. All Rights Reserved.