alwis
Staff
Article Id 345558
Description: This article describes an issue where a local-in policy that is configured to block addresses from a certain country (GeoIP address object) does not work as expected.
Scope: FortiGate.
Solution:

Refer to the local-in policy configured below:

config firewall local-in-policy
    edit 1
        set uuid c1326b62-ab02-51ee-ab9b-3751cf89892a
        set intf "port1"
        set srcaddr "Country RU"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end

The block would be expected to work, but because the registered country of the source address differs from its physical location, access still works.


Example:

diagnose firewall ipgeo ip2country 62.233.39.35
62.233.39.35 is in country: NL, registered country is RU, is not anycast ip.


The registered country of this address is Russia (RU), but its physical location is the Netherlands (NL). The country of the physical location (Netherlands) must therefore also be added to the source address of the local-in policy. The GeoIP-match option that selects between physical and registered location is only supported in normal firewall policies, not in local-in policies, so a local-in policy matches on the physical location only.
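To apply this check to more than one address, the following added helper (not part of the article or of FortiOS) parses the output lines of `diagnose firewall ipgeo ip2country`, collects every physical-location country seen for addresses registered in the country being blocked, and renders the geography address objects plus the local-in policy that lists all of them in `srcaddr`. The sample output lines are constructed for the example (the first one is the article's own); the policy id, interface name and the explicit `set action deny` are assumptions, and the wording of the anycast field when an address is anycast is assumed to be "is anycast ip".

```python
import re
from dataclasses import dataclass

# One output line of "diagnose firewall ipgeo ip2country <ip>", in the format shown in
# the article. The wording for a true anycast result ("is anycast ip") is an assumption.
_IP2COUNTRY_RE = re.compile(
    r"^(?P<ip>\S+) is in country: (?P<physical>\S+), "
    r"registered country is (?P<registered>\S+), "
    r"is (?P<not_anycast>not )?anycast ip\.?$"
)

# Constructed sample: the article's line plus three made-up lookups (TEST-NET ranges).
SAMPLE_LINES = [
    "62.233.39.35 is in country: NL, registered country is RU, is not anycast ip.",
    "192.0.2.10 is in country: RU, registered country is RU, is not anycast ip.",
    "198.51.100.7 is in country: DE, registered country is RU, is not anycast ip.",
    "203.0.113.5 is in country: US, registered country is US, is not anycast ip.",
]


@dataclass(frozen=True)
class GeoLookup:
    ip: str
    physical: str      # country of the physical location (what local-in policy matches on)
    registered: str    # country the address block is registered in
    anycast: bool


def parse_ip2country(line: str) -> GeoLookup:
    """Parse one ip2country output line; raise on anything that does not match."""
    m = _IP2COUNTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ip2country output: {line!r}")
    return GeoLookup(m["ip"], m["physical"], m["registered"], m["not_anycast"] is None)


def countries_to_block(lines, registered_country: str) -> set:
    """Country codes the local-in policy must list in srcaddr so that every sampled
    address registered in `registered_country` is blocked. Because a local-in policy
    matches on physical location only, each differing physical country is added too."""
    needed = {registered_country}
    for line in lines:
        lk = parse_ip2country(line)
        if lk.registered == registered_country and lk.physical != registered_country:
            needed.add(lk.physical)
    return needed


def render_cli(policy_id: int, intf: str, countries) -> str:
    """Render the geography address objects and a deny local-in policy listing them all.
    Object naming ("Country XX") follows the article; policy id and interface are inputs."""
    codes = sorted(countries)
    out = ["config firewall address"]
    for cc in codes:
        out += [f'    edit "Country {cc}"', "        set type geography",
                f'        set country "{cc}"', "    next"]
    out += ["end", "config firewall local-in-policy", f"    edit {policy_id}",
            f'        set intf "{intf}"',
            "        set srcaddr " + " ".join(f'"Country {cc}"' for cc in codes),
            '        set dstaddr "all"', '        set service "ALL"',
            '        set schedule "always"', "        set action deny",  # explicit, assumed
            "    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_cli(1, "port1", countries_to_block(SAMPLE_LINES, "RU")))
```

Run it with the real output of the diagnose command pasted into `SAMPLE_LINES` (or read from a file) and compare the rendered `srcaddr` list with the policy currently configured; any country that appears in the rendered list but not in the policy is one whose addresses will still reach the FortiGate.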


Related articles:

Technical Tip: Commands to verify GeoIP information and troubleshoot GeoIP database

Technical Tip: Registered location and physical location of IP addresses