FortiGate
raksshaya
Staff
Article Id 389714
Description The article focuses on resolving issues with GeoIP-based policies in VIP configurations where traffic is unexpectedly allowed, even outside the defined geographical locations, due to a mismatch between registered and physical IP locations.
Scope FortiGate.
Solution

A typical setup configures a VIP to forward traffic to an internal server. The firewall policy is then created with the VIP as the destination and a GeoIP filter applied on the source address.

However, users from outside the intended geographic region are still able to access the service even though the GeoIP filter is configured. This is caused by a mismatch between the registered location and the physical location of the source IP address: when the two differ, the traffic is not caught by the geographic restriction and passes through the firewall.

In FortiGate, the geoip-match setting controls which IP location attribute a policy uses to match traffic:

  • physical-location matches the actual physical location of the IP address.
  • registered-location matches the country where the IP address is officially registered.

In this example, geography addresses for India and Saudi Arabia are configured as the source of the policy, so only traffic originating from India and Saudi Arabia is intended to reach the internal service.

[Screenshot: firewall policy with the VIP as destination and the India and Saudi Arabia geography addresses as source]

However, users from other regions might still be able to access the internal service. To ensure that only users in the specified regions can reach it, the policy must explicitly match the physical location of the source IP address. Set geoip-match to physical-location on the policy so that the geographic restriction is enforced on where the address actually is, not on where it is registered.

Edit the policy in CLI and configure as below:

config firewall policy
    edit <policy-id> <----- Here mention the policy ID.
        set geoip-match physical-location
    next
end

This solution blocks traffic from unauthorized regions, preventing bypasses of the GeoIP-based policy.
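The full configuration the article describes, as an added example that is not part of the original article: the two geography addresses, the VIP, and a policy that uses them with geoip-match set to physical-location. All object names, interface names, IP addresses and the policy ID are constructed placeholders; the only setting the article itself prescribes is the geoip-match line.

```fortios
# Added example, not from the original article. Names, interfaces,
# addresses and the policy ID are placeholders; adjust to the deployment.

# Geography addresses, one per allowed country (ISO two-letter codes)
config firewall address
    edit "geo-India"
        set type geography
        set country "IN"
    next
    edit "geo-Saudi-Arabia"
        set type geography
        set country "SA"
    next
end

# VIP forwarding TCP/443 on the WAN address to the internal server
config firewall vip
    edit "vip-internal-web"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.10.10.20"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

# Inbound policy: source limited to the two geography addresses and
# matched on the physical location of the source IP, which is the
# setting this article adds to close the registered/physical mismatch.
config firewall policy
    edit 10
        set name "inbound-web-geo"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "geo-India" "geo-Saudi-Arabia"
        set dstaddr "vip-internal-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set geoip-match physical-location
        set logtraffic all
    next
end
```

With logtraffic enabled on the policy, a session from a source whose registered country is on the allow list but whose physical location is not should now appear as denied (or as matched by a later deny policy) rather than accepted, which is the quickest way to confirm the change took effect.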