Article Id 199805

This article describes how to restrict HTTPS access to the WAN interface from certain countries by configuring a local-in policy.

Scope: FortiGate.

Make sure internal or console access to the FortiGate is available before configuring the local-in policy, since a local-in policy that does not match the administrator's own source address will block remote administration from the WAN.

Pre-configuration: administrative access on the WAN interface.


# config system interface
  edit "WAN"
    set vdom "root"
    set ip
    set allowaccess https <----- HTTPS administrative access is enabled on the WAN interface.
    set type physical
  next
end


Configure the Firewall address object.


1) Go to Policy & Objects -> Addresses and create a new Address.

- Select Type as Geography.

- Select Country/Region.




Firewall address object CLI configuration.


# config firewall address
    edit "Allow-Access-Geo"
        set type geography
        set country "US"
    next
end


2) Configure the local-in policy from the CLI (local-in policies can only be created or edited from the CLI).


# config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allow-Access-Geo"
        set srcaddr-negate enable   <----- Enable source address negate: if the source IP is NOT in 'Allow-Access-Geo', access is blocked.
        set dstaddr "all"
        set service "HTTPS"         <----- Select the service.
        set schedule "always"
    next                            <----- 'action' is left at its default of deny.
end


Testing the HTTPS access.


1) Test access from a blocked country (x.x.x.x is the WAN interface IP address):


telnet x.x.x.x 443


2) On the FortiGate, enable the debug flow.


# diagnose debug flow filter dport 443
# diagnose debug flow filter proto 6
# diagnose debug enable
# diagnose debug flow trace start 10


3) The debug flow output shows that the traffic is dropped by local-in policy 1.


id=20085 trace_id=1 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6,> from wan1. flag [S], seq 2359949110, ack 0, win 65535"
id=20085 trace_id=1 func=init_ip_session_common line=5918 msg="allocate a new session-003741d4"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2615 msg="find a route: flag=80000000 gw- via root"
id=20085 trace_id=1 func=fw_local_in_handler line=474 msg="iprope_in_check() check failed on policy 1, drop"


4) To verify the logs, navigate to Log & Report -> Local Traffic.

Filter by service 'HTTPS'.
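When a trace is long or several traces are captured at once, it helps to parse the debug flow output rather than read it line by line. The following added example (not part of this article or of FortiOS) parses the key=value format of the output above, groups lines by trace_id, and reports which traces fw_local_in_handler dropped and by which policy. The sample lines are constructed, modelled on the trace shown above, with a second made-up trace that is not dropped.

```python
import re
from collections import defaultdict

# Constructed sample of "diagnose debug flow" output: trace 1 mirrors the drop
# shown above (local-in policy 1 on wan1); trace 2 is a made-up flow that is not dropped.
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6,203.0.113.5:51234->198.51.100.1:443) from wan1. flag [S], seq 2359949110, ack 0, win 65535"
id=20085 trace_id=1 func=init_ip_session_common line=5918 msg="allocate a new session-003741d4"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2615 msg="find a route: flag=80000000 gw- via root"
id=20085 trace_id=1 func=fw_local_in_handler line=474 msg="iprope_in_check() check failed on policy 1, drop
id=20085 trace_id=2 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6,192.0.2.10:40000->198.51.100.1:443) from wan1. flag [S], seq 1, ack 0, win 65535"
id=20085 trace_id=2 func=init_ip_session_common line=5918 msg="allocate a new session-003741d5"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2615 msg="find a route: flag=80000000 gw- via root"
"""

# One key=value token. A quoted value may contain spaces and '=' and may be
# unterminated (the drop line above ends without a closing quote).
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"?|\S+)')
DROP_RE = re.compile(r'iprope_in_check\(\) check failed on policy (\d+), drop')
INTF_RE = re.compile(r'\) from (\S+)\.')   # "... packet(...) from wan1. flag ..."

def parse_line(line):
    """Return the key=value fields of one debug flow line as a dict."""
    fields = {}
    for key, value in TOKEN_RE.findall(line):
        if value.startswith('"'):
            value = value[1:]
            if value.endswith('"'):
                value = value[:-1]
        fields[key] = value
    return fields

def local_in_drops(text):
    """Map trace_id -> {"policy": id, "interface": ingress interface} for every
    trace that fw_local_in_handler dropped; traces that were not dropped are omitted."""
    traces = defaultdict(dict)
    for line in text.splitlines():
        f = parse_line(line)
        tid = f.get("trace_id")
        if tid is None:
            continue
        msg = f.get("msg", "")
        m = INTF_RE.search(msg)
        if m:
            traces[tid]["interface"] = m.group(1)
        d = DROP_RE.search(msg)
        if d and f.get("func") == "fw_local_in_handler":
            traces[tid]["policy"] = int(d.group(1))
    return {tid: {"policy": t["policy"], "interface": t.get("interface")}
            for tid, t in traces.items() if "policy" in t}

if __name__ == "__main__":
    for tid, info in local_in_drops(SAMPLE_FLOW).items():
        print(f"trace {tid}: dropped by local-in policy {info['policy']} on {info['interface']}")
```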


Related Articles:

Local-in policies

Technical Tip: Firewall Policy 'Negate' option