alwis (Staff)
Description

This article describes how to restrict HTTPS administrative access to the WAN interface to specific countries by configuring a local-in policy.

Scope
Solution

Note:
Have internal or console access to the FortiGate before configuring the local-in policy, because a mistake in the policy can block your own HTTPS administrative access through the WAN interface.

Pre-configuration: administrative access on the WAN interface.

# config system interface
  edit "WAN"
    set vdom "root"
    set ip 192.168.1.99 255.255.252.0
    set allowaccess https <----- HTTPS must be enabled here; the local-in policy then restricts who can reach it.
    set type physical
  next
end

Configure the firewall address object.

1) Go to Policy & Objects -> Addresses and create a new address:

- Select Type: Geography.

- Select the Country/Region whose sources should keep access (US in this example).

(Screenshot: new address object with Type set to Geography and the Country/Region selected.)

Firewall address object CLI configuration:

# config firewall address
    edit "Allow-Access-Geo"
        set type geography
        set country "US"
    next
end

2) Configure the local-in policy from the CLI (local-in policies can only be created or edited from the CLI):

# config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allow-Access-Geo"
        set srcaddr-negate enable   <----- Negate the source address: the policy now matches sources that are NOT in 'Allow-Access-Geo', and those connections are blocked.
        set dstaddr "all"
        set service "HTTPS"         <----- Select the service to restrict.
        set schedule "always"
    next
end

No action is set in this policy, so it uses the local-in policy default action, which is deny.
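The interaction between the geography address, srcaddr-negate and the default deny action is easy to get backwards, and getting it backwards is exactly what locks an administrator out. The following added example (Python, written for this article; it is not FortiGate code or Fortinet's implementation) models the local-in decision for a single policy so the logic can be checked before it is applied. The geo table GEO_DB is constructed from RFC 5737 documentation prefixes, the policy dictionary LOCAL_IN_POLICY mirrors the CLI above, and the fall-through to "accept" when no local-in policy matches (leaving the decision to allowaccess) is an assumption of the model. It also shows an edge case the article does not spell out: a source the geo database cannot classify is not in the US object either, so with negate enabled it is blocked too.

```python
import ipaddress

# Constructed stand-in for the FortiGuard geography database. Prefixes are the
# RFC 5737 documentation ranges; the country mapping is invented for this model.
GEO_DB = {
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "DE",
    "192.0.2.0/24": "BR",
}


def country_of(ip: str):
    """Return the ISO country code for an IP, or None if the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_DB.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return None


# Model of the article's local-in policy 1. Assumption: the article sets no
# 'action', so the FortiOS default for local-in policies (deny) applies.
LOCAL_IN_POLICY = {
    "id": 1,
    "intf": "wan1",
    "srcaddr_countries": {"US"},   # the "Allow-Access-Geo" geography object
    "srcaddr_negate": True,
    "service_ports": {443},        # the "HTTPS" service
    "action": "deny",
}


def policy_matches(policy, src_ip, dst_port, intf):
    """True if the packet's interface, service and (possibly negated) source all match."""
    if intf != policy["intf"] or dst_port not in policy["service_ports"]:
        return False
    in_srcaddr = country_of(src_ip) in policy["srcaddr_countries"]
    # srcaddr-negate flips the source test: the policy applies to sources NOT in the object.
    return (not in_srcaddr) if policy["srcaddr_negate"] else in_srcaddr


def local_in_verdict(policies, src_ip, dst_port, intf="wan1"):
    """First matching policy decides; with no match the packet falls through to
    the interface's allowaccess setting, modelled here as ('accept', None)."""
    for p in policies:
        if policy_matches(p, src_ip, dst_port, intf):
            return p["action"], p["id"]
    return "accept", None


def lockout_check(policies, admin_ip, port=443):
    """Pre-flight check: would the administrator's own source still reach HTTPS?"""
    verdict, _ = local_in_verdict(policies, admin_ip, port)
    return verdict == "accept"


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.5", "100.64.0.1"):
        print(ip, country_of(ip), local_in_verdict([LOCAL_IN_POLICY], ip, 443))
    print("admin from 203.0.113.9 keeps HTTPS:", lockout_check([LOCAL_IN_POLICY], "203.0.113.9"))
```

Run lockout_check with the address you actually administer from before committing the policy; if it returns False, that address is not covered by the geography object and the CLI session over the WAN would be cut off. Services other than the one named in the policy (SSH on port 22, for instance) are untouched by this policy, which the verdict for port 22 confirms.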

Test the HTTPS access.

1) Test access from a blocked country (x.x.x.x is the FortiGate WAN interface IP):

telnet x.x.x.x 443

2) On the FortiGate, enable debug flow for TCP traffic to port 443:

# diagnose debug flow filter dport 443
# diagnose debug flow filter proto 6
# diagnose debug enable
# diagnose debug flow trace start 10

3) The debug flow output shows that the traffic is dropped by local-in policy 1:

id=20085 trace_id=1 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 1.1.1.1:55105->192.168.2.104:443) from wan1. flag [S], seq 2359949110, ack 0, win 65535"
id=20085 trace_id=1 func=init_ip_session_common line=5918 msg="allocate a new session-003741d4"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2615 msg="find a route: flag=80000000 gw-192.168.2.104 via root"
id=20085 trace_id=1 func=fw_local_in_handler line=474 msg="iprope_in_check() check failed on policy 1, drop
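Reading a few debug flow lines by eye is fine for one test, but when verifying a policy against several source countries it helps to extract the packet tuple and the drop reason programmatically. The following added example (Python, written for this article; not FortiGate tooling) parses debug flow output, groups the lines by trace_id and reports every trace that fw_local_in_handler dropped together with the policy number. The sample SAMPLE_DEBUG_FLOW is constructed from the lines shown above; the regular expressions PKT_RE and LOCAL_IN_DROP_RE and the function names are this example's own.

```python
import re

# Constructed sample, modelled on the article's debug flow output above.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 1.1.1.1:55105->192.168.2.104:443) from wan1. flag [S], seq 2359949110, ack 0, win 65535"
id=20085 trace_id=1 func=init_ip_session_common line=5918 msg="allocate a new session-003741d4"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2615 msg="find a route: flag=80000000 gw-192.168.2.104 via root"
id=20085 trace_id=1 func=fw_local_in_handler line=474 msg="iprope_in_check() check failed on policy 1, drop"
"""

# Packet detail line: protocol, source/destination socket pair and ingress interface.
PKT_RE = re.compile(
    r'trace_id=(?P<trace>\d+) func=print_pkt_detail .*?'
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<intf>\S+)\.'
)

# Local-in handler line that names the policy responsible for the drop.
LOCAL_IN_DROP_RE = re.compile(
    r'trace_id=(?P<trace>\d+) func=fw_local_in_handler .*?'
    r'check failed on policy (?P<policy>\d+), drop'
)


def parse_debug_flow(text):
    """Group debug flow lines by trace_id, keeping the packet tuple and any local-in drop."""
    traces = {}
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            t = traces.setdefault(m["trace"], {})
            t.update(proto=int(m["proto"]), src=m["src"], sport=int(m["sport"]),
                     dst=m["dst"], dport=int(m["dport"]), intf=m["intf"])
            continue
        m = LOCAL_IN_DROP_RE.search(line)
        if m:
            t = traces.setdefault(m["trace"], {})
            t["local_in_drop_policy"] = int(m["policy"])
    return traces


def local_in_drops(text):
    """Return (src, dst, dport, intf, policy_id) for every trace dropped by a local-in policy."""
    drops = []
    for t in parse_debug_flow(text).values():
        if "local_in_drop_policy" in t:
            drops.append((t["src"], t["dst"], t["dport"], t["intf"], t["local_in_drop_policy"]))
    return drops


if __name__ == "__main__":
    for src, dst, dport, intf, policy in local_in_drops(SAMPLE_DEBUG_FLOW):
        print(f"{src} -> {dst}:{dport} on {intf} dropped by local-in policy {policy}")
```

Feed it the saved output of diagnose debug flow after testing from each country you expect to be blocked and each you expect to be allowed: every blocked source should appear in local_in_drops with the policy number you configured, and an allowed source should produce a trace with no local-in drop entry.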

4) To verify the logs, go to Log & Report -> Local Traffic and filter by service 'HTTPS'.

 

Related Articles:

Local-in policies

Technical Tip: Firewall Policy 'Negate' option
