Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
alwis
Staff
Staff

Created on ‎11-28-2021 11:25 PM Edited on ‎12-04-2022 11:57 PM By Community Manager

Article Id 199805

Technical Tip: Restrict HTTPS access from certain countries by using local-in-policy

Description

This article describes how to restrict HTTPS access from certain countries to the WAN interface by configuring local-in Policy.
Scope FortiGate.
Solution

Note.
Have internal access or console before configuring local in policy

Pre-configuration on WAN interface Administrative Access.

 

# config system interface
  edit "WAN"
    set vdom "root"
    set ip 192.168.1.99 255.255.252.0
    set allowaccess https <-----
    set type physical
  next
end

 

Configure the Firewall address object.

 

1) Go to Policy & Object -> Addresses and create new Address.

- Select Type as Geography.

- Select Country/Region.

 

alwis_0-1638108143436.png

 

Firewall Address Object Cli Configuration.

 

# config firewall address
    edit "Allow-Access-Geo"
        set type geography
        set country "US"
    next
end

 

2) To configure a local-in policy from CLI (Local-in policies can only be created or edited from CLI).

 

# config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allow-Access-Geo"
        set srcaddr-negate enable   <----- Enable source address Negate, if IP address NOT from 'Allow-Access-Geo' access will be block.
        set dstaddr "all"
        set service "HTTPS”     <----- Select service.
        set schedule "always"
    next
end

 

To test the HTTPS access.

 

1) Test access from blocked country:

 

telnet x.x.x.x 443

 

2) On the FortiGate, enable debug flow.

 

# diagnose debug flow filter dport 443
# diagnose debug flow filter proto 6
# diagnose de enable
# diagnose de flow trace start 10

   

3)  Output Of the debug flow shows that traffic is dropped by local-in policy 1.

 

id=20085 trace_id=1 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 1.1.1.1:55105->192.168.2.104:443) from wan1. flag [S], seq 2359949110, ack 0, win 65535"
id=20085 trace_id=1 func=init_ip_session_common line=5918 msg="allocate a new session-003741d4"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2615 msg="find a route: flag=80000000 gw-192.168.2.104 via root"
id=20085 trace_id=1 func=fw_local_in_handler line=474 msg="iprope_in_check() check failed on policy 1, drop

 

4) To verify the logs, navigate Log & Report -> Local Traffic.

Filter by service 'HTTPS'.

 

Related Article:

Local-in policies

Technical Tip: Firewall Policy 'Negate' option 
Labels:
16801
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.