FortiGate
alwis
Staff
Article Id 199805
Description: This article describes how to restrict HTTPS access to the WAN interface from certain countries by configuring a local-in policy.
Scope: FortiGate.
Solution

Note: Have internal or console access to the FortiGate before configuring the local-in policy, so that a mistake in the policy does not lock out management access.

Pre-configuration: administrative access on the WAN interface.

 

config system interface
    edit "WAN"
        set vdom "root"
        set ip 192.168.1.99 255.255.252.0
        set allowaccess https     <----- HTTPS administrative access is enabled on the WAN interface.
        set type physical
    next
end

 

Configure the Firewall address object.

 

  1. Go to Policy & Objects -> Addresses and create a new Address.
  • Select Type as Geography.
  • Select the Country/Region.

 


 

Firewall address object CLI configuration.

 

config firewall address
    edit "Allow-Access-Geo"
        set type geography
        set country "US"
    next
end

 

  2. Configure the local-in policy from the CLI. (Local-in policies can only be created or edited from the CLI; starting from FortiGate v7.6.0, the local-in policy can also be configured in the GUI. Refer to this document for reference: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.)

     

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Allow-Access-Geo"
        set srcaddr-negate enable   <----- Enable source address negate: connections from IP addresses NOT in 'Allow-Access-Geo' are blocked.
        set dstaddr "all"
        set service "HTTPS"         <----- Select the service.
        set schedule "always"
    next
end

 

Note:

In this example the service uses the default HTTPS port 443. If HTTPS administrative access uses a different port, create a new 'service' object for that port and add it to the local-in policy's service.

 

  3. Test the HTTPS access.

 

Test access from blocked country:

 

telnet x.x.x.x 443

 

  1. On the FortiGate, enable debug flow.

     

    diagnose debug flow filter dport 443
    diagnose debug flow filter proto 6
    diagnose de enable
    diagnose de flow trace start 10

       

     

  2. The debug flow output shows that the traffic is dropped by local-in policy 1.

     

    id=20085 trace_id=1 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 1.1.1.1:55105->192.168.2.104:443) from wan1. flag [S], seq 2359949110, ack 0, win 65535"
    id=20085 trace_id=1 func=init_ip_session_common line=5918 msg="allocate a new session-003741d4"
    id=20085 trace_id=1 func=vf_ip_route_input_common line=2615 msg="find a route: flag=80000000 gw-192.168.2.104 via root"
    id=20085 trace_id=1 func=fw_local_in_handler line=474 msg="iprope_in_check() check failed on policy 1, drop
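As an added example (not part of the original article), a small Python parser for the debug-flow output above: it groups lines by trace_id, extracts the packet tuple and ingress interface, and reports which source addresses were dropped by which local-in policy, so the verdict can be checked mechanically across many traces instead of by eye. The log lines embedded in it are constructed to mirror the article's output (placeholder IPs).

```python
import re

# Constructed sample modelled on the article's debug-flow output (placeholder IPs,
# not a real capture); trace 2 never reaches fw_local_in_handler.
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 1.1.1.1:55105->192.168.2.104:443) from wan1. flag [S], seq 2359949110, ack 0, win 65535"
id=20085 trace_id=1 func=init_ip_session_common line=5918 msg="allocate a new session-003741d4"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2615 msg="find a route: flag=80000000 gw-192.168.2.104 via root"
id=20085 trace_id=1 func=fw_local_in_handler line=474 msg="iprope_in_check() check failed on policy 1, drop
id=20085 trace_id=2 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 198.51.100.7:40112->192.168.2.104:443) from wan1. flag [S], seq 1, ack 0, win 65535"
id=20085 trace_id=2 func=init_ip_session_common line=5918 msg="allocate a new session-003741d5"
"""

# One debug-flow line: trace id, handler function and the quoted message
# (the closing quote is optional because pasted output is often cut short).
LINE_RE = re.compile(r'trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>.*?)"?\s*$')
# The 5-tuple and ingress interface printed by print_pkt_detail.
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+),\s*(?P<src>[\d.]+):(?P<sport>\d+)'
                    r'->(?P<dst>[\d.]+):(?P<dport>\d+)\)\s+from\s+(?P<intf>\S+)\.')
# The local-in verdict printed by fw_local_in_handler.
VERDICT_RE = re.compile(r'iprope_in_check\(\) check failed on policy (?P<policy>\d+), (?P<verdict>\w+)')


def parse_debug_flow(text):
    """Group lines by trace_id; record the ingress packet and any local-in verdict."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        t = traces.setdefault(m['trace'], {'ingress': None, 'policy': None, 'verdict': None})
        if m['func'] == 'print_pkt_detail':
            p = PKT_RE.search(m['msg'])
            if p:
                t['ingress'] = p.groupdict()
        elif m['func'] == 'fw_local_in_handler':
            v = VERDICT_RE.search(m['msg'])
            if v:
                t['policy'], t['verdict'] = int(v['policy']), v['verdict']
    return traces


def local_in_drops(text, dport='443'):
    """(source IP, local-in policy id) for every trace to dport that local-in dropped."""
    return [(t['ingress']['src'], t['policy'])
            for t in parse_debug_flow(text).values()
            if t['ingress'] and t['ingress']['dport'] == dport and t['verdict'] == 'drop']
```

Run it against a saved `diagnose debug flow` capture to confirm that only sources outside the geography address object are reported as dropped by policy 1.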

     

     

  3. To verify the logs, go to Log & Report -> Local Traffic and filter by service 'HTTPS'.

     

     

Related documents:

Local-in policies

Technical Tip: Firewall Policy 'Negate' option