Technical Tip: Setup website restriction by GeoIP using 1 Webserver with X vhosts

ManoelMartins · ‎03-27-2025

Description

This article describes a way to restrict the Access from an IP address range to websites according to the FQDN, which is hosted on only one Web Server with vhosts behind the FortiGate.

Scope

The LAB was built on FortiGate v7.4.4, but should be applied on any newest firmware versions.

Solution

Use of Virtual Servers configuration.

In this case, there is no certificate, and port 80 is used to simplify the lab and the understanding of how the dynamic works.

Topology/diagram:

Topology/Diagram

The External Devices Ext_PC_1, Ext_PC_2, and FortiGate WAN interface are using a Private IP address to represent the Public addresses:

The GeoIP_Y address object represents the GeoIP_China.
The GeoIP_X address object represents the GeoIP_Argentina.

The host file was used to have the name resolution for the External Devices to simulate a Public DNS database.

To accomplish this goal, it is necessary to segment the approach to better understand:

Restrict access by GeoIP.

Create an Addresses object with the Type Geography and the country as needed.

GeoIP objects

Create a Virtual Server (this article will not approach the VS creation).

VS config

If it is necessary to have a certificate (SSL), it is also required to create also VS for each website to match the certificate SNI (another topic).

Create a Policy with the respective GeoIP.

Policies

Create a Webfilter to allow a website and block the others.

Create a Webfilter for each Website.

Webfilter website1

Website 1:

Webfilter website2

The results:

From China:

Website1 from China

From Argentina:

Website 2 from Argentina

Related documents:

Technical Tip: Configure a virtual server

Geography based addresses

Static URL filter

Technical Tip: Setup website restriction by GeoIP using 1 Webserver with X vhosts

You are leaving our website