FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
CarlosColombini
Article Id 286180
Description

 

This article describes a possible cause of ZTNA proxy policies or ZTNA firewall policies failing to match traffic when a Geography IP address object is used as the source address.

Geography address objects are commonly used to restrict access to certain countries for certain features in FortiOS, such as SSL VPN, firewall policies and local-in policies. Administrators may also leverage GeoIP objects to restrict access in ZTNA policies, since those objects are available for selection there.

However, when a GeoIP address is set as the source address of a ZTNA policy, traffic sourced from an IP address that matches the country specified in the Geography object will still fail to match the policy in question.

As an example, consider the ZTNA proxy policy below, where the source address is set to the regular firewall address object 'all'.

config firewall proxy-policy
    edit 8
        set name "Colombas Servers"
        set proxy access-proxy
        set access-proxy "Colombas"
        set srcintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "LAN1" "wildcard_dropbox"
        set ztna-ems-tag "EMS1_ZTNA_ZTNA-Challenge-HTTPS" "EMS1_ZTNA_Win11-Protected"
        set ztna-tags-match-logic and
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "ZTNA-SAML-Escalations-Azure"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "Development-AV"
        set ips-sensor "g-default"
    next
end


The command below shows the same ZTNA proxy policy, ID 8, installed in the backend. Note that source(1) covers the full range 0.0.0.0-255.255.255.255, which corresponds to the 'all' object:

diagnose firewall iprope list 100017 | grep -A15 index=8

policy index=8 uuid_idx=16114 action=accept
flag (8810009): log redir master nlb pol_stats
flag3 (80000000):
schedule(always)
cos_fwd=0  cos_rev=0
group=00100017 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=30
zone(2): 3 4 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15752,
dest(1): 192.168.10.43-192.168.10.43, uuid_idx=0,
service(1):
        [6:0x0:1051/(0,65535)->(8887,8887)] flags:0 helper:auto

 

If the source address is instead set to the Geography address object below, the policy is removed from the backend.

config firewall address
    edit "Canada"
        set uuid fe7fe430-c053-51ed-54c6-7638e3a6fed3
        set type geography
        set country "CA"
    next
end

FGT1-A (root) # config firewall proxy-policy
FGT1-A (proxy-policy) #     edit 8
FGT1-A (8) # set srcaddr Canada
FGT1-A (8) # end

The same diagnose command now returns no entry for index=8:

FGT1-A (root) # diagnose firewall iprope list 100017 | grep -A20 index=8
FGT1-A (root) #


Because the policy has been removed from the backend, traffic will no longer match it, even though the policy is still visible in the GUI.

Scope

FortiGate v7.0+, v7.2+, v7.4+.

 

Solution

Geography IP address objects are not supported in ZTNA proxy policies and ZTNA firewall policies.
In FortiOS v7.4.1+, the Geography address object type is filtered out of the address selection for ZTNA firewall policies, but it is still available in the ZTNA proxy policy type.

Note:
This is being tracked by internal ticket ID 855123.
GeoIPv6 is tracked by internal ticket ID 894580.

The solution is to remove any GeoIP address object from ZTNA policies.
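As an added check (this is example code, not Fortinet's), the script below audits an exported FortiOS configuration for exactly this condition before it silently drops a policy from the backend: it parses the config/edit/set/next/end CLI syntax, collects address objects with 'set type geography', and reports ZTNA proxy policies ('set proxy access-proxy') and ZTNA firewall policies whose srcaddr contains one of them. SAMPLE_CONFIG is constructed from the article's objects plus a regular (non-ZTNA) firewall policy for contrast, since GeoIP objects remain valid there. Two assumptions are labelled in the code: 'set ztna-status enable' is taken as the marker of a ZTNA firewall policy, and the IPv6 address table is checked with the same 'geography' type keyword.

```python
# Added example (not Fortinet code): audit a FortiOS config dump for
# Geography (GeoIP) address objects used as the source of ZTNA policies.
import shlex


def parse_fortios_config(text):
    """Parse the config/edit/set/next/end subset of FortiOS CLI syntax into
    {section path: {entry id: {set key: [value tokens]}}}, e.g.
    {"firewall proxy-policy": {"8": {"srcaddr": ["Canada"]}}}.
    Config blocks nested inside an entry are skipped (not needed here)."""
    sections = {}
    stack = []      # open top-level section paths
    entry = None    # (section path, entry id) currently being edited
    nested = 0      # depth of config blocks nested inside an entry
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)   # keeps "quoted values with spaces" together
        kw = tokens[0]
        if nested:                   # inside a nested block: only track depth
            nested += 1 if kw == "config" else -1 if kw == "end" else 0
            continue
        if kw == "config":
            if entry is not None:
                nested = 1
            else:
                stack.append(" ".join(tokens[1:]))
                sections.setdefault(stack[-1], {})
        elif kw == "edit" and stack:
            entry = (stack[-1], tokens[1])
            sections[stack[-1]].setdefault(tokens[1], {})
        elif kw == "set" and entry is not None:
            sections[entry[0]][entry[1]][tokens[1]] = tokens[2:]
        elif kw == "next":
            entry = None
        elif kw == "end" and stack:
            stack.pop()
            entry = None
    return sections


def geography_objects(cfg):
    """Names of address objects with 'set type geography'. Checking the
    address6 table with the same type keyword is an assumption."""
    return {name
            for table in ("firewall address", "firewall address6")
            for name, attrs in cfg.get(table, {}).items()
            if attrs.get("type") == ["geography"]}


def find_geoip_in_ztna_policies(cfg):
    """Return (section, policy id, GeoIP source names) for every ZTNA policy
    whose source address list contains a Geography object. ZTNA proxy policies
    are recognised by 'set proxy access-proxy'; for ZTNA firewall policies,
    'set ztna-status enable' (or a ztna-ems-tag) is the assumed marker."""
    geo = geography_objects(cfg)
    findings = []
    for section in ("firewall proxy-policy", "firewall policy"):
        for pid, attrs in cfg.get(section, {}).items():
            if section == "firewall proxy-policy":
                ztna = attrs.get("proxy") == ["access-proxy"]
            else:
                ztna = attrs.get("ztna-status") == ["enable"] or "ztna-ems-tag" in attrs
            if not ztna:
                continue
            hits = sorted(set(attrs.get("srcaddr", []) + attrs.get("srcaddr6", [])) & geo)
            if hits:
                findings.append((section, pid, hits))
    return findings


# Constructed sample: the article's objects plus a regular policy for contrast.
SAMPLE_CONFIG = """
config firewall address
    edit "Canada"
        set type geography
        set country "CA"
    next
end
config firewall proxy-policy
    edit 8
        set name "Colombas Servers"
        set proxy access-proxy
        set srcaddr "Canada"
        set ztna-ems-tag "EMS1_ZTNA_ZTNA-Challenge-HTTPS" "EMS1_ZTNA_Win11-Protected"
        set action accept
    next
end
config firewall policy
    edit 1
        set ztna-status enable
        set srcaddr "Canada"
        set action accept
    next
    edit 2
        set srcaddr "Canada"
        set action accept
    next
end
"""

if __name__ == "__main__":
    for section, pid, hits in find_geoip_in_ztna_policies(parse_fortios_config(SAMPLE_CONFIG)):
        print(f"{section} edit {pid}: GeoIP source {hits} will not be installed in the backend")
```

To run it against a real unit, replace SAMPLE_CONFIG with the contents of a configuration backup; the ordinary firewall policy 2 in the sample is deliberately not reported because the limitation only concerns ZTNA policies.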