FortiGate
ppatel
Staff & Editor
Article Id 203999
Description

This article describes how to update the FortiGate Geo-IP database and how to use it to block or permit traffic from specific geographic locations.

Blocking or permitting traffic by geographic location is only as accurate as the Geo-IP database the FortiGate consults, so the first step is to make sure that database is up to date.

Scope

FortiGate v6.2, v6.4 and v7.0.

Solution
  1. Check which version of the Geo-IP database is installed on the FortiGate:

diag autoupdate versions | grep -A6 Geo

IP Geography DB
---------
Version: 3.00111
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Jan 14 22:12:21 2022
Last Update Attempt: Mon Jan 17 10:42:34 2022
Result: No Updates

Note:

As of Jan 17, 2022, the latest Geo-IP DB is 3.00111. A Contract Expiry Date of n/a is expected here: the Geo-IP database is not tied to a separate FortiGuard service subscription.

 

  2. If the installed Geo-IP DB is older than the current release, update it manually from FortiGuard with:

execute update-geo-ip

The update is downloaded from the FortiGuard update servers, so the FortiGate needs working FortiGuard connectivity. Afterwards, re-run 'diag autoupdate versions | grep -A6 Geo' and confirm that the Version and 'Last Updated' fields have changed. To see how the database classifies a specific address, run 'diagnose firewall ipgeo ip2country <ip-address>'.

 

  3. Once the Geo-IP DB is updated, create a firewall address based on geographic location and use it in a firewall policy. Go to Policy & Objects > Addresses > Create New, fill in the fields as needed, set Type to Geography, and select the country from the drop-down list.

 

[Screenshot: creating a firewall address with Type set to Geography]

 

Use the geography-based firewall address in the policy.

In this example, traffic is denied from a specific country (CZ) to the FortiGate dmz from the Internet (wan1), and from dmz to the Internet (wan1).

Go to Policy & Objects > Firewall Policy > Create New, fill in the fields as needed, and set the Source (for inbound traffic) or Destination (for outbound traffic) to the geography address. Policies are matched top-down, so place the deny policy above any policy that would otherwise allow the traffic. See the examples below.

 

  • Block from Internet (wan1) to DMZ:

 

[Screenshot: deny policy from wan1 to dmz with Source set to the CZ geography address]

 

  • Block from DMZ to Internet (wan1):

 

[Screenshot: deny policy from dmz to wan1 with Destination set to the CZ geography address]

 

Firewall policies only govern traffic passing through the FortiGate. If this is not enough, also block traffic from the specific geographic location(s) to the FortiGate itself (management access, VPN and other services the unit terminates) using a firewall local-in policy.

 

Note:

The Local In Policy page is hidden by default. Enable it under System -> Feature Visibility -> Local In Policy -> Apply (CLI equivalent: 'config system settings', 'set gui-local-in-policy enable', 'end').

 

In the example below, traffic from the geography address 'CZ' arriving on the wan1 interface is denied to all:

 

[Screenshot: local-in policy on wan1 with Source set to the CZ geography address and Action set to Deny]