Description | This article describes the behavior and limitations of using Geography IP Address objects as the source of ZTNA rules/proxy policies. The same limitation applies to FQDN and Wildcard FQDN address objects. |
Scope | FortiGate v7.0, v7.2, v7.4. |
Solution |
Key Note: Geography address objects are not supported by ZTNA policies (both Simple and Full), even though the GUI and CLI still accept them in the Source Address field in v7.4 and earlier. When a Geography address object is configured as the source of a ZTNA proxy policy, the FortiGate no longer matches that proxy policy at all; the traffic falls through to the implicit deny instead of being evaluated against the policy. The same is true for FQDN and Wildcard FQDN address objects.
In future releases, these object types will be hidden when working on ZTNA policies. The CLI output below demonstrates the behavior:
When using the 'all' object as the source, an 'accept' action takes place (policy index = 1):
config firewall address
    edit "Portugal"
        set type geography
        set country "PT"
    next
end
config firewall proxy-policy
    edit 1
        set name "GeoTest"
        set proxy access-proxy
        set access-proxy "TCP-Forwarding"
        set srcintf "wan1"
        set srcaddr "all"
        set dstaddr "LAB"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "SAML_LAB"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
    next
end
diagnose firewall iprope list 100017
With the 'Portugal' object as the source, a 'drop' is observed instead (policy index = 0, the implicit deny):
show firewall proxy-policy 1
config firewall proxy-policy
    edit 1
        set name "GeoTest"
        set proxy access-proxy
        set access-proxy "TCP-Forwarding"
        set srcintf "wan1"
        set srcaddr "Portugal"
        set dstaddr "LAB"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "SAML_LAB"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
    next
end
diagnose firewall iprope list 100017
Comparing the two iprope table listings, the entry corresponding to the ZTNA policy is absent once a Geography IP Address object has been set as the source, which is why matching traffic is dropped by the implicit deny (policy index 0) rather than accepted by policy 1. Running 'diagnose firewall iprope list 100017' after any change to a ZTNA proxy policy is therefore a quick check that the policy is still installed.
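The following script is an added example and is not part of the Fortinet article or of FortiOS. It parses the 'config firewall address' and 'config firewall proxy-policy' blocks of a FortiOS CLI dump and reports every access-proxy (ZTNA) policy whose srcaddr or srcaddr6 refers to a geography, fqdn or wildcard-fqdn object, so the condition described above can be caught in a configuration review before the policy is pushed. The sample configuration embedded in the script is constructed for the example (modelled on the 'Portugal' and 'LAB' objects above, plus a hypothetical 'corp-fqdn' object); the assumption that an address object without a 'set type' line is an ipmask object is marked in the code.

```python
"""Flag ZTNA (access-proxy) proxy-policies whose source address type is not honoured.

Added example, not Fortinet code: parses a flat FortiOS CLI dump and reports
access-proxy policies whose srcaddr/srcaddr6 is a geography, fqdn or
wildcard-fqdn object. Per the article, such a policy drops out of the iprope
table and matching traffic hits the implicit deny.
"""
import shlex

# Address types the article says are not supported as a ZTNA policy source.
UNSUPPORTED_TYPES = {"geography", "fqdn", "wildcard-fqdn"}

# Assumption: an address object with no 'set type' line is an ipmask object
# (the FortiOS default), so 'all' and plain subnet objects count as supported.
DEFAULT_ADDRESS_TYPE = "ipmask"


def parse_config(text):
    """Parse top-level 'config <table>' blocks into {table: {entry: {key: [values]}}}.

    Handles the config/edit/set/next/end grammar of a flat CLI dump; sub-tables
    nested inside an entry are skipped and non-config lines (e.g. 'show ...') ignored.
    """
    tables = {}
    depth = 0        # current 'config' nesting depth
    table = None     # dict being filled for the depth-1 table
    entry = None     # dict for the current 'edit' entry
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        cmd = tokens[0]
        if cmd == "config":
            depth += 1
            if depth == 1:
                table = tables.setdefault(" ".join(tokens[1:]), {})
        elif cmd == "end":
            depth -= 1
            if depth == 0:
                table, entry = None, None
        elif depth == 1 and table is not None:
            if cmd == "edit":
                entry = table.setdefault(tokens[1], {})
            elif cmd == "set" and entry is not None:
                entry[tokens[1]] = tokens[2:]   # multi-value fields keep every token
            elif cmd == "next":
                entry = None
    return tables


def audit_ztna_policies(tables):
    """Return [(policy_id, address_name, address_type)] for unsupported ZTNA sources."""
    lookups = (("srcaddr", "firewall address"), ("srcaddr6", "firewall address6"))
    findings = []
    for policy_id, policy in tables.get("firewall proxy-policy", {}).items():
        if policy.get("proxy") != ["access-proxy"]:
            continue  # only ZTNA (access-proxy) proxy policies are affected
        for field, addr_table in lookups:
            addresses = tables.get(addr_table, {})
            for name in policy.get(field, []):
                addr_type = addresses.get(name, {}).get("type", [DEFAULT_ADDRESS_TYPE])[0]
                if addr_type in UNSUPPORTED_TYPES:
                    findings.append((policy_id, name, addr_type))
    return findings


# Constructed sample dump modelled on the article's objects (not real device output).
SAMPLE_CONFIG = """
config firewall address
    edit "Portugal"
        set type geography
        set country "PT"
    next
    edit "LAB"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "corp-fqdn"
        set type fqdn
        set fqdn "vpn.example.com"
    next
end
config firewall proxy-policy
    edit 1
        set name "GeoTest"
        set proxy access-proxy
        set access-proxy "TCP-Forwarding"
        set srcaddr "Portugal"
        set dstaddr "LAB"
        set action accept
    next
    edit 2
        set name "FqdnTest"
        set proxy access-proxy
        set access-proxy "TCP-Forwarding"
        set srcaddr "corp-fqdn" "all"
        set dstaddr "LAB"
        set action accept
    next
end
"""

if __name__ == "__main__":
    for pid, name, kind in audit_ztna_policies(parse_config(SAMPLE_CONFIG)):
        print(f"proxy-policy {pid}: source '{name}' is type {kind}; "
              "policy will not be installed (implicit deny)")
```

Feed it the output of 'show full-configuration firewall address' and 'show firewall proxy-policy' concatenated. Address groups are not expanded, and a policy whose source is only 'all' or an ipmask object (policy index 1 in the article's first listing) produces no finding.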
Note: The 'set ztna-geo-tag' option has been removed and is not supported in newer versions for either IPv4 or IPv6 Geography address objects. However, Geography objects are still offered in the source address drop-down list of the access-proxy (ZTNA) proxy policy on versions before v7.6.3; the option is not available after v7.6.3. |
Copyright 2025 Fortinet, Inc. All Rights Reserved.