Created on 01-31-2022 09:42 AM Edited on 01-31-2022 09:44 AM By Anonymous
Description
This article describes how to update the FortiGate Geo-IP database and how to use it to block or permit traffic from specific geographic locations. When traffic must be blocked or permitted based on its geographic location, the FortiGate Geo-IP database needs to be as accurate as possible, and one way to ensure this is to keep the unit's Geo-IP database up to date.
Scope
FortiGate v6.2, FortiGate v6.4, FortiGate v7.0
Solution
1. Check the current Geo-IP database version:
# diag autoupdate versions | grep -A6 Geo
IP Geography DB
---------
Version: 3.00111
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Jan 14 22:12:21 2022
Last Update Attempt: Mon Jan 17 10:42:34 2022
Result: No Updates
Note: As of Jan 17, 2022, the latest Geo-IP DB is 3.00111.
2. Update the Geo-IP database:
# execute update-geo-ip
3. Go to Policy & Objects > Addresses > Create New, then fill in the required fields. Remember to set the address Type to Geography and select the country you want from the drop-down list.
4. You can now use the geo-based firewall address in a policy. In this example, traffic is denied from a specific country (CZ) to the FortiGate dmz from the Internet (wan1), and from dmz to the Internet (wan1).
Go to Policy & Objects > Firewall Policy > Create New, then fill in the required fields. Remember to set the source/destination to the geographic address. See example below.
a> Block from Internet (wan1) to dmz
b> Block from dmz to Internet (wan1)
5. If this is not enough, you can also block traffic from specific geographic locations to the FortiGate itself using a firewall local-in policy.
Note: This feature needs to be enabled under System > Feature Visibility > Local In Policy > Apply.
See the example below: traffic from the Geo-IP address "CZ" is denied from the wan1 interface to all.
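The geography address, the two deny policies and the local-in policy described above can also be entered from the CLI. The following is an added example, not part of the original article; the object name "Geo-CZ" and the policy names are constructed, and "edit 0" lets FortiOS assign the next free ID.

```fortios
# Added example. "Geo-CZ" and the policy names are constructed.
# Geography address for the country used in the article (CZ).
config firewall address
    edit "Geo-CZ"
        set type geography
        set country "CZ"
    next
end
# Step 4, a> and b>: deny in both directions between wan1 and dmz.
config firewall policy
    edit 0
        set name "Block-CZ-to-dmz"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "Geo-CZ"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action deny
        set logtraffic all
    next
    edit 0
        set name "Block-dmz-to-CZ"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Geo-CZ"
        set schedule "always"
        set service "ALL"
        set action deny
        set logtraffic all
    next
end
# Step 5: deny traffic from CZ addressed to the FortiGate itself on wan1.
config firewall local-in-policy
    edit 0
        set intf "wan1"
        set srcaddr "Geo-CZ"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end
```

Firewall policies are evaluated from the top of the list down, and entries created with "edit 0" are appended at the bottom, so move the two deny policies above any accept policy that would otherwise match the same traffic first.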