ppatel
Staff
Article Id 203999
Description

This article describes how to update the FortiGate Geo-IP database and how to use it to block or permit traffic from specific geographic location(s).

There are times when you want to block or permit traffic based on its geographic location. For this, the FortiGate Geo-IP database needs to be as accurate as possible, and one way to ensure this is to keep the Geo-IP database on your unit up to date.

Scope

FortiGate v6.2

FortiGate v6.4

FortiGate v7.0

Solution
  1. Use this command to check which version of the Geo-IP DB is installed on your FortiGate:

# diag autoupdate versions | grep -A6 Geo
IP Geography DB
---------
Version: 3.00111
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Jan 14 22:12:21 2022
Last Update Attempt: Mon Jan 17 10:42:34 2022
Result: No Updates

Note: As of Jan 17, 2022, the latest Geo-IP DB version is 3.00111.

  2. If your Geo-IP DB is old, you can update it manually with:

# execute update-geo-ip

  3. Now that you have an up-to-date Geo-IP DB, you can create a Firewall Address based on geographic location and use it in a Firewall policy.

Go to Policy & Objects > Addresses > Create New, then fill in the fields as needed. Remember to set the address Type to Geography and select the country you want from the drop-down list.

  4. You can now use your Geo-based Firewall Address in a policy.

In this example, traffic from a specific country (CZ) arriving from the Internet (wan1) to the FortiGate dmz is denied, as is traffic from the dmz to that country over the Internet (wan1).

Go to Policy & Objects > Firewall Policy > Create New, then fill in the fields as needed. Remember to set the source/destination to the Geographic Address.

The example uses two policies:

a> Block from Internet (wan1) to dmz

b> Block from dmz to Internet (wan1)

  5. If this is not enough, you can also block traffic from specific geographic location(s) to the FortiGate itself using a Firewall Local-In Policy.

Note: This feature needs to be enabled under “System” > “Feature Visibility” > Local In Policy > Apply.

In the example, traffic from the Geo-IP address “CZ” arriving on the wan1 interface is denied to all.
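
Steps 3 to 5 expressed as FortiOS CLI configuration, as an added example that is not part of the original article. The object name Geo-CZ and the policy names are assumptions; the country (CZ) and the interfaces (wan1, dmz) follow the article's example.

```fortios
config firewall address
    edit "Geo-CZ"
        set comment "Added example; the name Geo-CZ is an assumption"
        set type geography
        set country "CZ"
    next
end
config firewall policy
    edit 0
        set name "Deny-CZ-wan1-to-dmz"
        set comments "Added example: block CZ from Internet (wan1) to dmz"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "Geo-CZ"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action deny
        set logtraffic all
    next
    edit 0
        set name "Deny-dmz-to-CZ-wan1"
        set comments "Added example: block dmz to CZ on Internet (wan1)"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Geo-CZ"
        set schedule "always"
        set service "ALL"
        set action deny
        set logtraffic all
    next
end
config firewall local-in-policy
    edit 0
        set intf "wan1"
        set srcaddr "Geo-CZ"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end
```

FortiGate evaluates firewall policies from the top down, so the deny policies only take effect when they sit above any policy that would otherwise accept the same traffic. On the FortiOS versions in scope, a deny policy with destination "all" does not match traffic addressed to a virtual IP unless match-vip is enabled on that policy.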
