FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

This article describes how to update FortiGate’s Geo-IP Database and how to utilize it in blocking/permitting traffic from specific Geographic location(s).

There are times when you want to block or permit traffic based on its geographic location. For this to work reliably, the FortiGate Geo-IP database must be as accurate as possible, and one way to ensure that is to keep the unit's Geo-IP database up to date.


FortiGate v6.2

FortiGate v6.4

FortiGate v7.0

  1. Use this command to check which version of the Geo-IP DB is installed on the FortiGate:


# diag autoupdate versions | grep -A6 Geo

IP Geography DB

Version: 3.00111
Contract Expiry Date: n/a
Last Updated using scheduled update on Fri Jan 14 22:12:21 2022
Last Update Attempt: Mon Jan 17 10:42:34 2022
Result: No Updates


Note: As of Jan 17, 2022, the latest Geo-IP DB version is 3.00111.


  2. If the Geo-IP DB is out of date, update it manually with:

# execute update-geo-ip


  3. With an up-to-date Geo-IP DB, you can create a firewall address based on geographic location and use it in a firewall policy.

Go to Policy & Objects > Addresses > Create New, then fill in the fields as needed. Remember to set the Address type to Geography and select the country you want from the drop-down list.


  4. You can now use the Geo-based firewall address in a policy.

In this example, traffic from a specific country (CZ) is denied in both directions: from the Internet (wan1) to the FortiGate dmz, and from dmz to the Internet (wan1).


Go to Policy & Objects > Firewall Policy > Create New, then fill in the fields as needed. Remember to set the source or destination to the Geographic address.

See the examples below.

a) Block from Internet (wan1) to dmz (screenshot)

b) Block from dmz to Internet (wan1) (screenshot)


  5. If this is not enough, you can also block traffic from specific geographic locations to the FortiGate itself using a firewall local-in policy.


Note: this feature needs to be enabled under System > Feature Visibility > Local In Policy > Apply.


In the example below, traffic from the Geo-IP address “CZ” arriving on the wan1 interface is denied to all destinations.
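The objects and policies from steps 3 to 5, expressed as FortiOS CLI, as an added example that is not part of the original article. The address name Geo_CZ, the policy names and the policy IDs used in the move command are assumptions; the interface names wan1 and dmz and the country CZ come from the article.

```fortios
# Step 3: geography-type firewall address (the name "Geo_CZ" is assumed)
config firewall address
    edit "Geo_CZ"
        set type geography
        set country "CZ"
    next
end
# Step 4: deny CZ in both directions; "edit 0" lets FortiOS assign the next free policy ID
config firewall policy
    edit 0
        set name "Deny_CZ_wan1_to_dmz"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "Geo_CZ"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "Deny_dmz_to_CZ"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Geo_CZ"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
# Policies match top-down, first match wins: the deny rules must sit above any broader
# permit rule. The IDs below are placeholders; use the ones assigned on your unit.
config firewall policy
    move 12 before 1
end
# Step 5: local-in policy protecting the FortiGate itself (needs Local In Policy feature visibility)
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Geo_CZ"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
```

After applying, `diag autoupdate versions | grep -A6 Geo` (from step 1) confirms the database the geography address is resolved against, and the `logtraffic all` setting makes the denied sessions visible in the forward traffic log.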