FortiGate
tana (Staff)
Article Id 332497
Description This article describes how to troubleshoot the issue where a local-in policy is not blocking source addresses from all countries except the allowed country's geo IP address.
Scope FortiGate.
Solution

Check the full configuration of the local-in policies that are configured:

[Screenshot: full configuration of the local-in policies]

In this example, the goal is to deny all geo IP addresses except IP addresses from Cambodia. The local-in policies have the parameter 'srcaddr-negate enable'. This negates the source address set on each local-in policy, so the policy matches every source except the one specified and produces the opposite of the intended result.

Proceed to correct the configuration in the CLI console:

config firewall local-in-policy
    edit 1
        set srcaddr-negate disable
    next
    edit 2
        set srcaddr-negate disable
    next
end
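The following is an added example, not code from the article or from Fortinet, that shows why 'srcaddr-negate enable' inverts the outcome. It parses a constructed local-in policy configuration (assumed: policy 1 accepts a geo object named geo-KH for Cambodia, policy 2 denies all; object names, interface and services are assumptions), flags any policy with negate enabled, and evaluates a source from a given country against the policies with first-match semantics. It assumes that traffic matching no local-in policy is not blocked, which is the behaviour the article describes.

```python
import re
from dataclasses import dataclass

# Constructed sample configuration (assumption, not the article's screenshot):
# the intent is "allow only Cambodia, deny everyone else", but both policies
# carry 'set srcaddr-negate enable'.
MISCONFIGURED = """\
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "geo-KH"
        set srcaddr-negate enable
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set srcaddr-negate enable
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
    next
end
"""

# Hypothetical address-object table: geo object name -> set of ISO country codes.
GEO_OBJECTS = {"geo-KH": {"KH"}}


@dataclass
class LocalInPolicy:
    policy_id: int
    srcaddr: list
    srcaddr_negate: bool
    action: str  # "accept" or "deny"


def parse_local_in_policies(config_text):
    """Read the 'config firewall local-in-policy' block of a FortiOS-style
    config text. Only srcaddr, srcaddr-negate and action are kept."""
    policies = []
    current = None
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall local-in-policy":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.match(r"edit (\d+)$", line)
        if m:
            current = {"policy_id": int(m.group(1)), "srcaddr": [],
                       "srcaddr_negate": False, "action": "deny"}
            continue
        if line == "next" and current is not None:
            policies.append(LocalInPolicy(**current))
            current = None
            continue
        m = re.match(r"set (\S+) (.+)$", line)
        if m and current is not None:
            key, value = m.group(1), m.group(2)
            if key == "srcaddr":
                current["srcaddr"] = re.findall(r'"([^"]+)"', value) or value.split()
            elif key == "srcaddr-negate":
                current["srcaddr_negate"] = (value == "enable")
            elif key == "action":
                current["action"] = value
    return policies


def find_negated_policies(policies):
    """IDs of policies whose source match is inverted: the thing to check first."""
    return [p.policy_id for p in policies if p.srcaddr_negate]


def source_matches(policy, country):
    """True when a source in `country` matches the policy's srcaddr set;
    with srcaddr-negate enabled the match is inverted."""
    in_set = any(obj == "all" or country in GEO_OBJECTS.get(obj, set())
                 for obj in policy.srcaddr)
    return (not in_set) if policy.srcaddr_negate else in_set


def evaluate(policies, country):
    """First matching policy decides; no match means the traffic is not blocked
    (assumed default for local-in traffic, as the article describes)."""
    for p in policies:
        if source_matches(p, country):
            return p.action
    return "accept"


def fix_negate(config_text):
    """Apply the article's correction: disable srcaddr-negate on every policy."""
    return config_text.replace("set srcaddr-negate enable", "set srcaddr-negate disable")


if __name__ == "__main__":
    broken = parse_local_in_policies(MISCONFIGURED)
    print("negated policies:", find_negated_policies(broken))
    for cc in ("KH", "US"):
        print(cc, "before fix:", evaluate(broken, cc),
              "after fix:", evaluate(parse_local_in_policies(fix_negate(MISCONFIGURED)), cc))
```

With negate enabled, policy 1 matches everything except Cambodia and accepts it, and policy 2 (negated "all") never matches, so nothing is denied; after the correction only Cambodian sources reach the accept rule and every other country falls through to the deny.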
