This article describes a misconfiguration of the FortiSASE GEO restrictions that leads to users being unable to connect to the VPN.
FortiSASE.
To restrict access from specific geo-locations, go to Configuration -> Restrictions in the FortiSASE GUI and turn the feature on.
If the wrong countries are added after the Restrictions feature is enabled, users connecting from any country not on the list are blocked from the VPN. This highlights the need for accuracy when configuring geo-based access controls.
Regardless of which geolocations are added, once the feature is enabled only those geolocations are allowed and all others are blocked.
For example, if the intent is to allow users to connect only from India but the Restrictions feature is enabled without adding India, the SASE backend creates a local-in policy with the srcaddr-negate option enabled, and users in India are denied.
The 'Negate' option inverts the match: the policy applies to every source that is NOT in the listed address object. Combined with action deny, the policy below drops all traffic whose source geolocation is not in the BLOCKED_COUNTRIES group, so only the countries defined in that group can reach the VPN.
config firewall local-in-policy
    edit 8883
        set uuid d215f83e-5536-51ef-890a-834f93436c41
        set intf "any"
        set srcaddr "BLOCKED_COUNTRIES"
        set srcaddr-negate enable
        set dstaddr "all"
        set dstaddr-negate disable
        set action deny
        set service "BLOCKED_COUNTRIES_SERVICES"
        set service-negate disable
        set schedule "always"
        set status enable
        set comments ''
    next
end
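To make the srcaddr-negate behaviour concrete, the following Python model is an added example, not FortiSASE or FortiOS code. It reproduces the decision the backend makes for policy 8883: the GeoIP prefixes, the client address 152.58.31.215 used as an Indian client, and the assumption that traffic with no matching local-in policy is accepted on port 443 are all constructed for illustration.

```python
"""Model of FortiOS local-in policy matching with srcaddr-negate.

Added example, not FortiSASE/FortiOS code. The GeoIP prefixes, policy
objects and client addresses are constructed for illustration; the real
backend resolves countries from Fortinet's geography database.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed prefix -> ISO country map (not real GeoIP data).
GEOIP_TABLE = {
    ip_network("152.58.0.0/16"): "IN",
    ip_network("203.0.113.0/24"): "US",
}


def country_of(ip: str) -> Optional[str]:
    """Resolve a source IP to a country code, None if unknown."""
    addr = ip_address(ip)
    for net, cc in GEOIP_TABLE.items():
        if addr in net:
            return cc
    return None


@dataclass(frozen=True)
class LocalInPolicy:
    policy_id: int
    srcaddr: frozenset           # countries in the geography address group
    srcaddr_negate: bool = False
    action: str = "deny"

    def matches(self, src_ip: str) -> bool:
        in_group = country_of(src_ip) in self.srcaddr
        # srcaddr-negate inverts the source match: the policy applies to
        # every source NOT in the group, including unknown countries.
        return (not in_group) if self.srcaddr_negate else in_group


def local_in_verdict(policies, src_ip):
    """Return ('deny', policy_id) for the first matching deny policy.

    Assumption (constructed): with no matching local-in policy the VPN
    service on 443 answers, as the backend capture shows it is reachable.
    """
    for p in policies:
        if p.matches(src_ip):
            return p.action, p.policy_id
    return "accept", None


def restriction_policy(allowed_countries):
    """The policy the backend generates when Restrictions is enabled:
    deny every source whose country is not in the group."""
    return LocalInPolicy(8883, frozenset(allowed_countries), srcaddr_negate=True)


INDIA_CLIENT = "152.58.31.215"   # client address from the capture on this page

if __name__ == "__main__":
    cases = [("no country added", []), ("wrong country (US)", ["US"]), ("India added", ["IN"])]
    for label, countries in cases:
        print(label, "->", local_in_verdict([restriction_policy(countries)], INDIA_CLIENT))
```

Running it shows the three states described above: an empty list or a list holding the wrong country yields a deny by policy 8883 for the Indian client, and only a list that contains IN lets the connection through while any other country is still denied.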
On the backend, the packet capture shows that the client's SYN reaches SASE, but no SYN-ACK is sent back:
2024-08-28 09:01:54.451845 port1 in 152.58.31.215.13531 -> 10.8.89.234.443: syn 2369586447
2024-08-28 09:01:58.131009 port1 in 152.58.31.215.55404 -> 10.8.89.234.443: syn 3332377024
2024-08-28 09:01:58.959279 port1 in 152.58.31.215.13531 -> 10.8.89.234.443: syn 2369586447
2024-08-28 09:02:01.647421 port1 in 152.58.31.215.55186 -> 10.8.89.234.443: syn 937973363
The debug flow output confirms that the traffic is dropped on the backend by policy 8883:
rutg7vy3-89ksljsv-pnq-f1 $ 2024-08-28 09:03:54 id=65308 trace_id=1 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=6, 152.58.31.215:55531->10.8.89.234:443) tun_id=0.0.0.0 from port1. flag [S], seq 2959973693, ack 0, win 14600"
2024-08-28 09:03:54 id=65308 trace_id=1 func=init_ip_session_common line=6080 msg="allocate a new session-0003fbf7, tun_id=0.0.0.0"
2024-08-28 09:03:54 id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
2024-08-28 09:03:54 id=65308 trace_id=1 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 8883, drop"
2024-08-28 09:03:56 id=65308 trace_id=2 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=6, 152.58.31.215:40450->10.8.89.234:443) tun_id=0.0.0.0
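The two symptoms above (inbound SYNs with no SYN-ACK, and a "check failed on policy N, drop" line in the flow trace) are easy to pick out of a long capture with a small script. The following Python triage helper is an added example, not a Fortinet tool. Its SNIFFER_SAMPLE and FLOW_SAMPLE reuse the lines shown on this page; the two lines for 203.0.113.7, including the outbound SYN-ACK, are constructed to show what a completed handshake looks like for contrast.

```python
"""Triage helper for FortiSASE backend sniffer and debug-flow output.

Added example, not Fortinet tooling. Reads 'diagnose sniffer packet' style
lines and 'diagnose debug flow' trace lines, reports client SYNs that never
got a SYN-ACK, and extracts the policy ID named in each drop message.
"""
import re
from collections import defaultdict

# Lines from the article, plus a constructed healthy handshake (203.0.113.7).
SNIFFER_SAMPLE = """\
2024-08-28 09:01:54.451845 port1 in 152.58.31.215.13531 -> 10.8.89.234.443: syn 2369586447
2024-08-28 09:01:58.131009 port1 in 152.58.31.215.55404 -> 10.8.89.234.443: syn 3332377024
2024-08-28 09:01:58.959279 port1 in 152.58.31.215.13531 -> 10.8.89.234.443: syn 2369586447
2024-08-28 09:02:01.647421 port1 in 152.58.31.215.55186 -> 10.8.89.234.443: syn 937973363
2024-08-28 09:02:05.000000 port1 in 203.0.113.7.40001 -> 10.8.89.234.443: syn 100
2024-08-28 09:02:05.000100 port1 out 10.8.89.234.443 -> 203.0.113.7.40001: syn 200 ack 101
"""

# Debug flow trace lines from the article.
FLOW_SAMPLE = """\
2024-08-28 09:03:54 id=65308 trace_id=1 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=6, 152.58.31.215:55531->10.8.89.234:443) tun_id=0.0.0.0 from port1. flag [S], seq 2959973693, ack 0, win 14600"
2024-08-28 09:03:54 id=65308 trace_id=1 func=init_ip_session_common line=6080 msg="allocate a new session-0003fbf7, tun_id=0.0.0.0"
2024-08-28 09:03:54 id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
2024-08-28 09:03:54 id=65308 trace_id=1 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 8883, drop"
"""

SNIFF_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<tcp>.*)$"
)
PKT_RE = re.compile(
    r"trace_id=(?P<tid>\d+) .*received a packet\(proto=(?P<proto>\d+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)"
)
DROP_RE = re.compile(r"trace_id=(?P<tid>\d+) .*check failed on policy (?P<pid>\d+), drop")


def unanswered_syns(text):
    """Return {(client_ip, client_port): syn_count} for SYNs with no SYN-ACK back."""
    syns = defaultdict(int)
    answered = set()
    for line in text.splitlines():
        m = SNIFF_RE.match(line)
        if not m:
            continue
        tcp = m["tcp"]
        if m["dir"] == "in" and tcp.startswith("syn") and " ack " not in tcp:
            syns[(m["src"], int(m["sport"]))] += 1          # client -> SASE SYN
        elif m["dir"] == "out" and tcp.startswith("syn") and " ack " in tcp:
            answered.add((m["dst"], int(m["dport"])))        # SASE -> client SYN-ACK
    return {k: v for k, v in syns.items() if k not in answered}


def policy_drops(text):
    """Return [(src_ip, dst_ip, dst_port, policy_id)] for every dropped trace."""
    pkts, drops = {}, []
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            pkts[m["tid"]] = (m["src"], m["dst"], int(m["dport"]))  # remember the packet per trace
            continue
        m = DROP_RE.search(line)
        if m:
            src, dst, dport = pkts.get(m["tid"], ("?", "?", 0))
            drops.append((src, dst, dport, int(m["pid"])))
    return drops


if __name__ == "__main__":
    for (ip, port), n in unanswered_syns(SNIFFER_SAMPLE).items():
        print(f"{ip}:{port} sent {n} SYN(s) with no SYN-ACK")
    for src, dst, dport, pid in policy_drops(FLOW_SAMPLE):
        print(f"{src} -> {dst}:{dport} dropped by local-in policy {pid}")
```

On the sample data the script flags the three Indian client ports (one of them retransmitting) as unanswered, leaves the constructed 203.0.113.7 handshake alone, and attributes the drop to policy 8883, which is the ID to look up in the local-in policy table when the Geo restriction list is suspected.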
As of v24.3.42 and above, there is a slight change in the GUI.
The feature is now called Geo Fencing instead of 'Restrictions', and it offers explicit Allow and Deny options. Selecting 'Allow' ensures that only the countries added to the list are granted access, which makes the intent of the configuration easier to understand.
This also makes it possible to block multiple specific countries with 'Deny'. In the later v24.4.60, the GUI offers three configuration options: Allow all, Allow specified, and Deny specified.
Copyright 2026 Fortinet, Inc. All Rights Reserved.