Article Id 195671


FortiWeb can protect web servers against access from clients in certain countries based on GEO IP profiles. The function can be configured from the Web GUI under Web Protection > Access > GEO IP. However, the CLI does not support configuring a list in "waf geo-block-list".

This article explains why the CLI does not support "config waf geo-block-list".


Configuring an entry in a country-list is disabled by design because the CLI is unable to validate the legitimacy of the user input.

"waf geo-block-list" holds multiple country-lists in which the countries to be blocked based on GEO IP can be configured, but when an entry for a country is added to a list from the CLI, saving it fails as follows.
(geo-block-list) # edit GEOIP-Example
(GEOIP-Example) # config country-list
(country-list) # edit 0
Add new entry '1' for node 5204
(1) # set country-name Afghanistan
(1) # end
Command fail. cmdb dont't save    <---- Here
(GEOIP-Example) #
The GEO IP block policy must be configured from the Web GUI.