FortiWeb
jcastellanos (Staff)
Article Id 346977
Description: This article describes a scenario in which the GeoIP restriction does not take effect because the HTTP traffic does not match any HTTP content routing policy based on the hostname.
Scope: FortiWeb v7.4.x.
Solution

The FortiWeb configuration contains a server policy in HTTP content routing deployment mode with three content routing policies, each selected by hostname:


config server-policy policy
    edit "testpolicy"
        set web-protection-profile WPP_default profile
        set deployment-mode http-content-routing
        set ssl enable
        set vserver VIP_test
        set service HTTP
        config http-content-routing-list
            edit 1
                set content-routing-policy-name site1.securedomain.com.mx
                set web-protection-profile WPP_site1
            next
            edit 2
                set content-routing-policy-name site2.securedomain.com.mx
                set profile-inherit enable
            next
            edit 3
                set content-routing-policy-name site3.securedomain.com.mx
                set web-protection-profile WPP_site3
            next
        end
    next
end


The web protection profile references the following GeoIP block list (the country list is abbreviated):


config waf geo-block-list
    edit "GEO_IP_TEST"
        config country-list
            ...
            edit 120
                set country-name Mongolia
            next
        end
    next
end


The traffic log shows that the hostname in the HTTP request does not match any content routing policy. Because no content routing policy is selected, no web protection profile is applied to the request and the GeoIP restriction is not enforced.

[Screenshot: traffic log]


To ensure that every request matches a content routing policy, mark one of the policies as the default:


config server-policy policy
    edit "testpolicy"
        config http-content-routing-list
            edit 2
                set content-routing-policy-name site2.securedomain.com.mx
                set profile-inherit enable
                set is-default yes    <--- mark this entry as the default
            next
        end
    next
end


If a request does not explicitly match any of the other content routing policies, the default policy is selected. The web protection profile that references the GeoIP object is then applied, and the request is denied if the client's country is in the blocked list.
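As an added example that is not part of the article or of Fortinet's software, the following Python script models the hostname-based content routing decision described above and runs it over constructed traffic-log lines, so an operator can see which requests fall outside every content routing policy (and therefore outside the GeoIP check) until one policy is marked as default. The log field names `src`, `srccountry` and `http_host`, the sample addresses and the `ROUTES`/`route` names are assumptions for the example, not taken from the article.

```python
# Added example (not from the article or Fortinet): models FortiWeb HTTP
# content routing by Host header and runs it over constructed log lines to
# show which requests match no routing policy, and so never reach the web
# protection profile carrying the GeoIP block list, until one is is-default.
import re
from typing import Optional

# Content routing policies from the article: hostname -> profile.
# "inherit" stands for profile-inherit enable (use the server policy profile).
ROUTES = {
    "site1.securedomain.com.mx": "WPP_site1",
    "site2.securedomain.com.mx": "inherit",
    "site3.securedomain.com.mx": "WPP_site3",
}
SERVER_POLICY_PROFILE = "WPP_default profile"

# Constructed sample log lines in key=value style, not real FortiWeb output.
SAMPLE_LOG = """\
src=203.0.113.10 srccountry="Mongolia" http_host="site2.securedomain.com.mx" http_url="/login"
src=203.0.113.11 srccountry="Mongolia" http_host="198.51.100.5" http_url="/"
src=203.0.113.12 srccountry="Mexico" http_host="unknown.example" http_url="/admin"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
def parse_line(line: str) -> dict:
    """Parse one key=value log line; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def route(host: str, default: Optional[str] = None) -> Optional[str]:
    """Profile applied to a request for host; None means no routing policy
    matched, so no profile (and no GeoIP check) is applied."""
    name = ROUTES.get(host.lower())
    if name is None:
        if default is None:
            return None
        name = ROUTES[default]          # the entry with is-default yes
    return SERVER_POLICY_PROFILE if name == "inherit" else name

def unrouted_requests(log: str, default: Optional[str] = None) -> list:
    """(src, srccountry, http_host) of requests that would hit no policy."""
    out = []
    for rec in map(parse_line, log.splitlines()):
        if route(rec.get("http_host", ""), default) is None:
            out.append((rec["src"], rec["srccountry"], rec["http_host"]))
    return out

if __name__ == "__main__":
    print("no default:", unrouted_requests(SAMPLE_LOG))
    print("site2 default:", unrouted_requests(SAMPLE_LOG, "site2.securedomain.com.mx"))
```

Requests arriving with an IP address or an unexpected name in the Host header are exactly the ones the article's traffic log shows bypassing the GeoIP block, and they disappear from the report once a default route exists.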