Ahmed_Galal
Staff
Article Id 385517

 

Description This article describes how to resolve a connection getting blocked by GEO-IP when the source is a private IP.
Scope FortiWeb.
Solution

GEO-IP is a security feature that allows access based on the client's location/country. However, in some cases a client that uses a private IP address is still blocked by GEO-IP.


 

This issue can be resolved by removing the category 'Unknown Country/Region' from the Selected Geolocation List. A private IP address has no country mapping, so it is matched by this category.

 


 

The same block list in the CLI, with 'Unknown Country/Region' as entry 3:

 

config waf geo-block-list
    edit "Test"
        set block-period 600
        set severity High
        config country-list
            edit 1
                set country-name China
            next
            edit 2
                set country-name "Russian Federation"
            next
            edit 3
                set country-name "Unknown Country/Region"
            next
        end
    next
end

 

To remove entry number 3:

 

config waf geo-block-list
    edit "Test"
        config country-list
            delete 3
        end
end
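
An added example, not part of the original article or of any Fortinet tooling: a Python script that scans a saved FortiWeb configuration for geo-block lists containing 'Unknown Country/Region' and builds the delete commands in the form shown above. The sample configuration is constructed from the article's example, and the function names are hypothetical.

```python
# Constructed sample, modelled on the block list shown in the article.
SAMPLE = '''config waf geo-block-list
    edit "Test"
        set severity High
        config country-list
            edit 1
                set country-name China
            next
            edit 3
                set country-name "Unknown Country/Region"
            next
        end
    next
end'''
KEY = "set country-name "

def find_unknown_entries(config_text):
    """Map each geo-block-list name to its entry IDs set to Unknown Country/Region."""
    hits, in_section, in_countries, name, entry = {}, False, False, None, None
    for line in map(str.strip, config_text.splitlines()):
        if not in_section:
            in_section = line == "config waf geo-block-list"
        elif line == "config country-list":
            in_countries = True
        elif line == "end":  # closes country-list if open, otherwise the section
            in_section, in_countries = in_countries, False
        elif line.startswith("edit "):
            value = line[5:].strip().strip('"')
            if in_countries:
                entry = value
            else:
                name = value
        elif in_countries and line.startswith(KEY):
            if line[len(KEY):].strip().strip('"').lower() == "unknown country/region":
                hits.setdefault(name, []).append(entry)
    return hits

def removal_commands(hits):
    """Build delete commands for the flagged entries, in the article's CLI form."""
    out = []
    for name, ids in hits.items():
        out += ["config waf geo-block-list", f'    edit "{name}"', "        config country-list"]
        out += [f"            delete {i}" for i in ids]
        out += ["        end", "end"]
    return "\n".join(out)

if __name__ == "__main__":
    print(removal_commands(find_unknown_entries(SAMPLE)))
```

Review the generated commands before pasting them into the CLI, since removing the category also stops blocking public addresses that have no geolocation entry.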

 

Related document:
GEO IP - Blocklisting & whitelisting countries & regions