Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Markus
Valued Contributor

Geoblocking Policy not working

Hi Fortigate Gurus ;)

 

I d'like to block some "bad" sources. For that, I've added some addresses and georegions to a group and created a policy and ordered as first from wan1 to lan.

 

For example I d'like to block China

 

name                : bad2lan srcintf             : "wan1" dstintf             : "internal" srcaddr             : "bads" dstaddr             : "all" rtp-nat             : disable learning-mode       : disable action              : deny status              : enable schedule            : always schedule-timeout    : disable service             : "ALL" logtraffic          : all logtraffic-start    : disable session-ttl         : 0 vlan-cos-fwd        : 255 vlan-cos-rev        : 255 wccp                : disable groups              : users               : devices             : natip               : 0.0.0.0 0.0.0.0 diffserv-forward    : disable diffserv-reverse    : disable tcp-mss-sender      : 0 tcp-mss-receiver    : 0 comments            : block-notification  : disable custom-log-fields   : tags                : replacemsg-override-group: srcaddr-negate      : disable dstaddr-negate      : disable service-negate      : disable captive-portal-exempt: disable ssl-mirror          : disable ssl-mirror-intf     : scan-botnet-connections: disable dsri                : disable delay-tcp-npu-sessoin: disable send-deny-packet    : disable match-vip           : disable edit "bads" set member "geo_china"  "geo_vietnam" "geo_korea" "geo_jordan" "geo_russia" "geo_indonesia" set comment "denied_sources"

 

 edit "geo_china"         set type geography         set country "CN"

In the log I can see failed connection attemps denied by pollicyid 0

Message meets Alert condition date=2017-02-13 time=06:28:43 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=222.186.58.35 srcport=43658 srcintf="wan1" dstip=xxx.xxx.xxx.xxx dstport=9200 dstintf="internal" poluuid=7ff66d8c-d7d4-51e6-9e08-69176710693d sessionid=37228 proto=6 action=deny policyid=0 policytype=policy dstcountry="Switzerland" srccountry="China" trandisp=dnat tranip=xxx.xxx.xxx.xxx tranport=9200 service="" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=high

I'm wondering why my deny policy won't work.

 

Any toughts?

 

Best regards,

Markus


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
1 Solution
tanr
Valued Contributor II

Do you have VIPs that it could be coming through on?  You have match-vip disabled so the rule wouldn't catch those.

View solution in original post

5 REPLIES 5
Carl_Wallmark
Valued Contributor

Hi,

 

Are you sure it´s not getting blocked ?

The message says "action=deny"

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
Markus

Hi, thank you

 

Yes, it's get blocked but at least from the implicit deny policy (id 0) not from my policy that I've created.

 

Best,

Markus


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
tanr
Valued Contributor II

Do you have VIPs that it could be coming through on?  You have match-vip disabled so the rule wouldn't catch those.

Markus
Valued Contributor

Hi Tanr

 

Yes, have a VIP. Enabled match-vip does the trick. Thank you.


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
tanr
Valued Contributor II

Glad that was helpful.  You're welcome.

Labels
Top Kudoed Authors