Block all traffic from outside the UK

ForgetItNet · ‎04-01-2023

Hi all,

I can find instructions to block certain IP's but is there a way to ONLY allow traffic in from any location in the UK, i.e so anything (and i mean anything) outside of the UK is blocked by default ?

Thanks

Ian

Yurisk · ‎04-01-2023

Hi, yes, you can.

Create a Geography objects in Addresses:
Use it in a Security Rule with an action Deny:
Negate this polic for its source addresses. I guess it can be done on CLi only (here my policy number is 3, change to yours):

config firewall policy
    edit 3
      set srcaddr-negate enable
end

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.

View solution in original post

funkylicious · ‎04-01-2023

Hi,

Check these

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/286826/geography-based-addre...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Geography-Based-Addressing-Version-5-4-and...

geek

ForgetItNet · ‎04-01-2023

That's very easy....one thing i can't figure out though (i'm assuming it's simple and i just can't think) is that how do i set a policy to allow only traffic from here ? obviously i can block traffic from other countries by creating an address with a country in and then selecting block but i don't want to have to manually add all countries so is there a way to set it to allow ONLY from this address ? Do i have to create a group and manually add all the available countries ?

Yurisk · ‎04-01-2023

Hi, yes, you can.

Create a Geography objects in Addresses:
Use it in a Security Rule with an action Deny:
Negate this polic for its source addresses. I guess it can be done on CLi only (here my policy number is 3, change to yours):

config firewall policy
    edit 3
      set srcaddr-negate enable
end

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.

funkylicious · ‎04-01-2023

Also, remember that if you have VIPs this should also be included, set match-vip enable if u don't run 7.2.4 that has is by default when a deny rule is created.

geek

Toshi_Esumi · ‎04-01-2023

OP's statements were not clear about what kind of traffic to be blocked. If you want to block like VPN attempts to your FGT itself, not passing through the FGT, you need to do this under "config firewall local-in-policy".

Toshi

ForgetItNet · ‎04-02-2023

Thanks all,

it's ALL traffic we want to block if that's possible without causing any issues. We don't deal with any location outside of the UK so would want all and everything not from the UK to be blocked so would this just be easier to put in a simple deny rule and then add all the countries available except the UK ?

Yurisk · ‎04-02-2023

As @Toshi_Esumi rightfully noted - you are not providing us enough of information to recommend something. The block is to be made in Security rules/Local-in Policy/Web filtering/whatever, i.e. it can only be done in context of your Fortigate configuration. "Block traffic non UK without issues" is not a technical requirement, it is a wish which we cannot translate without additional info.

DO you want to block access to your internal resources which are accessible via VIPs?
Do you want to block outbound from LAN access to non-UK countries as well?
Do you want to block access to specific services running on FGT itself (like SSL VPN portal, or admin access or ...)?
Do you want this as the only policy - block everything from non-UK AND allow from UK everything, or you have more specific rules controlling traffic as well?

These are the questions to start with.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.

ForgetItNet · ‎04-02-2023

Ok, so

1.I do want to block access to our internal resources which are accessible via any internet facing IP on the router

2.Yes, i'd like to block outbound to non-uk countries as well

3.As regards to specific ports...again this is a requirement (if possible) to block EVERYTHING as there's no location inbound or outbound that we need to access or give access to outside of the UK so it would be a complete block on anything in any direction on any port

4. Yes, i "assume" this would be the only policy so my goal is as you've said....block everything from non-uk and allow everything from uk

Apologies if I've mis-understood this as i thought it might be a simple case of putting a rule in to say if it's not from the uk then block (whether that's a rule with all the non-uk countires in....otherwise proceed down the firewall rules which it would then do normally ?

Thanks

Yurisk · ‎04-02-2023

OK, then as I posted above - you need to use negation of UK GEo object in the top-most security rule in the direction Internet -> Nets-behind-FGT, with the action Deny. This will block on the 1st rule all non-UK sources and will not try to match them against rules below. While source IPs from UK will not match here and continue matching to the rules below.
The same - you put as top-most rule in the direction LAN -> Internet, the rule source LAN destination UK GEO, action Deny, negate the destination on CLI. AS a result this rule will block all packets from LAN to non UK destination addresses and will not try to match such packets to the rules below.
This is a variation of 1) - you also want to block all non-UK sources trying to access services on the FGT itself, here as Toshi mentioned, you have to use Local-in Policy, which on newer versions (at least 7.2x) also allows to use UK as GEO and Block as action, while negating the source. It is configurable on CLI only, shameless plug - you can read more on them Fortigate Local-in policy configuration examples for VPN IPSec, VPN SSL, BGP and more or Google it, there are plenty of examples.
When using GEO addresses, make sure to have valid license on your FGT and that ISDB/IPS are updated regularly for changes in GEO to IPs mappings.

HTH

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.