Support Forum
FractalSphere
New Contributor II

Blocking by region and stopping attempted logins

I have many corporate Fortinet firewalls in play, but finally just went and bought one for myself (a 60e, great for home internet and labs) so am posting with my personal acct - and am seeing the following weird issue.  
I have created an address group blocking a number of countries (Russia and China primarily, seeing attempted connection attempts from various IP's).
While I do 'allow' SSH on wan1, the administrator super_admin and my acct profile_admin are only allowed from certain IP ranges (my inside subnets and the VPN DHCP range I hand out when I connect to my own network from outside) so that's already fairly locked down.

I am seeing logs denying 'admin' by blocked IP because it falls outside trustedhosts range, but if the bots try any other account (that does NOT exist on the Fortinet) it allows the connection to try passwords and then of course fails because there's no such account. 
I have created a deny policy referencing the regions and put wan1/wan1 as the from/to because this isn't hitting a VIP, it's just SSH attempts to wan1. 

Screenshot from 2024-03-12 17-19-34.png

Screenshot from 2024-03-12 17-07-11.png
Yes, despite being policy #7, it's ordered to the top of the list so it's the first policy processed when traffic hits wan1.

Screenshot from 2024-03-12 17-18-45.png

What I was hoping would happen here is that the policy would deny even the attempted connection from source IP's that match the regions and my address group BEFORE allowing the SSH connection and attempting authentication. I have tested this from another static IP that I added to the group and the hit count does not increase (show matching logs shows nothing hitting the policy at all).

What's happening here where a bad acct can attempt to log in from a region blocked IP but a known acct filters based on the trustedhosts?
These are slow attempts, maybe a few to up to a dozen a day, so definitely not killing my bandwidth, stressing the firewall, or causing any disruptions, but I would still want to deny ANY connections from those regions.
Looking for advice and guidance here. 
Thanks!

1 Solution
hbac

Hi @FractalSphere,
Do you have trusted hosts configured for all admin accounts? You can use local-in-policy to block incoming connections to the FortiGate. Please refer to https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/363127/local-in-policy
Regards, 

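To make the suggested fix concrete, here is an added example FortiOS CLI configuration (not posted by hbac or FractalSphere, and not a snippet from Fortinet's documentation). The behaviour the original post describes is expected: a regular firewall policy, even one set to wan1/wan1, only evaluates traffic transiting the FortiGate, so SSH aimed at the wan1 address itself never matches it and the hit count stays at zero. Trusted hosts, in turn, are evaluated per admin account, so a login attempt with a username that does not exist has no trusted-host list to fail against and the SSH session is allowed to reach the password prompt. A local-in policy sits in front of both and is evaluated for traffic destined to the device itself. The address group name "geo-block" and the trusted-host subnets are assumptions standing in for the poster's own values.

```fortios
# Added example, not from the thread. Assumes the country address group is named
# "geo-block" (substitute the poster's group) and that wan1 is the WAN interface.
# Local-in policies govern traffic addressed TO the FortiGate; ordinary firewall
# policies never see that traffic, which is why the wan1/wan1 deny policy has no hits.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "geo-block"
        set dstaddr "all"
        set action deny
        set service "SSH" "HTTPS"
        set schedule "always"
        set status enable
    next
end

# Trusted hosts are checked per account, so every admin account needs them, not
# just the built-in "admin". The subnets below are placeholders for the poster's
# inside LAN and VPN DHCP range.
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
        set trusthost2 10.10.10.0 255.255.255.0
    next
end
```

After applying the local-in policy, the same test from a static IP added to the group should show the SSH connection refused before any banner or password prompt, and `diagnose firewall iprope show 100001` style hit counters or the local traffic log (enable local traffic logging under log settings) can confirm the match; the admin login-failed events for nonexistent usernames from those regions should stop appearing, since the TCP connection is now dropped before the SSH daemon sees it.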

10 REPLIES
jhonwills72
New Contributor

While you've restricted SSH access to certain IP ranges for specific accounts, you're still seeing login attempts for non-existent accounts from blocked IPs of Wwe 2k14. You might want to consider implementing additional security measures like rate limiting or intrusion detection to further protect your network.
