Efficiently Limiting Access by Country on Port 443"

feliceM · ‎10-21-2023

Hi,

I have a service exposed on port 443 and want to limit access to one specific country. Is there a way to deny all countries in one go and only allow the desired one, instead of listing all the countries to deny?

Thanks

AEK · ‎10-21-2023

Hello

You can do it in two ways:

Option 1:

In your deny policy, use you country as source, and enable "Negate source". But first you need to enable "Advanced policy options" in System > Feature Visibility, in order to make this feature available.

Option 2:

Add these policies in the listed order:

- Allow traffic from the desired country

- Deny traffic from all other sources

AEK

feliceM · ‎10-21-2023

Thanks. I am a bit confused by your suggestion because I am not used to Fortigate.

What I am doing at present is to create geographical policies in Adresses (on per each of the countries bothering me):

and then I add them one by one in a Firewall Policy with destination to specific IPs where I have the DB and the service as destination:

How your solution 1 is to be implemented? Can you guide me?

Thanks

ebilcari · ‎10-22-2023

If you want to do it from GUI you have to enable this feature to be visible from: System > Feature Visibility > Enable "Policy Advanced Options". In the Accept policy, specify this sources (countries) and than the Negate Source (enabled) will allow all traffic apart from the selected sources directly on the Accept policy, you don't need this Deny policy anymore.

Or from CLI:

config firewall policy
     edit 111
           set srcaddr-negate enable

To look nicer in the policy you can also create an Address Group with all this countries and just refer that group only, not every country individually.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

Camuegi · ‎10-22-2023

Hi,

Are you accessing the intended service on port 443 through a VIP ?

Djodje

Toshi_Esumi · ‎10-22-2023

What @Camuegi is asking is you didn't clearly state if the 443 access you're talking about is at the FGT istelf, like addmin GUI access or SSL VPN access, or at a web sever behind the FGT. In the latter case, you must have a VIP policy unless you route the public IP on the web server through the FGT.

And further, in the former case you need to set this up with local-in policy/ies, while in the latter case with a VIP you need to set it up with regular firewall policy with "set match-vip enable" option. Otherwise, the block policy won't work as you expect because if it matches VIP, it won't examine any other policies even if it's placed above the VIP policy.

(see this KB: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LA...)

Toshi

feliceM · ‎10-22-2023

Hi, sorry for the late reply. I am routing the public IP through the FGT. Port 443 is forwarded to a webserver in a VM which is on a dedicated Vlan.

Efficiently Limiting Access by Country on Port 443"

Nominate a Forum Post for Knowledge Article Creation