Hi,
I have a service exposed on port 443 and want to limit access to one specific country. Is there a way to deny all countries in one go and only allow the desired one, instead of listing all the countries to deny?
Thanks
Hello
You can do it in two ways:
Option 1:
In your deny policy, use your country as source, and enable "Negate source". But first you need to enable "Advanced policy options" in System > Feature Visibility, in order to make this feature available.
Option 2:
Add these policies in the listed order:
- Allow traffic from the desired country
- Deny traffic from all other sources
Thanks. I am a bit confused by your suggestion because I am not used to Fortigate.
What I am doing at present is to create geographical policies in Addresses (one per each of the countries bothering me):
and then I add them one by one in a Firewall Policy with destination to specific IPs where I have the DB and the service as destination:
How is your solution 1 to be implemented? Can you guide me?
Thanks
If you want to do it from GUI you have to enable this feature to be visible from: System > Feature Visibility > Enable "Policy Advanced Options". In the Accept policy, specify these sources (countries), and then Negate Source (enabled) will allow all traffic apart from the selected sources directly on the Accept policy; you don't need this Deny policy anymore.
Or from CLI:
config firewall policy
    edit 111
        set srcaddr-negate enable
    next
end
To look nicer in the policy you can also create an Address Group with all these countries and just refer to that group only, not every country individually.
Hi,
Are you accessing the intended service on port 443 through a VIP ?
What @Camuegi is asking is that you didn't clearly state if the 443 access you're talking about is at the FGT itself, like admin GUI access or SSL VPN access, or at a web server behind the FGT. In the latter case, you must have a VIP policy unless you route the public IP on the web server through the FGT.
And further, in the former case you need to set this up with local-in policy/ies, while in the latter case with a VIP you need to set it up with regular firewall policy with "set match-vip enable" option. Otherwise, the block policy won't work as you expect because if it matches VIP, it won't examine any other policies even if it's placed above the VIP policy.
(see this KB: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LA...)
Toshi
Hi, sorry for the late reply. I am routing the public IP through the FGT. Port 443 is forwarded to a webserver in a VM which is on a dedicated Vlan.
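Putting the three replies above together for the setup the OP describes (a public IP on the FGT, port 443 forwarded through a VIP to a web server on a dedicated VLAN), here is a complete FortiOS CLI configuration as an added example. It is not code from the thread or from Fortinet; the interface names (wan1, vlan20), the addresses (203.0.113.10, 10.10.20.5), the country (IT), the object names and the policy IDs are assumptions for illustration. It creates the geography address, wraps it in an address group so more countries can be added later, defines the port-forwarding VIP, then the accept policy for the allowed country, and finally an explicit deny policy that uses Negate Source (srcaddr-negate) plus match-vip so that it actually catches VIP traffic from every other country and logs it, which the implicit deny would not log.

```fortios
# Added example, not from the thread. Names, IPs and policy IDs are assumptions.
# 1. Geography address for the one allowed country
config firewall address
    edit "geo-IT"
        set type geography
        set country "IT"
    next
end

# 2. Address group so the policies refer to one object (add members later if needed)
config firewall addrgrp
    edit "grp-allowed-countries"
        set member "geo-IT"
    next
end

# 3. Port-forwarding VIP: public 203.0.113.10:443 -> web server 10.10.20.5:443 on the VLAN
config firewall vip
    edit "vip-web-443"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.10.20.5"
        set extport 443
        set mappedport 443
    next
end

# 4. Policies. New CLI policies are appended at the bottom, so 10 ends up above 11.
config firewall policy
    # Allow HTTPS to the VIP only from the allowed country group
    edit 10
        set name "allow-web-from-IT"
        set srcintf "wan1"
        set dstintf "vlan20"
        set srcaddr "grp-allowed-countries"
        set dstaddr "vip-web-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # Explicit deny for everyone else: same sources, negated (= all other countries).
    # match-vip is required on a deny policy with dstaddr "all", otherwise VIP traffic
    # is matched only against policies whose dstaddr is the VIP and this deny is skipped.
    edit 11
        set name "deny-web-from-other-countries"
        set srcintf "wan1"
        set dstintf "vlan20"
        set srcaddr "grp-allowed-countries"
        set srcaddr-negate enable
        set dstaddr "all"
        set match-vip enable
        set action deny
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Two checks after applying it: confirm in Policy & Objects that policy 10 sits above policy 11 (if not, drag it, or use "move 10 before 11" inside config firewall policy), and use the GUI Policy Lookup with a source IP from the allowed country and one from elsewhere to see that the first hits policy 10 and the second hits policy 11 rather than the VIP accept policy. Note that this only restricts the forwarded web service; if the OP also wants to limit admin GUI or SSL VPN access on 443 at the FGT itself, that is done with local-in policies, as Toshi pointed out, not with these firewall policies.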