Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Efficiently Limiting Access by Country on Port 443"


I have a service exposed on port 443 and want to limit access to one specific country. Is there a way to deny all countries in one go and only allow the desired one, instead of listing all the countries to deny?





Honored Contributor


You can do it in two ways:


Option 1:

In your deny policy, use you country as source, and enable "Negate source". But first you need to enable "Advanced policy options" in System > Feature Visibility, in order to make this feature available.


Option 2:

Add these policies in the listed order:

- Allow traffic from the desired country

- Deny traffic from all other sources


New Contributor

Thanks. I am a bit confused by your suggestion because I am not used to Fortigate.

What I am doing at present is to create geographical policies in Adresses (on per each of the countries bothering me):

Screenshot 2023-10-22 at 08.23.52.png



and then I add them one by one in a Firewall Policy with destination to specific IPs where I have the DB and the service as destination:


Screenshot 2023-10-22 at 08.24.21.png

How your solution 1 is to be implemented? Can you guide me?



If you want to do it from GUI you have to enable this feature to be visible from: System > Feature Visibility > Enable "Policy Advanced Options". In the Accept policy, specify this sources (countries) and than the Negate Source (enabled) will allow all traffic apart from the selected sources directly on the Accept policy, you don't need this Deny policy anymore.

Or from CLI:

config firewall policy
     edit 111
           set srcaddr-negate enable

 To look nicer in the policy you can also create an Address Group with all this countries and just refer that group only, not every country individually.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
New Contributor



Are you accessing the intended service on port 443 through a VIP ?

Esteemed Contributor III

What @Camuegi is asking is you didn't clearly state if the 443 access you're talking about is at the FGT istelf, like addmin GUI access or SSL VPN access, or at a web sever behind the FGT. In the latter case, you must have a VIP policy unless you route the public IP on the web server through the FGT.

And further, in the former case you need to set this up with local-in policy/ies, while in the latter case with a VIP you need to set it up with regular firewall policy with "set match-vip enable" option.  Otherwise, the block policy won't work as you expect because if it matches VIP, it won't examine any other policies even if it's placed above the VIP policy.

(see this KB:




New Contributor

Hi, sorry for the late reply. I am routing the public IP through the FGT. Port 443 is forwarded to a webserver in a VM which is on a dedicated Vlan.

Top Kudoed Authors