We geo block all inbound connections to our web servers that aren't from the United States.
Our Let's Encrypt http certificate renewals are failing due to this geo block policy, as the inbound http requests from Let's Encrypt come from other counties like Sweden and the Netherlands.
Unfortunately Let's Encrypt does not publish their IP ranges or FQDNs to create a geo block exception, and DNS challenges are not an option for our environment at this time.
Is there a way to geo block all inbound connections EXCEPT for inbound http requests to this directory:
/.well-known/acme-challenge
This was listed as a potential solution in this support article, but I'm not sure how this would be accomplished on a FortiGate firewall:
Whitelist LetsEncrypt Server IPs - Help - Let's Encrypt Community Support
I thought it might be possible using a web filter profile, but I haven't found any FortiGate specific articles about this so I wanted to raise the question to the community.
Any advice you have is much appreciated.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello @tryingmybest ,
Yes, as you said, you can do it with the static-url filter in the web filter. You can define things like regex or wildcards in the static filter, so this is possible. However, this will not be possible if you are using the lets encrypt certificate on the FortiGate itself. Because web filters can only be applied to traffic passing through FortiGate.
You can access the documentation on how to use it from the link below.
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/371670/static-url-filter
Thanks for the reply, much appreciated! I'm not 100% sure what the firewall policy would look like to accomplish this.
I'm trying to think it through, and this is what I came up with. This rule would go above our current geo block policy:
Source: United States (Negate)
Destination: My Web Server
Service: http
Action: Accept
Security Profile: Web Profile with a static URL Filter Allow to */.well-known/acme-challenge
Is this the correct method for accomplishing my goal?
If so, how would I setup the policy to only allow access to */.well-known/acme-challenge and nothing else over http since the firewall policy Action is set to Accept? Do I need to set a Deny action somewhere in the Web Filter profile that denies traffic anywhere but to */.well-known/acme-challenge?
Yes, as you said, you need to block all categories in the web filter. Since I haven't tried anything like this before, I can't say for sure that it will work. But I think it wouldn't hurt to try :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.