GEO blocking is not working properly

chakravarthinakka · ‎11-30-2022

I have created GEO blocking policy on top of the policies , I have blocked Russia specifically. But the following ip from Russia 5.8.16.163 , As per GEO blocking policy its not blocked. I already enabled match-vip on this policy.

Please help why Fortinet not able to block the geo block correctly

Toshi_Esumi · ‎11-30-2022

There are two separate policy sets:

- Firewall Policy (config firewall policy)

- Local-in Policy (config firewall local-in-policy)

Firewall Policy handles traffic coming in one interface and going out another interface. Local-in Policy handles traffic hits the FGT itself like IPsec, SSL VPNs, and other FGT initiated traffic's returns.

Did you put the your GEO blocking policy in the local-in-policy? Or firewall policy?

Toshi

chakravarthinakka · ‎11-30-2022

it is firewall policy , traffic coming from outside to inside

Toshi_Esumi · ‎11-30-2022

So you're saying you have some VIP policies to allow outside parties to come through the FGT and forwarded to internal servers like Web server, FTP server, etc.

Then the traffic from Russia is actually hitting those internal servers, right?

You need to share the actual policy GUI or CLI by masking some proprietary info as well as the GEO address definition the policy is using.

Toshi

chakravarthinakka · ‎11-30-2022

So you're saying you have some VIP policies to allow outside parties to come through the FGT and forwarded to internal servers like Web server, FTP server, etc.

-- Yes , traffic from Russia is hitting internal servers

Toshi_Esumi · ‎11-30-2022

I found a KB for your situation. Did you follow this instruction?
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-VIP-access-using-GEO-Location...

<edit>

As described at the end of this KB, your deny policy is most likely missing "set match-vip enable" in CLI.

</edit>

Toshi

GEO blocking is not working properly

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website