Created on 11-30-2022 09:46 AM Edited on 11-30-2022 09:46 AM
GEO blocking is not working properly
I have created a GEO blocking policy on top of the policies; I have blocked Russia specifically. But the following IP from Russia, 5.8.16.163, is not blocked as per the GEO blocking policy. I already enabled match-vip on this policy.
Please help: why is Fortinet not able to apply the geo block correctly?
Labels: FortiClient, FortiGate
There are two separate policy sets:
- Firewall Policy (config firewall policy)
- Local-in Policy (config firewall local-in-policy)
Firewall Policy handles traffic coming in one interface and going out another interface. Local-in Policy handles traffic that hits the FGT itself, like IPsec, SSL VPNs, and the returns of other FGT-initiated traffic.
Did you put your GEO blocking policy in the local-in-policy, or in the firewall policy?
Toshi
It is a firewall policy; traffic coming from outside to inside.
Created on 11-30-2022 10:17 AM Edited on 11-30-2022 10:18 AM
So you're saying you have some VIP policies to allow outside parties to come through the FGT and be forwarded to internal servers like a web server, FTP server, etc.
Then the traffic from Russia is actually hitting those internal servers, right?
You need to share the actual policy GUI or CLI by masking some proprietary info as well as the GEO address definition the policy is using.
Toshi
So you're saying you have some VIP policies to allow outside parties to come through the FGT and be forwarded to internal servers like a web server, FTP server, etc.
-- Yes, traffic from Russia is hitting internal servers.
Created on 11-30-2022 10:30 AM Edited on 11-30-2022 03:16 PM
I found a KB for your situation. Did you follow this instruction?
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-VIP-access-using-GEO-Location...
<edit>
As described at the end of this KB, your deny policy is most likely missing "set match-vip enable" in CLI.
</edit>
Toshi
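For readers who land on this thread later, here is the shape of the deny policy the KB describes, written as an added example (not the poster's actual configuration and not taken from the KB). The address name, interface names, policy IDs and the placement of the policy are assumptions; the one line that matters for VIP-forwarded traffic is "set match-vip enable", because without it a firewall policy is evaluated against the original (pre-DNAT) destination and the deny rule never sees sessions that a VIP rewrites to an internal server.

```fortios
# Constructed example: geography address object for Russia (name is assumed).
config firewall address
    edit "GEO_Russia"
        set type geography
        set country "RU"
    next
end

# Constructed example: explicit deny placed above the VIP allow policies.
# Interface names, the policy ID 99 and the VIP policy ID 10 are assumptions.
config firewall policy
    edit 99
        set name "Deny_RU_inbound"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "GEO_Russia"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        # Without the next line this deny policy does not match traffic
        # destined to a VIP, which is the symptom described in the thread.
        set match-vip enable
        # Log the drops so the block can be confirmed in the traffic log.
        set logtraffic all
    next
    # Order matters: the deny must be evaluated before the VIP allow policy.
    move 99 before 10
end
```

To confirm which policy a given inbound session actually hits, the built-in flow trace can be filtered on the source address ("diagnose debug flow filter addr <ip>", then "diagnose debug flow trace start 10" with "diagnose debug enable"); the trace prints the policy ID that accepted or denied the packet.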
