Hello, I want to make a policy with Geo Blocking on my wan port that's inside an SD-WAN interface. I tried to configure the policy with incoming interface SD-WAN but it doesn't work. If I take my wan out of the SD-WAN and configure the policy with incoming interface wan it works correctly. How can I configure the policy using SD-WAN?
I tried looking online for the answer but couldn't find anything about SD-WAN. Thanks for the help!
Hi Adrian,
You can also configure local-in policies following the below documentation. You just need to adjust it to your own case:
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/363127/local-in-policy
Hi Adrian
Actually, it should work.
After you add the interface to the SD-WAN interface you need to create firewall policies with the matching SD-WAN interface.
For example (srcintf is your SD-WAN interface):
config firewall policy
    edit 0
        set name "Internet to local System"
        set srcintf "virtual-wan-link"
        set dstintf "<Dst. Interface>"
        set action accept
        set srcaddr "<your allowed GEO Object>"
        set dstaddr "<your VIP Object>"
        set schedule "always"
        set service "ALL"
    next
end
Thanks for the quick reply scan888, I have my policy configured like this:
When I have the Deny option enabled I can't assign a VIP.
Hi @AdrianR
Your rule blocks any connections coming from your selected country to any hosts behind the "lan" switch.
I'm not sure what exactly you would like to achieve, because this rule only helps if you have any VIP rules below that rule. If you have no forwardings from the Internet to your "lan" switch, the implicit deny rule blocks the connections anyway.
That’s correct I’m trying to block any connections from those countries but it isn’t working, I’m still able to access from those countries.
Enable logging on all rules and check the log in the "Log & Report" section. For all allowed traffic you see the corresponding rule ID.
Double check that you have no allow policy above this rule.
Otherwise use the debug commands:
diag debug enable
diag debug flow filter addr <your destination ip>
diag debug flow filter port <your testing port>
diag debug flow trace start 10
Produce test traffic and check which firewall policy is allowing the traffic.
Created on 05-31-2023 11:50 AM Edited on 05-31-2023 11:52 AM
Scan888 thanks a lot for taking the time to help me, I tried the commands but didn't see any output in my test:
But the policy accepting the traffic is the one below:
I even tried to block all incoming traffic with "all" as source but doesn't work:
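The following configuration is an added example and is not from any post in this thread; it pulls together the policy shape scan888 describes (srcintf set to the SD-WAN zone rather than the member port) with the two things a practitioner would check for the behaviour AdrianR reports. First, FortiOS evaluates policies top to bottom, so the geo-block deny must sit above the VIP accept policy. Second, a deny policy whose dstaddr is "all" does not match packets whose destination address has already been rewritten by a VIP unless `set match-vip enable` is set on that deny policy; a deny policy cannot reference the VIP object directly (which is the GUI limitation noted above), so match-vip is the CLI knob that makes it apply to VIP-bound traffic. The object names ("GEO-CN", "GEO-RU", "Blocked-Countries", "VIP-WEB"), the "lan" destination interface, the policy IDs 10 and 11, the HTTPS service and the default SD-WAN zone name "virtual-wan-link" are all assumptions chosen for the example; adjust them to your own objects. The lines starting with "#" are reader comments, not CLI input.

```fortios
# Added example, not code from the thread. All object names below are assumptions.

# Geography address objects (one per country) grouped into a single source object.
config firewall address
    edit "GEO-CN"
        set type geography
        set country "CN"
    next
    edit "GEO-RU"
        set type geography
        set country "RU"
    next
end
config firewall addrgrp
    edit "Blocked-Countries"
        set member "GEO-CN" "GEO-RU"
    next
end

config firewall policy
    # Deny policy: srcintf is the SD-WAN zone, not the member port "wan".
    # match-vip makes a deny policy with dstaddr "all" also match packets whose
    # destination was rewritten by a VIP; without it, VIP traffic skips this
    # policy and is accepted by policy 11 below.
    edit 10
        set name "Block-GeoIP-to-VIP"
        set srcintf "virtual-wan-link"
        set dstintf "lan"
        set srcaddr "Blocked-Countries"
        set dstaddr "all"
        set action deny
        set match-vip enable
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # The actual forwarding policy for the VIP, allowed for everyone else.
    edit 11
        set name "Internet-to-VIP-WEB"
        set srcintf "virtual-wan-link"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "VIP-WEB"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # Policy order matters: the deny must be evaluated before the accept.
    move 10 before 11
end

# Traffic addressed to the FortiGate itself (admin GUI, SSL VPN, IPsec) is not
# handled by forward policies; the local-in policy from the documentation link
# above covers it. Using the SD-WAN zone as intf here is an assumption; if your
# FortiOS version rejects the zone, use the member interface name instead.
config firewall local-in-policy
    edit 1
        set intf "virtual-wan-link"
        set srcaddr "Blocked-Countries"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
```

Two checks after applying it: with logtraffic set to all on both policies, the forward log shows the policy ID that handled each test connection, so a hit from a blocked country should log against policy 10 and not 11; and because FortiOS refuses to add an interface to an SD-WAN zone while a policy still references it directly, any old policy with srcintf "wan" has to be retargeted to the zone (or deleted) before the member can be added back.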
Try put your interface in sd-wan again but keep the policy with the original wan interface (not sd-wan).
Hello AEK, the SD-WAN configuration won't let me add the wan interface back in because it's being used by the original policy with the wan interface as the incoming interface.
Hello Adrian
Which FOS version?
Copyright 2024 Fortinet, Inc. All Rights Reserved.