I'm in the middle of setting up a policy to block all traffic outside of the US. It appears I have to add each country to the Policy & Objects > Addresses section separately and then create a group and add the addresses to the group ...then create a policy to block the group. I have started to do that and it appears to be working fine, but I was wondering if there is a way to create an allow list instead? I thought if I set up a policy to Allow US, but no one else...will this block everyone else? I didn't know if the data would be read through the security like...data from country B arrives....policy 1: it's not US...go to policy 2-9...there are no other policies that "block" country B...allow data.... Or will it be... data from country B arrives...policy 1: it's not US...blocked...don't care about other policies. It seems like the default is ...if there is no policy...let it through.
If I may indecently point you to this page where exactly this is laid out, with ready-to-use batch command files for the geo-objects and an example of how to allow incoming (towards the FGT) traffic from just one country.
I am not 100% sure if the list of geo-objects is identical to that in FortiOS v6.2 but it'll work. The correlation between country name and IP ranges is constantly updated online in FortiOS.
Simply put the allowed US policy at the top. Then deny all next, which includes all other countries.
Actually the "deny all" is implicitly there already. You don't need it. It should be working as you intended with the current set up with the second one "disabled".
Ok...I just have the second policy disabled because I didn't want to enable it and accidentally lock myself out... Nothing better than struggling through CLI recovery on a Monday afternoon...
I will keep what is in place active and monitor the logs and see if anything slips through. Thanks for the help.
Depending on what you are trying to achieve, you just might want to set the GEO blocking on a local-in-policy - that's assuming you are trying to block anything directed at the firewall itself.
If you have internal devices (behind the firewall) making/establishing connections to GEO countries outside the US then I would investigate the cause/reasons for this with the owner(s) of those devices and/or just block access from Internal-->WAN to those GEO countries. But try the local-in-policy first. YMMV.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
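The two approaches discussed above (a geography address in an inbound firewall policy that relies on the implicit deny, and the local-in-policy variant for traffic aimed at the FortiGate itself), as an added FortiOS CLI example that is not from the thread; the interface names, the VIP name "VIP-WEB" and the policy IDs are assumptions:

```text
# Constructed example: geo address object, an inbound firewall policy
# that accepts only US sources and relies on the implicit deny, and the
# local-in-policy variant, which needs an explicit deny because
# unmatched local-in traffic is not dropped by default.
# Interface names, the VIP "VIP-WEB" and the policy IDs are assumptions.
config firewall address
    edit "GEO-US"
        set type geography
        set country "US"
    next
end

# Policies are evaluated top-down, first match wins. Non-US sources match
# nothing here and hit the implicit deny at the bottom of the table.
config firewall policy
    edit 10
        set name "Inbound-US-only"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "GEO-US"
        set dstaddr "VIP-WEB"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# Local-in variant for traffic to the FortiGate itself (e.g. admin GUI on
# wan1). Policy 1 accepts US, policy 2 drops the rest; without policy 2
# the non-US traffic would fall back to the normal local-in handling.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "GEO-US"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
    next
end
```

Because a local-in deny can cut off remote administration, verify the policy from a US source before enabling it and scope the service to what is actually exposed.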
I am trying to block all traffic from the web that is not US originating. We don't want to block any outgoing.
I just finished typing all these out by hand on my second and last firewall. Just a bit too slow on getting your reply. Thanks. I will use that for the next time I have to set this up.... which of course will probably be never. :D Thanks again