Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC-F
- FortiNAC
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiRecon
- FortiProxy
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiTester
- FortiSwitch
- FortiToken
- FortiVoice
- FortiWAN
- FortiAppSec Cloud
- FortiWeb
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Geo Location Restriction Issue
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Geo Location Restriction Issue
Hi
We want to enable Geolocation based blocking
So we follows the guides from the FN site
a) Create Address objects of each country b) Put each address object in to a group c) Create a policy so that anything on the WAN interface to LAN that arrives from the Geolocation Address Group is Denied
We then test this from a IP that is in the "banned" country but we are still able to, for example, get to the SSLVPN webpage.
We would expect the SSL VPN page from the FW to not display from that country. We can also ping the FW from the said country as well.
I saw that adding set match-vip enable may be the reason but we have no VIPS on the FW
Any ideas?
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Access to the SSL-VPN is not controlled by firewall policy unless you're using a loopback for the VPN to listen on or something. Pinging the firewall is controlled by local-in policy and/or administrative access settings on the various interfaces. Again, nothing under Firewall Policy affects it.
You may want to check out this guide (talks about IPSEC VPN, but the principles would apply to SSL as well):
https://kb.fortinet.com/kb/documentLink.do?externalID=FD45208
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Very helpful thank you!
So as it stands in the config I have deployed - any access outside of SSL and PING etc -will be blocked right? Im just trying to get a view on what else is excluded as standard from Firewall Policies
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The bottom line is traffic initiated BY or terminated BY the firewall is completely unaffected by firewall policy. Firewall policy is for traffic traversing the firewall.
Your config would block anyone from those countries accessing servers hosted on your LAN. However, if you use VIPs for those WAN to LAN rules (most common), you will also need to use "set match-vip enable" on the deny policy (you could alternatively list all of your VIPs, but that doesn't scale as well). Check out this article about that specific scenario:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD36750
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Once again thanks
So in terms of set match-vip enable - we dont use vips - so in this case if it was enabled it wouldnt do any harm right?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's correct; it doesn't hurt. Curious though...do you have any policies that actually allow traffic from WAN to LAN? If not, this won't really accomplish anything. You might be wanting to block traffic TO those countries (from LAN to WAN) to prevent users from accessing sketchy sites.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi - you was right in curiosity! I realised that doing this does nothing as it has no NAT or access to inyternal servers to block! The Geo block only happens to things that you've VIP'd
Thank you for well - making me read up! :) Your help was really appreciated.
Labels
-
FortiGate
9,688 -
FortiClient
1,979 -
FortiManager
824 -
5.2
801 -
5.4
639 -
FortiAnalyzer
635 -
FortiSwitch
535 -
FortiAP
522 -
FortiClient EMS
494 -
6.0
416 -
5.6
362 -
FortiMail
353 -
SSL-VPN
320 -
IPsec
300 -
6.2
251 -
FortiNAC
236 -
FortiAuthenticator v5.5
234 -
FortiWeb
233 -
5.0
196 -
SD-WAN
155 -
FortiGuard
153 -
FortiAuthenticator
141 -
6.4
128 -
Firewall policy
116 -
FortiSIEM
109 -
FortiGateCloud
109 -
FortiCloud Products
105 -
FortiToken
97 -
Wireless Controller
90 -
Customer Service
83 -
FortiProxy
72 -
High Availability
72 -
FortiGate-VM
68 -
4.0MR3
64 -
FortiEDR
64 -
ZTNA
64 -
Fortivoice
63 -
Routing
61 -
FortiADC
60 -
VLAN
60 -
DNS
58 -
SAML
56 -
BGP
55 -
Authentication
54 -
RADIUS
51 -
LDAP
50 -
FortiSandbox
49 -
NAT
49 -
FortiExtender
47 -
Certificate
47 -
SSO
45 -
FortiDNS
43 -
FortiLink
42 -
FortiGate v5.4
37 -
Application control
37 -
FortiSwitch v6.4
35 -
Interface
35 -
VDOM
35 -
Logging
35 -
FortiConnect
32 -
FortiWAN
31 -
Virtual IP
30 -
Web profile
30 -
FortiPAM
29 -
FortiGate v5.2
27 -
FortiConverter
27 -
SSL SSH inspection
25 -
FortiPortal
23 -
Traffic shaping
23 -
FortiGate Cloud
22 -
Automation
22 -
Static route
22 -
FortiSwitch v6.2
20 -
SNMP
20 -
SSID
20 -
WAN optimization
19 -
FortiMonitor
18 -
System settings
17 -
OSPF
16 -
API
16 -
FortiDDoS
15 -
FortiSoar
15 -
Admin
15 -
Security profile
15 -
Web application firewall profile
15 -
IP address management - IPAM
15 -
FortiGate v5.0
14 -
FortiCASB
14 -
IPS signature
14 -
FortiAP profile
14 -
Proxy policy
13 -
Intrusion prevention
13 -
Traffic shaping policy
12 -
Web rating
12 -
FortiManager v5.0
11 -
FortiManager v4.0
11 -
FortiRecorder
11 -
Explicit proxy
11 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Traffic shaping profile
10 -
Fabric connector
10 -
Port policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiAnalyzer v5.0
9 -
DNS filter
9 -
Users
9 -
Fortinet Engage Partner Program
9 -
FortiDeceptor
8 -
FortiCache
8 -
RMA Information and Announcements
8 -
trunk
8 -
Antivirus profile
8 -
4.0
7 -
Authentication rule and scheme
7 -
FortiToken Cloud
6 -
Packet capture
6 -
NAC policy
6 -
Application signature
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
DLP profile
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
VoIP profile
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
Vulnerability Management
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
FortiNDR
3 -
DLP Dictionary
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
File filter
2 -
Schedule
2 -
Zone
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
ICAP profile
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2261 | |
| 1230 | |
| 772 | |
| 452 | |
| 378 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.