Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Geo Location Restriction Issue


We want to enable Geolocation based blocking

So we follows the guides from the FN site

a) Create Address objects of each country b) Put each address object in to a group c) Create a policy so that anything on the WAN interface to LAN that arrives from the Geolocation Address Group is Denied

We then test this from a IP that is in the "banned" country but we are still able to, for example, get to the SSLVPN webpage.

We would expect the SSL VPN page from the FW to not display from that country. We can also ping the FW from the said country as well.


I saw that adding set match-vip enable may be the reason but we have no VIPS on the FW

Any ideas?

Valued Contributor

Access to the SSL-VPN is not controlled by firewall policy unless you're using a loopback for the VPN to listen on or something.  Pinging the firewall is controlled by local-in policy and/or administrative access settings on the various interfaces.  Again, nothing under Firewall Policy affects it.


You may want to check out this guide (talks about IPSEC VPN, but the principles would apply to SSL as well):




Very helpful thank you!


So as it stands in the config I have deployed - any access outside of SSL and PING etc -will be blocked right? Im just trying to get a view on what else is excluded as standard from Firewall Policies

Valued Contributor

The bottom line is traffic initiated BY or terminated BY the firewall is completely unaffected by firewall policy.  Firewall policy is for traffic traversing the firewall.


Your config would block anyone from those countries accessing servers hosted on your LAN.  However, if you use VIPs for those WAN to LAN rules (most common), you will also need to use "set match-vip enable" on the deny policy (you could alternatively list all of your VIPs, but that doesn't scale as well).  Check out this article about that specific scenario:



Once again thanks


So in terms of set match-vip enable - we dont use vips - so in this case if it was enabled it wouldnt do any harm right?



Valued Contributor

That's correct; it doesn't hurt.  Curious you have any policies that actually allow traffic from WAN to LAN?  If not, this won't really accomplish anything.   You might be wanting to block traffic TO those countries (from LAN to WAN) to prevent users from accessing sketchy sites.


Hi - you was right in curiosity! I realised that doing this does nothing as it has no NAT or access to inyternal servers to block! The Geo block only happens to things that you've VIP'd


Thank you for well - making me read up! :) Your help was really appreciated. 

Top Kudoed Authors