Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
michaelleroy
New Contributor

Geo-Lock VPN traffic

We are wanting to restrict SSL tunnel, SSL web, and IPsec Dial up VPN connections to limited countries. 

 

I can't seem to find any specific documentation on this, other than the generic Geographic options available.

 

What would be the best practice to accomplish this?

2 REPLIES 2
EMES
Contributor

Local-In Policy would work for you. Its only copnfigured in the CLI. You would first create address objects for the countries you want to allow, setting the type to "Geography" and then the country to want to allow. Then in the CLI you would create a policy to allow that country and then create a deny all. 

 

config firewall address 
edit "US"
 
 set type geography
 set country "US"
 next
end
config firewall local-in-policy
 edit 1
 set intf "port2"
 set srcaddr "US"
 set dstaddr "all"
 set action accept
 set service "HTTPS"
 set schedule "always"
 next
 edit 2
 set intf "port2"
 set srcaddr "all"
 set dstaddr "all"
 set service "HTTPS"
 set schedule "always"
 next
end

 

Here is a link to a kb on how to configure it further. http://kb.fortinet.com/kb/documentLink.do?externalID=FD33649 

emnoc
Esteemed Contributor III

I agree geoip and local-policy will get you what you want.

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors