Dear All,
I want to block all countries except one. What steps should I take if we have two servers inside the LAN and both servers are mapped with a VIP on the FortiGate firewall?
Below is the diagram I have shown you. Please provide steps on the basis of it.
Thank you.
Hi,
We can use geo location policy for this purpose.
Regards,
Shiva
Hi Shiva,
I tried to enable `set match-vip enable` in an accept policy, but the command is not available.
We are using version 6.4.4.
FYI, I had gone through the FortiGate documents: as of FortiOS 6.4.3, match-vip is not allowed in firewall policies when the action is set to accept.
Thank you.
Since you're looking to permit only a specific set of IPs (the GeoIP object for country X), you don't need a deny policy with match-vip.
It should suffice to ensure that all firewall policies using this VIP use exclusively the Geo-IP object for country X as the source address. Remember that anything which is not explicitly allowed is blocked by the firewall by default.
Hi @Umesh,
1: Any reason you are not on FortiOS 7.0.12/13?
I would highly recommend upgrading, if possible.
2a: Follow the guide linked above to create an address object for the country you would like to allow.
2b: Make a local-in policy that allows traffic from that address object for the country.
By default, the FortiGate allows all (as I remember) traffic in the local-in policy, and then you make firewall policies to limit access.
2c: Make a second local-in policy that denies all other traffic. Remember: policies with the lowest number have priority over later policies.
3: VIP addresses you then use to NAT between your public IP(s) and internal IPs, either 1:1 IP NAT or one IP port-mapped to different internal IPs.
Remember that when you create a virtual IP, you need a matching firewall policy that actually allows the traffic.
Hint: If you make a 1:1 NAT mapping, you can then limit which ports are open via the firewall policy.
Hope that helps a bit.
I did not get a solution.
Hello,
I think you want to block geolocation addresses while allowing a particular location or source range.
You can achieve this simply by using a local-in policy.
By default, the action for these policies is deny.
So you have to follow the steps below:
1: Create an address object based on geolocation or a specific address range, and a service.
2: Create a local-in policy and attach the source address created above.
3: Set the action to accept.
4: After that, create another local-in policy with the same service.
Suppose you want to block the IKE service:
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
        set action deny
    next
end
Thank you.
Regards,
Prince
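The following is an added, complete configuration example (not posted by anyone in this thread and not Fortinet's own documentation) that ties together the two approaches discussed above: the earlier reply's firewall policy that only accepts the country's Geo-IP object as source for the VIP, and Prince's pair of local-in policies (allow the country, then deny everyone else for the same service). All names, the country code "XX", the interface names wan1/internal, and the addresses 203.0.113.10 and 192.168.10.10 are placeholders chosen for illustration.

```text
# Added example, not the thread's own config. "XX" is a placeholder ISO country code.
config firewall address
    edit "Country-X-geo"
        set type geography
        set country "XX"
    next
end

# VIP for one of the two LAN servers (placeholder public and private addresses).
config firewall vip
    edit "VIP-Server1"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "192.168.10.10"
    next
end

# Forwarded traffic to the VIP is matched by firewall policies. Because the
# only accept policy whose destination is the VIP takes the Geo-IP object as
# its source, every other country falls through to the implicit deny.
config firewall policy
    edit 10
        set name "Allow-CountryX-to-Server1"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Country-X-geo"
        set dstaddr "VIP-Server1"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# Local-in policies govern traffic addressed to the FortiGate itself (here IKE
# on wan1). Lower IDs are evaluated first: 1 accepts the country, 2 denies the
# rest. The explicit deny is added so the intent survives a later edit.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Country-X-geo"
        set dstaddr "all"
        set action accept
        set service "IKE"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "IKE"
        set schedule "always"
    next
end
```

Two points worth checking after applying this: the firewall policy, not the local-in policy, is what decides whether a connection DNATed through the VIP reaches the LAN server, so the country restriction for the two servers belongs in the policy's source address; and `set logtraffic all` on the accept policy plus the implicit-deny log give the forward-traffic log entries needed to confirm that connections from other countries are actually being dropped rather than silently matching some broader policy.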