Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Umesh
Contributor

Geo location ip blocking for particular server

Dear All,

 

I want to block all country except one country, what steps should be taken by me If we have two server inside the LAN and both server are mapped with VIP at Fortigate Firewall.

 

Below is the Diagram what I have shown you. please provide steps on the basis of it.

 

G.JPG

 

Thank you.

6 REPLIES 6
smaruvala
Staff
Staff

Hi,

 

We can use geo location policy for this purpose.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-...

 

Regards,

Shiva

Umesh
Contributor

Hi Shiva,


I tried to enable set match-vip enable in accept policy. but command is not available.

 

We are using 6.4.4 version.

FYI I had gone through fortigate documents - As of FortiOS 6.4.3, match-vip is not allowed in firewall policies when the action is set to accept.

 

Thank you.

pminarik

Since you're looking to permit only a specific set of IPs (GeoIP of country-X), you don't need a deny policy with match-vip.

It should suffice to ensure that all firewall policies using this VIP use exclusively the Geo-IP object of country-X as the source-address value. Remember that anything which is not allowed is by default blocked by the firewall.

[ corrections always welcome ]
Jakob-AHHG

Hi @Umesh,

1: Any reason you are not on FortiOS 7.0.12/13 ??

I would highly recommend to upgrade, if possible.

 

2a: Follow the guide linked above, to create an Address Object for the country you like to Allow.

2b: Make a Local In Policy that allow traffic from that Address Object for the country.

By default, the FortiGate allow all (as I remember) traffic in Local In Policy, and then you make Firewall Policies to limit access.

2c: Make a second Local In Policy that deny all other traffic. Remember: Policies with lowest number have priority over later policies.

 

3: VIP Adresses you then use to NAT between you public IP(s) and internal IP's, either 1:1 IP NAT or 1 IP portmapping to different internap IP's.

Remember that when you create a VirtualIP, you need a matching Firewall Policy that actually allow the traffic.

Hint: If you make a 1:1 NAT mapping, you can then limit what ports are open via the Firewall Policy.

 

Hope that helps a bit.

Jakob Peterhänsel,
IT System Admin,
Arp-Hansen Hotrel Group A/S, Copenhagen, DK
Jakob Peterhänsel,IT System Admin,Arp-Hansen Hotrel Group A/S, Copenhagen, DK
Umesh
Contributor

Not get solution.

princes

Hello ,

 

I think you want to block geolocation address while allowing it for a particular location or source range.

You can achieve this by simply using local in policy.

By default the action is to deny for these policies.

 

So you have to follow the below steps:

1: Create an address object based on geo location or specific address range and service.

2: Create a Local-in-policy and attach the source address as created above.

3: And set action as accept.

4.After that create another local-in-policy and put the same service:

 suppose you want to block IKE service :

config firewall local-in-policy
edit 1
set intf "port1"
set srcaddr all
set dstaddr "all"
set service "IKE"
set schedule "always"

 

Thank you.

Regards,

Prince

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors