Support Forum
vusal_d
New Contributor

GeoIP Blocking seems not working

I have a rule on my FortiGate (FortiGate 1000D) to block some countries (GeoIP blocking), but the rule does not seem to be working.

Can someone help me to find out why?


FortiFw (25) # show
config firewall policy
    edit 25
        set name "GeoIP Block"
        set uuid d40a24de-1cad-51e9-5df4-b01121de63c3
        set srcintf "port9"
        set dstintf "port10"
        set srcaddr "Blocked Countries"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next
end
FortiFw (25) #

1 Solution
Markus
Valued Contributor

Try to set match-vip enable on this rule.

config firewall policy
    edit "25"
        set match-vip enable
end

 

Best, Markus


________________________________________________________
--- NSE 4 ---
________________________________________________________

View solution in original post

________________________________________________________--- NSE 4 ---________________________________________________________
ede_pfau
Esteemed Contributor III

What are you trying to block, which kind of traffic?

There are 2 main categories:

- traffic through the FGT

- traffic to the FGT

 

The first one is controlled by regular policies, and only applies if you use VIPs (destination NAT), unless you use public IP addresses on your LAN.

The second one is controlled by local-in policies. These are configured in the CLI (config firewall local-in).

They control not only management traffic (like brute-force SSH attacks on the WAN port) but also IPsec access.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
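The two traffic categories above, written out as an added FortiGate CLI example (this is not configuration from the thread or from Fortinet): a geography address object, a deny policy for traffic through the FGT with match-vip enabled, and a local-in policy for traffic to the FGT itself. Interface names, policy IDs and the country code are assumptions.

```fortios
# Constructed example; port9/port10, policy IDs and the country code
# "XX" (placeholder ISO code) are assumed, not taken from the thread.

# 1. Geography address object used as the source in both policies.
config firewall address
    edit "Blocked Countries"
        set type geography
        set country "XX"
    next
end

# 2. Traffic THROUGH the FortiGate. With no "set action accept" this is
#    a deny policy. "match-vip enable" is needed so the deny policy also
#    matches sessions whose destination is a VIP (destination NAT);
#    without it, VIP traffic is evaluated against the VIP's own policy
#    and this block is never hit.
config firewall policy
    edit 25
        set name "GeoIP Block"
        set srcintf "port9"
        set dstintf "port10"
        set srcaddr "Blocked Countries"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
end

# 3. Traffic TO the FortiGate itself (management, IPsec, etc.) is not
#    seen by regular policies; it is matched by local-in policies,
#    evaluated top-down, so place the deny above any accept entries.
config firewall local-in-policy
    edit 1
        set intf "port9"
        set srcaddr "Blocked Countries"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end

# Check: confirm a given source address resolves to a blocked country
# before relying on the policy (replace the IP with a real test value).
# diagnose firewall ipgeo ip2country 203.0.113.10
```

After applying, a hit on the deny policy shows up in the traffic log with `logtraffic all`, which is the quickest way to tell whether the policy is being evaluated at all.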
vusal_d

ede_pfau wrote:

What are you trying to block, which kind of traffic?

- traffic to the FGT. All traffic from the above-mentioned countries.

 

ede_pfau wrote:
The second one is controlled by local-in policies. These are configured in the CLI (config firewall local-in).

 

Where can I read about this?

vusal_d
New Contributor

mgrosni wrote:

Try to set match-vip enable on this rule.

config firewall policy
    edit "25"
        set match-vip enable
end

 

Best, Markus

 

That did the job! Thanks
