Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Umesh
Contributor

How Geo location database work at Fortigate Firewall

Dear All,

 

 With reference to Geo location database I few have queries as follows:

 

1. I want to allow only specific country for my business except all, what septs should be taken If public IP are natted with Internal IP  (like virtual IP 192.168.99.1 - 10.1.1.1).

2. How actually Fortigate Firewall's Geo IP database  up to date with Fortigate Gaurd server globally.

 

3. what are the method for it. like should I create normal policy or local policy.

 

4. How to check logs the county which I have blocked, is being blocked or not.

 

5. What are the time frequency of Geo IP database for getting update.

 

Thank you advanced, I will be very happy If I get response as early as want.

 

Thank you

Fortigate learner.

 

 

8 REPLIES 8
AEK
Honored Contributor

Hello

  • Why do you nat public IP with private IP?
  • In your WNN to LAN policy, just allow (or deny) the GeoIP object you have created to access the target ressources
  • GeoIP DB updates every X hours, where X is the update delay that you have configured in System > FortiGuard view
  • You create Firewall policy if you want allow/deny access to internal resources, and you create local-in-policy if you want to allow/deny access to FortiGate itself (VPN, HTTPS to FGT GUI, SSH to FGT CLI, ...)
  • Regarding the logs, your policy must have all traffic logs enabled. Then right click on the policy and click Show matching logs, and you will see all what this policy allowed/denied
AEK
AEK
Umesh
Contributor

Hello AEK,

 

As you said why do you nat public IP with private Ip.

 

If we do not create natting with the help of virtual IP, how internal server will be access from outside  world.

AEK
Honored Contributor

Hi Umesh

Yes this is DNAT, and it nats the destination IP, not the source IP.

AEK
AEK
Umesh
Contributor

Yes, that's correct as you have written.

 

Can you please guide me, how can I block malicious IP to our network, we have created DNAT.

 

thank you.

 

 

 

Jakob-AHHG
Contributor II

Hi @Umesh 
Yeah, you use Virtual IP objects to make NAT from outside to inside IP's.
Either one VIP pr. port you wanna map in, OR a VIP with all ports, and then open the ports in Firewall Rules you want open.
If you have few IP's the needs many services, option 1 is best.
If you have enough public IP's, you can assign one public to each internal IP you like to map.

 

You should be able to see all traffic under Log & Report in your FortiGate.

Jakob Peterhänsel,
IT System Admin,
Arp-Hansen Hotrel Group A/S, Copenhagen, DK
Jakob Peterhänsel,IT System Admin,Arp-Hansen Hotrel Group A/S, Copenhagen, DK
Umesh
Contributor

commented information is correct.

 

But what about to blocking IP or particular group in local policy from wan to LAN.

AEK
Honored Contributor

AEK
AEK
Jakob-AHHG

In FG, Policy & Objects: Adresses:
Under Geography, create an Object for each of the countries you like to Allow or Deny:

FG Adresse Geo.png

Then combine them in an Adress Group, and use that Group in a firewall rule to allow/deny traffic from that area.

Jakob Peterhänsel,
IT System Admin,
Arp-Hansen Hotrel Group A/S, Copenhagen, DK
Jakob Peterhänsel,IT System Admin,Arp-Hansen Hotrel Group A/S, Copenhagen, DK
Labels
Top Kudoed Authors