Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
smccarthy945
New Contributor

How to Block Multiple Countries?

I am trying to block a large list of countries by creating an address group and adding the countries into the group via the geography type.  The problem I am running into is that I have to create a new entry for every single country I want to block in the web interface and it will be incredibly time consuming to sit for hours to add every single country into the address group. Is there a faster way - maybe via the command line - that I can add countries into the address group? 

 

Since we only do business in the US, I want to block a good portion of other countries in my rule sets. Thanks in advance. 

Scott

 

19 REPLIES 19
SCSIraidGURU
Contributor

Source: Blocked Countries Create address list by country name, geography, country is on the list.  I had to do 198 of them and add them to address group Block Countries. 

smccarthy945

While I appreciate the reply, I am not sure what it means? It looks like you tried to post an image but unfortunately, I can't see it. 

ede_pfau

1- I think in v5.4.x there is a 'negate' option in the definition of an address group, at least in the CLI.

2- why don't you just allow the US as source, and leave the rest of the implicit DENY (a.k.a. policy 0)?

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
smccarthy945

So create a rule with an action of accept and only include the United States as the source? That's actually a dam good idea. Thanks!

SCSIraidGURU

We do business in 20 countries.   I block 198 countries at 120,000+ hits a day.   I set it as the first rule. 

smccarthy945

So let me ask a question. I set the 1st rule as the following:

Incoming Int: Internet

Outgoing Int: LAN

Source: United States

Destination Address: ALL

Schedule: Always

Service: ALL

Action: ACCEPT

I don't believe the rule is working as I am not seeing any deny in the logs. Is this the proper way to set this up? Thanks in advance. 

SCSIraidGURU

So let me ask a question. I set the 1st rule as the following:

Incoming Int: Internet

Outgoing Int: LAN

Source: Blocked Country Group of all countries

Destination Address: ALL

Schedule: Always

Service: ALL

Action: DENY

 

This is how I did it.   You want implicit deny rules not implicit allow rules on firewalls.  I added 187 countries to my list. 

SCSIraidGURU

Addresses you can create one country at a time as a geography rule.  They you add in each of them to address group.  So you can't do an implicit allow for US and then implicit deny for all other countries.  That would be the only way to do it 1.)  Allow US 2.) Deny all other countries No way to do this.

 

So you need to create an address for each country.   CA_Aland for Aland Islands, CA_Russia for Russia then create and address group including CA_Aland and CA_Russia as members. 

smccarthy945

Got it. In terms of rules, I have several INTERNET to LAN rules that allow specific services through (IE. Email, Web, etc). Do I create a rule at the top that is specifically set to deny the countries I want to deny or do I block on the individual rules? I am just trying to understand how I implement the rule. Right now, I have a rule at the top of the list called BLOCK_COUNTRIES that has the following properties:

INCOMING:INTERNET

OUTGOING:LAN

SOURCE:COUNTRY_BLOCK

DESTINATION ADDRESS: ALL

SERVICE:ALL

ACTION:DENY

Is this the right way to go about it? Thanks. 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors