We were having trouble accessing a specific website and the issue ended up being our Geo Blocker policy was preventing access to the website. We have temporarily resolved the issue by disabling the Geo Blocker policy but would like to reenable this policy while still allowing access to the website we were previously experiencing issues with. I called the company that owns the website/server, and they gave me the public ip address for their webserver I created both a subnet allow policy and an ip range allow policy to hopefully allow access to this server while the Geo blocker policy is on. Neither allow policies seemed to work and when I looked up the company's server ip address it is located in a country that is not blocked by out firewall. I am assuming they either gave me the wrong ip address, somehow the webserver is associated with a country that is blocked by our policy, or I configured the allow policies wrong. Would anyone be able to assist in listing out the steps required to create this allow policy that will allow public ip address with the geo blocker enabled.
Any other thoughts on the issue are appreciated too. Thank you.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I appreciate you all reaching out. It ended up being the server for Microsoft's b2c identity security service that was being blocked by our Geo Blocker policy which was preventing the website from loading. It was not the server for the company's website we were trying to access.
Hello
Please refer to the document to configure local in policy to allow or block single IP
FortiGate reads the policies from top to bottom in the Firewall Policy list. Make sure the new policy allowing access to the new Web Server is above the GeoBlock policy.
Hi,
To allow single Public IP address through IPV4 policy just follow the below document. Only thing to change is instead of block you need to allow the policy. Also make sure that policy should be above Geo block policy as mentioned by previous engineer.
How to block specific external (public) I... - Fortinet Community
First of all you can confirm the ip address and search forward logs for that ip address if it is being blocked. You can confirm to which country that ip belongs using:
diagnose geoip ip2country x.x.x.x <- the ip address that should be allowed
If it belongs to geographical country that is blocked and you're allowing USA (or any) for example, then you can override that ip and add as if it belongs to that allowed country as per:
config system geoip-override
edit USA <----- Country name.
# config ip-range
edit 1
set start-ip x.x.x.x
set end-ip x.x.x.x
next
end
next
end
Hope this helps.
I appreciate you all reaching out. It ended up being the server for Microsoft's b2c identity security service that was being blocked by our Geo Blocker policy which was preventing the website from loading. It was not the server for the company's website we were trying to access.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.