Pillar
New Contributor

How to allow a single Public IP address

We were having trouble accessing a specific website, and the issue ended up being that our Geo Blocker policy was preventing access to the website. We have temporarily resolved the issue by disabling the Geo Blocker policy but would like to re-enable this policy while still allowing access to the website we were previously experiencing issues with. I called the company that owns the website/server, and they gave me the public IP address for their webserver. I created both a subnet allow policy and an IP range allow policy to hopefully allow access to this server while the Geo Blocker policy is on. Neither allow policy seemed to work, and when I looked up the company's server IP address, it is located in a country that is not blocked by our firewall. I am assuming they either gave me the wrong IP address, somehow the webserver is associated with a country that is blocked by our policy, or I configured the allow policies wrong. Would anyone be able to assist in listing out the steps required to create an allow policy that will allow a public IP address with the Geo Blocker enabled?

 

Any other thoughts on the issue are appreciated too. Thank you.

1 Solution
Pillar
New Contributor

I appreciate you all reaching out. It ended up being the server for Microsoft's b2c identity security service that was being blocked by our Geo Blocker policy which was preventing the website from loading. It was not the server for the company's website we were trying to access.


5 REPLIES 5
Shashwati
Staff

Hello 

Please refer to the document to configure a local-in policy to allow or block a single IP:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-local-in-policy-to-restrict-unauthoriz...

jguerra
Staff

FortiGate reads the policies from top to bottom in the Firewall Policy list.  Make sure the new policy allowing access to the new Web Server is above the GeoBlock policy.

rsondal
Staff

Hi,

To allow a single public IP address through an IPv4 policy, just follow the document below. The only thing to change is that instead of block you need to set the policy to allow. Also make sure that the policy is above the Geo block policy, as mentioned by the previous engineer.
How to block specific external (public) I... - Fortinet Community

FortiArt
Staff

First of all, you can confirm the IP address and search the forward logs for that IP address to see if it is being blocked. You can confirm which country that IP belongs to using:

 

diagnose geoip ip2country x.x.x.x <- the ip address that should be allowed

 

If it belongs to a geographical country that is blocked and you're allowing USA (or any), for example, then you can override that IP and add it as if it belongs to that allowed country, as per:

 

config system geoip-override
    edit USA                                           <----- Country name.
        config ip-range
            edit 1
                set start-ip x.x.x.x
                set end-ip x.x.x.x
            next
        end
    next
end

 

FYI: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Commands-to-verify-GeoIP-information-and/t...

 

Hope this helps.
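
The forward-log search suggested above, as an added example that is not part of the original thread: it lists every destination a client was denied by the geo-block policy, which is how a blocked third-party dependency (the cause in this thread) shows up even when the website's own IP is allowed. The log lines, addresses, country labels and policy ID 7 are constructed; the field names assume FortiGate key=value traffic logs.

```python
import re
from collections import Counter

# Constructed sample in FortiGate key=value traffic-log style (not real data).
# 198.51.100.10 stands in for the website, policy 7 for the geo-block policy.
SAMPLE_LOG = '''\
date=2024-05-01 time=09:14:02 type="traffic" subtype="forward" srcip=10.0.0.21 dstip=198.51.100.10 dstport=443 dstcountry="CountryA" action="accept" policyid=3
date=2024-05-01 time=09:14:03 type="traffic" subtype="forward" srcip=10.0.0.21 dstip=203.0.113.45 dstport=443 dstcountry="CountryB" action="deny" policyid=7
date=2024-05-01 time=09:14:09 type="traffic" subtype="forward" srcip=10.0.0.21 dstip=203.0.113.45 dstport=443 dstcountry="CountryB" action="deny" policyid=7
date=2024-05-01 time=09:15:40 type="traffic" subtype="forward" srcip=10.0.0.30 dstip=203.0.113.99 dstport=443 dstcountry="CountryC" action="deny" policyid=7
date=2024-05-01 time=09:16:11 type="traffic" subtype="forward" srcip=10.0.0.21 dstip=192.0.2.77 dstport=25 dstcountry="CountryA" action="deny" policyid=0
'''

# key=value pairs; values are either "quoted strings" or bare tokens.
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in PAIR.findall(line)}


def geo_denies(log_text, geo_policy_id, srcip=None):
    """Count forward-traffic denies made by the geo-block policy.

    Returns [((dstip, dstcountry), hits), ...], most frequent first.
    Pass srcip to limit the result to one affected client.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "forward" or rec.get("action") != "deny":
            continue
        if rec.get("policyid") != str(geo_policy_id):
            continue  # denied by some other policy, not the geo block
        if srcip and rec.get("srcip") != srcip:
            continue
        if "dstip" not in rec:
            continue  # malformed line
        hits[(rec["dstip"], rec.get("dstcountry", "unknown"))] += 1
    return hits.most_common()


if __name__ == "__main__":
    # The website itself (198.51.100.10) is accepted; a different host is blocked.
    for (dstip, country), count in geo_denies(SAMPLE_LOG, 7, srcip="10.0.0.21"):
        print(f"{dstip:15} {country:10} denied {count}x")
```

Each address it reports can then be checked with the `diagnose geoip ip2country` command from the reply above before deciding on an allow policy or override.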
