Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Negate option or something else?

I would like to block all outbound traffic to Russia, China, PRK and all the usual suspects via a GEO block policy.


HOWEVER, one of our suppliers is Chinese and we need to able to get to their website and their mail servers.  Despite my reticence to allow anything AT ALL to China, this must happen.


What's the cleanest way to do this? Currently I have an outbound policy blocking anything TO these countries but i need to make a number of exceptions.  Should I just add a policy allowing what i want and place it ABOVE the GEO Block?  or is there a graceful way to do this inside the GEO Block policy using the negate source or negate destination functions?  THANKS! 



FortiGate is evaluating policies from top to bottom. So for your case, put on top policies that allow traffic to your supplier and then after keep policy to block all other traffic to GEO IPs.


Hi @UrbyTuesday 


From your description, do you have a list of permitted country or you only have a list of denied country in your mind? If you have only a list of permitted country and the exception is a few of the mentioned website, my think process is as below:

1. Create an address group that contains the permitted country and the exception website IP/FQDN.

2. In the firewall policy, if this is outgoing traffic, you should put the address group in the destination and set the action to permit. This would means that only the hosts within the address object group is permitted.

**This is provided that you do not have other firewall policy that allows the respective traffic.


The negate feature may not be useful in the case of the exception that you want to establish with your supplier. If you only wanted to block the mentioned countries, I am thinking as below:

1. Create an address object group that contains the whitelisted webserver and mailserver of your supplier.

2. Create a firewall policy that permit the traffic and place it at the top

3. Create an address object group that contains all the countries that you want to block

4. Create another firewall policy, setting the destination as the address object created in step 3, enable dstaddr-negate and set the action as enable


The latter scenario would allow exception on your supplier webserver and mailserver, while the second firewall policy would allow connection to other countries except those that you defined in the address object created in step 3.

Kayzie Cheng