I would like to block all outbound traffic to Russia, China, PRK and all the usual suspects via a GEO block policy.
HOWEVER, one of our suppliers is Chinese and we need to able to get to their website and their mail servers. Despite my reticence to allow anything AT ALL to China, this must happen.
What's the cleanest way to do this? Currently I have an outbound policy blocking anything TO these countries but i need to make a number of exceptions. Should I just add a policy allowing what i want and place it ABOVE the GEO Block? or is there a graceful way to do this inside the GEO Block policy using the negate source or negate destination functions? THANKS!
From your description, do you have a list of permitted country or you only have a list of denied country in your mind? If you have only a list of permitted country and the exception is a few of the mentioned website, my think process is as below:
1. Create an address group that contains the permitted country and the exception website IP/FQDN.
2. In the firewall policy, if this is outgoing traffic, you should put the address group in the destination and set the action to permit. This would means that only the hosts within the address object group is permitted.
**This is provided that you do not have other firewall policy that allows the respective traffic.
The negate feature may not be useful in the case of the exception that you want to establish with your supplier. If you only wanted to block the mentioned countries, I am thinking as below:
1. Create an address object group that contains the whitelisted webserver and mailserver of your supplier.
2. Create a firewall policy that permit the traffic and place it at the top
3. Create an address object group that contains all the countries that you want to block
4. Create another firewall policy, setting the destination as the address object created in step 3, enable dstaddr-negate and set the action as enable
The latter scenario would allow exception on your supplier webserver and mailserver, while the second firewall policy would allow connection to other countries except those that you defined in the address object created in step 3.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.