Created on 06-30-2011 02:36 AM Edited on 03-24-2022 12:17 PM By Anonymous
Description
Scope
Solution
#config firewall address
edit China
set type geography
set country CN
set interface wan1
end
On FortiOS 4.0 MR3:
A diagnose command can be used to view more information about geography-based addressing. The command displays country and address information for the countries that have been added to firewall addresses:
#diagnose firewall ipgeo {country-list | ip-list | ip2country}
where:
- country-list shows all of the countries that have been added to a firewall address.
- ip-list shows the IP addresses of a specified country or all of the countries added to firewall addresses.
- ip2country shows the country of origin for a specified IP address. The address must be assigned to one of the countries that has been added to a firewall address.
For example, use the following command to view the countries that have been added to a firewall address. The example command output shows that a firewall address has been added for China.
#diagnose firewall ipgeo country-list
Total countries loaded:1
CN
On FortiOS 5.0:
The diagnose command has more options compared to the previous version:
#diagnose firewall ipgeo {copyright-notice | country-list | ip-list | ip2country | override }
where, in addition to the previous ones:
• copyright-notice shows the copyright note
• override prints out all user defined IPgeo data
Override can be defined with the new CLI command:
#config system geoip-override
where it is possible to specify an IP address range to be associated with a customized country group (country-id):
#config system geoip-override
edit "test"
set country-id "A0"
config ip-range
edit 1
set start-ip 7.7.7.7
set end-ip 7.7.7.8
next
end
next
end
After creating a customized country with the geoip-override command, the new country name is added automatically to the country list and is available in the Firewall Address Country field.
Scenario: Allowing the traffic from a new Country which is not on the GEOIP database list to a Server
1) Create an override for the new country called "FreeLand" by running the following CLI commands:
#config system geoip-override
(geoip-override) # edit FreeLand
(FreeLand) # config ip-range
(ip-range) # edit 0
(0) # set start-ip 7.7.7.7
(0) # set end-ip 7.7.7.7
(0) # end
(FreeLand) # end
2) Create a Firewall Address Object that has country set to this override under Firewall Object -> Address -> Addresses in the GUI or by running the following CLI commands:
#config firewall address
(address) # edit NewCountry
(NewCountry) # set type geography
(NewCountry) # set country A0 /* A0 is a customized country group (country-id) which has been set to the customized country automatically */
(NewCountry) # end
3) Configure a firewall policy that allows traffic coming from the FreeLand country to access the server under Policy -> Policy -> Policy in the GUI or by running the following CLI commands:
# config firewall policy
(policy) # edit 0
(0) # set srcintf wan1
(0) # set dstintf internal
(0) # set srcaddr NewCountry
(0) # set dstaddr Server_vip
(0) # set action accept
(0) # set schedule always
(0) # set service ALL
(0) # end
Additionally, the IPgeo database is updated via FortiGuard on FortiOS 5.0 and the following CLI commands are available:
#execute update-geo-ip <----- To update the database
#diagnose autoupdate versions <----- To check the current database version
IP Geography DB
---------
Version: 1.009
Contract Expiry Date: N/A
Last Update Date: Wed Jan 9 22:22:19 2013
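An override changes which country a source IP is treated as belonging to, and therefore which geography-based policies match it, so the override list is worth reviewing offline. The script below is an added example (not Fortinet code): it parses a `config system geoip-override` block from a saved configuration and reports every override whose ranges contain a given IP. The function names are hypothetical and the sample dump is constructed from the "test" and "FreeLand" overrides on this page.

```python
import ipaddress
import shlex

# Constructed dump combining the "test" and "FreeLand" overrides from this page.
SAMPLE = """config system geoip-override
    edit "test"
        set country-id "A0"
        config ip-range
            edit 1
                set start-ip 7.7.7.7
                set end-ip 7.7.7.8
            next
        end
    next
    edit "FreeLand"
        config ip-range
            edit 1
                set start-ip 7.7.7.7
                set end-ip 7.7.7.7
            next
        end
    next
end
"""

def parse_overrides(text):
    """Return {override name: [(start_ip, end_ip), ...]} from a config dump."""
    overrides, stack, name, start = {}, [], None, None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))      # track nesting of config blocks
        elif tok[0] == "end" and stack:
            stack.pop()
        elif stack[:1] != ["system geoip-override"]:
            continue                             # line belongs to another section
        elif tok[0] == "edit" and len(stack) == 1:
            name = tok[1]
            overrides[name] = []
        elif tok[:2] == ["set", "start-ip"]:
            start = ipaddress.ip_address(tok[2])
        elif tok[:2] == ["set", "end-ip"] and start is not None:
            overrides[name].append((start, ipaddress.ip_address(tok[2])))
    return overrides

def lookup(overrides, ip):
    """Names of every override containing ip; more than one means an overlap."""
    ip = ipaddress.ip_address(ip)
    return sorted(n for n, rs in overrides.items() if any(s <= ip <= e for s, e in rs))
```

With the sample above, `lookup(parse_overrides(SAMPLE), "7.7.7.7")` returns both overrides, because the two example ranges on this page overlap on that address.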