AdrianR
New Contributor III

Geo Blocking with SD-Wan enable

Hello, I want to make a policy with geo blocking on my wan port that's inside an SD-WAN interface. I tried to configure the policy with the incoming interface SD-WAN but it doesn't work. If I take my wan out of the SD-WAN and configure the policy with the incoming interface wan, it works correctly. How can I configure the policy using SD-WAN?

I tried looking online for the answer but couldn't find anything with SD-WAN. Thanks for the help!

1 Solution
ezhupa
Staff

Hi Adrian, 

You can also configure local-in policies following the below documentation. You just need to adjust it to your own case:
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/363127/local-in-policy


12 REPLIES
scan888
Contributor

Hi Adrian

Actually, it should work.

After you add the interface to the SD-WAN interface you need to create firewall policies with the matching SD-WAN interface.

For example:

config firewall policy
    edit 0
        set name "Internet to local System"
        # "virtual-wan-link" is the SD-WAN zone name; use your own if renamed
        set srcintf "virtual-wan-link"
        set dstintf "<Dst. Interface>"
        set action accept
        set srcaddr "<your allowed GEO Object>"
        set dstaddr "<your VIP Object>"
        set schedule "always"
        set service "ALL"
    next
end
- Have you found a solution? Then give your helper a "Like" and mark the solution.
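Putting the accepted answer's local-in policy and scan888's SD-WAN-zone firewall policy together, here is an added example of what a complete geo-block configuration could look like in the FortiOS CLI. It is not configuration from this thread or from Fortinet's documentation; it assumes the physical SD-WAN member is wan1, the SD-WAN zone keeps its default name virtual-wan-link, the internal interface is named lan, and "XX" stands in for the two-letter country code to block.

```fortios
# Geography address object for the country to block ("XX" is a placeholder)
config firewall address
    edit "GEO-BLOCK-XX"
        set type geography
        set country "XX"
    next
end

# Local-in policy: drops traffic from that country that is aimed at the
# FortiGate itself (management, VPN, ...). It is bound to the physical
# SD-WAN member (assumed wan1), not to the SD-WAN zone.
config firewall local-in-policy
    edit 0
        set intf "wan1"
        set srcaddr "GEO-BLOCK-XX"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end

# Firewall policy: drops forwarded traffic from that country entering through
# the SD-WAN zone. A deny policy cannot select a VIP as destination, so use
# "all" together with match-vip so that DNAT'ed (VIP) traffic is matched too.
config firewall policy
    edit 0
        set name "Deny-GEO-XX-inbound"
        set srcintf "virtual-wan-link"
        set dstintf "lan"
        set action deny
        set srcaddr "GEO-BLOCK-XX"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
end
```

The deny policy must sit above every VIP allow policy in the sequence (use `move <id> before <id>` under `config firewall policy`); with logging enabled, the Forward Traffic log then shows its policy ID for the dropped connections.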
AdrianR
New Contributor III

Thanks for the quick reply scan888, I have my policy configured like this:

[Screenshot of the policy configuration, not reproduced]

When I have the Deny option enabled I can't assign a VIP.

scan888

Hi @AdrianR 

Your rule blocks any connections coming from your selected country to any hosts behind the "lan" switch.

I'm not sure what exactly you would like to achieve, because this rule only helps if you have any VIP rules below it. If you have no forwardings from the Internet to your "lan" switch, the implicit deny rule blocks the connections anyway.

- Have you found a solution? Then give your helper a "Like" and mark the solution.
AdrianR
New Contributor III

That's correct, I'm trying to block any connections from those countries, but it isn't working: I'm still able to access from those countries.

scan888

Enable logging on all rules and check the log in the "Log & Report" section. For all allowed traffic you see the corresponding rule ID.

Double-check that you have no allow policy above this rule.

Otherwise, use the debug commands:

diag debug enable
diag debug flow filter addr <your destination ip>
diag debug flow filter port <your testing port>
diag debug flow trace start 10

Produce test traffic and check which firewall policy is allowing the traffic.

- Have you found a solution? Then give your helper a "Like" and mark the solution.
AdrianR
New Contributor III

scan888 thanks a lot for taking the time to help me. I tried the commands but didn't see any output in my test:

[Screenshot of the debug output, not reproduced]

But the policy accepting the traffic is the one below:

I even tried to block all incoming traffic with "all" as source but it doesn't work:

[Screenshot of the second policy example, not reproduced]

AEK
Honored Contributor

Try putting your interface in SD-WAN again but keep the policy with the original wan interface (not SD-WAN).

AEK
AdrianR
New Contributor III

Hello AEK, the SD-WAN configuration won't let me add the wan interface back in because it's being used by the original policy with the wan interface as the incoming interface.

AEK
Honored Contributor

Hello Adrian

Which FOS version?

AEK