Support Forum
Umesh
Contributor

Geo location ip blocking for particular server

Dear All,

 

I want to block all countries except one. What steps should I take if we have two servers inside the LAN and both servers are mapped with a VIP on the FortiGate firewall?

 

Below is the diagram I have attached. Please provide steps based on it.

 

G.JPG

 

Thank you.

smaruvala
Staff

Hi,

 

We can use geo location policy for this purpose.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-...

 

Regards,

Shiva

Umesh
Contributor

Hi Shiva,


I tried to enable "set match-vip enable" in an accept policy, but the command is not available.

 

We are using 6.4.4 version.

FYI, I have gone through the FortiGate documents: as of FortiOS 6.4.3, match-vip is not allowed in firewall policies when the action is set to accept.

 

Thank you.

pminarik

Since you're looking to permit only a specific set of IPs (GeoIP of country-X), you don't need a deny policy with match-vip.

It should suffice to ensure that all firewall policies using this VIP use exclusively the Geo-IP object of country-X as the source address value. Remember that anything which is not explicitly allowed is blocked by the firewall by default.

[ corrections always welcome ]
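The approach described in this reply, written out as an added CLI example (this is my own illustration, not configuration from the thread or from Fortinet): one geography address object, one VIP per internal server from the original question, and firewall policies whose only source is that geography object. The interface names (wan1, internal), the public and internal IPs (RFC 5737 / RFC 1918 ranges), the country code and the services are placeholder assumptions; substitute your own.

```fortios
# Added example, not from the thread. Assumed placeholders: wan1, internal,
# 203.0.113.x public IPs, 192.168.10.x server IPs, country code "IN".
config firewall address
    edit "GEO-ALLOWED"
        set type geography
        set country "IN"
    next
end

config firewall vip
    edit "VIP-SRV1"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.10.10"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
    edit "VIP-SRV2"
        set extintf "wan1"
        set extip 203.0.113.11
        set mappedip "192.168.10.11"
    next
end

# Every policy that references the VIPs uses GEO-ALLOWED as its only source.
# Traffic from any other country matches no policy and is dropped by the
# implicit deny (policy ID 0); no explicit deny policy is needed.
config firewall policy
    edit 10
        set name "GEO-to-SRV1"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "GEO-ALLOWED"
        set dstaddr "VIP-SRV1"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 11
        set name "GEO-to-SRV2"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "GEO-ALLOWED"
        set dstaddr "VIP-SRV2"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
        set logtraffic all
    next
end
```

The 1:1 VIP for the second server still only exposes the ports listed in the policy's service field, which is the port-limiting effect of the firewall policy mentioned elsewhere in this thread. With logtraffic set to all on the accept policies, the permitted connections are visible in the forward traffic log, so you can confirm that only sources resolved to the allowed country are reaching the servers.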
Jakob-AHHG

Hi @Umesh,

1: Any reason you are not on FortiOS 7.0.12/13?

I would highly recommend upgrading, if possible.

 

2a: Follow the guide linked above to create an Address Object for the country you would like to allow.

2b: Make a Local In Policy that allows traffic from that Address Object for the country.

By default, the FortiGate allows all traffic (as I remember) in the Local In Policy, and then you make Firewall Policies to limit access.

2c: Make a second Local In Policy that denies all other traffic. Remember: policies with the lowest number have priority over later policies.

 

3: VIP addresses you then use to NAT between your public IP(s) and internal IPs, either 1:1 IP NAT or one IP port-mapped to different internal IPs.

Remember that when you create a Virtual IP, you need a matching Firewall Policy that actually allows the traffic.

Hint: If you make a 1:1 NAT mapping, you can then limit what ports are open via the Firewall Policy.

 

Hope that helps a bit.

Jakob Peterhänsel,
IT System Admin,
Arp-Hansen Hotel Group A/S, Copenhagen, DK
Umesh
Contributor

I did not get a solution.

princes

Hello,

 

I think you want to block geolocation address while allowing it for a particular location or source range.

You can achieve this by simply using local in policy.

By default, the action is deny for these policies.

 

So you have to follow the below steps:

1: Create an address object based on geo location or specific address range and service.

2: Create a Local-in-policy and attach the source address as created above.

3: And set action as accept.

4: After that, create another local-in-policy with the same service.

Suppose you want to block the IKE service:

config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "IKE"
        set schedule "always"
    next
end

 

Thank you.

Regards,

Prince
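The local-in-policy procedure given in this reply (and in Jakob's steps 2a to 2c above), carried through as one added CLI example. This is my illustration, not configuration from the thread; the interface name wan1, the country code and the HTTPS service are placeholder assumptions. It shows the ordering point the thread makes: the accept entry gets the lower ID so it is evaluated before the catch-all deny for the same service.

```fortios
# Added example, not from the thread. Assumed placeholders: wan1, country "IN",
# service HTTPS. Replace with your own interface, country and service.
config firewall address
    edit "GEO-ALLOWED"
        set type geography
        set country "IN"
    next
end

config firewall local-in-policy
    # Lower ID is evaluated first: accept the chosen country for the service.
    edit 1
        set intf "wan1"
        set srcaddr "GEO-ALLOWED"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    # Higher ID: deny the same service from every other source.
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
    next
end
```

If the two entries are created in the opposite order (deny as ID 1, accept as ID 2), the deny matches first and the allowed country is blocked as well, so check the IDs with "show firewall local-in-policy" after entering the configuration. Note that local-in policies govern traffic addressed to the FortiGate itself; the firewall policies that reference the VIPs (pminarik's reply above) are still what permit the forwarded traffic to the servers.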
