Umesh
Contributor

How the Geo location database works on a FortiGate firewall

Dear All,

With reference to the Geo location database, I have a few queries as follows:

1. I want to allow only a specific country for my business and block all others. What steps should be taken if public IPs are NATed to internal IPs (like virtual IP 192.168.99.1 - 10.1.1.1)?

2. How does the FortiGate firewall's Geo IP database actually stay up to date with the FortiGuard servers globally?

3. What are the methods for it? Should I create a normal policy or a local policy?

4. How can I check in the logs whether the country I have blocked is being blocked or not?

5. How frequently does the Geo IP database get updated?

Thank you in advance. I will be very happy if I get a response as early as possible.

Thank you

Fortigate learner.

8 REPLIES
AEK
SuperUser

Hello

  • Why do you NAT a public IP to a private IP?
  • In your WAN to LAN policy, just allow (or deny) the GeoIP object you have created to access the target resources
  • GeoIP DB updates every X hours, where X is the update delay that you have configured in the System > FortiGuard view
  • You create a Firewall policy if you want to allow/deny access to internal resources, and you create a local-in-policy if you want to allow/deny access to the FortiGate itself (VPN, HTTPS to FGT GUI, SSH to FGT CLI, ...)
  • Regarding the logs, your policy must have all traffic logs enabled. Then right-click on the policy and click Show matching logs, and you will see everything this policy allowed/denied
Umesh
Contributor

Hello AEK,

You asked why we NAT a public IP to a private IP.

If we do not create NAT with the help of a virtual IP, how will the internal server be accessed from the outside world?

AEK

Hi Umesh

Yes this is DNAT, and it nats the destination IP, not the source IP.

Umesh
Contributor

Yes, that's correct, as you have written.

Can you please guide me on how I can block malicious IPs from reaching our network? We have created DNAT.

Thank you.

Jakob-AHHG
Contributor II

Hi @Umesh
Yeah, you use Virtual IP objects to make NAT from outside to inside IPs.
Either one VIP per port you want to map in, OR a VIP with all ports, and then open the ports you want open in Firewall Rules.
If you have few IPs that need many services, option 1 is best.
If you have enough public IPs, you can assign one public IP to each internal IP you would like to map.

You should be able to see all traffic under Log & Report in your FortiGate.

Jakob Peterhänsel,
IT System Admin,
Arp-Hansen Hotel Group A/S, Copenhagen, DK
Umesh
Contributor

The commented information is correct.

But what about blocking an IP or a particular group in a local policy from WAN to LAN?

Jakob-AHHG

In FG, Policy & Objects: Addresses:
Under Geography, create an Object for each of the countries you would like to Allow or Deny:

[Image: FG Adresse Geo.png]

Then combine them in an Address Group, and use that Group in a firewall rule to allow/deny traffic from that area.

Jakob Peterhänsel,
IT System Admin,
Arp-Hansen Hotel Group A/S, Copenhagen, DK
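
One way to confirm from exported traffic logs that a geography-based rule like the one described in this thread is doing what was intended (an added example, not posted by anyone in the thread). The log lines are constructed samples in FortiGate's key=value traffic-log style; matching on the VIP's external address in `dstip` and treating every action other than `deny` as allowed are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic); 192.168.99.1 is the VIP from the question.
SAMPLE_LOG = '''\
date=2024-01-10 time=09:00:01 type="traffic" subtype="forward" srcip=198.51.100.7 srccountry="Denmark" dstip=192.168.99.1 policyid=10 action="accept"
date=2024-01-10 time=09:00:05 type="traffic" subtype="forward" srcip=203.0.113.20 srccountry="Brazil" dstip=192.168.99.1 policyid=0 action="deny"
date=2024-01-10 time=09:00:09 type="traffic" subtype="forward" srcip=203.0.113.99 srccountry="United States" dstip=192.168.99.1 policyid=11 action="accept"
date=2024-01-10 time=09:00:12 type="traffic" subtype="forward" srcip=203.0.113.21 srccountry="Brazil" dstip=192.168.99.2 policyid=12 action="accept"
'''

# key=value pairs; quoted values may contain spaces ("United States").
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of strings."""
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in FIELD_RE.findall(line)}


def audit_geo(log_text, vip_ip, allowed_countries):
    """Summarise traffic to vip_ip by source country.

    Returns (counts, leaks): counts maps (country, verdict) to a session count,
    leaks lists (srcip, country, policyid) for sessions that were not denied
    although the source country is outside allowed_countries.
    """
    counts = Counter()
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "traffic" or rec.get("dstip") != vip_ip:
            continue  # other log types and other destinations are out of scope
        country = rec.get("srccountry", "unknown")
        blocked = rec.get("action") == "deny"  # assumption: anything else passed
        counts[(country, "blocked" if blocked else "allowed")] += 1
        if not blocked and country not in allowed_countries:
            leaks.append((rec.get("srcip"), country, rec.get("policyid")))
    return counts, leaks


if __name__ == "__main__":
    counts, leaks = audit_geo(SAMPLE_LOG, "192.168.99.1", {"Denmark"})
    for (country, verdict), n in sorted(counts.items()):
        print(f"{country:15} {verdict:8} {n}")
    for srcip, country, policyid in leaks:
        print(f"LEAK: {srcip} ({country}) passed by policy {policyid}")
```

A leak line names the policy ID that let the session through, which is the rule to review for a missing or overly broad source address.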