Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mouse51180
New Contributor

Geo Blocking

Im in the middle of setting up a policy to block all traffic outside of the US.   It appears I have to add each country to the Policy & Objects > Addresses section separately and then create a group and add the addresses to the group ...then create a policy to block the group.  I have started to do that and it appears to be working fine, but I was wondering if there is a way to create an allow list instead? I thought if I setup a policy to Allow US, but no one else...will this block everyone else?  I didnt know if the data would be read through the security like...data from country b arrives....policy 1: its not US...go to policy 2-9...there are no other policies that "block" country B...allow data.... Or will it be...  data from country  b arrives...policy 1: its not US...blocked...dont care about other policies. It seem like the default is ...if there is no policy...let it through.

1 Solution
ede_pfau
Esteemed Contributor III

If I may indecently point you to this page where exactly this is laid out, with ready-to-use batch command files for the geo-objects and an example of how to allow incoming (towards the FGT) traffic from just one country.

 

I am not 100% sure if the list of geo-objects is identical to that in FortiOS v6.2 but it'll work. The correlation between country name and IP ranges is constantly updated online in FortiOS.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

View solution in original post

Ede"Kernel panic: Aiee, killing interrupt handler!"
9 REPLIES 9
Toshi_Esumi
Esteemed Contributor III

Simply put the allowed US polity at the top. Then deny all next, which includes all other countries.

mouse51180

Tell me if this is correct...

 

See attached screenshot

 

I would think that Traffic would come in from the US....hit policy ID 33....it is US based...to it goes to next policy.  Policy ID 31 then checks it and see that it is traffic from the ANY group and then its blocked.

Toshi_Esumi
Esteemed Contributor III

Actually the "deny all" is implicitly there already. You don't need it. It should be working as you intended with the current set up with the second one "disabled".

mouse51180

Ok...I just have the second policy disabled because I didnt want to enable it and accidently lock myself out... Nothing better than struggling through CLI recovery on a Monday afternoon... 

 

I will keep what is in place active and monitor the logs and see if anything slips through.  Thanks for the help.

mouse51180

I dont think that worked.  I have the top most policy to US allow and the second policy disabled with All and Deny and looking in the logs I can see out of country traffic coming in at the time I implemented the changes and continuing to come through.  

Dave_Hall
Honored Contributor

Depending on what you are trying to achieve, you just might want to set the GEO blocking on a local-in-policy - that's assuming you are trying to block anything directed at the firewall itself. 

 

If you have internal devices (behind the firewall) making/establishing connections to GEO countries outside the US then I would investigate the cause/reasons for this with the owner(s) of those devices and/or just block access from Internal-->WAN to those GEO countries.  But try the local-in-policy first.  YMMV.

 

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
mouse51180

I am trying to  block all traffic from the web that is not US originating.  We don't want to block any outgoing.

 

 

ede_pfau
Esteemed Contributor III

If I may indecently point you to this page where exactly this is laid out, with ready-to-use batch command files for the geo-objects and an example of how to allow incoming (towards the FGT) traffic from just one country.

 

I am not 100% sure if the list of geo-objects is identical to that in FortiOS v6.2 but it'll work. The correlation between country name and IP ranges is constantly updated online in FortiOS.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
mouse51180

I just finished typing all these out by hand on my second and last firewall.  Just a bit too slow on getting your reply.  Thanks.  I will use that for the next time I have to set this up.... which of course will probably be never.  :D Thanks again

Labels
Top Kudoed Authors