Geo Blocking (Answered)

Author
mouse51180
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/03/07 11:15:18
  • Status: offline
2019/07/29 08:23:50 (permalink)
0

Geo Blocking

I'm in the middle of setting up a policy to block all traffic from outside of the US.

It appears I have to add each country to the Policy & Objects > Addresses section separately, then create a group and add the addresses to the group, then create a policy to block the group. I have started to do that and it appears to be working fine, but I was wondering if there is a way to create an allow list instead?

I thought if I set up a policy to Allow US, but no one else... will this block everyone else? I didn't know if the data would be read through the security like: data from country B arrives... policy 1: it's not US... go to policy 2-9... there are no other policies that "block" country B... allow data...
Or will it be: data from country B arrives... policy 1: it's not US... blocked... don't care about other policies.

It seems like the default is... if there is no policy, let it through.
#1
Toshi Esumi
Expert Member
  • Total Posts : 1647
  • Scores: 139
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Geo Blocking 2019/07/29 09:15:14 (permalink)
0
Simply put the allowed US policy at the top. Then deny all next, which includes all other countries.
#2
mouse51180
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/03/07 11:15:18
  • Status: offline
Re: Geo Blocking 2019/07/29 10:48:06 (permalink)
0
Tell me if this is correct...

See attached screenshot

I would think that traffic would come in from the US... hit policy ID 33... it is US based... so it goes to the next policy. Policy ID 31 then checks it and sees that it is traffic from the ANY group and then it's blocked.

post edited by mouse51180 - 2019/07/29 10:54:55

Attached Image(s): [screenshot not included in this copy]
#3
Toshi Esumi
Expert Member
  • Total Posts : 1647
  • Scores: 139
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Geo Blocking 2019/07/29 11:08:35 (permalink)
0
Actually the "deny all" is implicitly there already. You don't need it. It should be working as you intended with the current setup with the second one "disabled".
#4
mouse51180
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/03/07 11:15:18
  • Status: offline
Re: Geo Blocking 2019/07/29 11:17:37 (permalink)
0
Ok... I just have the second policy disabled because I didn't want to enable it and accidentally lock myself out...

Nothing better than struggling through CLI recovery on a Monday afternoon...

I will keep what is in place active and monitor the logs and see if anything slips through. Thanks for the help.
#5
mouse51180
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/03/07 11:15:18
  • Status: offline
Re: Geo Blocking 2019/07/29 11:37:48 (permalink)
0
I don't think that worked. I have the topmost policy set to US allow and the second policy disabled with All and Deny, and looking in the logs I can see out-of-country traffic coming in at the time I implemented the changes and continuing to come through.

Attached Image(s): [screenshot not included in this copy]
#6
Dave Hall
Expert Member
  • Total Posts : 1477
  • Scores: 163
  • Reward points: 0
  • Joined: 2012/05/11 07:55:58
  • Location: Canada
  • Status: offline
Re: Geo Blocking 2019/07/29 12:10:01 (permalink)
0
Depending on what you are trying to achieve, you just might want to set the GEO blocking on a local-in-policy; that's assuming you are trying to block anything directed at the firewall itself.

If you have internal devices (behind the firewall) making/establishing connections to GEO countries outside the US, then I would investigate the cause/reasons for this with the owner(s) of those devices and/or just block access from Internal-->WAN to those GEO countries. But try the local-in-policy first. YMMV.

NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
#7
mouse51180
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/03/07 11:15:18
  • Status: offline
Re: Geo Blocking 2019/08/01 07:51:51 (permalink)
0
I am trying to block all traffic from the web that is not US originating. We don't want to block any outgoing.
#8
ede_pfau
Expert Member
  • Total Posts : 6047
  • Scores: 480
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: Geo Blocking 2019/08/01 10:46:26 (permalink) ☼ Best Answer by mouse51180 2019/08/01 11:17:59
5 (1)
If I may indecently point you to this page where exactly this is laid out, with ready-to-use batch command files for the geo-objects and an example of how to allow incoming (towards the FGT) traffic from just one country.
 
I am not 100% sure if the list of geo-objects is identical to that in FortiOS v6.2 but it'll work. The correlation between country name and IP ranges is constantly updated online in FortiOS.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
#9
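Putting Toshi Esumi's ordering advice (allow US first, deny everything else, first match wins) together with Dave Hall's local-in-policy suggestion, here is an added FortiOS CLI example; it is not from this thread or from the page ede_pfau links to. The address name `geo-US`, the interface `wan1` and the service list are assumptions.

```fortios
# Added example (not from the thread): a geography address object plus a
# local-in policy pair that accepts only US-sourced traffic aimed at the
# FortiGate itself. Names (geo-US, wan1) and services are assumptions.

# 1. One geography address object covers every IP range FortiOS currently
#    maps to the country, so an allow list needs no per-country objects
#    and no address group.
config firewall address
    edit "geo-US"
        set type geography
        set country "US"
    next
end

# 2. Local-in policies are matched top-down; the first match wins.
#    Policy 1 accepts US sources, policy 2 denies everything else.
#    The deny is written out explicitly here rather than relying on an
#    implicit deny, so nothing falls through to the interface's own
#    administrative access settings.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "geo-US"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
    next
end

# 3. For traffic forwarded through the FortiGate (e.g. to an internal
#    server published with a VIP), a single WAN -> internal firewall
#    policy with srcaddr "geo-US" is enough: anything that matches no
#    firewall policy hits the implicit deny, as noted in the thread.
```

After applying, `show firewall local-in-policy` lists the two entries in evaluation order; review the local traffic log to confirm non-US sources are recorded as denied rather than accepted.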
mouse51180
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/03/07 11:15:18
  • Status: offline
Re: Geo Blocking 2019/08/01 11:17:45 (permalink)
0
I just finished typing all these out by hand on my second and last firewall.  Just a bit too slow on getting your reply. 

Thanks.  I will use that for the next time I have to set this up.... which of course will probably be never.  :D

Thanks again
#10