- David Galiata
Throughout this week I've been working with a customer on an issue where we've been looking at Geo Blocking. I decided to perform a quick test on a FortiGate firewall and was surprised just how easy it was. I'm going to look at implementing this into my normal configs going forward.
The first step is to create an address objects for the countries you want to block.
Go to Policy&Object -> addresses Then select 'create' and 'new address'
Name: Choose a name Type: Select 'Geography' Country: Select the country to block
Again, do this for all the countries to block.
Then, create a group for these countries that needs to be blocked.
Select 'create' and 'new address group'
The last thing to do is to create a policy. Go to Policy & Object -> IPv4 Policy
Below is a sample of the policy. It is essentially inside to outside- Deny to the Geo-Block address group.
Do the same but in reverse for traffic where the source is outside destined for you network.
Test the policies
Enable the policies when ready and perform testing. This is a sample test I performed. As you can see it worked!
You can also check the policy to look at how much traffic has been sent.
I hope this helps!