Using the Geo IP block list
The FortiGuard Geo IP service provides a database that maps IP addresses to countries, satellite providers, and anonymous proxies. The database is updated periodically.
The Geo IP block list is a policy that takes the action you specify when the virtual server receives requests from IP addresses in the blocked country’s IP address space.
For Layer 4 virtual servers, FortiADC blocks access when the first TCP SYN packet arrives. For Layer 7 virtual servers, FortiADC blocks access after the handshake, allowing it to redirect the traffic if you have configured it to do so.
Table 50 lists limitations for Geo IP block list actions.
Table 50: Geo IP block list actions
| Action | Address Type | Profile Limitations |
|---|---|---|
| Pass | IPv4 only | Not supported for HTTP Turbo, RADIUS. |
| Deny | IPv4 only | Not supported for HTTP Turbo, RADIUS. |
| Redirect | IPv4 only | Not supported for HTTP Turbo, RADIUS, FTP, TCP, TCPS, UDP. |
| Send 403 Forbidden | IPv4 only | Not supported for HTTP Turbo, RADIUS, FTP, TCP, TCPS, UDP. |
Basic Steps
1. Configure the connection to FortiGuard so the system can receive periodic Geo IP Database updates. See “Configuring FortiGuard service settings”.
2. Create rules to block traffic from locations.
3. Maintain a whitelist to allow traffic from specified subnets even if they belong to the address space blocked by the Geo IP block list.
4. Select the Geo IP block list and whitelist in the profiles you associate with virtual servers. See “Configuring profiles”.
Before you begin:
You must have Read-Write permission for Security settings.
To configure a Geo IP block list:
1. Go to Security > Geo IP.
2. Click the Geo IP tab to create a block list and the Whitelist tab to create a whitelist.
3. Complete the block list configuration as described in Table 51 and the whitelist configuration as described in Table 52.
4. Save the configuration.
Table 51: Geo IP block list configuration
| Settings | Guidelines |
|---|---|
| Name | Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. After you initially save the configuration, you cannot edit the name. |
| Log | Enable/disable logging. |
| Action | Pass: Allow the traffic. Deny: Drop the traffic. Redirect: Send a redirect. You specify the redirect URL on the profile configuration page. Send 403 Forbidden: Send the HTTP response code 403. Note: Layer 4 and TCPS virtual servers do not support Redirect or Send 403 Forbidden. If you apply a Geo IP configuration that uses these options to a Layer 4 or TCPS virtual server, FortiADC logs the action as Redirect or Send 403 Forbidden, but in fact denies the traffic. |
| Severity | The severity to apply to the event: Low, Medium, or High. Severity is useful when you filter and sort logs. |
| Status | Enable/disable the configuration. |
| Member | |
| Country | Select a geolocation object. The list includes countries as well as selections for anonymous proxies and satellite providers. |
 
Table 52: Geo IP whitelist configuration
| Settings | Guidelines |
|---|---|
| Name | Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. After you initially save the configuration, you cannot edit the name. |
| Description | A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use. |
| Status | Enable/disable the exception. You might have occasion to toggle the exception off and on. |
| Member | |
| IP Subnet | Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.0/24. Dotted quad formatted subnet masks are not accepted. IPv6 addresses are not supported. |
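
The following pre-flight check is an added example, not Fortinet code: it applies the Table 50 action limits, the name rules, and the whitelist IP Subnet rules to a planned configuration before you enter it. The dictionary layout, function names, and sample values are assumptions made for illustration.

```python
import ipaddress
import re

# Profile types on which each action is not supported (transcribed from Table 50).
BASE = {"HTTP Turbo", "RADIUS"}
EXTENDED = BASE | {"FTP", "TCP", "TCPS", "UDP"}
UNSUPPORTED = {"Pass": BASE, "Deny": BASE,
               "Redirect": EXTENDED, "Send 403 Forbidden": EXTENDED}
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")  # valid name characters, no spaces

def check_name(name):
    """True if the configuration name uses only A-Z, a-z, 0-9, _ and -."""
    return bool(NAME_RE.fullmatch(name))

def check_whitelist_member(entry):
    """Return None for an IPv4 address with a CIDR prefix, else the reason it fails."""
    addr, sep, mask = entry.partition("/")
    if ":" in addr:
        return "IPv6 addresses are not supported"
    if not sep or not mask.isdigit():
        return "mask must be a CIDR prefix length; dotted quad is not accepted"
    try:
        ipaddress.IPv4Network(entry, strict=False)
    except ValueError as exc:
        return str(exc)
    return None

def check_action(action, profile_type):
    """Return None if Table 50 allows this action on the profile type."""
    bad = profile_type in UNSUPPORTED[action]
    return f"{action} is not supported for {profile_type} profiles" if bad else None

def lint(block_list, whitelist, profile_type):
    """Collect every finding for one block list, whitelist and profile type."""
    findings = [f"invalid name: {c['name']!r}"
                for c in (block_list, whitelist) if not check_name(c["name"])]
    problem = check_action(block_list["action"], profile_type)
    if problem:
        findings.append(problem)
    for member in whitelist["members"]:
        reason = check_whitelist_member(member)
        if reason:
            findings.append(f"whitelist {member}: {reason}")
    return findings

# Constructed sample: Redirect on a TCPS profile plus one dotted-quad whitelist mask.
SAMPLE = lint({"name": "geo-block", "action": "Redirect"}, {"name": "partners",
              "members": ["192.0.2.0/24", "198.51.100.0/255.255.255.0"]}, "TCPS")
```

A Redirect or Send 403 Forbidden finding matters because, per the note in Table 51, a Layer 4 or TCPS virtual server logs that action but actually denies the traffic.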