Using the Geo IP block list

The FortiGuard Geo IP service provides a database that maps IP addresses to countries, satellite providers, and anonymous proxies. The database is updated periodically.

The Geo IP block list is a policy that takes the action you specify when the virtual server receives requests from IP addresses in the blocked country’s IP address space.

For Layer 4 virtual servers, FortiADC blocks access when the first TCP SYN packet arrives. For Layer 7 virtual servers, FortiADC blocks access after the handshake, allowing it to redirect the traffic if you have configured it to do so.

Table 53 lists limitations for Geo IP block list actions.

Table 53: Geo IP block list actions

Action               Profile Limitations
Pass                 IPv4 only. Not supported for HTTP Turbo, RADIUS.
Deny                 IPv4 only. Not supported for HTTP Turbo, RADIUS.
Redirect             IPv4 only. Not supported for HTTP Turbo, RADIUS, FTP, TCP, TCPS, UDP.
Send 403 Forbidden   IPv4 only. Not supported for HTTP Turbo, RADIUS, FTP, TCP, TCPS, UDP.

Basic Steps
  1. Configure the connection to FortiGuard so the system can receive periodic Geo IP Database updates. See Configuring FortiGuard service settings.
  2. Create rules to block traffic from locations.
  3. Maintain a whitelist to allow traffic from specified subnets even if they belong to the address space blocked by the Geo IP block list.
  4. Select the Geo IP block list and whitelist in the profiles you associate with virtual servers. See Configuring virtual server profiles.

Before you begin:

To configure a Geo IP block list:
  1. Go to Security > Geo IP.
  2. Click the Geo IP tab to create a block list and the Whitelist tab to create a whitelist.
  3. Complete the block list configuration as described in Table 54 and the whitelist configuration as described in Table 55.
  4. Save the configuration.

Table 54: Geo IP block list configuration

Settings Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

Log

Enable/disable logging.

Action

  • Pass—Allow the traffic.
  • Deny—Drop the traffic.
  • Redirect—Send a redirect. You specify the redirect URL on the profile configuration page.
  • Send 403 Forbidden—Send the HTTP Response code 403.

Note: Layer 4 and TCPS virtual servers do not support Redirect or Send 403 Forbidden. If you apply a Geo IP configuration that uses either of these actions to a Layer 4 or TCPS virtual server, FortiADC logs the action as Redirect or Send 403 Forbidden, but it actually denies the traffic.

Severity

The severity to apply to the event. Severity is useful when you filter and sort logs:

  • Low
  • Medium
  • High

Status

Enable/disable the configuration.

Member

Country

Select a geolocation object. The list includes countries as well as selections for anonymous proxies and satellite providers.

 

Table 55: Geo IP whitelist configuration

Settings Guidelines

Name

Configuration name. The name can be up to 35 characters long. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed.

After you initially save the configuration, you cannot edit the name.

Description

A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use.

Status

Enable/disable the exception. You might have occasion to toggle the exception off and on.

Member

Type

IP Subnet—Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.0/24. Dotted quad formatted subnet masks are not accepted. IPv6 addresses are not supported.

IP Range—Specify the Start IP and the End IP addresses of the IP range.

Description

Enter a brief description of the IP subnet or IP range, depending on which Type you choose. The description can be up to 1023 characters long. Valid characters are A-Z, a-z, 0-9, _, -, ., and :. No space is allowed.
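
The limits in Table 53, the Layer 4/TCPS note in Table 54 and the name and subnet rules in Table 55 can be checked before a configuration is applied, and the same logic helps when reading logs that record Redirect or Send 403 Forbidden for traffic that was in fact denied. The following Python is an added example, not Fortinet code; the function names and the `layer` argument are assumptions made for illustration.

```python
import ipaddress
import re

# Table 53: profiles each action does not support (every action is IPv4 only).
BASE = {"HTTP Turbo", "RADIUS"}
L7_ONLY = {"Redirect", "Send 403 Forbidden"}
UNSUPPORTED = {
    "Pass": BASE,
    "Deny": BASE,
    "Redirect": BASE | {"FTP", "TCP", "TCPS", "UDP"},
    "Send 403 Forbidden": BASE | {"FTP", "TCP", "TCPS", "UDP"},
}
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,35}")  # Table 55 name rule


def check_action(action, profile, layer):
    """Return (supported, effective). `effective` is what happens to the
    traffic, or None where the page does not say."""
    if action in L7_ONLY and (layer == 4 or profile == "TCPS"):
        # Table 54 note: the log records `action`, but the traffic is denied.
        return False, "Deny"
    supported = profile not in UNSUPPORTED[action]
    return supported, (action if supported else None)


def check_name(name):
    """True if `name` satisfies the Table 55 length and character rules."""
    return NAME_RE.fullmatch(name) is not None


def check_subnet(member):
    """Return a list of problems with a whitelist 'IP Subnet' member."""
    addr, sep, mask = member.partition("/")
    if not sep:
        return ["missing /prefix"]
    if ":" in addr:
        return ["IPv6 addresses are not supported"]
    # Python's ipaddress accepts 192.0.2.0/255.255.255.0; the whitelist does not.
    if not mask.isdigit():
        return ["mask must be a CIDR prefix length, not a dotted quad"]
    try:
        ipaddress.IPv4Network(member, strict=False)  # host bits not judged here
    except ValueError as exc:
        return [str(exc)]
    return []
```

A result of `(False, "Deny")` from `check_action` marks the case where the logged action and the real outcome differ, which is the one to account for when filtering Geo IP logs by action.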