Geography based addresses
Geography based addressing enables you to design policies based on addresses that are associated with a country.
This feature can be used to make either inclusive or exclusive policies. For instance, if you have an SSL VPN where the users will only be connecting from a single country, but you don't know from where in that country, you can block any incoming connections that originate outside that country.
On the other side of the equation, if you find that you are constantly being attacked by malicious intruders from a few countries that you have no dealings with, you can block access from those countries before any of their traffic is processed by your policies.
The matching of geographical country designations to an IP address is achieved by collecting data from any IP addresses that connect to any of the FortiGuard servers throughout the world. As a secondary task, when a FortiGuard server connects to an IP address it also looks up the country of origin for that address and updates the database.
There is no single comprehensive list of IP addresses and their locations, because IP addresses can be transferred between ISPs or countries and some organizations may not keep complete or up-to-date records of locations. FortiGuard Services constantly update their database of addresses matched to locations, but the database is dynamic and there may be addresses that have not yet been resolved to a location. While this means there can be gaps in the completeness of the database, you can fill them in manually on your FortiGate unit.
FortiOS IPv6 does not support the creation of geography-based address objects. This feature is for IPv4 addresses only.
Best Practices Tip:
Because of the limitations of the IP-address-to-country database, it is best to use this type of address in a group together with other addresses that fill in the gaps. For instance, if you are a company in Country "A" and all of your employees who will be using the SSL VPN connection are in that country, the best practice is to create an address group that includes the geographical address for Country "A". As legitimate connections appear from addresses that are not yet matched to Country "A", you can add those IPs to the group as IP addresses or IP range addresses without having to change the policy itself.
If you are trying to block addresses, the principle works just the same. Your logs show that someone from IP address x.x.x.x has been trying to connect inappropriately to your network. You use an IP locator web site to determine that they have been attempting to connect from Country "X". Up until now they have not been successful, but you don't deal with that country, so you don't mind blocking the whole country. Create an address group that is designed for blocking access to any addresses in it, then add the geographical address for Country "X". Even if the policy does not block every single IP address from that country, you have greatly increased your odds of blocking potential intrusion attempts. As your logs show other attempts, you can look them up in an IP locator web site and, if they are from the same country, add the IP address or subnet that they are connecting from to the group.
Creating a geography address
- Go to Policy & Objects > Objects > Addresses.
- Select Create New.
- If you use the down arrow next to Create New, select Address.
- Choose the Category, “Address”.
- Input a Name for the address object.
- Select the Type, Geography, from the dropdown menu.
- Select the country from the dropdown menu in the Country field.
The bottom of the dropdown menu has a search field so that you don’t have to scroll through the entire list of countries.
- Select the Interface from the dropdown menu.
- Check the Visibility box.
- Input any additional information in the Comments field.
- Press OK.
Example of a Geography address for a country that should be able to access resources on the network.
Configuring the address in the CLI
Enter the following CLI commands:
config firewall address
    edit <address_name>
        set type geography
        set country CN
        set interface wan1
    next
end
It is possible to assign a specific IP address range to a customized country ID. Generally, geographic addressing is done at the VDOM level; it could be considered global if you are using the root VDOM, but the geoip-override setting is a global setting.
config system geoip-override
    edit "A0"
        set country-id "A0"
        config ip-range
            edit 1
                set start-ip 126.96.36.199
                set end-ip 188.8.131.52
            next
            edit 2
                set start-ip 184.108.40.206
                set end-ip 220.127.116.11
            next
        end
    next
end
After creating a customized country with the geoip-override command, the new country name is added automatically to the country list and is available in the Country field of the firewall address.
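The following Python model, added here as an illustration and not FortiOS or FortiGuard code, shows how the pieces above fit together: a country database with gaps, manual ranges in the shape of geoip-override consulted first, and an allow group that combines a geography address with explicit IP ranges. All networks, ranges and log lines are constructed, and the assumption that override entries take precedence over the base database is made for this example.

```python
import ipaddress
import re

# Constructed data only; nothing here comes from FortiGuard. BASE_GEOIP stands in
# for the FortiGuard country database, which can have gaps (unresolved addresses).
BASE_GEOIP = {"203.0.113.0/24": "A", "198.51.100.0/24": "X"}
# Manual ranges in the shape of `config system geoip-override`: a custom country-id
# with start-ip/end-ip pairs, assumed here to be consulted before BASE_GEOIP.
GEOIP_OVERRIDE = [("A0", "192.0.2.10", "192.0.2.20")]
# Address group as the Best Practices Tip suggests: geography members plus explicit
# IP ranges added when legitimate users turn up from addresses the database lacks.
ALLOW_GROUP = {"countries": {"A", "A0"}, "ranges": [("192.0.2.100", "192.0.2.110")]}

def in_range(addr, start: str, end: str) -> bool:
    return ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end)

def lookup_country(ip: str):
    """Resolve an IPv4 address to a country-id; None means the database has a gap."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:  # geography addresses are IPv4-only
        return None
    for country, start, end in GEOIP_OVERRIDE:
        if in_range(addr, start, end):
            return country
    for net, country in BASE_GEOIP.items():
        if addr in ipaddress.ip_network(net):
            return country
    return None

def group_matches(ip: str, group: dict) -> bool:
    """True when the source resolves to a group country or falls in a group range."""
    addr = ipaddress.ip_address(ip)
    if lookup_country(ip) in group["countries"]:
        return True
    return any(in_range(addr, s, e) for s, e in group["ranges"])

def evaluate(log_lines: list, group: dict = ALLOW_GROUP) -> dict:
    """Accept or deny each logged SSL VPN attempt, tagging unresolved sources."""
    verdicts = {}
    for line in log_lines:
        m = re.search(r"src=(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            ip = m.group(1)
            action = "accept" if group_matches(ip, group) else "deny"
            verdicts[ip] = f"{action} ({lookup_country(ip) or 'unresolved'})"
    return verdicts

# Constructed log lines, not real FortiGate output: country A, override A0, a gap
# covered by a range member, a gap outside the group, and country X.
SAMPLE_LOGS = ["sslvpn login src=203.0.113.5", "sslvpn login src=192.0.2.15",
               "sslvpn login src=192.0.2.105", "sslvpn login src=192.0.2.200",
               "sslvpn login src=198.51.100.7"]
```

Running `evaluate(SAMPLE_LOGS)` shows the unresolved source 192.0.2.105 accepted only because of the explicit range member, while 192.0.2.200 is denied and flagged as unresolved for follow-up.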