We help IT Professionals succeed at work.

Fortigate fw - geo blocking everything but U.S.

Steve Bantz
Steve Bantz asked
on
We are currently using a Fortigate 100F with firmware v6.2.2 build 6083.  We recently upgraded from an older 200B that is end-of-life soon. To geo-block countries in the past, we had added an Address object named "Country Block - Countryname" and set a type of geography to it.  We then added this address to an Address Group named Country Block that is contained in the existing IPV4 policy that blocks incoming traffic from the outside-zone.

With the latest build of 6.2.2, is there a more efficient way of doing this?  Also and perhaps more importantly, we are considering blocking everything but US sources and I am curious what the recommended course of action is to do this efficiently.  We don't have public-facing servers and I am just looking to harden intrusion prevention.  I realize this isn't a silver bullet but anything I can do to lessen exposure to risk is desired.
Comment
Watch Question

kevinhsiehNetwork Engineer

Commented:
Not a Fortigate user, so I don't know specifically how to geo block with it.

We too geo block, and have for over 15 years. We geo block inbound and outbound. It sounds like you only have outbound traffic.

I have a group of international web sites that we allow access to, and have a permit rule for that. Next rule is permit US web traffic. Final rule in the group is deny all other traffic.

Be careful if trying to use a rule like "block traffic !=US". I did that once and private IP traffic was blocked between internal network segments.
TimotiStDatacenter Technician
Top Expert 2012

Commented:
The only issue with US-only I had in the last few years was when the CEO went to Spain for holiday and tried to check his email (with server hosted in the office). But a few exceptions like that should be manageable.
Steve BantzIT Manager

Author

Commented:
Ours is set to drop incoming packets based on the geoblock to help with intrusion prevention.  I had thought about applying it to block access to country websites from our private network to the outside interface but thought better of it since we do have a web filter that can better handle that aspect.  We don't have any users that would be needing ssl vpn access outside of the US but that is a great thought to keep in mind.  :)

Still looking to see if another Fortigate user has an efficient solution specific to the product.  I greatly appreciate the input so far.
Hello Steve,

Basically everything is blocked to firewall without any specific rule defined (Except VPN and Management ports unless opened on those interfaces). For SSL VPN you may use geo address to  allow only access from US addresses on SSL VPN settings page.

If you still need granular  control on blocking all traffic hitting on WAN interface, you may use local-in policies. On first policy allow access on WAN (SSL VPN Service) interface only from US address and on second policy block access from all IP addresses.

Good Luck!