Setting Up Geo-Blocking with FortiWeb IP Protection


One of our FortiWeb clients is releasing a new app and has asked us to block any IP not associated with Australia. There are a number of ways to achieve this, whether via the FortiWeb itself, a FortiGate in front of it, or other methods. In this instance we'll use the FortiWeb IP Protection feature. It relies on the MaxMind Geo IP database, which makes it a good but not fool-proof way to enable geo-blocking: the database can lag behind address reassignments, and a client coming through a VPN or proxy appears to be wherever that provider's exit sits, so treat it as a coarse filter rather than a hard security boundary.

We first need to set up a GEO IP policy to apply to our Server Policy, so go to IP Protection > GEO IP. Once there, create a new GEO IP Policy and specify an action (in our case the customer wanted to simply Deny without logging; however, I'd recommend logging at least for a short while so you can see which clients the policy is actually blocking). Click OK, and this will allow us to create the Country Items to select the country or countries we want to block (for an Australia-only app, that means every country except Australia).

Once that's done, click OK to save the item and the policy. We now navigate to the Server Policy we want to apply the geo block to, so go to Policy > Server Policy and edit the particular policy. Scroll down to Security Configuration and edit the Web Protection Profile. Scroll down again until you get to IP Protection, and under GEO IP select the policy we created earlier. Hit OK to save the Web Protection Profile, and then OK again to save the Server Policy.

And there you have it, applying a Geo IP filter on a FortiWeb Server Policy.
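Before switching the action to Deny without logging, it is worth a dry run of what such a policy would do to the clients the app already sees. The script below is an added example written for this post, not FortiWeb or Fortinet code: it reads a geo table laid out like MaxMind's GeoLite2-Country CSVs (the Blocks-IPv4 and Locations files), evaluates a "block every country except AU" list against a set of client addresses, and separates out addresses the table does not cover at all, which is the case a logging-first rollout is meant to catch. All prefixes, geoname IDs and client IPs in it are constructed for the demo and are not real MaxMind data.

```python
"""Dry run of a FortiWeb-style Geo IP block list against observed client IPs.

Added example (not FortiWeb or Fortinet code). The lookup table copies the
column layout of MaxMind's GeoLite2-Country CSVs (Blocks-IPv4 + Locations),
but every row below is constructed for the demo: prefixes and geoname IDs
are made up, not real MaxMind data.
"""
import csv
import io
import ipaddress

# --- constructed sample data (NOT real MaxMind rows) ------------------------
BLOCKS_CSV = """\
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
203.0.113.0/24,2077456,2077456,,0,0
198.51.100.0/24,6252001,6252001,,0,0
192.0.2.0/24,2635167,2635167,,0,0
192.0.2.128/26,2077456,2077456,,0,0
"""

LOCATIONS_CSV = """\
geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
2077456,en,OC,Oceania,AU,Australia,0
6252001,en,NA,North America,US,United States,0
2635167,en,EU,Europe,GB,United Kingdom,0
"""

# Constructed client list standing in for addresses pulled from the app's
# access logs before the policy goes live.
SAMPLE_CLIENTS = [
    "203.0.113.10",   # AU
    "192.0.2.150",    # AU: the /26 is more specific than the GB /24
    "192.0.2.20",     # GB
    "198.51.100.7",   # US
    "100.64.5.5",     # covered by no row at all
]


def load_geo_table(blocks_csv, locations_csv):
    """Return [(network, iso_code)] sorted most-specific prefix first."""
    iso_by_geoname = {
        row["geoname_id"]: row["country_iso_code"]
        for row in csv.DictReader(io.StringIO(locations_csv))
    }
    table = []
    for row in csv.DictReader(io.StringIO(blocks_csv)):
        # GeoLite2 leaves geoname_id empty when only the registered country
        # is known, so fall back to that column.
        gid = row["geoname_id"] or row["registered_country_geoname_id"]
        table.append((ipaddress.ip_network(row["network"]), iso_by_geoname.get(gid)))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def countries_to_block(locations_csv, keep):
    """Every country in the locations file except the ones we keep (here AU)."""
    codes = {row["country_iso_code"] for row in csv.DictReader(io.StringIO(locations_csv))}
    return codes - set(keep)


def lookup_country(table, ip):
    """ISO code of the most specific block covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for network, iso in table:
        if addr in network:
            return iso
    return None


def decide(table, ip, blocked):
    """Return ('allow'|'deny', country).

    A block list only fires on a positive country match, so an address the
    database does not cover is not denied: it passes through untouched.
    """
    country = lookup_country(table, ip)
    if country is None:
        return "allow", None
    return ("deny" if country in blocked else "allow"), country


def dry_run(table, clients, blocked):
    """Group observed clients by what the policy would do to them."""
    report = {"allow": [], "deny": [], "unmatched": []}
    for ip in clients:
        action, country = decide(table, ip, blocked)
        report[action].append((ip, country))
        if country is None:
            report["unmatched"].append(ip)
    return report


if __name__ == "__main__":
    geo = load_geo_table(BLOCKS_CSV, LOCATIONS_CSV)
    blocked = countries_to_block(LOCATIONS_CSV, keep={"AU"})
    for action, entries in dry_run(geo, SAMPLE_CLIENTS, blocked).items():
        print(f"{action:>9}: {entries}")
```

The "unmatched" bucket is the one to watch: those addresses are neither Australian nor blocked, which is exactly why the feature is a coarse filter. Swap the constructed rows for the real GeoLite2 CSVs and a list of addresses from the app's own logs, and the "deny" bucket tells you which existing clients will be cut off the moment the action changes from log to Deny.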

