Setting Up Geo-Blocking with FortiWeb IP Protection


One of our FortiWeb clients is releasing a new app and has asked us to block IPs not associated with Australia. There are a number of ways to achieve this, whether via the FortiWeb itself, a FortiGate in front of it, or other methods. In this instance, we'll be using the FortiWeb IP Protection feature. This uses the MaxMind Geo IP lists and is a good, but not fool-proof, way to enable geo-blocking.

We first need to set up an IP list to apply to our policy, so go to IP Protection > GEO IP. Once there, create a new GEO IP Policy and specify an action (in our case the customer wanted to simply Deny without logging; however, I'd recommend logging at least for a short while). Click OK, which then allows us to create a new Country Item, where we select the country or countries we want to block.

Once that's done, click OK to save the item and the policy. We now navigate to the Server Policy that we want to apply the Geo Block to, so go to Policy > Server Policy and edit the particular policy you want. Scroll down to Security Configuration and edit the Web Protection Profile. Scroll down again until you get to IP Protection, and under GEO IP we should be able to select the policy we created earlier. Hit OK to save the Web Protection Profile and then hit OK again to save the Server Policy.

And there you have it, applying a Geo IP filter on a FortiWeb Server Policy.
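As an added example that is not part of the original post and not FortiWeb code: a small Python dry-run that replays constructed access-log lines through the same "deny unless Australia" rule, using a constructed GeoIP table (the prefixes and country codes are assumptions, not real MaxMind data), and lists the source addresses the lookup cannot place so they can be reviewed while logging is still enabled.

```python
import ipaddress
from collections import Counter

# Constructed GeoIP table for this demo only: these prefixes are NOT real
# MaxMind data or real country allocations (they are documentation ranges).
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "AU"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
]

ALLOWED_COUNTRIES = {"AU"}  # the only country the client wants to admit


def lookup_country(ip):
    """Return the country code for ip, or None when the table has no match
    (the gap any GeoIP list has: unassigned, private, IPv6 or stale ranges)."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE:
        if addr in net:  # False, not an error, when IP versions differ
            return cc
    return None


def decide(ip, fail_closed=True):
    """Policy: deny any source whose country is not in ALLOWED_COUNTRIES.
    Unmapped sources are denied when fail_closed is True (otherwise allowed),
    and are always tagged UNKNOWN so they show up for review."""
    cc = lookup_country(ip)
    if cc in ALLOWED_COUNTRIES:
        return "allow", cc
    if cc is None:
        return ("deny" if fail_closed else "allow"), "UNKNOWN"
    return "deny", cc


def dry_run(log_lines, fail_closed=True):
    """Replay log lines (constructed format: '<src_ip> <method> <path>') through
    the policy; return per-(action, country) counts and the IPs needing review."""
    summary, review = Counter(), []
    for line in log_lines:
        src_ip = line.split()[0]
        action, cc = decide(src_ip, fail_closed)
        summary[(action, cc)] += 1
        if cc == "UNKNOWN":
            review.append(src_ip)
    return summary, review


# Constructed sample traffic: two AU clients, two foreign, two the table cannot place.
SAMPLE_LOG = [
    "203.0.113.7 GET /app/login",
    "203.0.113.9 POST /app/api/session",
    "198.51.100.23 GET /app/login",
    "192.0.2.44 GET /app/",
    "10.0.0.5 GET /app/health",
    "2001:db8::1 GET /app/login",
]

if __name__ == "__main__":
    counts, unplaced = dry_run(SAMPLE_LOG)
    for (action, cc), n in sorted(counts.items()):
        print(f"{action:5} {cc:7} {n}")
    print("review before switching to Deny without logging:", unplaced)
```

Running it shows why the logging period matters: the two unplaced sources (a private address and an IPv6 client) are denied by the policy, and the report is the only way to spot that before logging is turned off.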
