FortiGate
Andy_G
Staff
Article Id 195205

Description

This article shows how to add a geography-based address.

With this type of address, a geographic region or country is specified instead of an IP address or subnet.
The FortiGate unit includes an internal list of countries and their IPv4 address ranges, based on historical data from the FortiGuard network. Because the mapping is derived from address allocation data, its accuracy depends on keeping that database current.

When used in a security policy, traffic originating from or destined to a particular country can be logged, blocked, or subjected to specific filtering.



Scope


Solution

In the following examples, a geography-based address for China is added and bound to the wan1 interface.

To add a geography-based address using the web-based manager:

1) Go to Firewall -> Address -> Address and select Create New.
2) Enter the name China.
3) For Type, select Geography.
4) From the Country list, select China.
5) For Interface, select wan1.
6) Select OK.

To add a geography-based address using the CLI:

# config firewall address
    edit China
        set type geography
        set country CN
        set interface wan1
    next
end

On FortiOS 4.0 MR3:

A diagnose command can be used to view more information about geography-based addressing.
The command displays country and address information for the countries that have been added to firewall addresses:

# diagnose firewall ipgeo {country-list | ip-list | ip2country}

where:
- country-list shows all of the countries that have been added to a firewall address.
- ip-list shows the IP addresses of a specified country, or of all countries added to firewall addresses.
- ip2country shows the country of origin for a specified IP address. The address must belong to one of the countries that has been added to a firewall address.
For example, use the following command to view the countries that have been added to a firewall address.
The example output shows that a firewall address has been added for China:

# diagnose firewall ipgeo country-list
Total countries loaded:1
CN

On FortiOS 5.0:

The diagnose command has more options than in the previous version:

# diagnose firewall ipgeo {copyright-notice | country-list | ip-list | ip2country | override}

where, in addition to the previous ones:

• copyright-notice shows the copyright notice of the IP geography database.
• override prints all user-defined IP geography data.

An override is defined with the new CLI command:

# config system geoip-override

which makes it possible to associate an IP address range with a customized country group (country-id):

# config system geoip-override
    edit "test"
        set country-id "A0"
            config ip-range
                edit 1
                    set start-ip 7.7.7.7
                    set end-ip 7.7.7.8
                next
            end
    next
end

After a customized country is created with the geoip-override command, the new country name is added automatically to the country list and is available in the Country field of a geography firewall address.

Scenario: allowing traffic from a new country that is not in the GeoIP database list to reach a server.

1) Create an override for the new country, called "FreeLand", by running the following CLI commands (edit 0 assigns the next free entry ID):

# config system geoip-override
(geoip-override) # edit FreeLand
(FreeLand) # config ip-range
(ip-range) # edit 0
(0) # set start-ip 7.7.7.7
(0) # set end-ip 7.7.7.7
(0) # end
(FreeLand) # end

2) Create a firewall address object whose country is set to this override, under Firewall Object -> Address -> Addresses in the GUI, or by running the following CLI commands. The type must be set to geography before a country can be selected; A0 is the country-id that was assigned automatically to the FreeLand override:

# config firewall address
(address) # edit NewCountry
(NewCountry) # set type geography
(NewCountry) # set country A0
(NewCountry) # end

3) Configure a firewall policy allowing traffic coming from the FreeLand country to access the server, under Policy -> Policy -> Policy in the GUI, or by running the following CLI commands (Server_vip is an existing VIP object for the server):

# config firewall policy
(policy) # edit 0
(0) # set srcintf wan1
(0) # set dstintf internal
(0) # set srcaddr NewCountry
(0) # set dstaddr Server_vip
(0) # set action accept
(0) # set schedule always
(0) # set service ALL
(0) # end

Verify the mapping before relying on the policy: `diagnose firewall ipgeo ip2country 7.7.7.7` should report the FreeLand country-id, and `diagnose firewall ipgeo override` lists the configured ranges.
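The override and policy steps above can be checked offline with a small model of how a geography address resolves a source IP. The Python below is an added example and is not FortiOS code or part of this article. It stands in for the FortiGuard IP geography DB with a constructed two-country table, loads overrides in the same start-ip/end-ip form as the FreeLand example, resolves an address to a country (overrides are consulted first, which is an assumption about precedence; confirm on the unit with `diagnose firewall ipgeo ip2country`), and flags overlapping override ranges, which make that resolution ambiguous. The A0, A1, ... country-id numbering is assumed from the single A0 shown on the page, and all sample ranges are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the FortiGuard IP geography DB (the real one is far larger).
BUILTIN_DB: Dict[str, List[str]] = {
    "CN": ["1.2.0.0/16", "58.14.0.0/15"],
    "US": ["8.8.8.0/24"],
}

# Constructed geoip-override table: (name, [(start-ip, end-ip), ...]).
# "FreeLand" mirrors the article's example; "test" deliberately overlaps it.
OVERRIDES: List[Tuple[str, List[Tuple[str, str]]]] = [
    ("FreeLand", [("7.7.7.7", "7.7.7.7")]),
    ("test", [("7.7.7.7", "7.7.7.8")]),
]

OverrideTable = List[Tuple[str, ipaddress.IPv4Network]]


def assign_country_ids(overrides) -> Dict[str, str]:
    """Assumption: custom country-ids are handed out as A0, A1, ... in creation
    order. The page only shows A0 for the first override; verify on a real unit."""
    return {name: f"A{i}" for i, (name, _) in enumerate(overrides)}


def expand_overrides(overrides) -> OverrideTable:
    """Turn each start-ip/end-ip pair into one or more CIDR networks."""
    table: OverrideTable = []
    for name, ranges in overrides:
        for start, end in ranges:
            first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
            for net in ipaddress.summarize_address_range(first, last):
                table.append((name, net))
    return table


def find_overlaps(table: OverrideTable):
    """Report ranges that belong to different overrides but overlap: an IP in
    both would resolve to whichever entry happens to be checked first."""
    hits = []
    for i, (name1, net1) in enumerate(table):
        for name2, net2 in table[i + 1:]:
            if name1 != name2 and net1.overlaps(net2):
                hits.append((name1, name2, str(net1), str(net2)))
    return hits


def ip2country(ip: str, table: OverrideTable, builtin_db) -> Optional[str]:
    """Resolve an IP the way a geography address would: overrides first
    (assumed precedence), then the built-in country table, else None."""
    addr = ipaddress.ip_address(ip)
    for name, net in table:
        if addr in net:
            return name
    for country, nets in builtin_db.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return country
    return None


def policy_matches(ip: str, srcaddr_country: str, table: OverrideTable, builtin_db) -> bool:
    """True if a policy whose srcaddr is the geography address for
    srcaddr_country would match a packet from ip."""
    return ip2country(ip, table, builtin_db) == srcaddr_country


if __name__ == "__main__":
    table = expand_overrides(OVERRIDES)
    print("country-ids:", assign_country_ids(OVERRIDES))
    for ip in ("7.7.7.7", "7.7.7.8", "1.2.3.4", "9.9.9.9"):
        print(ip, "->", ip2country(ip, table, BUILTIN_DB))
    print("overlaps:", find_overlaps(table))
```

Run it as-is to see the FreeLand/test overlap reported; remove the "test" entry and the overlap list is empty. The same idea, fed with the actual `diagnose firewall ipgeo override` output, is a quick sanity check before a geography address is used in an accept policy.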
In addition, on FortiOS 5.0 the IP geography database is updated via FortiGuard, and the following CLI commands are available:

# execute update-geo-ip                              <----- updates the database
# diagnose autoupdate versions                        <----- shows the current database version, for example:
IP Geography DB
---------
Version: 1.009
Contract Expiry Date: N/A
Last Update Date: Wed Jan  9 22:22:19 2013
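Since a geography address is only as accurate as the database behind it, the `diagnose autoupdate versions` output is worth checking routinely. The Python below is an added example, not Fortinet tooling: it parses that output into sections, picks the IP Geography DB entry and reports its age. The AV Engine section in the sample is constructed so the parser has to select the right block, and the 30-day threshold is an arbitrary assumption.

```python
import re
from datetime import datetime
from typing import Dict

# Constructed sample of "diagnose autoupdate versions" output. The IP Geography DB
# block matches the article; the AV Engine block is made up for the example.
SAMPLE_OUTPUT = """\
AV Engine
---------
Version: 4.00411
Contract Expiry Date: Sat Feb  1 2014
Last Update Date: Tue Jan  8 10:00:00 2013

IP Geography DB
---------
Version: 1.009
Contract Expiry Date: N/A
Last Update Date: Wed Jan  9 22:22:19 2013
"""

# Date layout as printed by the unit, e.g. "Wed Jan  9 22:22:19 2013"
# (strptime treats a space in the format as any run of whitespace).
DATE_FMT = "%a %b %d %H:%M:%S %Y"


def parse_versions(text: str) -> Dict[str, Dict[str, str]]:
    """Split the output into {section title: {field: value}}.
    A section is a title line, a dashed underline, then "Field: value" lines,
    terminated by a blank line."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None  # blank line closes the section
            continue
        if set(line) == {"-"}:
            continue  # underline beneath the title
        if current is None:
            current = line.strip()
            sections[current] = {}
            continue
        m = re.match(r"^([^:]+):\s*(.*)$", line)
        if m:
            sections[current][m.group(1).strip()] = m.group(2).strip()
    return sections


def geoip_age_days(text: str, now: datetime) -> int:
    """Whole days between the IP Geography DB's last update and `now`."""
    entry = parse_versions(text).get("IP Geography DB")
    if not entry or "Last Update Date" not in entry:
        raise ValueError("IP Geography DB section not found in output")
    updated = datetime.strptime(entry["Last Update Date"], DATE_FMT)
    return (now - updated).days


def is_stale(text: str, now: datetime, max_days: int = 30) -> bool:
    """True when the database is older than max_days (assumed threshold)."""
    return geoip_age_days(text, now) > max_days


if __name__ == "__main__":
    now = datetime(2013, 3, 1)  # fixed date so the demo is reproducible
    print("IP Geography DB version:", parse_versions(SAMPLE_OUTPUT)["IP Geography DB"]["Version"])
    print("age in days:", geoip_age_days(SAMPLE_OUTPUT, now), "stale:", is_stale(SAMPLE_OUTPUT, now))
```

In practice the text would come from the unit over SSH rather than the embedded sample; a stale result is the cue to run `execute update-geo-ip` and check FortiGuard connectivity.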
