DescriptionFortiDDoS provides two options for blocking or allowing traffic by location:
• Allow all and deny some
• Deny all and allow some
This is configured under Global Settings > Settings > Settings: Geo Location Policy.
SolutionOption (a) Allow all and deny some
This will be used in cases where you want traffic from all countries/geo-locations to be allowed through FortiDDoS (this traffic will be analyzed first accordingly with SPP settings; this does not mean it is implicitly allowed), but you just want to blacklist some countries (For example: only Russia; it will not be analyzed but it will be implicitly blocked).
Countries
that are blocked will not be analyzed and checked against FortiDDoS
thresholds, they will be automatically dropped. All other countries will
be processed by FortiDDoS.
Option (b) Deny all and allow some
This will block traffic from all countries (it will implicitly block all traffic without analysis) expect the one that you specifically allow (this traffic will be analyzed first accordingly with SPP settings; this doesn’t mean it’s implicitly allowed). Let us say that in your environment, you want to allow traffic only from your home country (For example, in the case of a University where you want to allow your students to connect only from your country) and block everything else, then you would use this feature.
Countries that are allowed will be analyzed by FortiDDoS. All other countries will be implicitly blocked.
Frequently asked questions
Does this mean that we cannot white-list some country without blocking all traffic from all other countries?
Yes. If you want to white-list some countries you would have to use option (b) Deny all and allow some, which means that traffic from all other countries that are not white-listed will be blocked. Note that white-list does not mean that this country will be implicitly allowed but will be analyzed first by FortiDDoS.
Do geo-location ACLs affect outgoing traffic?
No. Only Incoming traffic which can be from all around the world. This option would not be meaningful for Outgoing traffic.
Is it possible to configure the following scenario:
- White-list some countries so this traffic will not be checked at all but implicitly allowed.
- All other countries should be first analyzed/processed by FortiDDoS.
This sounds good in theory, but there is one very important thing you have to think about: "IP spoofing". Imagine that a potential attacker realizes that you have your country white-listed and that FortiDDoS would not then analyze this traffic. In this case the attacker could very easily spoof it's IP address and put some from your country and kill your servers very fast.
