FortiWeb
A FortiWeb can be configured to join a Security Fabric through the root or downstream FortiGate.
ajo
Staff
Article Id 195255

Description

FortiWeb allows the blocking of traffic from many IP addresses that are currently known to belong to networks in other regions.

It uses a MaxMind GeoLite database of mappings between geographical regions and all public IP addresses that are known to originate from them.

Exceptions to the blacklist can be specified. This makes it possible, for example, to block a country or region but allow a geographic location within that country or region.

In order to apply policies correctly and log accurately, it is important that the FortiWeb is aware of certain other points on the network.

 

Scope

FortiWeb


Solution

To scan traffic for the web servers, FortiWeb must know which IP addresses and HTTP host names to protect. If there are proxies and load balancers in the network stream between the client and the FortiWeb, these will also need to be defined.

If the web servers have features that operate using the source IP address of a client, it may also be necessary to configure FortiWeb to pass that information to the web servers.

A very common cause of Geo IP filtering not working as expected is that the load balancers are not passing the client IPs in the X-header.

Configure the load balancer so that it does not multiplex HTTP requests from multiple different clients into each TCP connection with the FortiWeb.

Make sure that the FortiWeb is allowed to decide the Geo IP region based on the IP address.

Configure the load balancer to insert or append to an X-Forwarded-For:, X-Real-IP:, or other HTTP X-header.

Configure the FortiWeb to find the original attacker’s or client’s IP address in that HTTP header, not in the IP session.
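The following Python sketch is an added example, not FortiWeb code or configuration from this article. It models the steps above: behind a load balancer the IP session only shows the load balancer's address, so the Geo IP lookup must use the X-header, and the header should be honoured only when the request arrives from a known load balancer. The proxy subnet, region codes and address ranges are constructed placeholders.

```python
import ipaddress

# Constructed sample data: documentation ranges mapped to made-up region codes.
# A real deployment uses the GeoIP database, not this table.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "AA",
    ipaddress.ip_network("203.0.113.0/24"): "BB",
}
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]  # assumed load balancer subnet
BLOCKED_REGIONS = {"BB"}


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_ip, xff_header):
    """Return the address to use for the geo lookup.

    The header is honoured only when the TCP peer is a trusted proxy. The
    chain is then walked right to left, and the first hop that is not a
    trusted proxy is taken as the client. A malformed entry stops the walk.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer) or not xff_header:
        return peer
    client = peer
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep the last address that parsed
        client = addr
        if not _is_trusted(addr):
            break
    return client


def region_of(addr):
    for net, region in GEO_TABLE.items():
        if addr in net:
            return region
    return None  # private or unknown address: no region


def geo_decision(peer_ip, xff_header=None):
    region = region_of(resolve_client_ip(peer_ip, xff_header))
    return "block" if region in BLOCKED_REGIONS else "allow"
```

Without the header, every request is evaluated against the load balancer's private address and no region rule can match, which is the symptom described above.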

 
