FortiGate
martinsd
Staff
Article Id 276058
Description This article describes the behavior and limitations of using geographic address objects on ZTNA Rules/Proxy policies.
Scope FortiOS 7.0.x and 7.2.x
Solution

Geographic address objects are not supported by ZTNA Rules/Proxy policies. When a proxy policy references one, FortiGate ignores that policy entirely, so traffic falls through to the implicit deny instead of being matched by it.

Geographic address objects will be hidden in future releases.

The logs below demonstrate this behavior:

 

When using the 'all' object as the source, an 'accept' action takes place (policy index = 1):

config firewall address
    edit "Portugal"
        set type geography
        set country "PT"
    next
end

show firewall proxy-policy 1
config firewall proxy-policy
    edit 1
        set name "GeoTest"
        set proxy access-proxy
        set access-proxy "TCP-Forwarding"
        set srcintf "wan1"
        set srcaddr "all"
        set dstaddr "LAB"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "SAML_LAB"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
    next
end

diagnose firewall iprope list 100017
policy index=1 uuid_idx=15932 action=accept
flag (8810009): log redir master nlb pol_stats
flag3 (80000000):
schedule(always)
cos_fwd=0 cos_rev=0
group=00100017 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=4
zone(4): 3 4 5 6 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15739,
dest(1): 192.168.100.69-192.168.100.69, uuid_idx=0,
service(1):
        [6:0x0:1012/(0,65535)->(8887,8887)] flags:0 helper:auto

 

When the 'Portugal' object is used as the source instead, a 'drop' is observed (policy index = 0, the implicit deny), because the policy referencing the geographic object is ignored:

show firewall proxy-policy 1
config firewall proxy-policy
    edit 1
        set name "GeoTest"
        set proxy access-proxy
        set access-proxy "TCP-Forwarding"
        set srcintf "wan1"
        set srcaddr "Portugal"
        set dstaddr "LAB"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "SAML_LAB"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
    next
end

diag firewall iprope list 100017
policy index=0 uuid_idx=0 action=drop
flag (8010000): master pol_stats
flag3 (100): last-deny
schedule()
cos_fwd=0 cos_rev=0
group=00100017 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=4
zone(1): 0 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15739,
dest(1): 192.168.100.69-192.168.100.69, uuid_idx=0,
service(1):
        [6:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
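Because an ignored proxy policy produces no error in the CLI, the practical defence is to audit the configuration for the condition before it bites. The following script is an added example written for this article and is not Fortinet code: it parses a flat FortiOS config dump (the `config firewall address` and `config firewall proxy-policy` tables shown above), reports every proxy policy whose srcaddr or dstaddr references a `type geography` object, and separately reads the first entry of `diagnose firewall iprope list` output to tell an explicit match from the implicit deny (index 0 with the `last-deny` flag). The sample config embeds the article's "Portugal" object and "GeoTest" policy plus a constructed "LAB" subnet object and a constructed second policy "GeoTest-OK" that uses 'all', so the two cases can be compared side by side; those extra objects are assumptions, not from the article.

```python
"""Audit a FortiOS config dump for ZTNA/proxy policies that reference
geographic address objects (unsupported: FortiGate ignores the policy).

Added example for this article, not Fortinet's own tooling.
"""
import re
import shlex

# Constructed sample: "Portugal" and policy 1 come from the article; the "LAB"
# subnet object and policy 2 ("GeoTest-OK") are assumed for contrast.
SAMPLE_CONFIG = """\
config firewall address
    edit "Portugal"
        set type geography
        set country "PT"
    next
    edit "LAB"
        set subnet 192.168.100.69 255.255.255.255
    next
end
config firewall proxy-policy
    edit 1
        set name "GeoTest"
        set proxy access-proxy
        set srcaddr "Portugal"
        set dstaddr "LAB"
        set action accept
    next
    edit 2
        set name "GeoTest-OK"
        set proxy access-proxy
        set srcaddr "all"
        set dstaddr "LAB"
        set action accept
    next
end
"""

# Constructed from the article's second diagnose output (first three lines).
IPROPE_SAMPLE = """\
policy index=0 uuid_idx=0 action=drop
flag (8010000): master pol_stats
flag3 (100): last-deny
"""


def parse_fortios(text):
    """Return {section: {edit_id: {key: [values]}}} for a flat FortiOS dump.

    Handles one level of config/edit/set/next/end, which is all the address
    and proxy-policy tables need; nested 'config' blocks are not modelled.
    """
    tables, section, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # strips the quotes FortiOS prints
        if not tokens:
            continue
        cmd = tokens[0]
        if cmd == "config":
            section = " ".join(tokens[1:])
            tables.setdefault(section, {})
        elif cmd == "edit" and section is not None:
            entry = tokens[1]
            tables[section][entry] = {}
        elif cmd == "set" and entry is not None:
            tables[section][entry][tokens[1]] = tokens[2:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            section = None
    return tables


def geography_objects(tables):
    """Names of address objects defined with 'set type geography'."""
    return {name for name, attrs in tables.get("firewall address", {}).items()
            if attrs.get("type") == ["geography"]}


def find_ignored_proxy_policies(tables):
    """List (policy id, name, field, [geo objects]) for every proxy policy whose
    srcaddr or dstaddr references a geographic object, i.e. a policy FortiGate
    will silently skip."""
    geo = geography_objects(tables)
    findings = []
    for pid, attrs in tables.get("firewall proxy-policy", {}).items():
        for field in ("srcaddr", "dstaddr"):
            bad = sorted(set(attrs.get(field, [])) & geo)
            if bad:
                findings.append((pid, attrs.get("name", [""])[0], field, bad))
    return findings


def iprope_match(text):
    """Return (policy index, action, implicit_deny) from the first policy entry
    of 'diagnose firewall iprope list' output. Index 0 carrying the last-deny
    flag means no explicit policy matched and the implicit deny applied."""
    m = re.search(r"policy index=(\d+) uuid_idx=\d+ action=(\w+)", text)
    if not m:
        return None
    index, action = int(m.group(1)), m.group(2)
    return index, action, index == 0 and "last-deny" in text


if __name__ == "__main__":
    for pid, name, field, objs in find_ignored_proxy_policies(parse_fortios(SAMPLE_CONFIG)):
        print(f"proxy-policy {pid} ({name}): {field} uses geography object(s) {objs}; policy is ignored")
    print("iprope:", iprope_match(IPROPE_SAMPLE))
```

Run against a real `show full-configuration` dump, the audit lists policy 1 (GeoTest) as ignored and says nothing about policy 2, which is exactly the difference between the two diagnose outputs in the article: only the 'all' variant ever reaches policy index 1.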