Add GEO IP Fortigate

Description: An option is available to add a geography-based address scheme. With this type of addressing, the geographic region or country can be indicated. The FortiGate unit includes an internal list of countries and IPv4 addresses based on historical data from the FortiGuard network.

Add Geo IP Address Firewall Fortigate

  • Log in to the FortiGate via the CLI
  • config system geoip-override
  • edit Indonesia
  • config ip-range
  • Type ed 0 (short for edit 0)
  • set start-ip xxx.xxx.x.1
  • set end-ip xxx.xxx.x.254
  • end
  • Check the configuration with the command "diagnose firewall ipgeo ip2country <IP Address>" and press Enter

xxx.xxx.xxx.1 is in country:ID

################################################################

When used in security policies, traffic originating or going to a particular country can be logged, blocked or specific filtering applied.

Solution: In the following examples, a geography-based address for China is added for the WAN1 port.

To add a geography-based address using the web-based manager:

1 Go to Firewall > Address > Address and select Create New.
2 Enter the Name of China.
3 For the Type, select Geography.
4 From the Country list, select China.
5 Select the Interface of WAN1.
6 Select OK.

To add a geography-based address using the CLI:

config firewall address
edit China
set type geography
set country CN
set interface wan1
end

On FortiOS 4.0 MR3

A diagnose command can be used to view more information about geography based addressing. The command displays country and address information for the countries that have been added to firewall addresses:

diagnose firewall ipgeo {country-list | ip-list | ip2country}

where

• country-list shows all of the countries that have been added to a firewall address.
• ip-list shows the IP addresses of a specified country or all of the countries added to firewall addresses.
• ip2country shows the country of origin for a specified IP address. The address must belong to one of the countries that has been added to a firewall address.

For example, use the following command to view the countries that have been added to a firewall address. The example command output shows that a firewall address has been added for China.

diagnose firewall ipgeo country-list
Total countries loaded:1
CN

On FortiOS 5.0

The diagnose command has more options compared to the previous version:

diagnose firewall ipgeo {copyright-notice | country-list | ip-list | ip2country | override }

where, in addition to the previous ones:

• copyright-notice shows the copyright notice
• override prints out all user-defined IPgeo data

Override can be defined with the new CLI command:

config system geoip-override

where it is possible to specify an IP address range to be associated with a customized country group (country-id):

config system geoip-override
    edit "test"
        set country-id "A0"
            config ip-range
                edit 1
                    set start-ip 7.7.7.7
                    set end-ip 7.7.7.8
                next
            end
    next
end

After creating a customized country with the geoip-override command, the new country name is added automatically to the country list and becomes available in the Country field of a firewall address.

Scenario: Allowing traffic from a new country that is not in the GeoIP database to reach a server

1) Create an override for the new country called "FreeLand" by running the following CLI commands:

# config system geoip-override
(geoip-override) # edit FreeLand
(FreeLand) # config ip-range
(ip-range) # ed 0
(0) # set start-ip 7.7.7.7
(0) # set end-ip 7.7.7.7
(0) # end
(FreeLand) # end

2) Create a firewall address object whose country is set to this override, under Firewall Objects > Address > Addresses in the GUI, or by running the following CLI commands:

# config firewall address
(address) # edit NewCountry
(NewCountry) # set type geography
(NewCountry) # set country A0
(NewCountry) # end

A0 is the customized country group (country-id) that was assigned automatically to the customized country.

3) Configure a firewall policy that allows traffic coming from the FreeLand country to reach the server, under Policy > Policy > Policy in the GUI, or by running the following CLI commands:

# config firewall policy
(policy) # edit 0
(0) # set srcintf wan1
(0) # set dstintf internal
(0) # set srcaddr NewCountry 
(0) # set dstaddr Server_vip
(0) # set action accept
(0) # set schedule always
(0) # set service ALL
(0) # end
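As an added example (not from the Fortinet KB article or this post), the following Python script generates the `config system geoip-override` block described above from CIDR prefixes, converting each prefix into the start-ip/end-ip pair the override expects, and emulates the `diagnose firewall ipgeo ip2country` check against the user-defined ranges. The name FreeLand and country-id A0 come from the scenario; the 203.0.113.0/24 prefix is a constructed sample value.

```python
"""Render a FortiOS 'config system geoip-override' block from CIDR prefixes
and emulate 'diagnose firewall ipgeo ip2country' for the user-defined ranges.
Added example; FreeLand/A0 come from the KB scenario, 203.0.113.0/24 is a
constructed sample prefix."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data: override name -> (country-id, CIDR prefixes)
OVERRIDES: Dict[str, Tuple[str, List[str]]] = {
    "FreeLand": ("A0", ["7.7.7.7/32", "203.0.113.0/24"]),
}


def cidr_to_range(prefix: str) -> Tuple[str, str]:
    """Return (start-ip, end-ip) for a prefix; a /32 yields the same address twice."""
    net = ipaddress.ip_network(prefix, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def render_override(name: str, country_id: str, prefixes: List[str]) -> str:
    """Emit the nested CLI block: 'next' closes each ip-range entry, 'end' each table."""
    lines = ["config system geoip-override", f'    edit "{name}"',
             f'        set country-id "{country_id}"', "        config ip-range"]
    for idx, prefix in enumerate(prefixes, start=1):
        start, end = cidr_to_range(prefix)
        lines += [f"            edit {idx}", f"                set start-ip {start}",
                  f"                set end-ip {end}", "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


def ip2country(ip: str, overrides: Dict[str, Tuple[str, List[str]]] = OVERRIDES) -> str:
    """Mimic 'diagnose firewall ipgeo ip2country <ip>' for override ranges only:
    return the country-id whose range contains ip, or '' when nothing matches."""
    addr = ipaddress.ip_address(ip)
    for country_id, prefixes in overrides.values():
        for prefix in prefixes:
            if addr in ipaddress.ip_network(prefix):
                return country_id
    return ""


if __name__ == "__main__":
    for name, (cid, prefixes) in OVERRIDES.items():
        print(render_override(name, cid, prefixes))
    for probe in ("7.7.7.7", "203.0.113.45", "198.51.100.9"):
        print(f"{probe} is in country:{ip2country(probe) or 'none'}")
```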

Additionally, on FortiOS 5.0 the IPgeo database is updated via FortiGuard, and the following CLI commands are available:

execute update-geo-ip  ==> to update the database

diagnose autoupdate versions ==> to check the current database version

Source : https://kb.fortinet.com/kb/viewContent.do?externalId=FD33209&sliceId=1

Posted on: February 27, 2019