By Manny Fernandez

February 10, 2022

Geo-Blocking with Local In Policy

Sometimes when you set up a standard policy to geo-block some countries, you will still see attacks from certain IP addresses in the very same countries you blocked. This is because certain access to the FortiGate itself is still allowed (e.g. IPsec, HTTPS for admin and Remote Access VPN, BGP, etc.).

The first thing you will want to do is create an Address object with the public IP of the firewall. You may need multiple policies and Address objects to correspond to multiple WAN links.

Next you will need to create GEO objects for each country you want to block.  I created an article and have a script that will allow you to import all countries without having to manually enter them.

Create an Address Group and add the countries you want to block. I named my group Blocked-Countries.

Next, we will create the Local-In Policy:


  1. You will need to enter your port (e.g. WAN1, WAN2, port1, etc.).
  2. Set the source address (srcaddr) to the address group we created earlier.
  3. For the destination address, enter the address object of the firewall’s public IP address.
  4. Next, set the action to Deny.
  5. Then set the service to ALL to cover all ports. You can be specific if you want, but for the purposes of blocking countries, you probably want to block ALL.
  6. Ensure that this policy's schedule is set to always.
  7. Finally, set the status to enable.
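
The steps above as one FortiOS CLI sequence, added here as an example and not taken from the original post. The object names WAN1-Public-IP, GEO-CC1 and GEO-CC2, the interface wan1, the address 203.0.113.10 (documentation range) and the country codes CC1/CC2 are placeholders to replace with your own values; only Blocked-Countries comes from the article.

```fortios
# Added example. All values except "Blocked-Countries" are placeholders.

# Address object for the firewall's public IP (one per WAN link)
config firewall address
    edit "WAN1-Public-IP"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# One geography object per country to block.
# Replace CC1 / CC2 with the two-letter country codes you need.
config firewall address
    edit "GEO-CC1"
        set type geography
        set country "CC1"
    next
    edit "GEO-CC2"
        set type geography
        set country "CC2"
    next
end

# Group the geography objects
config firewall addrgrp
    edit "Blocked-Countries"
        set member "GEO-CC1" "GEO-CC2"
    next
end

# Local-in policy: deny traffic from the blocked countries
# that is destined to the FortiGate itself
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Blocked-Countries"
        set dstaddr "WAN1-Public-IP"
        set action deny
        set service "ALL"
        set schedule "always"
        set status enable
    next
end
```

Repeat the address object and the local-in policy entry for each additional WAN interface, and review the result with `show firewall local-in-policy`.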

You should be good to go.

Hope this helps.
