Fortinet GeoFiltering

19th December 2019

Fortinet makes a nice firewall; it uses ASIC chips to offload much of its CPU-intensive work, making the firewall responsive and high-throughput without drastically increasing the cost. Fortinet 60E: $1380, 800Mbps throughput vs. SonicWall TZ300: $960, 340Mbps throughput (lower with DPI on).

My objective is to filter large chunks of the internet that are not usually used, as we don't speak that language. spamhaus.org keeps a nice list of the worst botnet countries. I'll be filtering India, China, Vietnam, and Russia.

My instructions are based on v6.2 firmware. Verify by going into Log & Report, Forward Traffic. The Destination column shows small flags indicating the traffic destination. Scroll through this list to verify that the countries you want to filter are not in use.

Policies & Objects, Addresses. Create New, Address. Give your address a name, e.g. India; beside Type choose Geography, and choose the country you want to block. Repeat for all countries to be blocked.

Now we want to create a group for all these bad countries. Policies & Objects, Addresses. Create New, Address Group. I called mine BadGeo. Add the countries created in the previous step to the Members section.

Now we need to make a policy to do the blocking. Policies & Objects, IPv4 Policy, Create New. Give your policy a name, Incoming Interface = LAN, Outgoing Interface = WAN1 (or WAN2, whichever one is green, aka live), Source is All (or you can limit this to a subnet), Destination is the BadGeo group you created. Verify your action is Deny (or Accept with logging for testing), enable Log, and enable the policy.

Initially your block policy will be at the bottom of your policy list, but we need it at the top to be effective, as policies are applied in order: the first matching policy wins. To the left of the ID number there is a handle; it won't appear until you hover over it. Use it to drag your new rule above your default accept rule. (My accept rule is named 2May2018.)

Which brings us to the issue of a whitelist; there will always be exceptions to every rule, so create a list of sites that you never want filtered and order it above this new block list.
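The same objects and policy as above, entered through the FortiOS 6.2 CLI instead of the GUI. This is an added example, not from the original post: the interface names ("internal", "wan1") and the policy IDs 1 (the existing default accept) and 10 are assumptions to adjust for your unit, and the `#` lines are annotations rather than CLI input.

```fortios
# Added example (not from the original post): the FortiOS 6.2 CLI equivalent
# of the GUI steps above. Interface names ("internal", "wan1") and the policy
# IDs 1 and 10 are assumptions; adjust them to your unit.

# 1. One geography address per country (ISO 3166 codes; "IN" = India).
config firewall address
    edit "India"
        set type geography
        set country "IN"
    next
    edit "China"
        set type geography
        set country "CN"
    next
    edit "Vietnam"
        set type geography
        set country "VN"
    next
    edit "Russia"
        set type geography
        set country "RU"
    next
end

# 2. Group them so the policy references a single object.
config firewall addrgrp
    edit "BadGeo"
        set member "India" "China" "Vietnam" "Russia"
    next
end

# 3. Deny LAN -> WAN traffic to the group and log every hit,
#    so the Forward Traffic log shows what the rule is catching.
config firewall policy
    edit 10
        set name "Block-BadGeo"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "BadGeo"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set status enable
    next
    # 4. Policies match top-down: place it above the default accept (ID 1 assumed).
    move 10 before 1
end
```

A whitelist policy (action accept, destination set to your exception addresses) is created the same way and moved above policy 10 so it is evaluated first.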

This is another layer that will give you a decent chance of blocking that link included in a spam email, without being too invasive.