
config load-balance geoip-list

Use this command to configure the Geo IP address block list.

The FortiGuard Geo IP service provides a database that maps IP addresses to countries, satellite providers, and anonymous proxies. The database is updated periodically.

The Geo IP block list is a policy that takes the action you specify when the virtual server receives requests from IP addresses in the blocked country’s IP address space.

For Layer 4 virtual servers, FortiADC blocks access when the first TCP SYN packet arrives. For Layer 7 virtual servers, FortiADC blocks access after the handshake, allowing it to redirect the traffic if you have configured it to do so.

Basic Steps
  1. Configure the connection to FortiGuard so the system can receive periodic Geo IP Database updates.
  2. Create rules to block traffic from locations.
  3. Maintain an allowlist to allow traffic from specified subnets even if they belong to the address space blocked by the Geo IP block list.
  4. Select the Geo IP block list and allowlist in the profiles you associate with virtual servers.

Before you begin:

  • You must have read-write permission for load balancing settings.

Syntax

config load-balance geoip-list
  edit <name>
    set action {deny | pass | redirect | send-403-forbidden}
    set log {enable|disable}
    set severity {high | low | medium}
    set status {enable|disable}
    config geoip-member
      edit <No.>
        set region-list <country-code>
      next
    end
  next
end

action

  • Pass
  • Deny
  • Redirect (you can specify a redirect URL in the virtual server configuration)
  • Send 403 Forbidden

Note: Layer 4 and TCPS virtual servers do not support Redirect or Send 403 Forbidden. If you apply a configuration that uses these options to a Layer 4 or TCPS virtual server, FortiADC logs the action as Redirect or Send 403 Forbidden, but in fact denies the traffic.

log

Enable/disable logging.

severity

The severity to apply to the event. Severity is useful when you filter and sort logs:

  • low
  • medium
  • high

status

Enable/disable the list.

config geoip-member

region-list

Specify a geolocation object. Type ? to see a list. The list includes countries as well as selections for anonymous proxies and satellite providers.

Example

FortiADC-VM # config load-balance geoip-list

 

FortiADC-VM (geoip-list) # edit demo

Add new entry 'demo' for node 2883

 

FortiADC-VM (demo) # get

log : disable

action : deny

severity : low

status : enable

 

FortiADC-VM (demo) # set log enable

FortiADC-VM (demo) # set severity high

 

FortiADC-VM (demo) # config geoip-member

FortiADC-VM (geoip-member) # edit 1

Add new entry '1' for node 2888

 

FortiADC-VM (1) # set region-list ?

ZZ Reserved

A1 Anonymous Proxy

A2 Satellite Provider

O1 Other Country

AD Andorra

AE United Arab Emirates

AF Afghanistan

AG Antigua and Barbuda

AI Anguilla

AL Albania

AM Armenia

AN Netherlands Antilles

AO Angola

AP Asia/Pacific Region

AQ Antarctica

AR Argentina

AS American Samoa

AT Austria

AU Australia

AW Aruba

AX Aland Islands

AZ Azerbaijan

BA Bosnia and Herzegovina

BB Barbados

BD Bangladesh

BE Belgium

BF Burkina Faso

BG Bulgaria

BH Bahrain

BI Burundi

BJ Benin

BL Saint Bartelemey

BM Bermuda

BN Brunei Darussalam

BO Bolivia

BQ Bonaire, Saint Eustatius and Saba

BR Brazil

BS Bahamas

BT Bhutan

BV Bouvet Island

BW Botswana

BY Belarus

BZ Belize

CA Canada

CC Cocos (Keeling) Islands

CD Congo, The Democratic Republic of the

CF Central African Republic

CG Congo

CH Switzerland

CI Cote d'Ivoire

CK Cook Islands

CL Chile

CM Cameroon

CN China

CO Colombia

CR Costa Rica

CU Cuba

CV Cape Verde

CW Curacao

CX Christmas Island

CY Cyprus

CZ Czech Republic

DE Germany

DJ Djibouti

DK Denmark

DM Dominica

DO Dominican Republic

DZ Algeria

EC Ecuador

EE Estonia

EG Egypt

EH Western Sahara

ER Eritrea

ES Spain

ET Ethiopia

EU Europe

FI Finland

FJ Fiji

FK Falkland Islands (Malvinas)

FM Micronesia, Federated States of

FO Faroe Islands

FR France

GA Gabon

GB United Kingdom

GD Grenada

GE Georgia

GF French Guiana

GG Guernsey

GH Ghana

GI Gibraltar

GL Greenland

GM Gambia

GN Guinea

GP Guadeloupe

GQ Equatorial Guinea

GR Greece

GS South Georgia and the South Sandwich Islands

GT Guatemala

GU Guam

GW Guinea-Bissau

GY Guyana

HK Hong Kong

HM Heard Island and McDonald Islands

HN Honduras

HR Croatia

HT Haiti

HU Hungary

ID Indonesia

IE Ireland

IL Israel

IM Isle of Man

IN India

IO British Indian Ocean Territory

IQ Iraq

IR Iran, Islamic Republic of

IS Iceland

IT Italy

JE Jersey

JM Jamaica

JO Jordan

JP Japan

KE Kenya

KG Kyrgyzstan

KH Cambodia

KI Kiribati

KM Comoros

KN Saint Kitts and Nevis

KP Korea, Democratic People's Republic of

KR Korea, Republic of

KW Kuwait

KY Cayman Islands

KZ Kazakhstan

LA Lao People's Democratic Republic

LB Lebanon

LC Saint Lucia

LI Liechtenstein

LK Sri Lanka

LR Liberia

LS Lesotho

LT Lithuania

LU Luxembourg

LV Latvia

LY Libyan Arab Jamahiriya

MA Morocco

MC Monaco

MD Moldova, Republic of

ME Montenegro

MF Saint Martin

MG Madagascar

MH Marshall Islands

MK Macedonia

ML Mali

MM Myanmar

MN Mongolia

MO Macao

MP Northern Mariana Islands

MQ Martinique

MR Mauritania

MS Montserrat

MT Malta

MU Mauritius

MV Maldives

MW Malawi

MX Mexico

MY Malaysia

MZ Mozambique

NA Namibia

NC New Caledonia

NE Niger

NF Norfolk Island

NG Nigeria

NI Nicaragua

NL Netherlands

NO Norway

NP Nepal

NR Nauru

NU Niue

NZ New Zealand

OM Oman

PA Panama

PE Peru

PF French Polynesia

PG Papua New Guinea

PH Philippines

PK Pakistan

PL Poland

PM Saint Pierre and Miquelon

PN Pitcairn

PR Puerto Rico

PS Palestinian Territory

PT Portugal

PW Palau

PY Paraguay

QA Qatar

RE Reunion

RO Romania

RS Serbia

RU Russian Federation

RW Rwanda

SA Saudi Arabia

SB Solomon Islands

SC Seychelles

SD Sudan

SE Sweden

SG Singapore

SH Saint Helena

SI Slovenia

SJ Svalbard and Jan Mayen

SK Slovakia

SL Sierra Leone

SM San Marino

SN Senegal

SO Somalia

SR Suriname

SS South Sudan

ST Sao Tome and Principe

SV El Salvador

SX Sint Maarten

SY Syrian Arab Republic

SZ Swaziland

TC Turks and Caicos Islands

TD Chad

TF French Southern Territories

TG Togo

TH Thailand

TJ Tajikistan

TK Tokelau

TL Timor-Leste

TM Turkmenistan

TN Tunisia

TO Tonga

TR Turkey

TT Trinidad and Tobago

TV Tuvalu

TW Taiwan

TZ Tanzania, United Republic of

UA Ukraine

UG Uganda

UM United States Minor Outlying Islands

US United States

UY Uruguay

UZ Uzbekistan

VA Holy See (Vatican City State)

VC Saint Vincent and the Grenadines

VE Venezuela

VG Virgin Islands, British

VI Virgin Islands, U.S.

VN Vietnam

VU Vanuatu

WF Wallis and Futuna

WS Samoa

XK Kosovo

YE Yemen

YT Mayotte

ZA South Africa

ZM Zambia

ZW Zimbabwe

CN11 China,Beijing

CN12 China,Tianjin

CN13 China,Hebei

CN14 China,Shanxi(Taiyuan)

CN15 China,Neimenggu

CN21 China,Liaoning

CN22 China,Jilin

CN23 China,Heilongjiang

CN31 China,Shanghai

CN32 China,Jiangsu

CN33 China,Zhejiang

CN34 China,Anhui

CN35 China,Fujian

CN36 China,Jiangxi

CN37 China,Shandong

CN41 China,Henan

CN42 China,Hubei

CN43 China,Hunan

CN44 China,Guangdong

CN45 China,Guangxi

CN46 China,Hainan

CN50 China,Chongqing

CN51 China,Sichuan

CN52 China,Guizhou

CN53 China,Yunnan

CN54 China,Xizang

CN61 China,Shaanxi(Xian)

CN62 China,Gansu

CN63 China,Qinghai

CN64 China,Ningxia

CN65 China,Xinjiang

 

FortiADC-VM (1) # set region-list FM

 

FortiADC-VM (1) # get

region-list : FM

FortiADC-VM (1) # end

 

FortiADC-VM (demo) # get

log : enable

action : deny

severity : high

status : enable

== [ 1 ]

 

FortiADC-VM (demo) # end
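
The Note on Layer 4 and TCPS virtual servers means a log entry can report Redirect or Send 403 Forbidden while the traffic was in fact denied. The following added example (not Fortinet code) parses a geoip-list block written in the syntax above and reports lists where the logged and enforced actions differ. The sample configuration, the list names and the mapping from list to virtual server type are constructed assumptions.

```python
# Defaults as shown by `get` on a newly created entry in the example above.
DEFAULTS = {"action": "deny", "log": "disable", "severity": "low", "status": "enable"}
L7_ONLY = {"redirect", "send-403-forbidden"}  # not supported on Layer 4 / TCPS
# Constructed sample in the documented syntax; not taken from a real device.
SAMPLE_CONFIG = """
config load-balance geoip-list
  edit web-block
    set action redirect
    config geoip-member
      edit 1
        set region-list A1
      next
    end
  next
  edit tcp-block
    set action send-403-forbidden
    config geoip-member
      edit 1
        set region-list FM
      next
    end
  next
end
"""
# Assumption: which virtual server type references each list (not parsed here).
SAMPLE_USAGE = {"web-block": "l7", "tcp-block": "l4"}

def parse_geoip_lists(text):
    """Parse nested config/edit/set/end lines into {name: settings}."""
    lists, current, depth = {}, None, 0
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "config":
            depth += 1
        elif tok[0] == "end":
            depth -= 1
        elif tok[0] == "edit" and depth == 1:
            current = lists.setdefault(tok[1], dict(DEFAULTS, regions=[]))
        elif tok[0] == "set" and depth == 2 and tok[1] == "region-list":
            current["regions"].append(tok[2])
        elif tok[0] == "set" and depth == 1:
            current[tok[1]] = tok[2]
    return lists

def audit(text, usage):
    """Return (name, logged action, enforced action) where the two differ."""
    findings = []
    for name, cfg in parse_geoip_lists(text).items():
        if usage.get(name) in ("l4", "tcps") and cfg["action"] in L7_ONLY:
            findings.append((name, cfg["action"], "deny"))
    return findings
```

A finding is a reason to set the list's action to deny explicitly, so that logs filtered by action match what the virtual server actually did.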

 
