Fortinet black logo

Administration Guide

GEO IP - Blocklisting & whitelisting countries & regions

GEO IP - Blocklisting & whitelisting countries & regions

While many websites are truly global in nature, others are specific to a region. Government web applications that provide services only to its residents are one example.

In such cases, when requests appear to originate from other parts of the world, it may not be worth the security risk to accept them.

  • DDoS botnets and mercenary hackers might be the predominant traffic source.
  • Anonymizing VPN services or Tor may have been used to mask the true source IP of an attacker that is actually within your own country.

Blacklisting clients individually in this case would be time-consuming and difficult to maintain due to PPPoE or other dynamic allocations of public IP addresses, and IP blocks that are re-used by innocent clients.

FortiWeb allows you to block traffic from many IP addresses that are currently known to belong to networks in other regions. It uses a MaxMind GeoLite (HTTPs://www.maxmind.com) database of mappings between geographical regions and all public IP addresses that are known to originate from them.

You can also specify exceptions to the blacklist, which allows you to, block a country or region but allow a geographic location within that country or region. If you configure Known Search Engines in Configuring known bots, blacklisting will also bypass client source IP addresses if they are using a known search engine.

Because network mappings may change as networks grow and shrink, if you use this feature, be sure to periodically update the geography-to-IP mapping database. To download the file, go to the Fortinet Customer Service & Support website:

HTTPs://support.fortinet.com

Because geographical IP policies are evaluated before many other techniques, defining these IP addresses can be used to improve performance. For details, see Sequence of scans.
To configure blocking by geography
  1. Verify that client source IP addresses are visible to FortiWeb in either the X-headers or as the SRC field at the IP layer. For details, see Defining your web servers & load balancers.
    If FortiWeb is behind an external load balancer that applies SNAT, for example, you may need to configure it to append its and the client’s IP address to X-Forwarded-For: in the HTTP header so that FortiWeb can apply this feature. Otherwise, all traffic may appear to come from the same client, with a private network IP: the external load balancer.
  2. If you want to use a trigger to create a log message and/or alert email when a geographically blacklisted client attempts to connect to your web servers, configure the trigger first. For details, see Viewing log messages.
  3. If you need to exempt some clients’ public IP addresses, configure Geo IP reputation exemptions first:
  • Go to IP Protection > Geo IP.
  • To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  • Specify a name for the exception item, and then click OK.
  • Click Create New to add IPv4/IPv6 addresses (for example, 192.168.0.1 or 2001::1) or IPv4/IPv6 ranges (for example, 192.168.0.1-192.168.0.256 or 2001::1-2001::100) to the exception item, as required.
  • Go to IP Protection > Geo IP.
  • Click Create New.
  • Configure these settings:
  • Name Type a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
    Severity

    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when a blacklisted IP address attempts to connect to your web servers:

    • Informative
    • Low
    • Medium
    • High
    Action

    Select the action FortiWeb takes when it detects a blocklisted IP address.

    • Alert & Deny — Block the request (or reset the connection) and generate an alert email and/or log message.

    • Deny (no log) —Blocks the requests from the IP address without sending an alert email and/or log message.

    • Period Block—Blocks the requests from the IP address for a certain period of time. The valid range is 1-600 seconds.

    Exception If required, select the exceptions configuration you created in If you need to exempt some clients’ public IP addresses, configure Geo IP reputation exemptions first:.
    Trigger Policy Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers. For details, see Viewing log messages.

    Ignore X-Forwarded-For

    By default, FortiWeb scans the IP addresses in the X-Forwarded-For header at the HTTP layer. This causes high resource consumption. To enhance the performance, you can enable Ignore X-Forwarded-For so that the IP addresses can be scanned at the TCP layer instead. This avoids HTTP packets being processed unnecessarily.

  • Click OK.
  • Click Create New.
  • From the Country list on the left, select one or more geographical regions that you want to block, then click the right arrow to move them to the Selected Country list on the right.
    In addition to countries, the Country list also includes distinct territories within a country, such as Puerto Rico and United States Minor Outlying Islands, and regions that are not associated with any country, such as Antarctica.
  • Click OK.
    The web UI returns to the initial dialog. The countries that you are blocking will appear as individual entries.
  • Click OK.
  • To apply your geographical blocking rule, select it in a protection profile that a server policy is using. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
  • See also

    GEO IP - Blocklisting & whitelisting countries & regions

    While many websites are truly global in nature, others are specific to a region. Government web applications that provide services only to its residents are one example.

    In such cases, when requests appear to originate from other parts of the world, it may not be worth the security risk to accept them.

    • DDoS botnets and mercenary hackers might be the predominant traffic source.
    • Anonymizing VPN services or Tor may have been used to mask the true source IP of an attacker that is actually within your own country.

    Blacklisting clients individually in this case would be time-consuming and difficult to maintain due to PPPoE or other dynamic allocations of public IP addresses, and IP blocks that are re-used by innocent clients.

    FortiWeb allows you to block traffic from many IP addresses that are currently known to belong to networks in other regions. It uses a MaxMind GeoLite (HTTPs://www.maxmind.com) database of mappings between geographical regions and all public IP addresses that are known to originate from them.

    You can also specify exceptions to the blacklist, which allows you to, block a country or region but allow a geographic location within that country or region. If you configure Known Search Engines in Configuring known bots, blacklisting will also bypass client source IP addresses if they are using a known search engine.

    Because network mappings may change as networks grow and shrink, if you use this feature, be sure to periodically update the geography-to-IP mapping database. To download the file, go to the Fortinet Customer Service & Support website:

    HTTPs://support.fortinet.com

    Because geographical IP policies are evaluated before many other techniques, defining these IP addresses can be used to improve performance. For details, see Sequence of scans.
    To configure blocking by geography
    1. Verify that client source IP addresses are visible to FortiWeb in either the X-headers or as the SRC field at the IP layer. For details, see Defining your web servers & load balancers.
      If FortiWeb is behind an external load balancer that applies SNAT, for example, you may need to configure it to append its and the client’s IP address to X-Forwarded-For: in the HTTP header so that FortiWeb can apply this feature. Otherwise, all traffic may appear to come from the same client, with a private network IP: the external load balancer.
    2. If you want to use a trigger to create a log message and/or alert email when a geographically blacklisted client attempts to connect to your web servers, configure the trigger first. For details, see Viewing log messages.
    3. If you need to exempt some clients’ public IP addresses, configure Geo IP reputation exemptions first:
    • Go to IP Protection > Geo IP.
    • To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
    • Specify a name for the exception item, and then click OK.
    • Click Create New to add IPv4/IPv6 addresses (for example, 192.168.0.1 or 2001::1) or IPv4/IPv6 ranges (for example, 192.168.0.1-192.168.0.256 or 2001::1-2001::100) to the exception item, as required.
  • Go to IP Protection > Geo IP.
  • Click Create New.
  • Configure these settings:
  • Name Type a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
    Severity

    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when a blacklisted IP address attempts to connect to your web servers:

    • Informative
    • Low
    • Medium
    • High
    Action

    Select the action FortiWeb takes when it detects a blocklisted IP address.

    • Alert & Deny — Block the request (or reset the connection) and generate an alert email and/or log message.

    • Deny (no log) —Blocks the requests from the IP address without sending an alert email and/or log message.

    • Period Block—Blocks the requests from the IP address for a certain period of time. The valid range is 1-600 seconds.

    Exception If required, select the exceptions configuration you created in If you need to exempt some clients’ public IP addresses, configure Geo IP reputation exemptions first:.
    Trigger Policy Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers. For details, see Viewing log messages.

    Ignore X-Forwarded-For

    By default, FortiWeb scans the IP addresses in the X-Forwarded-For header at the HTTP layer. This causes high resource consumption. To enhance the performance, you can enable Ignore X-Forwarded-For so that the IP addresses can be scanned at the TCP layer instead. This avoids HTTP packets being processed unnecessarily.

  • Click OK.
  • Click Create New.
  • From the Country list on the left, select one or more geographical regions that you want to block, then click the right arrow to move them to the Selected Country list on the right.
    In addition to countries, the Country list also includes distinct territories within a country, such as Puerto Rico and United States Minor Outlying Islands, and regions that are not associated with any country, such as Antarctica.
  • Click OK.
    The web UI returns to the initial dialog. The countries that you are blocking will appear as individual entries.
  • Click OK.
  • To apply your geographical blocking rule, select it in a protection profile that a server policy is using. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
  • See also