GEO IP - Blocklisting & whitelisting countries & regions
While many websites are truly global in nature, others are specific to a region. Government web applications that provide services only to its residents are one example.
In such cases, when requests appear to originate from other parts of the world, it may not be worth the security risk to accept them.
- DDoS botnets and mercenary hackers might be the predominant traffic source.
- Anonymizing VPN services or Tor may have been used to mask the true source IP of an attacker that is actually within your own country.
Blacklisting clients individually in this case would be time-consuming and difficult to maintain due to PPPoE or other dynamic allocations of public IP addresses, and IP blocks that are re-used by innocent clients.
FortiWeb allows you to block traffic from many IP addresses that are currently known to belong to networks in other regions. It uses a MaxMind GeoLite (HTTPs://www.maxmind.com) database of mappings between geographical regions and all public IP addresses that are known to originate from them.
You can also specify exceptions to the blacklist, which allows you to, block a country or region but allow a geographic location within that country or region. If you configure Known Search Engines in Configuring known bots, blacklisting will also bypass client source IP addresses if they are using a known search engine.
Because network mappings may change as networks grow and shrink, if you use this feature, be sure to periodically update the geography-to-IP mapping database. To download the file, go to the Fortinet Customer Service & Support website:
|Because geographical IP policies are evaluated before many other techniques, defining these IP addresses can be used to improve performance. For details, see Sequence of scans.|
To configure blocking by geography
- Verify that client source IP addresses are visible to FortiWeb in either the X-headers or as the
SRCfield at the IP layer. For details, see Defining your web servers & load balancers.
If FortiWeb is behind an external load balancer that applies SNAT, for example, you may need to configure it to append its and the client’s IP address to
X-Forwarded-For:in the HTTP header so that FortiWeb can apply this feature. Otherwise, all traffic may appear to come from the same client, with a private network IP: the external load balancer.
- If you want to use a trigger to create a log message and/or alert email when a geographically blacklisted client attempts to connect to your web servers, configure the trigger first. For details, see Viewing log messages.
- If you need to exempt some clients’ public IP addresses, configure Geo IP reputation exemptions first:
- Go to IP Protection > Geo IP.
- To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
- Specify a name for the exception item, and then click OK.
- Click Create New to add IPv4/IPv6 addresses (for example,
2001::1) or IPv4/IPv6 ranges (for example,
2001::1-2001::100) to the exception item, as required.
|Name||Type a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.|
When rule violations are recorded in the attack log, each log message contains a Severity Level (
Select the action FortiWeb takes when it detects a blocklisted IP address.
|Exception||If required, select the exceptions configuration you created in If you need to exempt some clients’ public IP addresses, configure Geo IP reputation exemptions first:.|
|Trigger Policy||Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers. For details, see Viewing log messages.|
By default, FortiWeb scans the IP addresses in the X-Forwarded-For header at the HTTP layer. This causes high resource consumption. To enhance the performance, you can enable Ignore X-Forwarded-For so that the IP addresses can be scanned at the TCP layer instead. This avoids HTTP packets being processed unnecessarily.
In addition to countries, the Country list also includes distinct territories within a country, such as Puerto Rico and United States Minor Outlying Islands, and regions that are not associated with any country, such as Antarctica.
The web UI returns to the initial dialog. The countries that you are blocking will appear as individual entries.