Every once in a while, clients will ask me how to block certain countries (that are known vectors of cyber attacks, such as China or Russia) from accessing their websites. It’s common to only allow US connections to access services, so why allow others who might not be on the up and up? By blocking countries known for cyber attacks, you can drastically reduce security risk.
Of course, most attackers can pivot through compromised computers in the US and bypass this control entirely, but it's still not a bad place to start. The example below shows how to create a firewall "country" address group and then block those countries from reaching any services hosted behind the firewall. This is done in FortiOS 5.4, but the steps are the same for 5.2.
Also, there are many ways to do this. Instead of blocking geographic regions, you could whitelist the ones you want to allow.
Before beginning, it might be a great idea to check out the new FortiView feature to see what countries access your services the most. Under FortiView you can now see the Countries tab.
Great, so in this example let's block China. I know it's not one of the top countries accessing my services.
First, create the address object that we want to block. In this case, I set the name of the address object as the country I want blocked. After creating the country object, I create an address group called “Country blocks” and add it to my firewall policy. In the future, if I want to block another country, I can just add that country object in the group and I am done.
To create the address object for “China”, first go to “Policy & Objects” and create a new object:
Next, fill in the needed info and change the address type to “Geography”:
Now, create that group, and add the “China” object to it:
And now just one more step: creating the firewall policy to block this address group:
Press OK, then move this policy to the top of your WAN-to-LAN policies (or whichever interface pair your services use) so it is evaluated before anything else.
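The same four steps from the FortiOS CLI, as an added example that is not part of the original post. The interface names "wan1" and "internal", the policy ID 5 and the logging setting are assumptions for illustration; the syntax is FortiOS 5.4 as used above, and the geography address takes the two-letter country code.

```text
# Step 1: geography address object for the country to block (assumed code "CN" for China)
config firewall address
    edit "China"
        set type geography
        set country "CN"
    next
end

# Step 2: the address group; add further country objects to "set member" later
config firewall addrgrp
    edit "Country blocks"
        set member "China"
    next
end

# Step 3: deny policy from the WAN to the internal network (interface names are assumptions)
# "edit 0" creates the policy with the next free ID; logging all traffic lets you
# confirm in FortiView / the logs that the block is actually matching.
config firewall policy
    edit 0
        set name "Block countries"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Country blocks"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Step 4: move the new policy (assumed ID 5) ahead of the first existing policy (assumed ID 1)
config firewall policy
    move 5 before 1
end
```

Run `show firewall policy` afterwards to verify the order; the deny policy must sit above any allow policy for the same interface pair or it will never be hit.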