Geography-based addresses
Geography addresses are address objects whose membership is determined by the country an IP address is assigned to. This type of address is only available in the IPv4 address category.
Creating a geography address
- Go to Policy & Objects > Addresses.
- Select Create New > Address.
- In the Category field, select Address (this is for IPv4 addresses).
- Input a Name for the address object.
- In the Type field, select Geography from the drop down menu.
- In the Country field, select a single country from the drop down menu.
- In the Interface field, leave as the default any or select a specific interface from the drop down menu.
- Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
- Input any additional information in the Comments field.
- Click OK.
Example: Geography-based address
Configuring the address in the GUI
Your company is US-based and has information on its website that may be considered information that is not allowed to be sent to embargoed countries. To help reduce the possibility of sensitive information going to those countries, you have been asked to set up addresses for those countries so that they can be blocked in the firewall policies.
- One of the countries you have been asked to block is Cuba.
- You have been asked to add comments to the addresses so that other administrators will know why they have been created.
- Go to Policy & Objects > Objects > Addresses and select Create New > Address.
- Fill out the fields with the following information:

| Field | Value |
|---|---|
| Category | Address |
| Name | Cuba |
| Type | Geography |
| Country | Cuba |
| Interface | wan1 |
| Visibility | <enable> |
| Comments | Embargoed |

- Select OK.
Configuring the address in the CLI
Enter the following CLI commands:
config firewall address
    edit Cuba
        set type geography
        set country CU
        set associated-interface wan1
        set comment Embargoed
    next
end
Overrides
It is possible to assign a specific IP address range to a customized country ID. Generally, geographic addressing is done at the VDOM level; it could be considered global if you are using the root VDOM, but the geoip-override setting is itself a global setting.
config system geoip-override
    edit "test"
        set country-id "A0"
        config ip-range
            edit 1
                set start-ip 7.7.7.7
                set end-ip 7.7.7.8
            next
            edit 2
                set start-ip 7.7.10.1
                set end-ip 7.7.10.255
            next
        end
    next
end
After creating a customized country with the geoip-override command, the new country name is added automatically to the country list and becomes available in the Country field of a firewall address.
Diagnose commands
There are a few diagnose commands used with geographic addresses. The basic syntax is:
diagnose firewall ipgeo [country-list | ip-list | ip2country | override | copyright-notice]
| Diagnose command | Description |
|---|---|
| country-list | Listing of all the countries. |
| ip-list | List of the IP addresses associated with a country. |
| ip2country | Used to determine which country a specific IP address is assigned to. |
| override | Listing of user-defined geography data: items configured with the config system geoip-override command. |
| copyright-notice | Shows the copyright notice. |
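The following Python script is an added example, not part of this page or of FortiOS; it models how the geoip-override entries above and the ip2country lookup fit together so an administrator can sanity-check an override block before applying it. It parses the `config system geoip-override` text shown on this page, rejects ranges whose start-ip is above their end-ip, flags overlapping ranges (which would make classification ambiguous), and resolves an address the way `diagnose firewall ipgeo ip2country` does, with overrides taking precedence over the built-in database. The base GeoIP table, the helper names and the sample prefixes are all constructed assumptions; the real FortiGate database is not included.

```python
"""Model of FortiGate geoip-override precedence and ip2country resolution (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the built-in GeoIP database (hypothetical prefixes, not real data).
BASE_GEO_DB: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("7.7.0.0/16"): "US",
    ipaddress.ip_network("152.206.0.0/16"): "CU",
}

# The geoip-override block from the page, verbatim apart from indentation.
SAMPLE_OVERRIDE = """
config system geoip-override
    edit "test"
        set country-id "A0"
        config ip-range
            edit 1
                set start-ip 7.7.7.7
                set end-ip 7.7.7.8
            next
            edit 2
                set start-ip 7.7.10.1
                set end-ip 7.7.10.255
            next
        end
    next
end
"""


@dataclass
class GeoOverride:
    """One geoip-override entry: a custom country-id plus inclusive start/end IP ranges."""
    name: str
    country_id: str = ""
    ranges: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = field(default_factory=list)


def parse_geoip_override(cli_text: str) -> List[GeoOverride]:
    """Parse a 'config system geoip-override' block (hypothetical helper, layout as on the page).
    Raises ValueError for an ip-range whose start-ip is above its end-ip or is incomplete."""
    overrides: List[GeoOverride] = []
    current: Optional[GeoOverride] = None
    in_range = False
    start = end = None
    for raw in cli_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        cmd = tokens[0]
        if cmd == "config" and tokens[1:] == ["ip-range"]:
            in_range = True
        elif cmd == "edit" and not in_range:
            current = GeoOverride(name=tokens[1].strip('"'))
            overrides.append(current)
        elif cmd == "edit":                      # a numbered entry inside config ip-range
            start = end = None
        elif cmd == "set" and current is not None:
            key, value = tokens[1], tokens[2].strip('"')
            if key == "country-id":
                current.country_id = value
            elif key == "start-ip":
                start = ipaddress.ip_address(value)
            elif key == "end-ip":
                end = ipaddress.ip_address(value)
        elif cmd == "next" and in_range and current is not None:
            if start is None or end is None or start > end:
                raise ValueError(f"invalid ip-range in override {current.name!r}: {start}-{end}")
            current.ranges.append((start, end))
        elif cmd == "end" and in_range:
            in_range = False                     # the outer 'end' closes the whole block
    return overrides


def find_overlaps(overrides: List[GeoOverride]) -> List[Tuple[str, str]]:
    """Return pairs of override names whose ranges overlap; overlapping ranges make lookups ambiguous."""
    flat = sorted((s, e, o.name) for o in overrides for (s, e) in o.ranges)
    return [(n1, n2) for (s1, e1, n1), (s2, e2, n2) in zip(flat, flat[1:]) if s2 <= e1]


def ip2country(ip_str: str, overrides: List[GeoOverride],
               base_db: Dict[ipaddress.IPv4Network, str] = BASE_GEO_DB) -> Optional[str]:
    """Mimic 'diagnose firewall ipgeo ip2country': user overrides win over the base database."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version != 4:                          # geography addresses are IPv4-only (see page)
        return None
    for o in overrides:
        for start, end in o.ranges:
            if start <= ip <= end:
                return o.country_id
    for net, country in base_db.items():
        if ip in net:
            return country
    return None


if __name__ == "__main__":
    ovs = parse_geoip_override(SAMPLE_OVERRIDE)
    print("overlaps:", find_overlaps(ovs))
    for probe in ("7.7.7.8", "7.7.7.9", "7.7.10.100", "152.206.1.1", "10.0.0.1"):
        print(probe, "->", ip2country(probe, ovs))
```

Run it against a copy of your own override block before committing the change: a ValueError or a non-empty overlap list points at a range that will not classify the way you expect.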