Handbook

Geography based addresses

6.0.0

Geography based addresses

Geography addresses are those determined by country of origin. This type of address is only available in the IPv4 address category.

Creating a geography address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New > Address.
  3. In the Category field, select Address (this is for IPv4 addresses).
  4. Input a Name for the address object.
  5. In the Type field, select Geography from the drop down menu.
  6. In the Country field, select a single country from the drop down menu.
  7. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
  8. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
  9. Input any additional information in the Comments field.
  10. Click OK.

Example: Geography-based address

Configuring the address in the GUI

Your company is US-based and its website carries information that may not be sent to embargoed countries. To help reduce the possibility of sensitive information going to those countries, you have been asked to set up addresses for those countries so that they can be blocked in the firewall policies.

  • One of the countries you have been asked to block is Cuba.
  • You have been asked to add comments to the addresses so that other administrators will know why they have been created.
  1. Go to Policy & Objects > Objects > Addresses and select Create New > Address.
  2. Fill out the fields with the following information:
    Category    Address
    Name        Cuba
    Type        Geography
    Country     Cuba
    Interface   wan1
    Visibility  <enable>
    Comments    Embargoed
  3. Select OK.

Configuring the address in the CLI

Enter the following CLI commands:

    config firewall address
        edit Cuba
            set type geography
            set country CU
            set associated-interface wan1
            set comment Embargoed
        next
    end

Overrides

It is possible to assign a specific IP address range to a customized country ID. Generally, geographic addressing is done at the VDOM level; it could be considered global if you are using the root VDOM, but the geoip-override setting is a global setting.

    config system geoip-override
        edit "test"
            set country-id "A0"
            config ip-range
                edit 1
                    set start-ip 7.7.7.7
                    set end-ip 7.7.7.8
                next
                edit 2
                    set start-ip 7.7.10.1
                    set end-ip 7.7.10.255
                next
            end
        next
    end

Note:
  • While the setting exists in the configuration file, the system assigns the country-id option automatically.
  • While you can use "edit 1" and "edit 2", it is simpler to use "edit 0" and let the system automatically assign an ID number.

After you create a customized country with the geoip-override command, the new country name is added automatically to the country list and is available in the Country field of a firewall address.
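
An added example, not part of the Fortinet handbook: a Python script that reads a geoip-override block from a configuration backup and flags inverted ranges and ranges claimed by more than one override, since either can place an address in a different country object than the policy author intended. It assumes the layout shown above (quoted override names, numeric range IDs); the function names are hypothetical.

```python
import ipaddress

# Constructed from this page's override; assumes quoted names, bare range IDs.
SAMPLE = """\
config system geoip-override
    edit "test"
        set country-id "A0"
        config ip-range
            edit 1
                set start-ip 7.7.7.7
                set end-ip 7.7.7.8
            next
            edit 2
                set start-ip 7.7.10.1
                set end-ip 7.7.10.255
            next
        end
    next
end
"""

def parse_overrides(text):
    """Return {override name: [(start, end), ...]} from a geoip-override block."""
    overrides, name, start = {}, None, None
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) == 2 and tok[0] == "edit" and tok[1].startswith('"'):
            name = tok[1].strip('"')
            overrides[name] = []
        elif tok[:2] == ["set", "start-ip"]:
            start = ipaddress.IPv4Address(tok[2])
        elif tok[:2] == ["set", "end-ip"]:
            overrides[name].append((start, ipaddress.IPv4Address(tok[2])))
    return overrides

def audit(overrides):
    """Flag inverted ranges and ranges claimed by two different overrides."""
    findings, seen = [], []
    for name, ranges in overrides.items():
        for start, end in ranges:
            if start > end:
                findings.append(f"{name}: inverted range {start}-{end}")
                continue
            findings += [f"{name}: {start}-{end} overlaps {other}"
                         for other, s, e in seen
                         if other != name and start <= e and s <= end]
            seen.append((name, start, end))
    return findings
if __name__ == "__main__":
    print(audit(parse_overrides(SAMPLE)) or "no findings")
```
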

Diagnose commands

There are a few diagnose commands used with geographic addresses. The basic syntax is:

diagnose firewall ipgeo [country-list | ip-list | ip2country | override | copyright-notice]

Diagnose command    Description
country-list        Listing of all the countries.
ip-list             List of the IP addresses associated with the country.
ip2country          Used to determine which country a specific IP address is assigned to.
override            Listing of user defined geography data - items configured with the config system geoip-override command.
copyright-notice    Shows the copyright notice.

Note: Click on the diagnose command in the table to connect to the Fortinet Diagnose Wiki page that deals with the command option, to get more information.
