Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

waf geo-block-list

Use this command to define large sets of client IP addresses to block based upon their associated geographical location.

Because network mappings may change as networks grow and shrink, if you use this feature, be sure to periodically update the geography-to-IP mapping database. To download the file, go to the Fortinet Customer Service & Support website:

https://support.fortinet.com

Optionally, you can also specify a list of IP addresses or IP address ranges that are exempt from this blocklist. For details, see waf geo-ip-except.

Alternatively, you can block clients individually (see server-policy custom-application application-policy) or based upon their reputation (see waf ip-intelligence).

To apply the rule, select it in a protection profile. For details, see waf web-protection-profile inline-protection or waf web-protection-profile offline-protection.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf geo-block-list

edit "<geography-to-ip_name>"

set severity {High | Medium | Low | Info}

set trigger "<trigger-policy_name>"

set exception-rule "<geo-ip-except_name>"

config country-list

edit <entry_index>

set country-name "<region_name>"

next

end

next

end

Variable Description Default

"<geography-to-ip_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs. Low

trigger "<trigger-policy_name>"

Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

exception-rule "<geo-ip-except_name>"

Enter the name of a list of exceptions to this blocklist. No default.

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

country-name "<region_name>"

Enter the name of a region (Antarctica or Bouvet Island) or country (U.S.) as it is written in English. Surround names with multiple words or apostrophes in double quotes.

The list of locations varies by the currently installed IP-to-geography mapping package. For a current list of locations, use the web UI.

No default.

Example

This example creates a set of North American IP addresses that a server policy can use to block clients with IP addresses belonging to Belize and Canada. FortiWeb does not block the IP addresses specified by the allow-north-america exception list.

config waf geo-block-list

edit "north-america"

set trigger "notification-servers1"

set exception rule "allow-north-america"

set severity Low

config country-list

edit 1

set country-name "Belize"

next

edit 2

set country-name "Canada"

next

end

next

end

Related topics

waf geo-block-list

Use this command to define large sets of client IP addresses to block based upon their associated geographical location.

Because network mappings may change as networks grow and shrink, if you use this feature, be sure to periodically update the geography-to-IP mapping database. To download the file, go to the Fortinet Customer Service & Support website:

https://support.fortinet.com

Optionally, you can also specify a list of IP addresses or IP address ranges that are exempt from this blocklist. For details, see waf geo-ip-except.

Alternatively, you can block clients individually (see server-policy custom-application application-policy) or based upon their reputation (see waf ip-intelligence).

To apply the rule, select it in a protection profile. For details, see waf web-protection-profile inline-protection or waf web-protection-profile offline-protection.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf geo-block-list

edit "<geography-to-ip_name>"

set severity {High | Medium | Low | Info}

set trigger "<trigger-policy_name>"

set exception-rule "<geo-ip-except_name>"

config country-list

edit <entry_index>

set country-name "<region_name>"

next

end

next

end

Variable Description Default

"<geography-to-ip_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs. Low

trigger "<trigger-policy_name>"

Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

exception-rule "<geo-ip-except_name>"

Enter the name of a list of exceptions to this blocklist. No default.

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

country-name "<region_name>"

Enter the name of a region (Antarctica or Bouvet Island) or country (U.S.) as it is written in English. Surround names with multiple words or apostrophes in double quotes.

The list of locations varies by the currently installed IP-to-geography mapping package. For a current list of locations, use the web UI.

No default.

Example

This example creates a set of North American IP addresses that a server policy can use to block clients with IP addresses belonging to Belize and Canada. FortiWeb does not block the IP addresses specified by the allow-north-america exception list.

config waf geo-block-list

edit "north-america"

set trigger "notification-servers1"

set exception rule "allow-north-america"

set severity Low

config country-list

edit 1

set country-name "Belize"

next

edit 2

set country-name "Canada"

next

end

next

end

Related topics