Fortinet 332 FortiWeb 5.0 Patch 6 Administration Guide
In such cases, when requests appear to originate from other parts of the world, it may not be worth the security risk to accept them.
• DDoS botnets and mercenary hackers might be the predominant traffic source.
• Anonymizing VPN services or Tor may have been used to mask the true source IP of an attacker that is actually within your own country.
Blacklisting clients individually in this case would be time-consuming and difficult to maintain due to PPPoE or other dynamic allocations of public IP addresses, and IP blocks that are re-used by innocent clients.
If you want to block traffic from many IP addresses that are currently known to belong to networks in other regions, FortiWeb can help you to do so. It uses a MaxMind GeoLite database of mappings between geographical regions and all public IP addresses that are known to originate from them.
To configure blocking by geography
1. Verify that client source IP addresses are visible to FortiWeb in either the X-headers or as the SRC field at the IP layer (see “Defining your web servers & load balancers” on page 248).
If FortiWeb is behind an external load balancer that applies SNAT, for example, you may need to configure it to append its and the client’s IP address to X-Forwarded-For: in the HTTP header so that FortiWeb will be able to apply this feature. Otherwise, all traffic may appear to come from the same client, with a private network IP: the external load balancer.
2. If you want to use a trigger to create a log message and/or alert email when a geographically blacklisted client attempts to connect to your web servers, configure the trigger first. See “Configuring triggers” on page 557.
3. Go to Web Protection > Access > Geo IP.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “Permissions” on page 47.
X-header-derived client source IPs (see “Defining your proxies, clients, & X-headers” on page 266) do not support this feature in this release. If FortiWeb is deployed behind a load balancer or other web proxy that applies source NAT, this feature will not work.
Because network mappings may change as networks grow and shrink, if you use this feature, be sure to periodically update the geography-to-IP mapping database. To download the file, go to the Fortinet Technical Support web site.
Because geographical IP policies are evaluated before many other techniques, defining these IP addresses can be used to improve performance. For details, see “Sequence of scans” on page 23.
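The following is an added illustration of the evaluation described in step 1, not FortiWeb's own code or the GeoLite database: it resolves the client address either from the IP-layer source or, only when the immediate peer is a trusted SNAT load balancer, from X-Forwarded-For, then matches it against a constructed region-to-network table. The network blocks, country codes and the load balancer address 10.0.0.5 are assumptions for the example, and the case where the load balancer does not append X-Forwarded-For shows why all traffic then appears as one private client that never matches any region.

```python
import ipaddress
from typing import Optional

# Constructed sample geography-to-IP mapping (NOT MaxMind GeoLite data):
# each entry maps a public network block to a two-letter country code.
GEO_MAPPING = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "DE",
    "192.0.2.0/24": "CN",
}
GEO_NETWORKS = [(ipaddress.ip_network(n), cc) for n, cc in GEO_MAPPING.items()]

# Regions this example policy blocks; anything else is allowed.
BLOCKED_COUNTRIES = {"CN"}

# Assumed address of the external load balancer that applies SNAT and is
# trusted to append the original client address to X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def lookup_country(ip: str) -> Optional[str]:
    """Return the country code for ip, or None if unmapped (e.g. private)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # malformed header value: treat as unmapped
    for net, cc in GEO_NETWORKS:
        if addr in net:
            return cc
    return None


def client_ip(src_ip: str, x_forwarded_for: Optional[str]) -> str:
    """Choose the address to evaluate. X-Forwarded-For is honoured only when
    the packet's IP-layer source is a trusted proxy; otherwise the IP-layer
    SRC field is used, so an arbitrary client cannot spoof its region."""
    if ipaddress.ip_address(src_ip) in TRUSTED_PROXIES and x_forwarded_for:
        # Left-most entry is the original client; later entries are proxies.
        return x_forwarded_for.split(",")[0].strip()
    return src_ip


def geo_decision(src_ip: str, x_forwarded_for: Optional[str] = None) -> str:
    """Return 'block' if the resolved client falls in a blocked region."""
    country = lookup_country(client_ip(src_ip, x_forwarded_for))
    return "block" if country in BLOCKED_COUNTRIES else "allow"
```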