Thanks for keeping it clean and simple. Appreciate it.

Thank your for the script! I was close to adding it all from the Gui. Coming from a Sophos UTM where you have a convenient GUI page with all countries listed and you just need to click 'select all' I was shocked how Fortinet implemented geoblocking.

GODS WORK!!!! Thank you soo much.

So much help! Thanks!

Thanks useful info in todays climate!

Great video. Keep up the good work.

Awesome vid!🙂

Informative and easy to follow

Nice! Thank you. Was missing match- vip

Great video... to the point. thanks

Doesn't setting trusted hosts essentially do the same thing and in a much less complex way? We have all our Fortigates locked down to just our WAN IP and the local data subnet for admin access.

Thanks for this script. It was looking like I was going to need to make one myself but I figured this has to be a common enough need that someone would have created it already. Honestly it's kind of dumb the way Fortinet executes this feature, and they should just add this script to the KBs or make a better way.

Great!! However, do you have an example for only allowing Unites states IPs on specific policy inbound using VIP? For instance, I have an IPv4 policy (VIP) established that no other country should be hitting, only the US. Should I just change "Source"- from all to the United States? Then in cli set match-vip enable on that particular VIP policy?

dude thank you so much!

Thank you, I was missing the Match-vip enable in policy and was wondering why there were no logs... Per the local in policy, we only allow FMG-Access and Ping on our Wan ports, but we do have SSLVPN turned on. Does the local in alow filter for the SSL users? or only the WAN ports?

Great video

Excellent Video.

very cool video...any thought of using the negate option (so basically you create a rule that says any traffic NOT from the US, block....?

Big Thanks to you bro...

thus Geolocation work on inbound policy who had natted public IP?

does VPN client affected on this setup? just curios if ill be in china and I want to access my internal files in US since all are block should VPN Client be also affected..

Is there the possibility to drop ( drop on floor ) instead of deny? Denial usually means to send a packet back..

sorry I have a doubt, what is the difference blocking IP address by firewall policy than blocking it by local in policy?

Question. If we wanted to allow only for instance Canada. Could we configure Canada as an address and accept only that one. Using Negate Source?

Hi - the set match-vip enable looks to be deprecated or not working on fortios 7.0? Any ideas?

Thanks!!

Nice video...simple and easy to use. Suggestion....in the script you have can you make the Address not visible. The reason I ask is now I need to change the visibility on all the countries in the Address list. I'm always using the Group in Addresses, not the individual country name. I'm changing the country visibility manually. Maybe you have a suggestion for changing the visibility in bulk

Thank you

Thank you, Great video. Script ?