This article describes how to troubleshoot the issue where a local-in policy does not block the expected source addresses from all countries except the allowed country geo IP address.
Scope
FortiGate.
Solution
Check the full configuration of the local-in policies:
In this example, the goal is to deny all geo IP addresses except IP addresses from Cambodia. The local-in policies have the parameter 'srcaddr-negate enable'. This negates the source address set on each local-in policy, so the policies match the opposite of what is expected.
Proceed to correct the configuration in the CLI console:
    config firewall local-in-policy
        edit 1
            set srcaddr-negate disable
        next
        edit 2
            set srcaddr-negate disable
        next
    end
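For reference, the following is an added example (not from the original article) of a complete local-in policy set that achieves the stated goal: a geography address object for Cambodia, an accept policy matching it, and a deny-all policy below it, both with srcaddr-negate left disabled. The interface name wan1, the address object name Cambodia-geo, and the services HTTPS and SSH are assumptions chosen for illustration.

```fortios
# Geography address object for Cambodia (ISO 3166-1 alpha-2 code KH).
# Object name "Cambodia-geo" is an assumption for this example.
config firewall address
    edit "Cambodia-geo"
        set type geography
        set country "KH"
    next
end

# Local-in policies are evaluated top-down, first match wins:
# policy 1 accepts management traffic from Cambodia,
# policy 2 then denies the same services from every other source.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Cambodia-geo"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
        set srcaddr-negate disable
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
        set srcaddr-negate disable
    next
end
```

If srcaddr-negate were enabled on policy 1, it would accept every source except Cambodia, and the deny-all policy 2 would then only be reached by Cambodian sources, which is exactly the inverted behaviour described above.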