Server Load Balance vIP's on FortiGate's

This might be a long post... I'll try to summarize as much as possible while trying to keep things understandable.

To cut a long story short, I wanted to be able to Geographically lock HTTP/HTTPS requests towards back-end web servers behind a FortiGate hosting a single WAN IP address. Hum, well, it's really not as easy as it sounds...

The problem being: how could I differentiate which HTTP host has been requested, in order to either allow or deny connectivity based on the Geo location of the visitor?

The answer is two features available on the latest FortiOS. You'll need the Load Balance feature and the Explicit/Transparent Proxy feature with reverse transparent proxy policies.

We will start with the Virtual Servers/Load Balance feature. Enable the feature view within the GUI here: System > Feature Visibility > Load Balance

Once this is done, you'll find a Virtual Server pane under the Policy & Objects > Virtual Servers menu, and this is what some configured Virtual Servers look like (IPs edited):

A view from the CLI might be more welcome here because a few settings depend on others. The view below shows the settings for the HTTPS load balancing vIP; the same principles apply to the HTTP Load Balance vIP, without the SSL part and of course addressing port 80. Both are needed if you intend to do HTTP to HTTPS redirections.

config firewall vip
    edit "vIP-HTTPS-LB-VS1"
        set type server-load-balance
        set extip 1.1.1.1
        set extintf "any"
        set server-type https
        set color 6
        set ldb-method http-host
        set persistence ssl-session-id
        set extport 443
        config realservers
            edit 1
                set ip 10.10.10.50
                set port 443
                set healthcheck disable
                set http-host "ghost.reverside.ch"
            next
            edit 2
                set ip 10.10.10.51
                set port 443
                set healthcheck disable
                set http-host "two.reverside.ch"
            next
            edit 3
                set ip 10.10.10.52
                set port 443
                set healthcheck disable
                set http-host "three.reverside.ch"
            next
            edit 4
                set ip 10.10.10.53
                set port 443
                set healthcheck disable
                set http-host "four.reverside.ch"
            next
        end
        set ssl-mode full
        set ssl-certificate "LE-reverside.ch"
    next
end

So, we ask for a few things here: that vIP object will do "server-load-balance" across the configured "realservers". Also note the ldb-method and http-host settings; this is where we match the requested host name on incoming requests.

Once we have our Virtual Server vIPs in place, we're ready to craft our inbound policies. Note that I'm not NATing traffic here because DNAT takes place upstream in my network setup.

There is now one little catch: what we want here is to proxy the traffic hitting those policies to the FortiGate WAD process, the Explicit Proxy process.

In order to do so, we enable the Proxy HTTP(S) traffic toggle on the policies.

Of course the Explicit Proxy feature needs to be enabled on your box. Once this is set up, we need Proxy policies in order to grab that traffic at the WAD level, as illustrated below.

And this is precisely where we can match Geographically locked objects. In my setup, three web services are locked to Switzerland and, you've guessed it, the Ghost server on which you're reading this post is open globally.

Note that you need to set up Firewall Proxy Addresses in order to match these policies (the ghost.reverside.ch object seen in the policy above). This is how I've configured those objects in my setup:

config firewall proxy-address
    edit "ghost.reverside.ch"
        set type host-regex
        set host-regex "ghost"
    next
    edit "two.reverside.ch"
        set type host-regex
        set host-regex "two"
    next
    edit "three.reverside.ch"
        set type host-regex
        set host-regex "three"
    next
    edit "four.reverside.ch"
        set type host-regex
        set host-regex "four"
    next
end
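To see how the vIP and the proxy addresses fit together, here is a small Python model of the decision this setup makes for one request. It is an added example, not FortiGate code: it uses the page's host names and (edited) IPs, and assumes that proxy policies are evaluated top-down with first match winning, that host-regex is an unanchored regex search over the Host header, and the country codes and policy order are my own.

```python
import re

# Hosts and real servers from the vIP on the page (IPs are the page's edited
# values). With ldb-method http-host the match is on the exact Host header.
REALSERVERS = {
    "ghost.reverside.ch": "10.10.10.50",
    "two.reverside.ch": "10.10.10.51",
    "three.reverside.ch": "10.10.10.52",
    "four.reverside.ch": "10.10.10.53",
}

# Proxy addresses as on the page: name -> host-regex. Note that the patterns
# are unanchored substrings.
PROXY_ADDRESSES = {
    "ghost.reverside.ch": "ghost",
    "two.reverside.ch": "two",
    "three.reverside.ch": "three",
    "four.reverside.ch": "four",
}

# Proxy policies in evaluation order: (proxy-address, allowed source countries).
# Country codes and ordering are assumed; "*" stands for "any country".
PROXY_POLICIES = [
    ("ghost.reverside.ch", {"*"}),
    ("two.reverside.ch", {"CH"}),
    ("three.reverside.ch", {"CH"}),
    ("four.reverside.ch", {"CH"}),
]


def host_regex_matches(pattern: str, host: str) -> bool:
    """host-regex modelled as a regex search over the Host header (assumption)."""
    return re.search(pattern, host) is not None


def anchored(hostname: str) -> str:
    """Stricter pattern: match the whole host name and nothing else."""
    return "^" + re.escape(hostname) + "$"


def evaluate(host: str, country: str):
    """First matching proxy policy decides; no match is an implicit deny.
    Returns (allowed, backend_ip); backend is None when no real server
    carries that exact http-host."""
    for addr_name, countries in PROXY_POLICIES:
        if host_regex_matches(PROXY_ADDRESSES[addr_name], host):
            allowed = "*" in countries or country in countries
            return allowed, (REALSERVERS.get(host) if allowed else None)
    return False, None
```

The `network.reverside.ch` case in the checks below is why the unanchored patterns deserve a second look: "two" is a substring of "network", so the proxy policy matches a host no real server carries, and anchoring the regex to the full host name keeps the policy as narrow as the vIP.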

With this setup, I can control which country can access which resources behind a single WAN IP address.

Well that's it. Hope you've enjoyed the read.

Cheers,
Obuno
