Troubleshooting Tip: GeoIP address matching algorithm when using a local-in policy
| Description | This article describes the behavior of the GeoIP address matching algorithm when using the local-in policy. |
| Scope | FortiGate. |
| Solution | In this example, the goal is to block local-in traffic from IP 146.70.65.160. A local-in policy is configured with action 'deny' for traffic originating from the country 'Nigeria / NG'. |

Note that the default action of the local-in policy is deny, and it does not appear in the output of the regular 'show' command. Use 'show full-configuration firewall local-in-policy' to display both default and non-default parameters.

The expected result is a denial; however, the policy does not match because the physical location of the IP is Spain/'ES', not Nigeria/'NG'. By default, GeoIP matching in both the local-in policy and the regular firewall policy uses the physical location of the address, not the registered location in the geography IP database.

A regular firewall policy can be switched to registered-location matching with 'set geoip-match registered-location', as in the configuration below. This method is not supported when configuring a local-in policy.

```
config firewall policy
    edit 1
        set name "policy_id_1"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "test-geoip-CA"
        set action accept
        set schedule "always"
        set service "ALL"
        set geoip-match registered-location
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
    next
end
```
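As an added example (not part of the original article), the following FortiOS CLI fragment shows how the local-in deny rule for Nigeria described above is built from a geography address object, and contrasts it with the firewall-policy keyword that has no local-in equivalent. The interface name 'wan2', the address object name 'geo-NG' and the policy ID are assumptions.

```text
# Added example, not from the original article. Names are assumed.

# 1. Geography address object for Nigeria (ISO country code NG).
config firewall address
    edit "geo-NG"
        set type geography
        set country "NG"
    next
end

# 2. Local-in policy denying traffic from that object to the FortiGate
#    itself. GeoIP matching here uses the physical location only; there
#    is no 'geoip-match' keyword in this table, so an address that is
#    registered to NG but physically located in ES is not matched.
config firewall local-in-policy
    edit 1
        set intf "wan2"
        set srcaddr "geo-NG"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end

# 3. Only a regular firewall policy (forwarded traffic) accepts the
#    registered-location mode shown in the article:
#        set geoip-match registered-location
```

After applying the configuration, confirm the effective settings with 'show full-configuration firewall local-in-policy'; the absence of a 'geoip-match' line in that output is the reason a deny based on the registered country cannot be expressed for local-in traffic.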