goliver (Staff)
February 21, 2024

Troubleshooting Tip: Fixing GeoDB IP addresses that are appearing from the wrong country in analytics and are triggering rules

Description

This article describes how to resolve an issue where GeoDB IP addresses show up as the wrong country.

Scope

FortiSIEM, FortiGuard.

Solution

FortiSIEM uses the FortiGuard GeoDB IP service to display the geolocation of an IP address. Sometimes an IP is shown with the wrong country, either because of how the flag is displayed in Analytics or because the GeoDB entry itself is incorrect. These incorrect geolocations may cause rules to trigger erroneously, including:

  • 'Concurrent Failed Authentications To Same Account From Multiple Countries'.
  • 'Successful VPN Logon From Outside My Country'.
  • 'Concurrent Successful VPN Authentications To Same Account From Different Countries'.

Check that the home country is correctly configured:

Many rules and reports use the My Home CMDB Object as defined in RESOURCES -> Country Groups -> My Home.

By default, this is set to United States of America.

Next, check the IP against https://www.fortiguard.com/services/ipge to see whether the FortiGuard entry for that IP is up to date or whether FortiGuard is lagging behind other GeoDB providers.

The latest GeoDB updates can be downloaded under ADMIN -> Content Update.

If this still does not correct the issue, the IP can be contested here: https://www.fortiguard.com/faq/ipge.
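To make the dependency between the GeoDB mapping, the My Home country group and the rules above concrete, here is an added example (not code from the article or from FortiSIEM) that models two of the listed rules over constructed events. The GeoDB tables, the IP ranges (documentation prefixes), the usernames and the country assignments are all assumptions; the point is that the same events fire or stay quiet depending only on which country the GeoDB returns for one prefix.

```python
"""Toy model of how country-based SIEM rules depend on the GeoDB lookup.

Added example, not part of the Fortinet article. All IPs, users,
timestamps and country assignments below are constructed.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Default My Home value stated in the article.
MY_HOME = "United States of America"

# Constructed GeoDB with an assumed stale entry: the 203.0.113.0/24 documentation
# prefix is mapped to Brazil, while the "real" owner (for this example) is in the US.
STALE_GEODB = {
    ip_network("203.0.113.0/24"): "Brazil",
    ip_network("198.51.100.0/24"): "United States of America",
}
# Same table after a GeoDB content update (or a successful contest) fixed the entry.
CORRECTED_GEODB = dict(STALE_GEODB)
CORRECTED_GEODB[ip_network("203.0.113.0/24")] = "United States of America"

# Constructed events: one user with two VPN logons five minutes apart,
# another user with two failed authentications one minute apart.
EVENTS = [
    {"ts": "2024-02-21T09:00:00", "user": "alice", "src": "198.51.100.7", "type": "vpn_logon_success"},
    {"ts": "2024-02-21T09:05:00", "user": "alice", "src": "203.0.113.9", "type": "vpn_logon_success"},
    {"ts": "2024-02-21T09:10:00", "user": "bob", "src": "203.0.113.20", "type": "auth_fail"},
    {"ts": "2024-02-21T09:11:00", "user": "bob", "src": "198.51.100.30", "type": "auth_fail"},
]


def lookup_country(geodb, ip):
    """Longest-prefix-free lookup: return the country of the first network containing ip."""
    addr = ip_address(ip)
    for net, country in geodb.items():
        if addr in net:
            return country
    return "Unknown"


def vpn_logon_outside_home(events, geodb, home=MY_HOME):
    """Analogue of 'Successful VPN Logon From Outside My Country'."""
    return [
        e for e in events
        if e["type"] == "vpn_logon_success" and lookup_country(geodb, e["src"]) != home
    ]


def same_account_multiple_countries(events, geodb, event_type, window=timedelta(minutes=10)):
    """Analogue of 'Concurrent <event_type> To Same Account From Multiple Countries'.

    Returns the sorted list of accounts that have events of event_type from
    more than one country inside any sliding window of the given length.
    """
    by_user = {}
    for e in events:
        if e["type"] == event_type:
            by_user.setdefault(e["user"], []).append(e)

    hits = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["ts"])
            countries = {lookup_country(geodb, first["src"])}
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break
                countries.add(lookup_country(geodb, later["src"]))
            if len(countries) > 1:
                hits.add(user)
    return sorted(hits)


def changed_geolocations(events, old_geodb, new_geodb):
    """Triage helper: source IPs whose country differs between two GeoDB versions.

    These are the IPs worth checking against the FortiGuard lookup page before
    treating a rule incident as real.
    """
    out = {}
    for e in events:
        old, new = lookup_country(old_geodb, e["src"]), lookup_country(new_geodb, e["src"])
        if old != new:
            out[e["src"]] = (old, new)
    return out


if __name__ == "__main__":
    for label, db in (("stale GeoDB", STALE_GEODB), ("corrected GeoDB", CORRECTED_GEODB)):
        print(f"--- {label} ---")
        print("VPN logons outside My Home:", [e["src"] for e in vpn_logon_outside_home(EVENTS, db)])
        print("Concurrent VPN logons, multiple countries:",
              same_account_multiple_countries(EVENTS, db, "vpn_logon_success"))
        print("Concurrent failed auths, multiple countries:",
              same_account_multiple_countries(EVENTS, db, "auth_fail"))
    print("IPs whose country changed:", changed_geolocations(EVENTS, STALE_GEODB, CORRECTED_GEODB))
```

With the stale table every rule fires for both users; with the corrected table none of them do, and `changed_geolocations` lists exactly the one prefix whose entry moved, which is the set of IPs to verify on the FortiGuard lookup page and, if still wrong, to contest.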