FortiGate
nithincs
Staff
Article Id 190341

Description

 

This article provides commands to verify GeoIP information and to change or troubleshoot the GeoIP database. IP addresses in the GeoIP database have both a physical and a registered location; an IP may be registered in one country and used in another. IP addresses in the GeoIP database also have an attribute indicating whether they are anycast addresses. Anycast addresses are typically used in multiple locations that may span multiple countries.

 

Note: if the FortiGate uses a VDOM configuration, commands of type "diagnose firewall" must be executed in a VDOM in which a security policy can be applied (i.e. not in the Global VDOM).

 

Scope


FortiGate.


Solution


Use the below command to identify the complete Geo-location of a specific IP address from FortiGuard IP Geography DB. This will initiate a query to FortiGuard and will provide added information under city/continent/country/subdivision/location/postal categories.

 

# diagnose geoip geoip-query <public ip>

 

Use the below command to identify the physical and registered locations of the public IP, as well as whether it is an anycast address. This will query the "local" GeoIP database (local is the FortiGuard-provided DB + geoip-override [more on that below] or, if there is no communication to FortiGuard, the DB included in the firmware + geoip-override).

 

# diagnose geoip ip2country <public ip>

 

Use the below command to identify the physical location of the Public IP as well as if the type is anycast. This will query the "local" GeoIP database.


# diagnose geoip ip2country <public ip>

 

Use the below command to look up the physical location (the actual geographic location where the person using the IP is located) and the registered location (where the IP address is registered) of the public IP:

      

# diagnose firewall ipgeo ip2country x.x.x.x

 

mercury-kvm26 # diagnose firewall ipgeo ip2country 208.91.112.52
208.91.112.52 is in country: CA, registered country is US, is anycast ip.

In the FortiGuard database, this IP has a physical location of CA (based on FortiGuard detection tools) and a registration location of US (based on public IP registration information).
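When a list of addresses has to be reviewed before it is used in a geography-based policy, the lookup output can be parsed to flag the two ambiguous cases described above: a physical location that differs from the registered one, and anycast addresses. The following is an added example, not part of the original article; the "is not anycast ip" wording for this command is an assumption taken from the `diagnose geoip ip2country` output, and the second sample line is constructed.

```python
import re

# Line format taken from the sample output above. The "is not anycast ip"
# variant for this command is an assumption based on the geoip output.
LINE_RE = re.compile(
    r"^(?P<ip>\S+) is in country: (?P<physical>[A-Z0-9]{2}), "
    r"registered country is (?P<registered>[A-Z0-9]{2}), "
    r"is (?P<not>not )?anycast ip\.?$",
    re.IGNORECASE,
)

# First result line is from the article; the second is constructed.
SAMPLE = """\
mercury-kvm26 # diagnose firewall ipgeo ip2country 208.91.112.52
208.91.112.52 is in country: CA, registered country is US, is anycast ip.
198.51.100.7 is in country: DE, registered country is DE, is not anycast ip.
"""

def parse_ip2country(line):
    """Parse one result line; return None for prompts and other text."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "physical": m["physical"].upper(),
        "registered": m["registered"].upper(),
        "anycast": m["not"] is None,
    }

def review_flags(rec):
    """Reasons why a country-based match on this IP needs a second look."""
    flags = []
    if rec["physical"] != rec["registered"]:
        flags.append("physical/registered mismatch")
    if rec["anycast"]:
        flags.append("anycast")
    return flags

def audit(capture):
    """Map each IP found in a captured CLI session to its review flags."""
    records = (parse_ip2country(line) for line in capture.splitlines())
    return {rec["ip"]: review_flags(rec) for rec in records if rec}

if __name__ == "__main__":
    for ip, flags in audit(SAMPLE).items():
        print(ip, flags or "no flags")
```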

 

Use the below command to list the IPs or IP ranges belonging to a specific country. This will query the "local" GeoIP database. Note that only IPv4 ranges are returned; use the keyword "iprange6" for IPv6. The "country name" should start with a capital letter, and each space needs to be preceded by a backslash character ("\").

 

# diagnose geoip iprange <country name>

 

Example:

 

# diagnose geoip iprange Canada
# diagnose geoip iprange United\ States
# diagnose geoip iprange Brunei\ Darussalam

 

Use the below command to know the IPs or IP ranges belonging to a specific country. This will query the "local" GeoIP database.

 

# diagnose firewall ipgeo ip-list <country 2 letter code>

 

Use the below command to see the simplified list of two-letter country codes (mostly based on ISO 3166).

 

# diagnose firewall ipgeo country-list

 

Use the below command to see the IPs or IP ranges overriding the GeoIP database.

 

# diagnose firewall ipgeo override

 

To move a specific IP or range to a different Geo-location in FortiGate, follow the below steps. Note that this creates an override that is local to the FortiGate and has priority over the corresponding GeoIP database entry (if any). The override applies to both the physical and the registered locations.

 

Example 1: Address is overridden and moved from Canada to India

 

# diagnose geoip ip2country 208.91.112.52
208.91.112.52-Canada, is not anycast IP.

 

# config system geoip-override
   edit India
      config ip-range
         edit 1
            set start-ip 208.91.112.52
            set end-ip 208.91.112.52
         next
      end
   next
end

 

# diagnose firewall ipgeo override

Location: India, code: A0 (ip-ranges 1) (ip6-ranges 0)
   ip-range 1: 208.91.112.52 - 208.91.112.52

# diagnose geoip iprange India | grep 208.91.112.52
208.91.112.52 -- 208.91.112.52

 

# diagnose firewall ipgeo ip-list IN | grep 208.91.112.52
      208.91.112.52 - 208.91.112.52

 

Example 2: Address is overridden and moved from Canada to India in a multi-VDOM configuration

Note in multi-VDOM configuration, the override is applied in the Global VDOM.

 

FG3H (global) # diagnose geoip ip2country 208.91.112.52
208.91.112.52 - Canada, is not anycast ip

FG3H (global) # config system geoip-override

FG3H (geoip-override) # edit India
new entry 'India' added

FG3H (India) # config ip-range

FG3H (ip-range) # edit 1
new entry '1' added

FG3H (1) # set start-ip 208.91.112.52

FG3H (1) # set end-ip 208.91.112.52

FG3H (1) # next

FG3H (ip-range) # end

FG3H (India) # next

FG3H (geoip-override) # end

FG3H (global) # end

FG3H # config vdom

FG3H (vdom) # edit root
current vf=root:0

FG3H (root) # diagnose firewall ipgeo override

Location: India, code: A0 (ip-ranges 1) (ip6-ranges 0)
ip-range 1: 208.91.112.52 - 208.91.112.52

FG3H (root) # diagnose geoip iprange India | grep 208.91.112.52
208.91.112.52 -- 208.91.112.52

FG3H (root) # diagnose firewall ipgeo ip-list IN | grep 208.91.112.52
208.91.112.52 - 208.91.112.52

 

Example 3: Address is overridden and moved from Canada to a new "invented" country

 

# diagnose geoip ip2country 208.91.112.53
208.91.112.53 - Canada, is not anycast ip

 

# config system geoip-override
   edit NoCountryForOldMan
      config ip-range
         edit 1
            set start-ip 208.91.112.53
            set end-ip 208.91.112.53
         next
      end
   next
end

 

# diagnose geoip ip2country 208.91.112.53
208.91.112.53 - NoCountryForOldMan, is not anycast ip

 

# diagnose firewall ipgeo override

Location: NoCountryForOldMan, code: A0 (ip-ranges 1) (ip6-ranges 0)
   ip-range 1: 208.91.112.53 - 208.91.112.53

 

# diagnose firewall ipgeo ip-list A0
      208.91.112.53 - 208.91.112.53
Country name:A0 Total IP Range:1
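Because an override takes priority over the GeoIP database and changes both the physical and the registered location, it is worth reviewing the override list against what was intentionally configured. The following is an added example, not part of the original article, that parses a saved capture of `diagnose firewall ipgeo override`; the "LabNet" location, its code and the approved list are constructed for illustration.

```python
import ipaddress
import re

# Formats taken from the "diagnose firewall ipgeo override" output above.
# Only IPv4 "ip-range" lines are parsed; the page shows no IPv6 range lines.
LOC_RE = re.compile(r"^Location: (?P<name>.+?), code: (?P<code>\S+)")
RANGE_RE = re.compile(r"^ip-range \d+: (?P<start>\S+) - (?P<end>\S+)$")

# First location is from Example 3; "LabNet"/A1 is constructed.
SAMPLE_OVERRIDE = """\
Location: NoCountryForOldMan, code: A0 (ip-ranges 1) (ip6-ranges 0)
   ip-range 1: 208.91.112.53 - 208.91.112.53
Location: LabNet, code: A1 (ip-ranges 1) (ip6-ranges 0)
   ip-range 1: 203.0.113.0 - 203.0.113.255
"""

def parse_overrides(capture):
    """Return a list of (start, end, location_name, code) tuples."""
    overrides, location = [], None
    for raw in capture.splitlines():
        line = raw.strip()
        m = LOC_RE.match(line)
        if m:
            location = (m["name"], m["code"])
            continue
        m = RANGE_RE.match(line)
        if m and location:
            start = ipaddress.ip_address(m["start"])
            end = ipaddress.ip_address(m["end"])
            overrides.append((start, end, *location))
    return overrides

def override_for(ip, overrides):
    """Return (location, code) if an override covers ip, else None."""
    addr = ipaddress.ip_address(ip)
    for start, end, name, code in overrides:
        if addr.version == start.version and start <= addr <= end:
            return name, code
    return None

def unexpected_overrides(overrides, approved_locations):
    """List override ranges whose location is not on the approved list."""
    return [(name, str(start), str(end))
            for start, end, name, _code in overrides
            if name not in approved_locations]

if __name__ == "__main__":
    ovr = parse_overrides(SAMPLE_OVERRIDE)
    print(override_for("208.91.112.53", ovr))
    print(unexpected_overrides(ovr, {"LabNet"}))
```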

 

Geo-location identification of the public IP in FortiGate is dependent on FortiGuard IP Geography DB.


Use the below command to trigger an update of the FortiGuard IP Geography DB in FortiGate:

 

# execute update-geo-ip

 

Use the below command to know the current FortiGuard IP Geography DB version in the FortiGate.

 

# diagnose autoupdate versions | grep -A5 Geo
IP Geography DB
---------
Version: 3.00071
Contract Expiry Date: n/a
Last Updated using scheduled update on Sat Feb 20 12:28:26 2021
Last Update Attempt: Sun Feb 21 06:28:18 2021

 

If a particular IP shows a different result (a different Geo-location country) on https://www.fortiguard.com/services/ipge and on other public IP lookup websites, fill in the IP Geo-location Appeal Form to re-validate the IP address on:
https://www.fortiguard.com/faq/ipge