Description
This article describes how to override FortiGate's Geo-IP address database.
FortiGate's Geo-IP address database shows and uses the physical location of an IP address by default, but in some cases, an IP address can be physically set on a device in one country, but that address is registered to a different country. The geo IP database can be overridden with the commands outlined below.
Scope
All FortiOS.
Solution
Note: For the purpose of this article, a Canadian Fortinet IP address of 173.243.138.81 will be used and overridden to show as being a United States address
Note: If VDOMs are enabled on the FortiGate, the ipgeo override feature is configured from the 'global' VDOM:
config vdom
edit global
config system geoip-override
edit "United States"
config ip-range
edit 1
set start-ip 173.243.138.81
set end-ip 173.243.138.81
next
end
next
end
Note: If VDOMs are not enabled on the FortiGate, there is no need to specify the VDOM when entering the ipgeo override commands:
config system geoip-override
edit "United States"
config ip-range
edit 1
set start-ip 173.243.138.81
set end-ip 173.243.138.81
next
end
next
end
To confirm that the above configuration was successful, use any of the below commands:
Note: If VDOMs are enabled on the FortiGate, the 'diagnose firewall ipgeo override' command must be run from the 'global' VDOM, but all others can be run from any VDOM:
diagnose firewall ipgeo override
Location: USA, code: A0 (ip-ranges 0) (ip6-ranges 0)
Location: United States, code: A1 (ip-ranges 1) (ip6-ranges 0)
ip-range 1: 173.243.138.81 - 173.243.138.81
diagnose geoip ip2country 173.243.138.81 <----- This CLI also can run in global--->config global.
173.243.138.81 - United States, is not anycast ip
diagnose geoip iprange United\ States | grep 173.243.138.81 <----- This CLI also can run in global--->config global.
173.243.138.81 -- 173.243.138.81
diagnose firewall ipgeo ip-list US | grep 173.243.138.81
173.243.138.81 - 173.243.138.81
Related article:
