FortiGate
Nishtha_Baria
Article Id 276652
Description This article describes the issue where an IP address is identified as being physically located in one region by FortiGuard, while other name resolution services map the same IP address to a different region.
Scope FortiGate.
Solution

In some cases, FortiGate may map an IP address to its physical location differently from other name resolution services or geolocation providers. This can result in geo-IP blocks impacting users or services even if they are registered in a different region. Users may question why FortiGate's geo-IP mapping differs from other sources.

 

The discrepancy in geo-IP mapping between FortiGate and other services can be attributed to the methodologies used by different geolocation providers to determine IP address locations. FortiGate, like other providers, relies on its own set of data and algorithms to make these determinations.

To address the issue and ensure consistent geolocation information, configure the firewall policy on FortiGate to use either the registered location or the physical location for geo-IP matching.

 

Steps to Correct the Geo-IP Location Issue:

  1. Access the CLI: Connect to the FortiGate using the Command Line Interface (CLI).
  2. Navigate to the Firewall Policy Configuration and Edit the Appropriate Policy:

config firewall policy
    edit <policy_number>

  3. Set Geo-IP Matching to Preferred Location: To use the registered location for geo-IP matching:

        set geoip-match registered-location

     To use the physical location for geo-IP matching (default behavior):

        set geoip-match physical-location

  4. Exit the Policy Edit Mode:

end

 

Configuring the firewall policy to use the preferred location (either registered or physical) can align FortiGate's geo-IP mapping with expectations and requirements.
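To find which policies this setting affects before changing it, the following added example (not part of the original article and not Fortinet code) reads a configuration backup and reports the geo-IP matching mode of every policy that references a geography address object. The sample configuration is constructed, the function names are hypothetical, and the parser assumes flat config blocks with no nested config sections or VDOMs.

```python
import shlex

# Constructed sample in the style of a FortiGate config backup (not real output).
SAMPLE = '''config firewall address
    edit "geo-country-a"
        set type geography
        set country "AA"
    next
end
config firewall policy
    edit 1
        set srcaddr "geo-country-a"
        set dstaddr "all"
    next
    edit 2
        set srcaddr "all"
        set dstaddr "geo-country-a"
        set geoip-match registered-location
    next
    edit 3
        set srcaddr "all"
        set dstaddr "all"
    next
end
'''

def parse_section(config, header):
    """Return {entry: {setting: [values]}} for one flat top-level config block."""
    entries, current, inside = {}, None, False
    for line in map(str.strip, config.splitlines()):
        if line == header:
            inside = True
        elif inside and line == "end":
            break
        elif inside and line.startswith("edit "):
            current = entries.setdefault(shlex.split(line)[1], {})
        elif inside and line.startswith("set ") and current is not None:
            current[shlex.split(line)[1]] = shlex.split(line)[2:]
    return entries

def geoip_policy_report(config):
    """Map policy id -> geoip-match mode for policies using geography addresses."""
    addrs = parse_section(config, "config firewall address")
    geo = {name for name, s in addrs.items() if s.get("type") == ["geography"]}
    report = {}
    for pid, s in parse_section(config, "config firewall policy").items():
        if geo & set(s.get("srcaddr", []) + s.get("dstaddr", [])):
            # Setting absent from the backup: physical location, the article's default.
            report[pid] = s.get("geoip-match", ["physical-location"])[0]
    return report
```

Policies reported with `physical-location` are the ones whose geo-IP blocks follow the physical mapping and are candidates for review when users registered in another region are affected.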

 

Understanding the Discrepancy:

It is important to note that different IP-geolocation service providers use varying methodologies to determine IP locations, and results may differ. In some cases, the physical location of an IP address may be influenced by factors such as data center locations and network routing. This can lead to disparities in geolocation results across different providers.

Resolving geo-IP location discrepancies in FortiGate involves configuring the firewall policy to use either the registered or physical location for geo-IP matching. Choosing the preferred location ensures that geo-IP blocks and access policies align with the intended geographical criteria.