Description
This article explains why the FortiGuard Geolocation IP lookup may show a different location for an IP address than other sites do, and provides instructions on how to change the way the location is determined.
Scope
Any currently supported version of FortiGate.
Solution
Every IP address has two locations: the registered location and the physical location.
The registered location is where the IP address is registered, which is usually the location of the ISP.
The physical location is the actual geographic location where the person using the IP is located.
By default, the FortiGuard Geolocation service uses the physical location. Third party sites usually show the registered location of the IP address.
It is possible to configure FortiGuard to instead provide the registered location of IP addresses. Follow the instructions in this article to do this.
First, ensure FortiGate is updated to the latest geographical IP database:
# execute update-geo-ip
# diagnose autoupdate versions | grep -A5 Geo
FortiOS 6.4.0 and later provide an option to change the default from the physical location to the registered location.
The geoip-match policy option lets an IPv4 policy match an IP address by either its physical or its registered location when a geo-IP address object is used as the source or destination address.
In the following example, the physical location of 220.243.219.10 is CA (Canada), but the registered location is CN (China). The IP address is not anycast.
1) Create a firewall policy to match the IP.
# config firewall policy
edit 1
set name "policy_id_1"
set srcintf "wan2"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "test-geoip-CA"
set action accept
set schedule "always"
set service "ALL"
set geoip-match registered-location
set logtraffic all
set auto-asic-offload disable
set nat enable
next
end
Since Canada (test-geoip-CA) is used as the destination address and registered-location matching is enabled, traffic to 220.243.219.10 does not match this policy and is blocked, because the registered location of that IP is China.
2) Verify that the policy is blocking traffic to the IP address:
# diagnose sniffer packet any icmp 4
interfaces=[any]
filters=[icmp]
5.383798 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
6.381982 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
7.382608 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
^C
3 packets received by filter
0 packets dropped by kernel
To configure GeoIP matching based on physical location:
1) Create a firewall policy to match the IP.
# config firewall policy
edit 1
set name "policy_id_1"
set srcintf "wan2"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "test-geoip-CA"
set action accept
set schedule "always"
set service "ALL"
set geoip-match physical-location
set logtraffic all
set auto-asic-offload disable
set nat enable
next
end
Since CA is used as the destination address and physical-location matching is enabled, traffic to 220.243.219.10 matches the policy and passes through.
2) Verify that the policy is allowing traffic to the IP address:
# diagnose sniffer packet any icmp 4
interfaces=[any]
filters=[icmp]
5.273985 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
5.274176 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
6.274426 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
6.274438 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
7.273978 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
7.273987 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
^C
6 packets received by filter
0 packets dropped by kernel
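The two sniffer captures above differ only in whether each inbound echo request is followed by a matching outbound packet on wan1. The following helper, an added example and not part of the original article, parses 'diagnose sniffer packet' output and reports, per destination IP, how many packets entered and how many left the FortiGate, so the result of a geoip-match change can be checked without reading the capture by eye. The sample captures are the article's own output lines, assembled here as inline test data.

```python
import re
from collections import defaultdict

# Sniffer output from the article's two verification steps (registered-location
# policy first, physical-location policy second), embedded as sample input.
BLOCKED_CAPTURE = """\
5.383798 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
6.381982 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
7.382608 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
"""

ALLOWED_CAPTURE = """\
5.273985 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
5.274176 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
6.274426 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
6.274438 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
7.273978 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
7.273987 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
"""

# One sniffer line: <timestamp> <interface> <in|out> <src> -> <dst>: <proto>: <detail>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+?):\s+(?P<proto>\w+):"
)

def forwarding_summary(capture: str) -> dict:
    """Count ingress ('in') and egress ('out') packets per destination IP.

    A destination seen 'in' but never 'out' was dropped by the FortiGate;
    in the article's first scenario that happens because the geo-IP policy
    does not match under geoip-match registered-location, so the traffic
    falls through to the implicit deny.
    """
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines such as 'interfaces=[any]' or the packet totals
        counts[m["dst"]][m["dir"]] += 1
    return {dst: dict(c) for dst, c in counts.items()}

def was_forwarded(capture: str, dst: str) -> bool:
    """True when at least one packet to dst left on an egress interface."""
    return forwarding_summary(capture).get(dst, {}).get("out", 0) > 0
```

Note that with NAT enabled the egress packets carry the translated source (172.16.200.10 above), so the helper groups by destination rather than by source.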
Different physical and registered locations can occur for a number of reasons. For example, a person in the USA may use a proxy or VPN to connect to an IP in China and then contact a server in the USA.
In this scenario, the physical location would be the USA, but the registered location of the IP would be China.
Similarly, a scenario may occur where someone in China is using a USA proxy or VPN to connect to a server in the USA. In this case, the physical location would be China while the registered location of the IP would be the USA.
Copyright 2024 Fortinet, Inc. All Rights Reserved.