ppatel
Staff & Editor
Article Id 196086

Description

 
This article describes how to troubleshoot the GeoIP database.
The geography-based addressing feature requires that the GeoIP database is loaded onto the FortiGate from the FDS servers. When a GeoIP address is configured and associated with a firewall policy, the geography-based address list corresponding to the country is loaded into memory.
 
Scope
 
FortiGate.


Solution


To load the GeoIP database on the FortiGate, it is mandatory to have:

  • A valid firmware and support contract
  • DNS resolution (on the FortiGate management VDOM)
  • Access to the Internet using TCP port 443 or to FortiManager using TCP port 9443 (from the management VDOM)

The GeoIP update uses the same mechanism to load the database from FDS as the AV and IPS database updates. Some troubleshooting KB articles are listed under 'Related article'.

Here is a summary of troubleshooting commands for the GeoIP database.

To check DNS resolution from the management VDOM:

 

exec ping update.fortiguard.net

 

To check that TCP port 443 is allowed from the management VDOM interface to the Internet:

 

diagnose sniff packet <interface-name> 'port 443'

 

To check the communication between FortiGate and FDS:

 

diagnose debug application update 255

diagnose debug enable

 

To disable the debug output:

 

diagnose debug application update 0

diagnose debug disable

 

To force the FortiGate to retrieve the GeoIP database:

 

execute update-geo-ip

 

To list the current database version:

 

diagnose autoupdate versions | grep "IP Geography" -A 6

IP Geography DB
---------
Version: 3.00027
Contract Expiry Date: n/a
Last Updated using manual update on Tue Nov  6 00:45:00 2018
Last Update Attempt: Sun Sep 29 12:59:19 2019

 

To check whether an IP address is part of the loaded GeoIP database:

 

diagnose firewall ipgeo ip2country <Ip address>

 

Example:

 

FGT1#  diagnose firewall ipgeo ip2country 8.8.8.8
8.8.8.8 is in country:US

 

Related article:

Troubleshooting Tip: Diagnosing FortiGuard problems of Antivirus, Intrusion Prevention, Web Filterin...