FortiGate
npariyar
Staff
Article Id 241525

Description

 

This article explains how to work around an issue where the FortiGuard GeoIP database places an IP address in a different country than expected (for example, the country of the entity that registered the address range).

 

Scope

 

FortiGate

 

Solution

 

For example, suppose X.X.X.X (in X.X.X.0/23) is registered to a US entity. The FortiGuard looking-glass server in India, however, measures a low round-trip time to it (< 8 ms RTT), which indicates a short geographic distance. It is therefore very likely that this subnet is deployed on devices located in India. Independent sources such as perfops.net/ping-from-Pune and https://lg.he.net/ can be used to verify the location.

 

By default, the IP geolocation database records and uses the physical location of an IP address, which is not necessarily the country of the entity that registered it. In this case, it therefore does not report 'US'. Reporting the actual geographic location of an IP is important in many areas, from location-based services to malware detection. However, the database also carries registration-country data, kept separate from the geographic-location data. To match on the 'registration' location ('US' here) of this IP range instead of its physical location ('IN'/India here) in a firewall policy on a device running FortiOS 6.4 or later, modify the policy as follows:

 

config firewall policy
    edit 1
        set geoip-match registered-location
    next
end

The option accepts 'physical-location' (the default) or 'registered-location'; set it back to 'physical-location' to return to the default matching behavior.

 

To verify how a specific IP address is recognized by the GeoIP database on the FortiGate, the following commands are helpful:

 

diagnose geoip ip2country <public ip>
diagnose firewall ipgeo ip2country <public ip>

 

The second command shows both the physical location and the registered location of the public IP address in question, so it can be used to confirm which of the two a policy with a given geoip-match setting will match on.

 

Note:

The geoip-match option only appears in a policy that uses a geography-type address object as its source or destination address. Alternatively, create an exception policy (a manual override with an explicit subnet address object) for this specific IP range.
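The following is a complete configuration added here as an illustration; it is not part of the original article. It shows the geography address object that the geoip-match option depends on, together with a policy that matches the example range by its registered country. The interface names wan1 and internal, the address-object name geo-US, the policy name and policy ID 10 are assumptions chosen for this example:

```fortios
config firewall address
    edit "geo-US"
        set type geography
        set country "US"
    next
end

config firewall policy
    edit 10
        set name "inbound-from-US-registered"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "geo-US"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set geoip-match registered-location
    next
end
```

With geoip-match set to registered-location, traffic from the X.X.X.0/23 range in the example above matches geo-US because the range is registered to a US entity, even though the GeoIP database physically places it in India. With the default physical-location setting the same traffic would not match this policy, which is the behavior the article describes. Verify the result for a specific address with 'diagnose firewall ipgeo ip2country <public ip>' before relying on the policy.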