npariyar
Staff
Article Id 241525

Description

This article explains how to handle the case where the FortiGuard IP geolocation database reports a geographical location for an IP address that differs from the expected one.

 

Scope

FortiGate

 

Solution

For example, X.X.X.X (X.X.X.0/23) is registered to a US entity. However, the FortiGuard looking-glass server in India measures a fairly low latency to it (< 8 ms RTT), which indicates a relatively short geographic distance. It is therefore highly likely that this subnet is actually deployed on devices located in India. Independent sources such as perfops.net/ping-from-Pune and https://lg.he.net/ can be used to verify the location.
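The latency argument above can be made rigorous: a round trip cannot be faster than light in fibre, so an observed RTT puts a hard upper bound on how far the host can be from the prober. The following added example (not part of the original article) uses constructed coordinates for a Pune looking glass and two candidate locations, and reports which candidates an 8 ms RTT leaves physically possible.

```python
import math

# Approximate propagation speed of light in optical fibre (about 2/3 c),
# expressed as kilometres travelled per millisecond.
FIBER_KM_PER_MS = 200.0
EARTH_RADIUS_KM = 6371.0

# Constructed coordinates (latitude, longitude in degrees) for this example.
LOOKING_GLASS_PUNE = (18.5204, 73.8567)
CANDIDATE_LOCATIONS = {
    "IN": (19.0760, 72.8777),   # a point near Pune (Mumbai)
    "US": (39.0438, -77.4874),  # a point in the US (Ashburn, VA)
}

def great_circle_km(a, b):
    """Haversine great-circle distance between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def min_rtt_ms(distance_km):
    """Lowest RTT physically possible over a straight fibre path."""
    return 2 * distance_km / FIBER_KM_PER_MS

def max_distance_km(rtt_ms):
    """Farthest a host can be from the prober given the observed RTT."""
    return rtt_ms / 2 * FIBER_KM_PER_MS

def feasible_locations(observed_rtt_ms, looking_glass, candidates):
    """For each candidate location, report whether the observed RTT rules it out.

    Real routes detour and add queuing delay, so a measured RTT can only be
    higher than the straight-line minimum. A candidate whose minimum RTT
    exceeds what was measured is therefore physically impossible; a low
    RTT is strong evidence of proximity, while a high RTT proves nothing.
    """
    report = {}
    for name, coord in candidates.items():
        distance = great_circle_km(looking_glass, coord)
        floor = min_rtt_ms(distance)
        report[name] = {
            "distance_km": round(distance),
            "min_rtt_ms": round(floor, 1),
            "feasible": floor <= observed_rtt_ms,
        }
    return report
```

With the article's 8 ms RTT, the India candidate stays feasible while the US candidate would need roughly 130 ms even on a perfect path.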

By default, the IP geolocation database shows and uses the physical location of an IP address, which is not necessarily the country of the entity that registered it; in this case it therefore does not show 'US'. Showing the actual geographic location of an IP is important in many fields, from location-based services to malware detection. However, the database also includes registration-country data, kept separate from the geographic location data. To match firewall policy on the registration location ('US' in this case) of this IP range instead of its physical location ('IN'/India in this case), on a device running FortiOS 6.4 or later, modify the policy with the following commands:

# config firewall policy
    edit 1
        set geoip-match {physical-location | registered-location}
    next
end

Alternatively, set up an exception policy (a manual override) for this specific IP range.
