Using the menu "VPN Location Map" does show me a nice overview of the currently connected VPN connections (IPSEC, SSL VPN).

However, the locations of the fortigate are most of the time somewhere in the Gulf of Guniea (0°S, 0°E). The physical location of all our fortigates is configured in FortiCloud (product details) with the address (street, ZIP, town, etc.). I did not find a way to set the device location in the fortigate GUI, nor via CLI. 

I checked with dia "geoip geoip-query <IP>" on each fortigate it's own location and it shows a somewhat accurate location (sometimes off by a lot, based on the ISP).

So, I have several questions:

How does the fortigate determine it's own location used for the VPN location map? 

• From the location configuration in FortiCloud? (difficult, if not impossible)
• Via geo-ip query? (most likely)
  • If yes, which IP is used in a milti VDOM environment with several WAN IP's per VDOM?
  • Note: If I use "dia geoip geoip-query <my-wan-ip>, I get the correct location (Berne, Switzerland), yet in the VPM Location Map, the fortigate is located somewhere in Germany.

Two examples:

• fortigate1
  • physical location: Berne, Switzerland
  • location on VPN map: somewhere in southern Germany
  • dia geoip geoip-query: Berne, Switzerland
  • location fortigate 2 (IPSEC) in VPN Location Map: Thun, Switzerland
• fortigate2
  • physical location Thun, Switzerland
  • location on VPN map: Gulf of Guinea
  • dia geoip geoip-query: Berne, Switzerland
  • location fortigate 1 (IPSEC) in VPN Location Map: Berne, Switzerland

How is the location of VPN endpoints (SSL VPN, IPSEC VPN) determined?

• Looking at the maps on several fortigates with active VPN's, it seems that geo-ip is used. 
• IPSEC endpoint location of other fortigate seems not to be the same as location of local fortigate
• SSL VPN endpoint location is clearly via geoip, within it's limits

Thanks

Dan