vinodhini
Staff
Article Id 195503

Description
This article explains why Geolocation IP lookup on FortiGuard may show different results for an IP address' location than other sites and provides instructions on how to change how the location is determined.

Scope

Any currently supported version of FortiGate.

Solution

Every IP address has two locations: the registered location and the physical location.

The registered location is where the IP address is registered, which is usually the location of the ISP.

The physical location is the actual geographic location where the person using the IP is located.

By default, the FortiGuard Geolocation service uses the physical location, whereas third-party lookup sites usually show the registered location of the IP address. This is why the two can disagree for the same IP.

It is possible to configure the FortiGate to use the registered location of IP addresses instead. Follow the instructions below to do this.

First, ensure the FortiGate has the latest geographical IP database, then confirm the installed version:

# execute update-geo-ip
# diagnose autoupdate versions | grep -A5 Geo


FortiOS 6.4.0 and later include an option to change the default from the physical location to the registered location.

The geoip-match firewall policy setting (new in that release) lets an IPv4 policy match an IP address by either its physical or its registered location when a geo-IP object is used as a source or destination address.

In the following example, the physical location of 220.243.219.10 is CA (Canada), but the registered location is CN (China). The IP address is not anycast.

 

To configure GeoIP matching based on registered location:

1) Create a firewall policy that matches the IP, with geoip-match set to registered-location:

# config firewall policy
    edit 1
        set name "policy_id_1"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "test-geoip-CA"
        set action accept
        set schedule "always"
        set service "ALL"
        set geoip-match registered-location
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
    next
end

Because the destination address object is Canada and registered-location matching is enabled, traffic to 220.243.219.10 does not match this policy (its registered location is China), so it is blocked.

2) Verify that traffic to the IP address is being blocked. In the capture below, the echo requests arrive on wan2 but none leave on wan1:

# diagnose sniffer packet any icmp 4
interfaces=[any]
filters=[icmp]
5.383798 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
6.381982 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
7.382608 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
^C
3 packets received by filter
0 packets dropped by kernel

To configure GeoIP matching based on physical location:

1) Create a firewall policy that matches the IP, with geoip-match set to physical-location:


# config firewall policy
    edit 1
        set name "policy_id_1"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "test-geoip-CA"
        set action accept
        set schedule "always"
        set service "ALL"
        set geoip-match physical-location
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
    next
end

Because the destination address object is CA and physical-location matching is enabled, traffic to 220.243.219.10 matches this policy and is passed.

2) Verify that the policy is allowing traffic to the IP address. In the capture below, each echo request that arrives on wan2 is forwarded out wan1 (with the source translated, since NAT is enabled on the policy):

# diagnose sniffer packet any icmp 4
interfaces=[any]
filters=[icmp]
5.273985 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
5.274176 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
6.274426 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
6.274438 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
7.273978 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
7.273987 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
^C
6 packets received by filter
0 packets dropped by kernel
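Both verification steps above rely on the same check: traffic is only being forwarded if it appears on the egress interface as well as the ingress one. The following Python script is an added example (not Fortinet's code) that parses `diagnose sniffer packet` output at verbosity level 4, as shown in the two captures, and reports for a given destination IP how many packets arrived versus left the FortiGate; the sample captures are constructed from the article's output, and the `.port` suffix handling is an assumption for TCP/UDP lines.

```python
import re

# One packet line of "diagnose sniffer packet any icmp 4" output, e.g.
#   5.274176 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
# Header ("interfaces=[any]") and summary ("3 packets received by filter")
# lines do not match and are skipped. A ".port" suffix after an address is
# accepted (assumed format for TCP/UDP captures).
PACKET_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<proto>\w+)"
)


def parse_sniffer(output):
    """Return a list of packet dicts (ts, iface, dir, src, dst, proto, ...)."""
    return [m.groupdict() for m in map(PACKET_RE.match, output.splitlines()) if m]


def forwarding_summary(output, target_ip):
    """Count packets destined for target_ip by direction and decide whether the
    FortiGate forwarded them. Matching on the destination only is deliberate:
    with 'set nat enable' the source changes on the egress side (10.1.100.41
    becomes 172.16.200.10 in the article's capture)."""
    counts = {"in": 0, "out": 0}
    for pkt in parse_sniffer(output):
        if pkt["dst"] == target_ip:
            counts[pkt["dir"]] += 1
    # Allowed traffic shows an egress packet per ingress packet; traffic that
    # matches no accept policy shows only the ingress packets.
    counts["forwarded"] = counts["out"] > 0
    return counts


# Constructed sample captures, copied from the article's two verification steps.
BLOCKED_CAPTURE = """interfaces=[any]
filters=[icmp]
5.383798 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
6.381982 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
7.382608 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
3 packets received by filter
0 packets dropped by kernel"""

ALLOWED_CAPTURE = """interfaces=[any]
filters=[icmp]
5.273985 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
5.274176 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
6.274426 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
6.274438 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
4 packets received by filter
0 packets dropped by kernel"""

if __name__ == "__main__":
    for mode, cap in (("registered-location", BLOCKED_CAPTURE), ("physical-location", ALLOWED_CAPTURE)):
        print(mode, forwarding_summary(cap, "220.243.219.10"))
```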

Different physical and registered locations can occur for a number of reasons. For example, a person in the USA may use a proxy or VPN to connect to an IP in China and then contact a server in the USA.

In this scenario, the physical location would be the USA but the registered location of the IP would be China.

Similarly, someone in China may use a USA proxy or VPN to connect to a server in the USA. In this case, the physical location would be China while the registered location of the IP would be the USA.