Administration Guide

Matching GeoIP by registered and physical location

IP addresses have both a physical location and a registered location in the GeoIP database, and the two are not always the same. The geoip-match setting in a firewall policy lets you choose whether an IPv4 address is matched against its physical or its registered location whenever a geography (GeoIP) address object is used as the source or destination address. IPv6 policies currently support geography address objects but do not support geoip-match.

In the following example, the physical location of 220.243.219.10 is CA (Canada), the registered location is CN (China), and it is not an anycast IP.

To configure GeoIP matching based on registered location:
  1. Create a firewall policy to match the IP:
    config firewall policy
        edit 1
            set name "policy_id_1"
            set srcintf "wan2"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "test-geoip-CA"
            set action accept
            set schedule "always"
            set service "ALL"
            set geoip-match registered-location
            set logtraffic all
            set auto-asic-offload disable
            set nat enable
        next
    end

    Because the destination address is the geography object for CA and registered-location matching is enabled, traffic to 220.243.219.10 does not match this policy: its registered location is CN, not CA. With no other policy matching it, the traffic is dropped by the implicit deny policy.

  2. Verify that traffic to the IP address is blocked. The sniffer at verbosity level 4 prints each packet with its interface and direction; the echo requests arrive on wan2 but never leave on wan1, so the firewall dropped them (the policy disables auto-asic-offload so that offloaded packets do not bypass the sniffer):
    # diagnose sniffer packet any icmp 4
    interfaces=[any]
    filters=[icmp]
    5.383798 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
    6.381982 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
    7.382608 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
    ^C
    3 packets received by filter
    0 packets dropped by kernel

To configure GeoIP matching based on physical location:
  1. Create a firewall policy to match the IP:
    config firewall policy
        edit 1
            set name "policy_id_1"
            set srcintf "wan2"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "test-geoip-CA"
            set action accept
            set schedule "always"
            set service "ALL"
            set geoip-match physical-location
            set logtraffic all
            set auto-asic-offload disable
            set nat enable
        next
    end

    Because the destination address is the geography object for CA and physical-location matching is enabled, traffic to 220.243.219.10 matches this policy (its physical location is CA) and is accepted.

  2. Verify that traffic to the IP address is allowed. Each echo request received on wan2 is followed by the same request leaving on wan1; the source address changes to 172.16.200.10 because NAT is enabled on the policy:
    # diagnose sniffer packet any icmp 4
    interfaces=[any]
    filters=[icmp]
    5.273985 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
    5.274176 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
    6.274426 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
    6.274438 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
    7.273978 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
    7.273987 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
    ^C
    6 packets received by filter
    0 packets dropped by kernel
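The two sniffer captures above are read by eye on this page. The following script, an added example that is not part of the Fortinet guide, does the same check programmatically: it parses `diagnose sniffer packet any icmp 4` output, pairs each echo request that enters on the policy's source interface with the copy that leaves on its destination interface, and reports per destination whether the firewall forwarded or dropped the flow. The interface names and the two sample captures are taken from this page; the regular expression, the class and function names, and the verdict labels are this example's own assumptions.

```python
"""Infer the firewall's verdict from `diagnose sniffer packet any icmp 4` output.

Added example for this guide page; it is not Fortinet code. A flow with
ingress packets and no egress packets was dropped (here because the
geoip-match mismatch leaves the traffic to the implicit deny policy).
Because the policy has `set nat enable`, the egress source address differs
from the ingress source, so packets are correlated on destination IP and
interface only, never on source IP.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Verbosity level 4 prints one line per packet in the form
# "<timestamp> <interface> <in|out> <src> -> <dst>: <proto>: <detail>".
PACKET_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):"
)

# Sniffer output copied from the registered-location and physical-location
# steps above (constructed input for this example; the header, ^C and summary
# lines are kept on purpose so the parser has to skip them).
REGISTERED_CAPTURE = """\
interfaces=[any]
filters=[icmp]
5.383798 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
6.381982 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
7.382608 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
^C
3 packets received by filter
0 packets dropped by kernel
"""

PHYSICAL_CAPTURE = """\
interfaces=[any]
filters=[icmp]
5.273985 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
5.274176 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
6.274426 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
6.274438 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
7.273978 wan2 in 10.1.100.41 -> 220.243.219.10: icmp: echo request
7.273987 wan1 out 172.16.200.10 -> 220.243.219.10: icmp: echo request
^C
6 packets received by filter
0 packets dropped by kernel
"""


@dataclass
class FlowVerdict:
    dst: str
    ingress: int   # packets seen entering on the policy's srcintf
    egress: int    # packets seen leaving on the policy's dstintf

    @property
    def status(self) -> str:
        if self.ingress == 0:
            return "no-ingress"   # only egress seen: sniffer started late or wrong srcintf
        if self.egress == 0:
            return "dropped"      # nothing forwarded: policy mismatch / implicit deny
        if self.egress < self.ingress:
            return "partial"      # some packets lost: check offload, routing, rate limits
        return "forwarded"


def parse_packets(capture: str) -> list[dict]:
    """Return one dict per packet line; header, ^C and summary lines are ignored."""
    return [m.groupdict() for m in map(PACKET_RE.match, capture.splitlines()) if m]


def classify_flows(capture: str, srcintf: str = "wan2",
                   dstintf: str = "wan1") -> dict[str, FlowVerdict]:
    """Count ingress/egress packets per destination IP and derive a verdict.

    srcintf/dstintf are the policy's interfaces (wan2 -> wan1 on this page).
    """
    ingress: Counter = Counter()
    egress: Counter = Counter()
    for pkt in parse_packets(capture):
        if pkt["intf"] == srcintf and pkt["dir"] == "in":
            ingress[pkt["dst"]] += 1
        elif pkt["intf"] == dstintf and pkt["dir"] == "out":
            egress[pkt["dst"]] += 1
    return {dst: FlowVerdict(dst, ingress[dst], egress[dst])
            for dst in sorted(set(ingress) | set(egress))}


def report(capture: str, label: str) -> str:
    """One line per destination, e.g. 'registered-location 220.243.219.10: dropped (3 in, 0 out)'."""
    return "\n".join(f"{label} {v.dst}: {v.status} ({v.ingress} in, {v.egress} out)"
                     for v in classify_flows(capture).values())


if __name__ == "__main__":
    print(report(REGISTERED_CAPTURE, "registered-location"))
    print(report(PHYSICAL_CAPTURE, "physical-location"))
```

The verdict is a heuristic over what the sniffer saw, not a policy-lookup result: a "dropped" flow tells you the firewall did not forward the packets, not which policy or which geoip-match mode rejected them. Verbosity level 4 is required because lower levels do not print the interface name, and the capture must be taken with hardware offload disabled on the policy (as the page's example does) or the forwarded packets of an offloaded session will not appear on the egress interface.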
