Administration Guide

Geography based addresses

Geography addresses are addresses determined by country of origin. The IP addresses for each country or region are determined automatically from the IP Geography database.

To view the IP Geography database:

    # diagnose autoupdate versions | grep -A 6 "IP Geography DB"
    IP Geography DB
    ---------
    Version: 3.00152
    Contract Expiry Date: n/a
    Last Updated using manual update on Thu Nov 17 17:52:00 2022
    Last Update Attempt: Wed Nov 23 10:56:46 2022
    Result: No Updates

Note

Without a valid license, the local IP geography database continues to work. However, the FortiGate stops receiving geography IP updates from the FortiGuard servers, and the geography IP database is no longer updated. The IP geolocation service is part of the base services included with all FortiCare support contracts. See FortiGuard Security Services for more information.

To create a geography address:
  1. Go to Policy & Objects > Addresses and select Address.
  2. Select Create new.
  3. Enter a Name for the address object.
  4. In the Type field, select Geography from the dropdown menu.
  5. In the Country/Region field, select a single country from the dropdown menu.
  6. In the Interface field, leave the default, any, or select a specific interface from the dropdown menu.
  7. Enter any additional information in the Comments field.
  8. Click OK.

Overrides

You can assign a specific IP address range to a customized country ID. Geographic addressing is generally done at the VDOM level (it could be considered global if you are using the root VDOM), but the geoip-override setting itself is a global setting.

To configure a geography IP override:
  1. Assign a specific IP address range to a customized country ID:

    config system geoip-override
        edit "MyCustomCountry"
            config ip-range
                edit 1
                    set start-ip 1.1.1.1
                    set end-ip 1.1.1.2
                next
            end
        next
    end

  2. Use get sys geoip-country XX to determine the name corresponding to the custom 2-digit country code A0:

    # get sys geoip-country A0
    id                  : A0
    name                : MyCustomCountry 
    
  3. Show the full configuration of the geography IP override just created to show that it corresponds to country code A0:

    # show full sys geoip-override
    config system geoip-override
        edit "MyCustomCountry"
            set description ''
            set country-id "A0"
            config ip-range
                edit 1
                    set start-ip 1.1.1.1
                    set end-ip 1.1.1.2
                next
            end
        next
    end
    
To configure a geography address:
  1. Enable debug to display the CLI commands running on the backend in response to certain GUI configuration:

    # diagnose debug enable
    # diagnose debug cli 7
    Debug messages will be on for 30 minutes.
    
  2. Go to Policy & Objects > Addresses and create a geography address using the previously created custom country code.

  3. Observe the corresponding CLI commands run on the backend:

    FGT # 0: config firewall address
    0: edit "TestGeoAddress"
    0: set type geography
    0: set country "A0"
    0: end
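
An override changes what every geography address for that country ID matches, so it is worth checking a configuration backup for overrides and the addresses that reference them. The following is an added example, not part of the Fortinet guide; it assumes the backup uses 4-space indentation and includes country-id as in the show full output above, and the names entries, audit, lookup and SAMPLE are hypothetical.

```python
import ipaddress
import re
# Constructed sample in config-backup layout (assumed: 4-space indents, country-id present).
SAMPLE = '''config system geoip-override
    edit "MyCustomCountry"
        set country-id "A0"
        config ip-range
            edit 1
                set start-ip 1.1.1.1
                set end-ip 1.1.1.2
            next
        end
    next
end
config firewall address
    edit "TestGeoAddress"
        set type geography
        set country "A0"
    next
    edit "GeoUS"
        set type geography
        set country "US"
    next
end
'''

def entries(text, header):
    """Return (name, body) for each top-level edit block under a config header."""
    m = re.search(rf"^{re.escape(header)}\n(.*?)^end$", text, re.S | re.M)
    return re.findall(r'^    edit "([^"]+)"\n(.*?)^    next$', m.group(1), re.S | re.M) if m else []

def audit(text):
    """Map each custom country ID to its ranges, size and the addresses using it."""
    report = {}
    for name, body in entries(text, "config system geoip-override"):
        cid = re.search(r'set country-id "([^"]+)"', body).group(1)
        pairs = zip(re.findall(r"set start-ip (\S+)", body), re.findall(r"set end-ip (\S+)", body))
        ranges = [(ipaddress.ip_address(s), ipaddress.ip_address(e)) for s, e in pairs]
        report[cid] = {"name": name, "ranges": ranges, "used_by": [],
                       "size": sum(int(e) - int(s) + 1 for s, e in ranges)}
    for name, body in entries(text, "config firewall address"):
        m = re.search(r'set country "([^"]+)"', body)
        if "set type geography" in body and m and m.group(1) in report:
            report[m.group(1)]["used_by"].append(name)
    return report

def lookup(report, ip):
    """Return the custom country IDs whose override ranges contain ip."""
    addr = ipaddress.ip_address(ip)
    return [c for c, o in report.items() if any(s <= addr <= e for s, e in o["ranges"])]
```

Calling audit(SAMPLE) reports custom ID A0 with two addresses in its range and TestGeoAddress as the only object using it; GeoUS is skipped because US is not an override ID.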
    

Diagnose commands

There are a few diagnose commands used with geographic addresses:

    diagnose firewall ipgeo [country-list | ip-list | ip2country | override | copyright-notice]

| Diagnose command | Description |
| --- | --- |
| country-list | List of all countries. |
| ip-list | List of the IP addresses associated with the country. |
| ip2country | Used to determine which country a specific IP address is assigned to. |
| override | List of user-defined geography data; items configured with the config system geoip-override command. |
| copyright-notice | Shows the copyright notice. |

    diagnose geoip [geoip-query | ip2country | iprange]

| Diagnose command | Description |
| --- | --- |
| geoip-query | Used to determine the complete geolocation of a specific IP address from the FortiGuard IP Geography DB. |
| ip2country | Used to determine the physical and registered locations of the IP address, as well as whether the type is anycast. |
| iprange | List the IP addresses or IP ranges associated with the country. |

For more details and examples using these diagnose commands, see the Fortinet Community article Technical Tip: Commands to verify GeoIP information and troubleshoot GeoIP database.
