topic Re: Custom region not reflecting in "show location ip xxx.xxx.xxx.xxx" in General Topics

Custom region not reflecting in "show location ip xxx.xxx.xxx.xxx"

AaronAxvig — Mon, 25 Apr 2022 18:37:28 GMT

I have an IP address that is showing up in the wrong region, say AM (Armenia) and should be CN (China). I have a support case open to get that fixed, but it has been open for over a week so I want to do a workaround.

Ideally I could specify to override this IP address to show up in CN. It seems like this could be done via Objects > Regions > Add > Choose CN from the Region drop down > add the IP address in the list below. But "show locations ip x.x.x.x" still shows that the IP is considered to be in Armenia.

So maybe it has to be a custom region? I created a region called "Test" and put the IP address in it. "show locations ip x.x.x.x" still shows that the IP is considered to be in Armenia.

Does the "show locations ip" command only consider the built-in regions?

If I test with some actual traffic would it do the correct thing?

Re: Custom region not reflecting in "show location ip xxx.xxx.xxx.xxx"

Adrian_Jensen — Mon, 25 Apr 2022 19:27:06 GMT

Testing here, it appears that the "show location ip" only queries the PA geolocation database. I have some custom regions defined for CDNs/etc. that get misidentified (or are in a different country but we don't want to allow the entire country) and the custom region is both used in the Security policy and appears as the source/destination region in the Traffic logs.

Re: Custom region not reflecting in "show location ip xxx.xxx.xxx.xxx"

AaronAxvig — Mon, 25 Apr 2022 19:30:29 GMT

Thanks, interesting to hear that result of your testing and I guess that confirms my suspicions.

Do you have any thoughts then on whether the override of the built-in regions would work as I described in the "Ideally..." paragraph?

Re: Custom region not reflecting in "show location ip xxx.xxx.xxx.xxx"

Adrian_Jensen — Mon, 25 Apr 2022 19:40:14 GMT

I don't have it any more, but in 8.1 we were using a custom region rule to rewrite a few IPs into the CN region. Sometime after upgrading to 9.1 I rewrote some Security policies and changed to having my custom regions being unique (i.e. "CDN" for allowed CDNs regardless of geolocation, some custom regions for malware/exploit ranges that are scattered across the world). I assume that adding an IP/range to a predefined region still works the same but I don't have a way to test that easily at the moment.

An easy test might be to take something known, say Google DNS 8.8.8.8, and add it to the custom CN region. Commit and then run some ping/DNS tests and look at the logs, see if it now shows as CN instead of US (or India as kept happening to us, now part of our CDN rule).

Re: Custom region not reflecting in "show location ip xxx.xxx.xxx.xxx"

AaronAxvig — Tue, 26 Apr 2022 20:42:51 GMT

I added the IP address to the region as I described in the "Ideally..." paragraph and that worked. It shows up in the traffic logs as that being the Source Country too, which is nice.

I did not verify that this doesn't wipe out any other addresses that are included in the region out-of-the-box. That is unlikely I think and we don't have any other traffic coming from that region so it would have been a little harder to test.