topic Re: Issues with geolocation IP addresses in General Topics

Issues with geolocation IP addresses

SOC_CSG — Thu, 05 Mar 2015 13:28:01 GMT

Hello,

We have policies (geolocation) which only allow connection from Spain and Andorra.

In many cases the IP addresses identified by geolocation, is not properly updated and sometimes Palo Alto identifies an IP like another country rather than as Spain or vice versa.

How does a query to get that information Palo Alto?

What are the files that query PA?

Is the firewall establishes a connection to servers in Palo Alto?

Regards,

Re: Issues with geolocation IP addresses

gbogojevic — Thu, 05 Mar 2015 15:04:38 GMT

Hello,

On Palo Alto Networks, a certain set of regions are pre-defined. Each IP can be matched to their belonging zone by using the CLI command:

show location ip <IP Address>.

For example:

> show location ip 54.12.11.211

54.12.11.211

United States

The pre-defined regions database that Palo Alto Networks uses is the one defined by the Internet Assigned Numbers Authority (IANA) per globe zones that can be found at the following locations:

AfriNIC Africa Region --> ftp://ftp.afrinic.net/pub/stats/afrinic/
APNIC Asia/Pacific Region --> http://ftp.apnic.net/stats/apnic/
ARIN North America Region --> ftp://ftp.arin.net/pub/stats/arin/
LACNIC Latin America and some Caribbean Islands --> http://bgp.potaroo.net/stats/lacnic/delegated << direct link
RIPE NCC (Europe, Russia, Middle East, Central Asia) --> http://ftp.apnic.net/stats/ripe-ncc/

You can find more information here Palo Alto Networks Pre-defined Regions

Re: Issues with geolocation IP addresses

SOC_CSG — Thu, 05 Mar 2015 15:10:51 GMT

So this query to know the country, its done by the Palo Alto or the PA connect to any server in order to take the info

there is any way to force this refresh????

Sometimes PA thinks that an ip is coming from foreign country and this ip is from my country......

Re: Issues with geolocation IP addresses

gbogojevic — Thu, 05 Mar 2015 15:38:17 GMT

PA takes this information from IANA (Internet Assigned Numbers Authority) - from relevant national registries.

Re: Issues with geolocation IP addresses

SOC_CSG — Thu, 05 Mar 2015 15:39:23 GMT

how often the PA query IANA to get the info?????

any way to force this queries????

thanks

Re: Issues with geolocation IP addresses

gbogojevic — Thu, 05 Mar 2015 15:45:38 GMT

AFAIK there is not way to refresh manually but this information is updated through dynamic content updates.

Re: Issues with geolocation IP addresses

hyadavalli — Thu, 05 Mar 2015 23:41:50 GMT

Hello COS,

how often the PA query IANA to get the info?????

This is updated through dynamic updates(Apps&Threats) installed on the firewall.

any way to force this queries????

Regards,

Hari Yadavalli

Re: Issues with geolocation IP addresses

SOC_CSG — Fri, 06 Mar 2015 13:28:54 GMT

My customer has a streaming service that not foreign countries can access to this streaming.....(only can access SPAIN and ANDORRA).

Sometimes palo alto erroneously detects an ip is out of Spain when it really is from Spain.

-Does the Firewall try in any point after downloading these updates, direct access to these ftp sites we return addresses DNS resolving those addresses first and then accessing? or conversely, that information download to your computer and consultation locally, later to consult the geo. how you do in this case?

Is there any way to tell accessing other repositories of geolocation that has these latest data more updated/personalized? if not it will it be available in later PANOS versions?

We observed that in other documentations PaloAlto the access to geolocation databases have changed in over time, I guess that changes in the IANA did it,. This ftp access that you gave us, are they applicable to the version we have (5.0.8) or later versions differ? There is any changes in new versions (6.x.x) to improve the PA geolocation?????

Regards....

Re: Issues with geolocation IP addresses

pulukas — Sat, 07 Mar 2015 12:47:31 GMT

To answer your first question, how often is the ip geo location updated, you should contact your Sales engineer or open a support case. As a general rule if the a feature setting is not in the documentation PA does not post the answer in a public forum so you have to use one of these inside communications channels.

You should check the IANA database to see if they do correctly identify the subnets in questions as being from Spain or Andorra. Because if the IANA db is wrong then this is not a refresh interval issue with Palo Alto but the time to update from the service providers to IANA.

What is your security policies architecture?

I would create a new address group for the incorrectly classified addresses that you can populate with with the incorrectly classified addresses as they are discovered.

If you block other countries at the top of the policy then create your server allow rules, I would add a permit rule above the block with this new address group.

If your server allow rules are constructed using the geo ip address groups then I would add this new address group to these rules.

Re: Issues with geolocation IP addresses

SOC_CSG — Mon, 09 Mar 2015 15:07:42 GMT

Yes we have a white-list permitting the "not well-categorized" ips by Palo Alto, but its a bit annoying to do this all the weeks, errors in geolocation happens every week....

i guess PA only can use this DB for geolocation, it cant use another source for geolocation , right?

thanks a lot.

Re: Issues with geolocation IP addresses

pulukas — Mon, 09 Mar 2015 21:48:49 GMT

There may be other other sources, but certainly IANA is the official and final authority on the assignment of addresses.

I'm sure as we continue to deal with ipv4 address depletion these movements of address blocks will become more common.