We have policies (geolocation) which only allow connections from Spain and Andorra.
In many cases the IP addresses identified by geolocation are not properly updated, and sometimes Palo Alto identifies an IP as another country rather than as Spain, or vice versa.
How does Palo Alto query to get that information?
What are the files that PA queries?
Does the firewall establish a connection to servers in Palo Alto?
On Palo Alto Networks, a certain set of regions are pre-defined. Each IP can be matched to the zone it belongs to by using the CLI command:
show location ip <IP Address>.
> show location ip 184.108.40.206
The pre-defined regions database that Palo Alto Networks uses is the one defined by the Internet Assigned Numbers Authority (IANA) per globe zones that can be found at the following locations:
You can find more information here: Palo Alto Networks Pre-defined Regions
So this query to find the country, is it done by the Palo Alto itself, or does the PA connect to a server in order to get the info?
Is there any way to force this refresh?
Sometimes PA thinks that an IP is coming from a foreign country when this IP is from my country...
How often does the PA query IANA to get the info?
This is updated through dynamic updates (Apps & Threats) installed on the firewall.
Is there any way to force these queries?
My customer has a streaming service that foreign countries must not be able to access (only SPAIN and ANDORRA can access it).
Sometimes Palo Alto erroneously detects that an IP is outside Spain when it really is from Spain.
Does the firewall, at any point after downloading these updates, try to access these FTP sites directly, resolving their addresses via DNS first and then connecting? Or, conversely, is that information downloaded to the device and then consulted locally for geolocation? How is it done in this case?
Is there any way to tell it to access other geolocation repositories that have more up-to-date/personalized data? If not, will it be available in later PAN-OS versions?
We observed in other Palo Alto documentation that the access to geolocation databases has changed over time; I guess changes at IANA caused it. Are the FTP locations that you gave us applicable to the version we have (5.0.8), or do later versions differ? Are there any changes in new versions (6.x.x) to improve the PA geolocation?
To answer your first question, how often the IP geolocation is updated, you should contact your Sales Engineer or open a support case. As a general rule, if a feature setting is not in the documentation, PA does not post the answer in a public forum, so you have to use one of these inside communication channels.
You should check the IANA database to see if they do correctly identify the subnets in question as being from Spain or Andorra. Because if the IANA DB is wrong, then this is not a refresh interval issue with Palo Alto but the time to update from the service providers to IANA.
What is your security policy architecture?
I would create a new address group for the incorrectly classified addresses that you can populate with the incorrectly classified addresses as they are discovered.
If you block other countries at the top of the policy then create your server allow rules, I would add a permit rule above the block with this new address group.
If your server allow rules are constructed using the geo ip address groups then I would add this new address group to these rules.
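The registry check and the exception group suggested above can be combined into one step. The following is an added example, not part of the original thread or of any Palo Alto tooling: it assumes the registry data is available in the pipe-separated RIR delegated-statistics layout (the thread only says "IANA database"), and the sample records and blocked-source list are constructed from documentation address ranges.

```python
import ipaddress

# Constructed sample in the RIR delegated-statistics layout (an assumption):
# registry|cc|type|start|count|date|status  (documentation ranges, not real data)
SAMPLE_STATS = """\
ripencc|ES|ipv4|192.0.2.0|128|20100101|allocated
ripencc|AD|ipv4|192.0.2.128|64|20100101|assigned
ripencc|FR|ipv4|198.51.100.0|256|20100101|allocated
ripencc|ES|ipv6|2001:db8::|32|20100101|allocated
"""

ALLOWED = {"ES", "AD"}  # countries the policy in this thread permits


def load_ipv4_ranges(text):
    """Parse ipv4 records into (first_ip, last_ip, country) tuples."""
    ranges = []
    for line in text.splitlines():
        f = line.strip().split("|")
        # Skip comments, header/summary lines and non-IPv4 records.
        if line.startswith("#") or len(f) < 7 or f[2] != "ipv4" or f[1] in ("", "*"):
            continue
        first = ipaddress.IPv4Address(f[3])
        # For ipv4 the fifth field is an address count, not a prefix length.
        ranges.append((first, first + (int(f[4]) - 1), f[1]))
    return ranges


def registry_country(ip, ranges):
    """Return the registry country code for ip, or None if unlisted."""
    addr = ipaddress.IPv4Address(ip)
    for first, last, cc in ranges:
        if first <= addr <= last:
            return cc
    return None


def exception_candidates(blocked_ips, ranges):
    """IPs the firewall blocked although the registry lists them in ALLOWED."""
    return [ip for ip in blocked_ips if registry_country(ip, ranges) in ALLOWED]


if __name__ == "__main__":
    ranges = load_ipv4_ranges(SAMPLE_STATS)
    # Constructed list of sources denied by the geo-block rule.
    denied = ["192.0.2.10", "192.0.2.130", "198.51.100.7", "203.0.113.5"]
    for ip in exception_candidates(denied, ranges):
        print(ip)
```

A registry entry records where a block was allocated, not where it is routed, so treat the output as candidates to review before adding them to the permit group.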
Yes, we have a whitelist permitting the IPs "not well-categorized" by Palo Alto, but it's a bit annoying to do this every week; errors in geolocation happen every week...
I guess PA can only use this DB for geolocation; it can't use another source for geolocation, right?
Thanks a lot.