Issues with geolocation IP addresses

Reply
L4 Transporter

Issues with geolocation IP addresses

Hello,

We have policies (geolocation) which only allow connection from Spain and Andorra.

In many cases the IP addresses identified by geolocation, is not properly updated and sometimes Palo Alto identifies an IP like another country rather than as Spain or vice versa.

How does a query to get that information Palo Alto?

What are the files that query PA?

Is the firewall establishes a connection to servers in Palo Alto?

Regards,

L0 Member

Hello,

On Palo Alto Networks, a certain set of regions are pre-defined. Each IP can be matched to their belonging zone by using the CLI command:

show location ip <IP Address>.

For example:

> show location ip 54.12.11.211

   54.12.11.211

   United States

The pre-defined regions database that Palo Alto Networks uses is the one defined by the Internet Assigned Numbers Authority (IANA) per globe zones that can be found at the following locations:

You can find more information here Palo Alto Networks Pre-defined Regions

L4 Transporter

So this query to know the country, its done by the Palo Alto or the PA connect to any server in order to take the info

there is any way to force this refresh????

Sometimes PA thinks that an ip is coming from foreign country and this ip is from my country......

L0 Member

PA takes this information from IANA (Internet Assigned Numbers Authority) -  from relevant national registries.

L4 Transporter

how often the PA query IANA to get the info?????

any way to force this queries????


thanks

L0 Member

AFAIK there is not way to refresh manually but this information is updated through dynamic content updates.

L5 Sessionator

Hello COS,

how often the PA query IANA to get the info?????

This is updated through dynamic updates(Apps&Threats) installed on the firewall.


any way to force this queries????

No


Regards,

Hari Yadavalli

L4 Transporter

My customer has a streaming service that not foreign countries can access to this streaming.....(only can access SPAIN and ANDORRA).

Sometimes palo alto erroneously detects an ip is out of Spain when it really is from Spain.

-Does the Firewall try in any point after downloading these updates, direct access to these ftp sites we return addresses DNS resolving those addresses first and then accessing? or conversely, that information download to your computer and consultation locally, later to consult the geo. how you do in this case?

Is there any way to tell accessing other repositories of geolocation that has these latest data more updated/personalized? if not it will it be available in later PANOS versions?

We observed that in other documentations PaloAlto the access to geolocation databases have changed in over time, I guess that changes in the IANA did it,. This ftp access that you gave us, are they applicable to the version we have (5.0.8) or later versions differ? There is any changes in new versions (6.x.x) to improve the PA geolocation?????

Regards....

L7 Applicator

To answer your first question, how often is the ip geo location updated, you should contact your Sales engineer or open a support case.  As a general rule if the a feature setting is not in the documentation PA does not post the answer in a public forum so you have to use one of these inside communications channels.

You should check the IANA database to see if they do correctly identify the subnets in questions as being from Spain or Andorra.  Because if the IANA db is wrong then this is not a refresh interval issue with Palo Alto but the time to update from the service providers to IANA.

What is your security policies architecture?

I would create a new address group for the incorrectly classified addresses that you can populate with with the incorrectly classified addresses as they are discovered.

If you block other countries at the top of the policy then create your server allow rules, I would add a permit rule above the block with this new address group.

If your server allow rules are constructed using the geo ip address groups then I would add this new address group to these rules.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

Yes we have a white-list permitting the "not well-categorized" ips by Palo Alto, but its a bit annoying to do this all the weeks, errors in geolocation happens every week....

i guess PA only can use this DB for geolocation, it cant use another source for geolocation , right?

thanks a lot.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!