PAN-OS reporting incorrect geolocation of IP address
Created On 04/30/20 22:33 PM - Last Modified 01/03/24 12:03 PM
Symptom
PAN-OS reporting incorrect geolocation of IP address
Environment
PAN-OS
Cause
It is normal for IP addresses and address spaces to change frequently.
Resolution
Validate the issue in PAN-OS by:
- Ensuring you are running the latest content update as this is the database PAN-OS leverages for the latest geolocation information.
- Running > show location ip <ip_address> in the CLI
This will indicate what PAN-OS has in its records for the given IP address and its geolocation.
Provide supporting evidence of a discrepancy using common IP address lookup information such as:
- whois
- traceroute
- ping
- asn
- reverse dns
- nslookup
- dig
- viewing a web page's certificate
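One way to turn the whois evidence into a one-line summary for the case notes, as an added example that is not Palo Alto Networks code. It assumes the operator reads the country from show location ip and passes it in as a two-letter ISO code; the function names, verdict labels and sample whois record are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the operator reads the country from
# `show location ip <ip_address>` and passes it in as a two-letter ISO code;
# PAN-OS output itself is not parsed here.

# Print the distinct country codes found in whois text on stdin, comma-separated.
# Registry records label the field "country:" or "Country:".
whois_countries() {
    awk -F: 'tolower($1) ~ /^[ \t]*country$/ {
        cc = $2
        sub(/#.*/, "", cc)            # drop trailing comments
        gsub(/[ \t\r]/, "", cc)       # drop padding
        cc = toupper(cc)
        if (cc != "" && !(cc in seen)) {
            seen[cc] = 1
            out = out (out == "" ? "" : ",") cc
        }
    } END { print out }'
}

# usage: whois <ip> | geo_verdict <ip> <panos_country_code>
# Prints one summary line suitable for pasting into the TAC case notes.
geo_verdict() {
    ip=$1
    panos=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    found=$(whois_countries)
    case ",$found," in
        ",,")         verdict="NO-WHOIS-COUNTRY" ;;
        *",$panos,"*) verdict="CONSISTENT" ;;
        *)            verdict="DISCREPANCY" ;;
    esac
    printf '%s panos=%s whois=%s %s\n' "$ip" "$panos" "${found:-none}" "$verdict"
}

# Constructed sample record (203.0.113.0/24 is a documentation range).
SAMPLE_WHOIS='inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
country:        SG
descr:          Example hosting customer
country:        sg'

printf '%s\n' "$SAMPLE_WHOIS" | geo_verdict 203.0.113.10 US
```

The whois country field records where the address block is registered, so for CDN and cloud ranges a DISCREPANCY line should be backed by traceroute or reverse DNS output before it goes into the case.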
A TAC case will need to be opened so that Palo Alto Networks can correct the issue and include the fix in a future content update. For immediate remediation, you can create a custom region through the PAN-OS Web GUI > Objects Tab > Regions.
Free supporting resources include:
- Palo Alto Networks' very own Threat Vault provides an IP Feed: http://threatvault.paloaltonetworks.com
- IP2Location: https://www.ip2location.com/
- Maxmind demo: https://www.maxmind.com/en/home
- RiskIQ community version: https://community.riskiq.com/search/8.8.8.8
- VirusTotal: https://www.virustotal.com/gui/home/search
Additional Information
With CDNs and cloud providers, it is important to note that the geolocation of an IP address is based on the location the IP address is served from. For example, AWS is hosted by Amazon, whose HQ is in Washington, U.S., but one of its data centers may be in APAC or the EU. It is therefore important to verify where the IP address is being served from, as this determines its geolocation.