PAN-OS reporting incorrect geolocation of IP address

Validate the issue in PAN-OS by: 

1. Ensure you are running the latest content update, as this is the database PAN-OS leverages for the latest geolocation information.  
2. Running > show location ip <ip_address> in the CLI 

This will indicate what PAN-OS has in its records for the given IP address and its geolocation:

Provide supporting evidence of a discrepancy using common IP address lookup information, such as:

• whois
• traceroute
• ping
• asn
• reverse dns
• nslookup 
• dig 
• viewing a web page's certificate

A TAC case will need to be opened so that Palo Alto Networks may correct this issue and implement it in a future content update. 

For immediate remediation, the firewall has the capability to create a custom region via the PAN-OS Web GUI: Objects > Regions.  

Here you will be able to select the region, define an optional Longitude and Latitude coordinates, or input a list of IP addresses

(Note) Free supporting resources include: 

• Palo Alto Networks' very own Threat Vault provides an IP Feed: https://threatvault.paloaltonetworks.com
• Whois DomainTools: https://whois.domaintools.com/
• IP2Location: https://www.ip2location.com/
• Maxmind demo: https://www.maxmind.com/en/home
• VirusTotal: https://www.virustotal.com/gui/home/search

A combination of these results provides considerable confidence and insight into where an IP address is being served from. Please utilize these resources to confirm and verify the region to which the IP address belongs.

• With CDNs and cloud providers, it is important to make the distinction that the geolocation of an IP address is based on the location the IP address is served from (e.g., AWS is hosted by Amazon, with their HQ in Washington, U.S., but one of their data centers maybe in APAC or EU.  Therefore, it is important to verify where the IP address is being served out of as this determines its geolocation.)