IP Geolocation and Why It’s Important (Critical)


Last updated on December 1st, 2022 at 10:06 am

Most Next Generation Firewalls (NGFW) allow security policies to include IP geolocation. But what is IP geolocation?

Public IP addresses are associated with a country. In the US, ARIN maintains a database that maps IP addresses to locations, but it is not the only source. Many third parties use the ARIN database in some way or manage their own. Unfortunately, there is no central database or central source of truth.

If you want an example of IP geolocation to get an understanding before reading further, use the following link to view your IP address info. You can also type in an IP address or domain, and you will see the country info and what other providers have for a country for that IP address or domain.

https://www.iplocation.net/

Many vendors will use one or multiple sources for IP geolocation information. For reference, in this article, I will refer to firewall vendors.

Firewalls & IP Geolocation

Firewalls can block or allow traffic based on IP geolocation, and this is standard for security, industry or company compliance, or other requirements. Having worked in healthcare in the US for ten years, I know it’s common practice to block traffic from outside the US for healthcare-related companies.

Palo Alto Networks (PAN) calls IP geolocation “Regions.” I don’t know what other vendors call IP geolocation. If you are interested in or need to apply Region Codes on a PAN firewall, see my article on EDL and Region Codes via the CLI. Going forward, I will refer to Regions when referencing this on firewalls.

On PAN firewalls, IP geolocation information is provided and updated with Application & Threats. A subscription will allow updates for the application database, threat services, and IP geolocation (Region Codes).

PAN IP geolocation information is acquired from multiple sources, but PAN maintains its own database. If you want to check how PAN sees an IP address or domain, use their Threat Vault (login may be required).

Although IP geolocation is commonly used on firewalls, it should be used carefully, as valid traffic can be blocked.

Can IP Geolocation be Wrong?

You bet, and I know firsthand what can happen. I’ve experienced both sides of the table with incorrect IP geolocation information.

At one company, some US healthcare providers could not access SFTP servers in our DMZ. Our PAN content updates were not being applied, so the firewalls had outdated/incorrect IP geolocation for some providers.

In another example, our organization had an ARIN-provided IP subnet that we owned and registered in the U.S. On this one day, support tickets were coming in that users could not get to U.S.-based providers. In troubleshooting, we found that our public IP subnet was associated with another country. These providers were using IP geolocation and blocking our traffic because our source IP subnet was not identified as in the U.S.

Blocking traffic based on Region must be done with care and comes with great responsibility (cue Ben Parker from Spider-Man). Having outdated or incorrect information can impact patient care/support, research, data testing, and data logging, and can have a monetary impact, to mention a few.

With how widely used IP geolocation is, it’s critical that the information is up-to-date and correct.

The Importance of Checking IP Geolocation Info

Getting incorrect IP geolocation information corrected is not easy. Again, there are multiple sources of this information, so it comes down to which one has the incorrect entry. What can make matters worse is when these sources share information or reference one another, because the incorrect information has then already spread.

Of the two cases I mentioned, the first was easy to resolve; we updated our App & Threat database, which at the time was being done manually. The second, and the toughest, was when we were accessing another provider that had incorrect IP geolocation info for our public IPs.

Since we did not control that provider’s firewalls, we had to rely on contacting their support or IT. Of about four providers, one was very easy to reach and resolved the issue that day. The others were not so easy. For a couple, we could not reach their IT to inform them of the problem, and for another, we could not reach them at all, so it took about a month for one of them to resolve the issue.

Below is a list of IP geolocation sites that either check or provide this information (usually through a subscription). There are many more, but I have used these in checking and troubleshooting.

https://iplocation.io/

https://ipdata.co/

https://www.maxmind.com/en/geoip-demo

https://www.home.neustar/resources/tools/ip-geolocation-lookup-tool

https://www.iplocation.net/

https://www.countryipblocks.net/index.php

I contacted a couple of sources (not PAN) who maintain their own database and had incorrect IP geolocation information. One responded and said they would fix it, which they did within a couple of days. Another did not respond after a couple of emails and a phone call. So if you experience this issue, your results may vary.

How to Fix IP Geolocation Info with PAN

In my previously mentioned experience, our incorrect IP geolocation info made its way into the Palo Alto Networks database. Not good, given how popular PAN firewalls are.

Checking PAN for IP geolocation information can be done on their Threat Vault site (https://threatvault.paloaltonetworks.com/). It can also be checked from the firewalls directly at the CLI. The CLI will show the current IP geolocation for that IP with the current App & Threat database on the firewall.

Use the show location command at the firewall’s CLI (8.8.8.8 is the address used in this example).

Show Location Command Example

Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHHCA0

Open a Case With PAN TAC

When we found the incorrect information in PAN, we immediately contacted PAN TAC. We opened the case as a high priority. In the TAC case, we provided the following info:

  • IP info involved, including information that we own the public IPs.
  • The country the IP subnet should be allocated to. In this case, the U.S.
  • The current version of our App & Threat database.
  • Screenshots from the CLI output (see above example).
  • A Tech Support file from the firewall.

It’s critical to contact TAC ASAP. Here is a KB article for reporting this issue to TAC.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPtECAW

Fortunately, PAN TAC Support was responsive, looked into the issue, and confirmed the incorrect IP info. Once they confirmed the information was incorrect, the issue had to be escalated to their App & Threat development team, which was unfortunate but understandable.

After a couple of days, we received an update that the issue would be resolved in an App & Threat update. If I remember correctly, that updated version was scheduled for release that evening or the next day.

Overall, it took about four days for TAC to resolve the issue. After updating the App & Threat database to the fixed release version, the IP geolocation was correct. Hopefully, the providers with whom we had problems connecting would update their firewall databases (if they used PAN firewalls). A couple of days after the corrected App & Threat version was released, we resolved the issue with a few providers. There’s a high probability they had a PAN firewall.

Manual or Temporary Workaround

If a TAC case has been opened but there is a need to resolve the IP geolocation info temporarily in the meantime, there is a manual workaround. On the PAN firewall, a Region can be created with the correct country and IP subnet. Here is a KB article describing this workaround.

A reminder: once the App & Threat database is corrected and tested, remember to remove this temporary workaround configuration.
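As an added example (not from the original post and not Palo Alto Networks code), the following Python models the two situations discussed above: a vendor geolocation feed that mislabels a subnet, a locally defined Region that overrides the feed until the corrected database ships, and a check for which of several lookup providers disagree with the majority. The feed rows, the 203.0.113.0/24 subnet and the provider answers are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample vendor feed (CIDR -> ISO country code). 203.0.113.0/24 is
# RFC 5737 documentation space standing in for a US-registered subnet that the
# feed has mislabelled as "DE"; 8.8.8.0/24 covers the post's example address.
VENDOR_FEED = """\
network,country
8.8.8.0/24,US
203.0.113.0/24,DE
198.51.100.0/24,CA
"""

Entry = Tuple[ipaddress.IPv4Network, str]

def region(cidr: str, country: str) -> Entry:
    """Build one (network, country) entry, e.g. a locally defined custom Region."""
    return (ipaddress.ip_network(cidr), country)

def parse_feed(csv_text: str) -> List[Entry]:
    """Parse 'network,country' rows; most specific prefix first so the first hit wins."""
    entries = [region(*(f.strip() for f in line.split(",")))
               for line in csv_text.splitlines()[1:] if line.strip()]
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries

def lookup(ip: str, feed: List[Entry], overrides: Optional[List[Entry]] = None) -> Optional[str]:
    """Country for ip. Local overrides are consulted before the vendor feed, which is
    the idea behind the manual Region workaround while a TAC case is open."""
    addr = ipaddress.ip_address(ip)
    for net, country in (overrides or []) + feed:
        if addr in net:
            return country
    return None

def region_policy(ip: str, allowed: set, feed: List[Entry], overrides=None) -> bool:
    """Geo-blocking rule: allow only sources resolving to an allowed country; unknown is denied."""
    return lookup(ip, feed, overrides) in allowed

def disagreements(answers: Dict[str, str]) -> Dict[str, str]:
    """Providers whose country answer differs from the majority view, for troubleshooting."""
    counts: Dict[str, int] = {}
    for c in answers.values():
        counts[c] = counts.get(c, 0) + 1
    majority = max(counts, key=lambda c: counts[c])
    return {p: c for p, c in answers.items() if c != majority}
```

Running region_policy on the mislabelled subnet with and without the override shows exactly why valid US traffic gets dropped until either the feed or the local Region is corrected.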

PAN Feature Request

PAN added GUI troubleshooting to the firewall (starting with 9.1) and has added to or improved it with software updates. This feature can be found at Device > Troubleshooting. As of version 10.1.8, I’m impressed with how far this feature has come.

Hopefully, in future releases, they will add IP geolocation testing in the Troubleshooting section in the GUI. If you want to request this or add your vote to this feature, submit a feature request.

Conclusion

IP geolocation is commonly used and has great benefits for security, compliance, and other reasons. However, there are consequences when the information is incorrect. Currently, there is no responsible and reliable central source of truth for this information. We can hope, and perhaps through diligence, the reliability of this information will improve.

With so many third parties managing and providing this information, it is fortunate that PAN uses its own database. This provides a resource to contact when there are discrepancies.

Reference Links:

https://www.arin.net/blog/2018/06/11/ip-geolocation-the-good-the-bad-the-frustrating/

https://live.paloaltonetworks.com/t5/blogs/geolocation-and-geoblocking/ba-p/315433

Copyright © Packet Passers 2024