
Recognize anycast addresses in geo-IP blocking

An anycast IP can be advertised from multiple locations, and the router selects a path based on latency, distance, cost, number of hops, and so on. This technique is widely used by providers to route users to the closest server. Because the IP is hosted in multiple geographic locations, no single location can be assigned to that IP, so a geo-IP country lookup for it is inherently unreliable.

In FortiOS 6.2.2, there is an option to bypass anycast IP ranges in geo-IP blocking. The ISDB contains a list of confirmed anycast IP ranges that can be used for this purpose.

When the source or destination is set to geoip, you can enable the geoip-anycast option. Once enabled, IPs where the anycast option is set to 1 in geoip_db are bypassed in country matching and blocking.

Note

You can only use the CLI to configure this feature.

To enable the geoip-anycast option using the CLI:

config firewall policy
    edit 1
        set name "policyid-1"
        set uuid dfcaec9c-e925-51e8-cf3e-fed9a1d42a1c
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "test-geoip-CA_1"
        set action accept
        set schedule "always"
        set service "ALL"
        set geoip-anycast enable
        set logtraffic all
        set nat enable
    next
end

To check the geoip-anycast option for an IP address using the CLI:

diagnose geoip ip2country 1.0.0.1
1.0.0.1 - Australia, is anycast ip

The output shows that 1.0.0.1 is flagged as an anycast IP in the geo-IP database (its nominal country is Australia), so a policy with geoip-anycast enabled skips it during country matching and blocking.
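To make the matching rule above concrete, here is a small Python model of how a geoip address object behaves with and without the geoip-anycast bypass. This is an added example, not FortiOS code or the ISDB format: the lookup table is constructed (only the 1.0.0.1 / Australia / anycast result comes from the page, and the /24 prefix around it is an assumption), and the function and field names are hypothetical. It also goes slightly beyond the page by showing a unicast range in the same country still matching while the anycast range is skipped.

```python
"""Model of geo-IP country matching with the geoip-anycast bypass.

Added example, not FortiOS code. It imitates the behaviour the page
describes: an address whose anycast flag is 1 in the geo-IP database is
excluded from country matching when geoip-anycast is enabled. The lookup
table below is constructed for the demonstration; only the
1.0.0.1 -> Australia, anycast result is taken from the page.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class GeoEntry:
    network: ipaddress.IPv4Network
    country: str   # country name as 'diagnose geoip ip2country' prints it
    anycast: int   # 1 = confirmed anycast range, 0 = ordinary unicast range


# Constructed stand-in for geoip_db (the real database is far larger).
GEOIP_DB = [
    GeoEntry(ipaddress.ip_network("1.0.0.0/24"), "Australia", 1),       # contains 1.0.0.1 (page); /24 assumed
    GeoEntry(ipaddress.ip_network("198.51.100.0/24"), "Australia", 0),  # constructed (TEST-NET-2)
    GeoEntry(ipaddress.ip_network("203.0.113.0/24"), "Canada", 0),      # constructed (TEST-NET-3)
]


def ip2country(ip: str) -> Optional[GeoEntry]:
    """Longest-prefix lookup of an IPv4 address in the constructed table."""
    addr = ipaddress.ip_address(ip)
    hits = [e for e in GEOIP_DB if addr in e.network]
    return max(hits, key=lambda e: e.network.prefixlen) if hits else None


def describe(ip: str) -> str:
    """Render a lookup in the same shape as the diagnose output on the page."""
    entry = ip2country(ip)
    if entry is None:
        return f"{ip} - unknown"
    suffix = ", is anycast ip" if entry.anycast else ""
    return f"{ip} - {entry.country}{suffix}"


def geoip_matches(ip: str, policy_country: str, geoip_anycast: bool) -> bool:
    """Does a geoip address object for policy_country match this IP?

    With geoip_anycast enabled, entries flagged anycast=1 are left out of
    country matching, so they hit neither a geo-IP allow nor a geo-IP block.
    """
    entry = ip2country(ip)
    if entry is None:
        return False
    if geoip_anycast and entry.anycast == 1:
        return False  # bypassed: multi-homed range, no single location
    return entry.country == policy_country


if __name__ == "__main__":
    print(describe("1.0.0.1"))
    for flag in (False, True):
        label = "enable" if flag else "disable"
        print(f"geoip-anycast {label}: "
              f"1.0.0.1 matches Australia -> {geoip_matches('1.0.0.1', 'Australia', flag)}, "
              f"198.51.100.7 matches Australia -> {geoip_matches('198.51.100.7', 'Australia', flag)}")
```

Run it and compare the two lines: with geoip-anycast disabled the anycast address is treated as Australian and would be caught by an Australia-based allow or block rule; with it enabled the address drops out of country matching entirely, while the unicast Australian range keeps matching. That is the exact effect of the set geoip-anycast enable line in the policy above.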
