An anycast IP can be advertised from multiple locations and the router selects a path based on latency, distance, cost, number of hops, and so on. This technique is widely used by providers to route users to the closest server. Since the IP is hosted in multiple geographic locations, there is no way to specify one single location to that IP.
In FortiOS 6.2.2, there is an option to bypass anycast IP ranges in geo-IP blocking. The ISDB contains a list of confirmed anycast IP ranges that can be used for this purpose.
When the source or destination is set to
geoip, you can enable the
geoip-anycast option. Once enabled, IPs where the anycast option is set to
geoip_db are bypassed in country matching and blocking.
You can only use the CLI to configure this feature.
config firewall policy
set name "policyid-1"
set uuid dfcaec9c-e925-51e8-cf3e-fed9a1d42a1c
set srcintf "wan2"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "test-geoip-CA_1"
set action accept
set schedule "always"
set service "ALL"
set geoip-anycast enable
set logtraffic all
set nat enable
diagnose geoip ip2country 18.104.22.168
22.214.171.124 - Australia, is anycast ip
The anycast IP is