Recognize anycast addresses in geo-IP blocking
An anycast IP can be advertised from multiple locations and the router selects a path based on latency, distance, cost, number of hops, and so on. This technique is widely used by providers to route users to the closest server. Since the IP is hosted in multiple geographic locations, there is no way to specify one single location to that IP.
In FortiOS 6.2.2, there is an option to bypass anycast IP ranges in geo-IP blocking. The ISDB contains a list of confirmed anycast IP ranges that can be used for this purpose.
When the source or destination is set to geoip
, you can enable the geoip-anycast
option. Once enabled, IPs where the anycast option is set to 1
in geoip_db
are bypassed in country matching and blocking.
You can only use the CLI to configure this feature. |
To enable the geoip-anycast option using the CLI:
config firewall policy
edit 1
set name "policyid-1"
set uuid dfcaec9c-e925-51e8-cf3e-fed9a1d42a1c
set srcintf "wan2"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "test-geoip-CA_1"
set action accept
set schedule "always"
set service "ALL"
set geoip-anycast enable
set logtraffic all
set nat enable
next
end
To check the geoip-anycast option for an IP address using the CLI:
diagnose geoip ip2country 1.0.0.1
1.0.0.1 - Australia, is anycast ip
The anycast IP is 1.0.0.1
.