Why is the logfile full of source IPs which are mapped to the wrong countries?
Ally Member
I have an USG firewall, the logfile is full of source IPs which show the wrong country of domain registration / origin. When I look these IPs up with different tools, they may show different partially incomplete or even wrong answers, that is true as well. But using specific tools, the answer is correct.
I refer to IP ranges or subnets which reside in one specific country, but are nevertheless shown as belonging to another country. They have also not changed ownership in the last years or so, so the assignment is pretty static. Nevertheless, they are mistakenly shown as belonging to another country.
The internal countries database (GeoIP database) is updated once per week automatically- as this is the maximum what can be done by the settings…
Why don't you start using the most accurate IP identifying tools first, then write the most accurate finding there?
It is a nice touch showing country flags for own interpretation of IP countries of origin, but if they do not match the reality, what is the point of doing so?….
If you are also aware of that, what are you planning to do to fix this issue?
All Replies
-
Hi @Zyxel_USG_User,
To further investigate this issue, could you please help provide the following details:
- A screenshot of the log entries where the incorrect country flags or mappings appear.
- The model name of your firewall.
- The current firmware version running on the device.
Once we have this information, we can check whether the GeoIP database is being properly applied, or if there might be any other inconsistencies.
Zyxel Tina
0 -
Model: USG Flex 50W (USG20W-VPN)
FW: V5.40(ABAR.0)
GeoIP latest version and current version: 20250803. ('autoupdate weekly' is enabled)
This is one of the many entries which I discover on a constant basis when analysing the logfile. This behaviour happens with IPs from all over the world.
0 -
Hi @Zyxel_USG_User,
Thanks for the feedback!
To help us investigate further, could you please help list the IP addresses with incorrect country flags/mappings? This will allow us to check them in detail and verify against our GeoIP database.
Zyxel Tina
0 -
This is so disappointing. I sent you all the informations requested, and one IP which is displayed wrong. You do nothing about the provided informations, but ask for something else now?… This is not customer friendly at all.
My suggestion- you analyse why the IP above is displayed with the wrong flag. You have the firmware version (latest), the hardware model, and the GeoIP database version (latest).
Please see the above IP. It belongs to .bg, and the flag displayed is from another country, .ro.
Here is another entry, from today's log:
Same story- however I look up the IP address, is in another country than the displayed flag in the logfile.
Your SW resolves it as being in .ro, but is .bg . Different countries, different flags, different IPs.
Basically, you have this whole IP range which is displayed with the wrong country flag. I have seen other ranges as well, when I occasionally look them up.
I can tell as well that this IP range has been displayed in the logs with the wrong country flag for around 1 year already. The domains I have seen mismatched did not change countries, they have always belonged to the same country same owner/provider etc.
Please investigate what is happening with the IPs displayed with wrong country flags and tell me why, and if and when it is going to be fixed.
0 -
Hi @Zyxel_USG_User,
Thank you for the information you provided and maybe I was not clear causing some misunderstanding.
We have reviewed the case and confirmed that on the USG FLEX 50W, the IP you mentioned is indeed shown as originating from .ro, while other lookup tools show it as belonging to .bg.
While we are checking the root cause, we’d also like to confirm if you have noticed any other IPs with the same issue, so we can address them together.
We will keep you posted as soon as we have any updates.
Zyxel Tina
0 -
Here's another candidate, assigned by your systems to .ro flag when it is not based there.
It would be cool when yourselves discover such discrepancies and IPs before your customers do. We also pay for your products and salaries indirectly.
0 -
Hi @Zyxel_USG_User,
Regarding the flag feature, we have already forwarded the issues you raised to our Geo IP signature team for further investigation and correction. They are working on addressing the inaccuracies you pointed out. We appreciate your feedback!
Zyxel Tina
0 -
Here is another one. Look up for this specific subnet and you will see it belongs physically elsewhere. Assumption: it seems that this is part of the problem that the flags are assigned only based on a too big IP range (implying that all subranges belong to them and same country), instead of resolving the smaller and very specific subnets and allocations.
0 -
Another one:
0 -
Hi @Zyxel_USG_User,
The IP addresses you pointed out:
45.142.193.49 has now been corrected to map to the UK instead of Romania. However, the IP 87.120.222.229 shows the correct flag when checked with other IP lookup tools and indeed belongs to Switzerland.
Zyxel Tina
0
Zyxel Employee
Categories
- All Categories
- 438 Beta Program
- 2.7K Nebula
- 188 Nebula Ideas
- 121 Nebula Status and Incidents
- 6.2K Security
- 454 USG FLEX H Series
- 303 Security Ideas
- 1.6K Switch
- 81 Switch Ideas
- 1.3K Wireless
- 44 Wireless Ideas
- 6.8K Consumer Product
- 278 Service & License
- 435 News and Release
- 88 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 4.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 91 Security Highlight
