Why is the logfile full of source IPs which are mapped to the wrong countries?

Zyxel_USG_User

I have an USG firewall, the logfile is full of source IPs which show the wrong country of domain registration / origin. When I look these IPs up with different tools, they may show different partially incomplete or even wrong answers, that is true as well. But using specific tools, the answer is correct.

I refer to IP ranges or subnets which reside in one specific country, but are nevertheless shown as belonging to another country. They have also not changed ownership in the last years or so, so the assignment is pretty static. Nevertheless, they are mistakenly shown as belonging to another country.

The internal countries database (GeoIP database) is updated once per week automatically- as this is the maximum what can be done by the settings…

Why don't you start using the most accurate IP identifying tools first, then write the most accurate finding there?

It is a nice touch showing country flags for own interpretation of IP countries of origin, but if they do not match the reality, what is the point of doing so?….

If you are also aware of that, what are you planning to do to fix this issue?

Zyxel_Tina

Hi @Zyxel_USG_User,

To further investigate this issue, could you please help provide the following details:

1. A screenshot of the log entries where the incorrect country flags or mappings appear.
2. The model name of your firewall.
3. The current firmware version running on the device.

Once we have this information, we can check whether the GeoIP database is being properly applied, or if there might be any other inconsistencies.

Zyxel_USG_User

Model: USG Flex 50W (USG20W-VPN)

FW: V5.40(ABAR.0)

GeoIP latest version and current version: 20250803. ('autoupdate weekly' is enabled)

This is one of the many entries which I discover on a constant basis when analysing the logfile. This behaviour happens with IPs from all over the world.

Zyxel_Tina

Hi @Zyxel_USG_User,

Thanks for the feedback!

To help us investigate further, could you please help list the IP addresses with incorrect country flags/mappings? This will allow us to check them in detail and verify against our GeoIP database.

Zyxel_USG_User

This is so disappointing. I sent you all the informations requested, and one IP which is displayed wrong. You do nothing about the provided informations, but ask for something else now?… This is not customer friendly at all.

My suggestion- you analyse why the IP above is displayed with the wrong flag. You have the firmware version (latest), the hardware model, and the GeoIP database version (latest).

Please see the above IP. It belongs to .bg, and the flag displayed is from another country, .ro.

Here is another entry, from today's log:

Same story- however I look up the IP address, is in another country than the displayed flag in the logfile.

Your SW resolves it as being in .ro, but is .bg . Different countries, different flags, different IPs.

Basically, you have this whole IP range which is displayed with the wrong country flag. I have seen other ranges as well, when I occasionally look them up.

I can tell as well that this IP range has been displayed in the logs with the wrong country flag for around 1 year already. The domains I have seen mismatched did not change countries, they have always belonged to the same country same owner/provider etc.

Please investigate what is happening with the IPs displayed with wrong country flags and tell me why, and if and when it is going to be fixed.