
IP Geolocation Strangeness

Per this post, Sophos uses Maxmind for IP Geolocation. Is this still true?

I ask because Maxmind reports literotica.com as being in the US:

but UTM says otherwise:



  • Hello,

    Good day and thanks for reaching out to Sophos Community

    Yes, UTM/SFOS uses Maxmind for Geolocation. You may submit a change request here and it will also be reflected on the FWs:

    https://www.maxmind.com/en/geoip-data-correction-request#correcting-a-few-ips

    Many thanks for your time and patience and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • I'm not asking how to change Maxmind's determination - because it appears to be correct:

    I'm asking why Maxmind says United States and UTM says Uzbekistan.

  • Hey,

    Yes, on UTM it shows the following:
    geoiplookup 216.150.64.0
    GeoIP Country Edition: UZ, Uzbekistan

    For which you can submit the request here - https://support.maxmind.com/hc/en-us/requests/new

    Thanks & Regards,

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


  • A reverse DNS lookup on 216.150.64.0 returns 216-150-64-0-block.reverse.ezzi.net, not literotica[.]com.

    Where is the 216.150.64.0 address coming from?

    An nslookup from my UTM command line yields the correct addresses (in the US):

    216.150.64.0 is not what's being blocked:

    /var/log/http/2023/06/http-2023-06-21.log.gz:2023:06:21-22:04:45 Hillary-1 httpproxy[60070]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="CONNECT" srcip="192.168.0.126" dstip="216.150.65.200" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaNULLNetwo2 (Deckernet)" filteraction="REF_DefaultHTTPCFFAction (Default Filter Action)" size="0" request="0x7f60d330cc00" url="">www.literotica[.]com/" referer="" error="" authtime="0" dnstime="3" aptptime="154" cattime="0" avscantime="0" fullreqtime="225340" device="0" auth="0" ua="" exceptions="" overridecategory="1" overridereputation="1" category="112" reputation="trusted" categoryname="Entertainment" country="Uzbekistan"

    /var/log/http.log:2023:06:22-08:24:46 Hillary-1 httpproxy[60070]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="CONNECT" srcip="192.168.0.220" dstip="216.150.65.190" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaNULLNetwo3 (NULL's Devices)" filteraction="REF_HttCffNULLConteFilte (Allow All Filter Action)" size="3280" request="0x2f84000" url="">www.literotica.com/" referer="" error="" authtime="0" dnstime="102595" aptptime="124" cattime="0" avscantime="0" fullreqtime="378884" device="0" auth="0" ua="" exceptions="" overridecategory="1" overridereputation="1" category="112" reputation="trusted" categoryname="Entertainment" country="Uzbekistan"

    How do I force UTM to resync its Maxmind database?
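An added example, not code from this thread or from Sophos: a small Python checker that parses UTM httpproxy lines in the key="value" format quoted above and flags entries where the appliance's country= field disagrees with a second geolocation source, so a block "to forbidden country" that rests on disputed data stands out for review. The log lines and the reference prefix table are constructed for the example; the table stands in for the Maxmind web lookup, which the thread says reports these addresses as US.

```python
import ipaddress
import re

# Constructed sample lines in the UTM httpproxy key="value" format seen in this
# thread (fields trimmed, values constructed for the example).
SAMPLE_LOG = """\
2023:06:21-22:04:45 Hillary-1 httpproxy[60070]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="CONNECT" srcip="192.168.0.126" dstip="216.150.65.200" statuscode="403" url="https://www.literotica.com/" categoryname="Entertainment" country="Uzbekistan"
2023:06:22-08:24:46 Hillary-1 httpproxy[60070]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="CONNECT" srcip="192.168.0.220" dstip="216.150.65.190" statuscode="403" url="https://www.literotica.com/" categoryname="Entertainment" country="Uzbekistan"
2023:06:22-08:25:10 Hillary-1 httpproxy[60070]: severity="info" sys="SecureWeb" sub="http" name="web request allowed" action="pass" method="GET" srcip="192.168.0.220" dstip="93.184.216.34" statuscode="200" url="http://example.com/" categoryname="Uncategorized" country="United States"
"""

# Constructed stand-in for an external geolocation source (the thread's Maxmind
# web lookup); keys are prefixes, values are the country that source reports.
REFERENCE_GEO: dict[str, str] = {
    "216.150.64.0/23": "United States",
    "93.184.216.0/24": "United States",
}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_utm_line(line: str) -> dict[str, str]:
    """Split one httpproxy log line into its key="value" fields."""
    fields = dict(FIELD_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]  # token before the hostname
    return fields


def reference_country(ip: str, table: dict[str, str]):
    """Longest-prefix match of ip against the reference table (None if absent)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, country in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, country)
    return best[1] if best else None


def find_geo_mismatches(log_text: str, table: dict[str, str]) -> list[dict[str, str]]:
    """Return entries whose appliance country= differs from the reference source."""
    out = []
    for line in log_text.splitlines():
        f = parse_utm_line(line)
        if "dstip" not in f or "country" not in f:
            continue
        ref = reference_country(f["dstip"], table)
        if ref is not None and ref != f["country"]:
            out.append({"timestamp": f["timestamp"], "dstip": f["dstip"],
                        "action": f["action"], "utm_country": f["country"],
                        "reference_country": ref})
    return out
```

Run it over a real /var/log/http.log export with a reference table built from your own lookups; every row returned is a country decision the two sources disagree on.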
