Geolocation

You can view and filter traffic based on country and continent by leveraging a geolocation database (GeoDB). Note that for mobile devices and other hosts detected moving from country to country, the system may report a continent instead of a specific country.

The system comes with an initial GeoDB that maps IP addresses to countries/continents, so that information should always be available. If you update the GeoDB, the system also downloads contextual data. This can include:

  • Region (state, province, or other country subregion), city, and postal code.

  • Latitude/longitude, time zone, and clickable maps.

  • Autonomous System Number (ASN) and additional information about the ASN.

  • Internet service provider (ISP), connection type, and proxy type.

  • Home/business, organization, and domain name information.

To view this information, click the small country flag icons and ISO country codes wherever they appear: in events, asset profiles, the Context Explorer, dashboard, and other analysis tools. You cannot view geolocation details for aggregate geolocation information, such as on the Connection Summary dashboard.

Note

We issue periodic updates to the GeoDB. You must regularly update the GeoDB to have accurate geolocation information; see Update the Geolocation Database.

In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains the contextual data. The new country code package has the same file name as the old all-in-one package. This allows systems running Version 7.1 and earlier to continue to obtain GeoDB updates. However, because this package now contains only country code mappings, the contextual data is no longer updated and will grow stale. To obtain fresh data, upgrade or reimage to Version 7.2+ and update the GeoDB. Note that this split does not affect geolocation rules or traffic handling in any way—those rules rely only on the data in the country code package.