Help Center User GuideGetting StartedFAQRelease Notes
User Guide
Getting Started
Release Notes

Threat Map Overview

The threat map allows you to visualize geographical regions for incoming and outgoing traffic. You can view blocked and allowed threat events based on feeds from IPS, antivirus, and antispam engines. Unsuccessful login attempts for devices are also displayed. An event count for each attack object can be viewed by clicking a specific geographical location. This is useful for viewing unusual activity that could indicate a possible attack. If you have deployed your firewall devices across the globe, you can find the country that is attacking your firewall devices the most by using the threat map.

Note The devices can be root device or logical system (LSYS) device.

Threats are color-coded and can be seen at the bottom of the page. You also get a quick view of total number of threats blocked and allowed, an individual count of threats blocked and allowed for each event, as well as the top targeted devices, top destination countries, and top source countries.

You can click any individual source or destination point on the map to review information about the threat events, including the number of threat events, type of threat, time of events, source IP, and destination IP. You can also perform further analysis of the attack by clicking the attack type and viewing the filtered list of events from the Event Viewer.

Starting in Junos Space Security Director Release 16.1, you can click a country on the threat map to bring up the respective country page. You can view the total threat events since midnight, followed by inbound and outbound threat events. You see the highest top five inbound and outbound IP addresses. You can also view all IP addresses with the option to block one or more of them. In addition, you can block all traffic or only the inbound and outbound traffic for the selected country.

Click View Details to see more details for the country on the right panel. In addition, you can see total number of inbound and outbound threats for each event.

Table 54 describes different types of threats blocked and allowed.

Table 54: Types of Threats



IPS Threat Events

Intrusion detection and prevention (IDP) attacks detected by the IDP module.

The information reported about the attack includes:

  • Source of attack

  • Destination of attack

  • Type of attack

  • Session information

  • Severity

  • Policy information that permitted the traffic.

  • Action: traffic permitted or dropped.

Spam Events

E-mail spam that is detected based on the blacklist spam e-mails.

The information reported about the attack includes:

  • Source

  • Action: E-mail is rejected or allowed.

  • Reason for identifying as e-mail spam.

Virus Events

Virus attacks detected by the antivirus engine.

The information reported about the attack includes:

  • Source of the infected file

  • Destination

  • Filename

  • URL used for accessing the file

Device Authentications

The firewall authentication messages generated due to unauthorized attempts to access the network. The reported information contains the reason for authentication failure and the source of the request.


A type of threat detected by SRX Series devices. The information reported about the attack includes:

  • Attack name

  • Action taken

  • Source of the attack

  • Destination of the attack


A type of threat detected by SRX Series devices in collaboration with Sky ATP software. The information reported about the attack includes:

  • Malware name

  • Action taken

  • Infected host

  • Source of the attack

  • Destination of the attack

Note Threats with unknown geographical IP addresses are displayed as undefined.

Related Documentation

Ask questions in TechWiki

Check documentation in TechLibrary

Rating by you:      

Additional Comments

800 characters remaining

May we contact you if necessary?


Need product assistance? Contact Juniper Support