filter (Identity Management Advanced Query)
Statement introduced in Junos OS Release 15.1X49-D100.
The advanced user identity query feature enables the SRX Series device to communicate with the Juniper Identity Management Service (JIMS) server to obtain user identity information for an individual user (ip-query) or a group of users (batch query).
Optionally, you can configure filters to convey to the JIMS server at a more granular level the users for whom you want information, based on their IP addresses. The filter statement gives you the flexibility to specify a range of IP addresses to be excluded from the record that the JIMS server sends in response or a range of IP addresses to be included in it. You can also constrain the query target to users in one or more specific active directory domains. Only IPv4 addresses are supported.
You can configure a filter that includes all three specifications: include-ip, exclude-ip, and domain.
Filters are contextual. That is, you can use a different filter configuration for different requests. If you change the filter configuration, the new filter applies to subsequent user identity requests exclusively. It has no bearing on prior query requests.
Use of the JIMS allows you to provision users locally and have their authentication information made available to other sites in your network for policy enforcement and reporting.
Before you use this feature, you must disable active-directory-access and authentication-source options under the user-identification hierarchy. You cannot commit this configuration if active directory authentication or the ClearPass query and webapi functions are configured and committed.
The following are the two behaviors when an include-ip is configured:
Batch query—An SRX Series device sends a request to JIMS with the include list of IP addresses.
IP query—If the IP address to be queried is in the include list, the SRX Series device queries JIMS only for those included IP addresses and does not query for any other IP address. Because the other addresses are never queried, JIMS does not trigger the PC probe for IP addresses that are not in the include list.
A filter can include up to twenty IP address ranges. Therefore, an address set that contains more than twenty ranges causes the filter configuration to fail. To specify the ranges, specify the name of a predefined address set that contains them and that belongs to an existing address book.
The filter for IP addresses does not support nested address sets in an address book. If an address book contains nested address sets, it is ignored.
Here is an include-ip address configuration:
The following are the two behaviors when an exclude-ip is configured:
Batch query—An SRX Series device sends a request to JIMS with the exclude list of IP addresses.
IP query—If the IP address to be queried is excluded, then no request is sent from an SRX Series device to JIMS.
To specify the ranges, specify the name of a predefined address set that contains them and that belongs to an existing address book. The address set must not include more than twenty IP addresses; otherwise, the exclude-ip filter fails. Here is an exclude-ip address configuration similar to that of the include-ip filter:
Starting in Junos OS Release 18.3R1, you can include or exclude IPv6 addresses for filtering the IP addresses, in addition to IPv4 addresses.
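The following is an added example, not code from Juniper or from the Junos documentation: a small Python model of the filter rules described above, usable as a pre-commit check on the address set you intend to reference. It encodes the stated constraints (at most twenty ranges, nested address sets ignored, IPv4 only before Junos OS Release 18.3R1) and the stated ip-query and batch-query behaviors for include-ip and exclude-ip. The address book contents, the set names, and the function names are all constructed for the example; the Junos CLI syntax itself is not reproduced.

```python
"""Model of the identity-management advanced-query filter rules (added example).

The address book below is constructed for illustration. Nested address sets
are represented as references to other set names so the check can flag them.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_RANGES = 20  # the page states a filter can include up to twenty ranges


@dataclass
class AddressSet:
    prefixes: List[str] = field(default_factory=list)  # CIDR strings
    nested: List[str] = field(default_factory=list)    # names of other sets


# Constructed sample address book (hypothetical names and prefixes).
ADDRESS_BOOK: Dict[str, AddressSet] = {
    "corp-users": AddressSet(prefixes=["10.1.0.0/16", "10.2.5.0/24"]),
    "lab-hosts": AddressSet(prefixes=["192.168.100.0/24"]),
    "v6-users": AddressSet(prefixes=["2001:db8:1::/64"]),
    "all-users": AddressSet(nested=["corp-users", "lab-hosts"]),
    "too-big": AddressSet(prefixes=[f"10.{i}.0.0/16" for i in range(21)]),
}


def validate_filter_set(book: Dict[str, AddressSet], set_name: str,
                        ipv6_supported: bool = False) -> List[str]:
    """Return the problems that would make this set unusable in a filter.

    An empty list means the set satisfies every rule stated on the page.
    ipv6_supported=True models Junos OS Release 18.3R1 and later.
    """
    aset = book.get(set_name)
    if aset is None:
        return [f"address set '{set_name}' not found in address book"]
    problems: List[str] = []
    if aset.nested:
        problems.append("nested address sets are not supported and are ignored")
    if len(aset.prefixes) > MAX_RANGES:
        problems.append(f"{len(aset.prefixes)} ranges exceed the limit of {MAX_RANGES}")
    for prefix in aset.prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version == 6 and not ipv6_supported:
            problems.append(f"{prefix} is IPv6; only IPv4 is supported before 18.3R1")
    return problems


def _resolve(book: Dict[str, AddressSet], set_name: str) -> List[ipaddress._BaseNetwork]:
    # Only the set's own prefixes count; nested references are ignored (per the page).
    return [ipaddress.ip_network(p, strict=False) for p in book[set_name].prefixes]


def ip_query_sent(book: Dict[str, AddressSet], ip: str,
                  include_set: Optional[str] = None,
                  exclude_set: Optional[str] = None) -> bool:
    """Decide whether an ip-query for `ip` is sent to JIMS under the filter.

    exclude-ip: an excluded address produces no request at all.
    include-ip: only addresses inside the include list are queried.
    """
    addr = ipaddress.ip_address(ip)
    if exclude_set and any(addr in net for net in _resolve(book, exclude_set)):
        return False
    if include_set and not any(addr in net for net in _resolve(book, include_set)):
        return False
    return True


def batch_query_payload(book: Dict[str, AddressSet],
                        include_set: Optional[str] = None,
                        exclude_set: Optional[str] = None) -> Dict[str, List[str]]:
    """Model the batch query: the request to JIMS carries the include or exclude list."""
    payload: Dict[str, List[str]] = {}
    if include_set:
        payload["include"] = [str(net) for net in _resolve(book, include_set)]
    if exclude_set:
        payload["exclude"] = [str(net) for net in _resolve(book, exclude_set)]
    return payload


if __name__ == "__main__":
    for name in ADDRESS_BOOK:
        print(name, validate_filter_set(ADDRESS_BOOK, name) or "ok")
    print("10.1.4.4 with include corp-users:",
          ip_query_sent(ADDRESS_BOOK, "10.1.4.4", include_set="corp-users"))
    print("192.168.100.7 with exclude lab-hosts:",
          ip_query_sent(ADDRESS_BOOK, "192.168.100.7", exclude_set="lab-hosts"))
```

Running the check against a set before referencing it in the filter surfaces the two failure modes the page names (too many ranges, nested sets) before commit time rather than as a commit failure, and the `ipv6_supported` flag lets you keep the pre-18.3R1 restriction in view when a set mixes address families.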
Required Privilege Level
services—To view this statement in the configuration.
services-control—To add this statement to the configuration.