
Dynamic Address Group Overview


Manually adding address entries to a policy is time consuming. External sources provide lists of IP addresses that share a specific purpose (such as a blocklist) or a common attribute (such as a particular location, or behavior that might pose a threat). The administrator can use this external intelligence from the cloud to identify threat sources by IP address, group those addresses into a dynamic address entry, and reference that entry in a security policy, thereby controlling traffic to and from those addresses. Each such group of IP addresses is referred to as a dynamic address entry.

Note

A dynamic address entry is a group of IP addresses, not a single IP prefix. A dynamic address entry is different from the legacy security address concepts of address books and address book entries.

There are major benefits to deploying dynamic address entries in security policies:

  • The network administrator has more control over the traffic to and from groups of IP addresses.

  • The network administrator can leverage the external intelligence (IP address feeds) that exists in the cloud.

  • The external server provides updated IP address feeds to the SRX Series device.

  • The administrator’s efforts are dramatically reduced. For example, in a legacy security policy configuration, adding 1000 address entries for a policy to reference would require some 2000 lines of configuration. By defining a dynamic address entry and referencing it in a security policy, up to millions of entries could flow into the SRX Series device without much additional configuration effort.

  • No commit process is required to add new addresses. Adding thousands of addresses to a configuration through a legacy method takes a long time to commit. Alternatively, IP addresses in a dynamic address entry come from an external feed, so no commit process is required when the addresses in an entry change.

Figure 1 illustrates a functional overview of how the dynamic address entry in a security policy works.

Figure 1: Functional Components of the Dynamic Address Entry in a Security Policy

The Spotlight Secure process (daemon) periodically retrieves an IP address feed file or an update to the file from the external source (or server) and decodes the server data into a dynamic address entry. A dynamic address entry contains many IP addresses that share a common purpose or attribute, such as a geographical origin, a threat type, or a threat level.

A security policy then references the dynamic address entry in a source address or destination address field (in much the same way that a security policy references a legacy address entry).

Figure 2 illustrates a policy that uses a dynamic address entry in the Destination-address field.

Figure 2: A Dynamic Address Entry in a Security Policy

In Figure 2, Policy 1 uses the destination address 10.10.1.1, which is a legacy security address entry. Policy 2 uses the destination address Vendor blocklist, which is a dynamic address entry named by the network administrator; its content is the list of IP addresses retrieved from an external feed file. Packets that match all five criteria (the From-zone named untrust, the To-zone named engineer, any source address, a destination IP address that belongs to the Vendor blocklist dynamic address entry, and the mail application) are handled according to the policy actions, which are to deny and log the packet.
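The following Python model is an added example, not Juniper code, of the flow described above: a plaintext feed is decoded into a dynamic address entry, a policy references that entry by name in its destination field, and a later feed update changes what Policy 2 matches without the policy itself being edited. The feed contents, the feed file format, and Policy 1's application and action are constructed assumptions; the page does not state them.

```python
import ipaddress
# Constructed sample feed file (not a real vendor feed): one IPv4 address or prefix
# per line; blank lines and '#' comments are ignored.
FEED_V1 = """\
# vendor blocklist, constructed sample
203.0.113.0/24
198.51.100.17
"""

def decode_feed(text):
    """Decode feed text into the list of networks that make up one dynamic address entry."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

# Address entries by name; dynamic and legacy entries share one name space (legacy host as /32).
ADDRESSES = {
    "10.10.1.1": [ipaddress.ip_network("10.10.1.1/32")],  # legacy address entry
    "Vendor blocklist": decode_feed(FEED_V1),             # dynamic address entry
}

# Policies from Figure 2. Policy 1's application and action are assumed (any / permit).
POLICIES = [
    {"name": "Policy 1", "from": "untrust", "to": "engineer", "src": "any",
     "dst": "10.10.1.1", "app": "any", "action": "permit"},
    {"name": "Policy 2", "from": "untrust", "to": "engineer", "src": "any",
     "dst": "Vendor blocklist", "app": "mail", "action": "deny-and-log"},
]

def addr_matches(name, ip):
    """'any' matches every address; otherwise test membership in the named entry."""
    return name == "any" or any(ip in net for net in ADDRESSES[name])

def lookup(from_zone, to_zone, src, dst, app):
    """First-match policy lookup; returns the action or the implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in POLICIES:
        if (p["from"], p["to"]) != (from_zone, to_zone) or p["app"] not in ("any", app):
            continue
        if addr_matches(p["src"], src) and addr_matches(p["dst"], dst):
            return p["action"]
    return "default-deny"

def refresh_feed(name, text):
    """Swap in a newly downloaded feed: the policy is untouched, so no commit is needed."""
    ADDRESSES[name] = decode_feed(text)
```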

Note

The dynamic address entry names share the same name space as legacy security address entries, so do not use the same name for more than one entry. The Junos OS commit process checks that names are not duplicated to avoid a conflict.

Dynamic address groups support the following data feeds:

  • Custom lists (allowlists and blocklists)

  • GeoIP

Figure 3 shows the dialog box for creating a dynamic address group in Security Director.

Figure 3: Creating a Dynamic Address Group
