Configure the SRX Series and Geolocation IP for Integration with ATP Appliance

IP-based Geolocation (GeoIP) is a mapping of an IP address to the geographic location of an Internet-connected computing device. ATP Appliance supports GeoIP, giving you the ability to filter traffic to and from specific geographies in the world.

GeoIP uses a Dynamic Address Entry (DAE) infrastructure. A DAE is a group of IP addresses, not just a single IP prefix. These IP addresses are for specific domains or for entities that have a common attribute such as a particular undesired location that poses a threat. The administrator can then reference the DAE in security policies. When the DAE is updated, the changes automatically become part of the security policy. There is no need to update the policy manually.

Note:

The feed URL is set up automatically for you when you run the script to enroll the SRX Series Firewall. Currently, configuring GeoIP and security policies is done completely on the SRX Series Firewall using CLI commands.

To create the GeoIP DAE and security firewall policy:

  1. Create the DAE using the set security dynamic-address CLI command. Set the category to GeoIP and property to country (all lowercase). When specifying the countries, use the two-letter ISO 3166 country code in capital ASCII letters; for example, US or DE. For a complete list of country codes, see ISO 3166-1 alpha-2.

    In the following example, the DAE name is my-geoip1 and the countries of interest are the United States (US) and Great Britain (GB).

  2. Use the show security dynamic-address CLI command to verify your settings. Your output should look similar to the following:
  3. Create the security firewall policy using the set security policies CLI command.

    In the following example, the policy is from the untrust to trust zone, the policy name is my-geoip-policy, the source address is my-geoip1 created in Step 1, and the action is to deny access from the countries listed in my-geoip1.

  4. Use the show security policies CLI command to verify your settings. Your output should look similar to the following:

Deleting GeoIP-based Dynamic Addresses for a Single Country Code

You can delete GeoIP-based dynamic addresses for a single country code using the following step:

In the following example, the DAE name is my-geoip1 and the country codes you want to delete are United States (US) and Great Britain (GB).

The above step deletes the country from the profile without affecting the other country entries.
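The four-step procedure and the single-country deletion described above, written out as Junos configuration-mode commands. This is an added example, not the original page's listing. It assumes the untrust and trust zones already exist, uses destination-address any and application any (match terms the page does not specify), and deletes only US so that the remaining GB entry is visible.

```junos
# Added example. my-geoip1 and my-geoip-policy are the names used on this page;
# "destination-address any application any" and the commit steps are assumptions.

# Step 1: create the DAE for US and GB (category GeoIP, property country).
user@host# set security dynamic-address address-name my-geoip1 profile category GeoIP property country string US
user@host# set security dynamic-address address-name my-geoip1 profile category GeoIP property country string GB

# Step 2: verify the DAE configuration.
user@host# show security dynamic-address

# Step 3: deny untrust-to-trust traffic sourced from the countries in my-geoip1.
user@host# set security policies from-zone untrust to-zone trust policy my-geoip-policy match source-address my-geoip1 destination-address any application any
user@host# set security policies from-zone untrust to-zone trust policy my-geoip-policy then deny

# Step 4: verify the policy, then commit.
user@host# show security policies
user@host# commit

# Deleting a single country code: name the exact country string so that
# the other entry (GB here) stays in the profile.
user@host# delete security dynamic-address address-name my-geoip1 profile category GeoIP property country string US
user@host# commit
```

Junos evaluates the policies of a zone pair in order and appends a new policy last, so a broader permit rule listed earlier would match first. Move the deny rule ahead of it with `insert security policies from-zone untrust to-zone trust policy my-geoip-policy before policy <existing-policy>`, where `<existing-policy>` is a placeholder for your own policy name.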

After you delete the country code, you can confirm the deletion using the show security dynamic-address command.

user@host> show security dynamic-address

Note:

You can display the show security dynamic-address summary command output as Junos XML tag elements by including the | display xml option after the command.

Starting in Junos OS Release 23.4R1, we have introduced a new entity, da-summary-dynamic-address-information, that appears multiple times if any duplicate IP addresses are present in the configuration. You can use this command output to remove duplicate entries.