IP-based Geolocation (GeoIP) is a mapping of an IP address to
the geographic location of the Internet-connected computing device that uses it.
JATP supports GeoIP, giving you the ability to filter traffic to and
from specific geographies in the world.
GeoIP uses a Dynamic Address Entry (DAE) infrastructure. A DAE
is a group of IP addresses, not just a single IP prefix. These IP
addresses belong to specific domains or to entities that share a common
attribute, such as an undesired location that poses a threat.
The administrator can then reference the DAE in a security policy.
When the DAE is updated, the changes automatically become part of
the security policy; there is no need to update the policy manually.
Note: The feed URL is set up automatically for you when you
run the script to enroll the SRX Series device. Currently, configuring
GeoIP and security policies is done completely on the SRX Series device
using CLI commands.
To create the GeoIP DAE and security firewall policy:
1. Create the DAE using the set security dynamic-address CLI command.
   Set the category to GeoIP and the property to country (all lowercase).
   When specifying the countries, use the two-letter ISO 3166 country code
   in capital ASCII letters; for example, US or DE. For a complete list of
   country codes, see ISO 3166-1 alpha-2. In the following example, the DAE
   name is my-geoip and the countries of interest are the United States (US)
   and Great Britain (GB).

   root@host# set security dynamic-address address-name my-geoip profile category GeoIP property country string US
   root@host# set security dynamic-address address-name my-geoip profile category GeoIP property country string GB
2. Use the show security dynamic-address CLI command to verify your
   settings. Your output should look similar to the following:

   root@host# show security dynamic-address
   address-name my-geoip {
       profile {
           category GeoIP {
               property country {
                   string US;
                   string GB;
               }
           }
       }
   }
   [edit]
3. Create the security firewall policy using the set security policies
   CLI command. In the following example, the policy is from the untrust
   zone to the trust zone, the policy name is my-geoip-policy, the source
   address is the my-geoip DAE created in Step 1, and the action is to deny
   access from the countries listed in my-geoip.

   root@host# set security policies from-zone untrust to-zone trust policy my-geoip-policy match source-address my-geoip destination-address any application any
   root@host# set security policies from-zone untrust to-zone trust policy my-geoip-policy then deny
4. Use the show security policies CLI command to verify your settings.
   Your output should look similar to the following:

   root@host# show security policies
   ...
   from-zone untrust to-zone trust {
       policy my-geoip-policy {
           match {
               source-address my-geoip;
               destination-address any;
               application any;
           }
           then {
               deny;
           }
       }
   }
   ...
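The following added example (not part of this page or of any Juniper tool) automates the procedure above: it generates the set commands for the DAE and the deny policy, rejects country codes that are not two capital ASCII letters, and checks the show security dynamic-address output from Step 2 by parsing the country strings under a named DAE. The DAE name, policy name and sample output are constructed to match the steps; the function names are the example's own.

```python
"""Generate and verify the GeoIP DAE and deny-policy configuration from the steps above."""
import re
from typing import List

# ISO 3166-1 alpha-2 codes, as the procedure requires: two capital ASCII letters.
COUNTRY_CODE = re.compile(r"^[A-Z]{2}$")


def geoip_dae_commands(dae_name: str, countries: List[str]) -> List[str]:
    """Step 1: one 'set security dynamic-address' line per country code."""
    cmds = []
    for code in countries:
        if not COUNTRY_CODE.match(code):
            raise ValueError(f"not a two-letter capital ISO 3166-1 alpha-2 code: {code!r}")
        cmds.append(f"set security dynamic-address address-name {dae_name} "
                    f"profile category GeoIP property country string {code}")
    return cmds


def geoip_deny_policy_commands(policy: str, dae_name: str,
                               from_zone: str = "untrust", to_zone: str = "trust") -> List[str]:
    """Step 3: policy that matches the DAE as source address and denies."""
    prefix = f"set security policies from-zone {from_zone} to-zone {to_zone} policy {policy}"
    return [f"{prefix} match source-address {dae_name} destination-address any application any",
            f"{prefix} then deny"]


def countries_in_dae(show_output: str, dae_name: str) -> List[str]:
    """Step 2 check: country strings configured under the named DAE in
    'show security dynamic-address' output; empty list if the DAE is absent.
    Tracks brace depth, so it works on indented or flattened output."""
    depth, inside, found = 0, False, []
    for line in show_output.splitlines():
        s = line.strip()
        if not inside:
            inside = s == f"address-name {dae_name} {{"
            depth = 1 if inside else 0
            continue
        depth += s.count("{") - s.count("}")
        m = re.match(r"string ([A-Z]{2});", s)
        if m:
            found.append(m.group(1))
        if depth == 0:
            break
    return found


# Constructed sample of the Step 2 output (not captured from a real device).
SAMPLE_SHOW = ("address-name my-geoip {\n  profile {\n    category GeoIP {\n"
               "      property country {\n        string US;\n        string GB;\n"
               "      }\n    }\n  }\n}\n")

if __name__ == "__main__":
    print("\n".join(geoip_dae_commands("my-geoip", ["US", "GB"])
                    + geoip_deny_policy_commands("my-geoip-policy", "my-geoip")))
    print(countries_in_dae(SAMPLE_SHOW, "my-geoip"))
```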