Configure the SRX Series and Geolocation IP for Integration with JATP

IP-based Geolocation (GeoIP) maps an IP address to the geographic location of an Internet-connected computing device. JATP supports GeoIP, giving you the ability to filter traffic to and from specific geographies in the world.

GeoIP uses a Dynamic Address Entry (DAE) infrastructure. A DAE is a group of IP addresses, not just a single IP prefix. These IP addresses are for specific domains or for entities that have a common attribute, such as a particular undesired location that poses a threat. The administrator can then reference the DAE in a security policy. When the DAE is updated, the changes automatically become part of the security policy. There is no need to update the policy manually.

Note:

The feed URL is set up automatically for you when you run the script to enroll the SRX Series device. Currently, configuring GeoIP and security policies is done completely on the SRX Series device using CLI commands.

To create the GeoIP DAE and security firewall policy:

  1. Create the DAE using the set security dynamic-address CLI command. Set the category to GeoIP and property to country (all lowercase). When specifying the countries, use the two-letter ISO 3166 country code in capital ASCII letters; for example, US or DE. For a complete list of country codes, see ISO 3166-1 alpha-2.

    In the following example, the DAE name is my-geoip and the interested countries are the United States (US) and Great Britain (GB).

  2. Use the show security dynamic-address CLI command to verify your settings. Your output should look similar to the following:

  3. Create the security firewall policy using the set security policies CLI command.

    In the following example, the policy is from the untrust to trust zone, the policy name is my-geoip-policy, the source address is my-geoip created in Step 1, and the action is to deny access from the countries listed in my-geoip.

  4. Use the show security policies CLI command to verify your settings. Your output should look similar to the following:
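
The four steps above as one configuration-mode session. This is an added example, not the listing from the original page; it uses the names given in the steps (my-geoip, my-geoip-policy, untrust, trust), while the destination-address and application match values are assumptions.

```junos
# Added example: enter in configuration mode on the SRX Series device.
# Step 1: DAE "my-geoip" covering the United States (US) and Great Britain (GB).
set security dynamic-address address-name my-geoip profile category GeoIP property country string US
set security dynamic-address address-name my-geoip profile category GeoIP property country string GB

# Step 2: review the candidate DAE configuration.
show security dynamic-address

# Step 3: deny untrust-to-trust traffic whose source address falls in my-geoip.
# "destination-address any" and "application any" are assumed values; Junos
# requires all three match criteria in a security policy.
set security policies from-zone untrust to-zone trust policy my-geoip-policy match source-address my-geoip
set security policies from-zone untrust to-zone trust policy my-geoip-policy match destination-address any
set security policies from-zone untrust to-zone trust policy my-geoip-policy match application any
set security policies from-zone untrust to-zone trust policy my-geoip-policy then deny

# Step 4: review the candidate policy, then validate and activate it.
show security policies
commit check
commit
```

Junos evaluates the policies of a zone pair in order and stops at the first match, so my-geoip-policy only takes effect if it sits above any broader permit policy from untrust to trust. Use the insert security policies command to reorder it if needed.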