Configure the SRX Series and Geolocation IP for Integration with ATP Appliance
IP-based geolocation (GeoIP) maps an IP address to the geographic location of the Internet-connected device that uses it. ATP Appliance supports GeoIP, giving you the ability to filter traffic to and from specific geographic regions.
GeoIP uses the Dynamic Address Entry (DAE) infrastructure. A DAE is a group of IP addresses, not just a single IP prefix. The addresses belong to specific domains or to entities that share a common attribute, such as an undesired location that poses a threat. The administrator configures security policies that reference the DAE; when the DAE is updated from its feed, the change automatically takes effect in every policy that references it, with no manual policy update.
The feed URL is set up automatically when you run the script to enroll the SRX Series Firewall. Currently, GeoIP and the security policies that use it are configured entirely on the SRX Series Firewall using CLI commands.
To create the GeoIP DAE and the security firewall policy:
- Create the DAE using the set security dynamic-address CLI command. Set the category to GeoIP (mixed case, exactly as shown) and the property to country (all lowercase). When specifying countries, use the two-letter ISO 3166-1 alpha-2 country code in uppercase ASCII letters; for example, US or DE. For a complete list of country codes, see ISO 3166-1 alpha-2. In the following example, the DAE name is my-geoip1 and the countries of interest are the United States (US), Great Britain (GB), and Australia (AU).

  user@host# set security dynamic-address address-name my-geoip1 profile category GeoIP property country string US
  user@host# set security dynamic-address address-name my-geoip1 profile category GeoIP property country string GB
  user@host# set security dynamic-address address-name my-geoip1 profile category GeoIP property country string AU

- Use the show security dynamic-address CLI command to verify your settings. Your output should look similar to the following:

  user@host# show security dynamic-address
  address-name my-geoip1 {
      profile {
          category GeoIP {
              property country {
                  string US;
                  string GB;
                  string AU;
              }
          }
      }
  }
  [edit]

- Create the security firewall policy using the set security policies CLI command. In the following example, the policy is from the untrust zone to the trust zone, the policy name is my-geoip-policy, the source address is the my-geoip1 DAE created in Step 1, and the action is to deny access from the countries listed in my-geoip1. Security policies are evaluated in order within a zone pair, so this deny policy must precede any broader permit policy between untrust and trust; if one already exists, move the new policy ahead of it with the insert security policies from-zone untrust to-zone trust policy my-geoip-policy before policy existing-policy-name command, and commit the configuration to activate it.

  user@host# set security policies from-zone untrust to-zone trust policy my-geoip-policy match source-address my-geoip1 destination-address any application any
  user@host# set security policies from-zone untrust to-zone trust policy my-geoip-policy then deny

- Use the show security policies CLI command to verify your settings. Your output should look similar to the following:

  user@host# show security policies
  ...
  from-zone untrust to-zone trust {
      policy my-geoip-policy {
          match {
              source-address my-geoip1;
              destination-address any;
              application any;
          }
          then {
              deny;
          }
      }
  }
  ...

  Note that a DAE contains no addresses until the SRX Series Firewall has downloaded the GeoIP feed; a policy that references an empty DAE matches nothing. Confirm with the operational-mode show security dynamic-address command that entries exist for each country before relying on the policy.
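The four steps above can be generated and checked before they are pasted into the CLI. The following is an added example written for this page; it is not code from the Juniper ATP Appliance or the SRX documentation. It validates the country codes against the format the SRX expects (two uppercase ASCII letters, since a lowercase "us" or the non-ISO "UK" silently matches nothing in the feed), emits the same set commands as the procedure, and goes beyond the page by also producing the optional insert command for policy ordering and an outbound variant that uses the DAE as the destination address. The function and parameter names, the policy name suffix "-out", and the existing policy name "allow-all" are assumptions for illustration.

```python
import re

# Added example; not code from the Juniper ATP Appliance or Junos documentation.
# ISO 3166-1 alpha-2 codes are exactly two uppercase ASCII letters.
ISO_ALPHA2 = re.compile(r"^[A-Z]{2}$")


def is_valid_country_code(code):
    """True only for two uppercase ASCII letters, the form the GeoIP feed matches on."""
    return bool(ISO_ALPHA2.match(code))


def validate_country_codes(codes):
    """Return the codes de-duplicated in input order; raise on any malformed code
    (for example "us" or "USA"), which the CLI would accept but the feed would never match."""
    seen = []
    for code in codes:
        if not is_valid_country_code(code):
            raise ValueError(f"invalid ISO 3166-1 alpha-2 country code: {code!r}")
        if code not in seen:
            seen.append(code)
    return seen


def geoip_dae_commands(dae_name, codes):
    """One 'set security dynamic-address' line per country, category GeoIP, property country."""
    return [
        f"set security dynamic-address address-name {dae_name} "
        f"profile category GeoIP property country string {code}"
        for code in validate_country_codes(codes)
    ]


def geoip_deny_policy_commands(policy_name, dae_name, from_zone, to_zone,
                               direction="source", insert_before=None):
    """Deny policy that matches the DAE as the source (inbound, as on the page) or as the
    destination (outbound). insert_before is an assumed parameter naming an existing
    policy the new one must precede: Junos evaluates policies in order, so a deny placed
    after a broad permit never matches."""
    if direction not in ("source", "destination"):
        raise ValueError("direction must be 'source' or 'destination'")
    src = dae_name if direction == "source" else "any"
    dst = dae_name if direction == "destination" else "any"
    prefix = f"set security policies from-zone {from_zone} to-zone {to_zone} policy {policy_name}"
    cmds = [
        f"{prefix} match source-address {src} destination-address {dst} application any",
        f"{prefix} then deny",
    ]
    if insert_before:
        cmds.append(
            f"insert security policies from-zone {from_zone} to-zone {to_zone} "
            f"policy {policy_name} before policy {insert_before}"
        )
    return cmds


def build_geoip_config(dae_name, codes, policy_name, insert_before=None):
    """The page's procedure end to end: the DAE plus the untrust-to-trust deny policy."""
    return geoip_dae_commands(dae_name, codes) + geoip_deny_policy_commands(
        policy_name, dae_name, "untrust", "trust", "source", insert_before
    )


if __name__ == "__main__":
    # Inbound block as on the page, ordered ahead of an assumed existing "allow-all" policy.
    for line in build_geoip_config("my-geoip1", ["US", "GB", "AU"], "my-geoip-policy",
                                   insert_before="allow-all"):
        print(line)
    # Outbound block: same DAE used as the destination address from trust to untrust.
    for line in geoip_deny_policy_commands("my-geoip-policy-out", "my-geoip1",
                                           "trust", "untrust", "destination"):
        print(line)
```

Paste the printed lines into configuration mode and commit; the validator rejects the input before any command is produced, so a typo in a country code is caught on the workstation rather than discovered later as a policy that denies nothing.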
Deleting GeoIP-based Dynamic Addresses for a Single Country Code
You can delete the GeoIP-based dynamic addresses for a single country code with the following command, where address-name is the name of your DAE (this example removes Canada, CA):

  user@host# delete security dynamic-address address-name address-name profile category GeoIP property country string CA

In the following example, the DAE name is my-geoip1 and the country codes you want to delete are the United States (US) and Great Britain (GB).

  user@host# delete security dynamic-address address-name my-geoip1 profile category GeoIP property country string US
  user@host# delete security dynamic-address address-name my-geoip1 profile category GeoIP property country string GB

This removes only the specified country from the profile and leaves the other country entries intact.
After you delete the country codes, confirm the deletion using the operational-mode show security dynamic-address command:

  user@host> show security dynamic-address
  node0:
  --------------------------------------------------------------------------
  Instance default Total number of matching entries: 0
  No.  IP-start  IP-end     Feed           Address    CountryCode
  1    1.0.0.0   1.0.0.255  geoip_country  my-geoip1  AU
  2    1.0.0.0   1.0.0.255  geoip_country  my-geoip2  CN
You can display the show security dynamic-address summary command output as Junos XML tag elements by including the | display xml option after the command. The da-summary-dynamic-address-information element appears multiple times when duplicate IP addresses are present in the configuration; you can use this output to identify and remove the duplicate entries.

  user@host> show security dynamic-address summary | display xml
  <rpc-reply xmlns:junos="http://">
      <security-dynamic-address>
          <security-dynamic-address-summary>
              <da-summary-sscan>
                  <da-sscan-status>Disable</da-sscan-status>
                  <da-sscan-hold-interval>10 seconds</da-sscan-hold-interval>
              </da-summary-sscan>
              <da-summary-server>
              </da-summary-server>
              <da-summary-dynamic-address>
                  <da-summary-dynamic-address-information>
                  </da-summary-dynamic-address-information>
                  <da-summary-dynamic-address-information>
                  </da-summary-dynamic-address-information>
              </da-summary-dynamic-address>
              <da-summary-dynamic-address-total>
                  <da-instance-name>default</da-instance-name>
                  <da-cnt-total-v4>0</da-cnt-total-v4>
                  <da-cnt-total-feed-v4>0</da-cnt-total-feed-v4>
                  <da-cnt-total-v6>0</da-cnt-total-v6>
                  <da-cnt-total-feed-v6>0</da-cnt-total-feed-v6>
              </da-summary-dynamic-address-total>
              <da-summary-dynamic-address>
                  <da-summary-dynamic-address-information>
                      <da-name>geoip1</da-name>
                      <da-id>11</da-id>
                      <da-entry-cnt-v4>39</da-entry-cnt-v4>
                      <da-entry-cnt-v6>56</da-entry-cnt-v6>
                      <da-sscan-entry-status>Disable</da-sscan-entry-status>
                      <da-mapping-feed>
                      </da-mapping-feed>
                      <da-rule>
                          <da-category-name>GeoIP</da-category-name>
                          <da-category-feed>---</da-category-feed>
                      </da-rule>
                      <da-property>
                          <da-property-name>country</da-property-name>
                          <da-property-value>KP</da-property-value>
                      </da-property>
                  </da-summary-dynamic-address-information>
                  <da-summary-dynamic-address-information>
                      <da-name>geoip2</da-name>
                      <da-id>12</da-id>
                      <da-entry-cnt-v4>88</da-entry-cnt-v4>
                      <da-entry-cnt-v6>38</da-entry-cnt-v6>
                      <da-sscan-entry-status>Disable</da-sscan-entry-status>
                      <da-mapping-feed>
                      </da-mapping-feed>
                      <da-rule>
                          <da-category-name>GeoIP</da-category-name>
                          <da-category-feed>---</da-category-feed>
                      </da-rule>
                      <da-property>
                          <da-property-name>country</da-property-name>
                          <da-property-value>VC</da-property-value>
                      </da-property>
                  </da-summary-dynamic-address-information>
              </da-summary-dynamic-address>
              <da-summary-dynamic-address-total>
                  <da-instance-name>geoip</da-instance-name>
                  <da-cnt-total-v4>127</da-cnt-total-v4>
                  <da-cnt-total-v6>94</da-cnt-total-v6>
              </da-summary-dynamic-address-total>
          </security-dynamic-address-summary>
          <security-dynamic-address-summary>
              <da-summary-dynamic-address-total>
                  <da-instance-name>advanced-anti-malware</da-instance-name>
                  <da-cnt-total-v4>0</da-cnt-total-v4>
                  <da-cnt-total-v6>0</da-cnt-total-v6>
              </da-summary-dynamic-address-total>
          </security-dynamic-address-summary>
      </security-dynamic-address>
  </rpc-reply>
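Reading the two outputs above by eye does not scale once several DAEs exist, so the following added example (written for this page, not code from Juniper or the ATP Appliance) parses them programmatically. From the summary XML it builds one record per DAE and reports any country code configured under more than one DAE; from the tabular show security dynamic-address output it reports entries from different DAEs whose IP ranges overlap, which is the duplicate-address condition the page points at. Both inputs are constructed samples that follow the element and column layout shown above (the XML keeps only the elements the code reads, and a third DAE and a third table row are added to exercise the checks); the function names are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout of "show security dynamic-address" above;
# row 3 is added so there is a non-overlapping entry to compare against.
SHOW_DYNAMIC_ADDRESS_TABLE = """\
No.  IP-start  IP-end     Feed           Address    CountryCode
1    1.0.0.0   1.0.0.255  geoip_country  my-geoip1  AU
2    1.0.0.0   1.0.0.255  geoip_country  my-geoip2  CN
3    1.0.4.0   1.0.7.255  geoip_country  my-geoip1  AU
"""

# Constructed sample in the layout of "show security dynamic-address summary | display xml";
# geoip3 duplicates geoip1's country so the duplicate check has something to find.
SUMMARY_XML = """<rpc-reply>
<security-dynamic-address><security-dynamic-address-summary><da-summary-dynamic-address>
<da-summary-dynamic-address-information></da-summary-dynamic-address-information>
<da-summary-dynamic-address-information>
<da-name>geoip1</da-name><da-id>11</da-id>
<da-entry-cnt-v4>39</da-entry-cnt-v4><da-entry-cnt-v6>56</da-entry-cnt-v6>
<da-property><da-property-name>country</da-property-name><da-property-value>KP</da-property-value></da-property>
</da-summary-dynamic-address-information>
<da-summary-dynamic-address-information>
<da-name>geoip2</da-name><da-id>12</da-id>
<da-entry-cnt-v4>88</da-entry-cnt-v4><da-entry-cnt-v6>38</da-entry-cnt-v6>
<da-property><da-property-name>country</da-property-name><da-property-value>VC</da-property-value></da-property>
</da-summary-dynamic-address-information>
<da-summary-dynamic-address-information>
<da-name>geoip3</da-name><da-id>13</da-id>
<da-entry-cnt-v4>39</da-entry-cnt-v4><da-entry-cnt-v6>56</da-entry-cnt-v6>
<da-property><da-property-name>country</da-property-name><da-property-value>KP</da-property-value></da-property>
</da-summary-dynamic-address-information>
</da-summary-dynamic-address></security-dynamic-address-summary></security-dynamic-address>
</rpc-reply>"""


def parse_summary_xml(xml_text):
    """Return {dae_name: {"id", "v4", "v6", "countries"}}, skipping the empty
    placeholder information elements that also appear in the real output."""
    daes = {}
    for info in ET.fromstring(xml_text).iter("da-summary-dynamic-address-information"):
        name = info.findtext("da-name")
        if not name:
            continue
        countries = sorted(
            p.findtext("da-property-value")
            for p in info.iter("da-property")
            if p.findtext("da-property-name") == "country"
        )
        daes[name] = {
            "id": int(info.findtext("da-id")),
            "v4": int(info.findtext("da-entry-cnt-v4")),
            "v6": int(info.findtext("da-entry-cnt-v6")),
            "countries": countries,
        }
    return daes


def duplicate_country_daes(daes):
    """Country codes configured under more than one DAE -> sorted list of those DAE names."""
    by_country = {}
    for name, dae in daes.items():
        for code in dae["countries"]:
            by_country.setdefault(code, []).append(name)
    return {code: sorted(names) for code, names in by_country.items() if len(names) > 1}


def parse_entry_table(text):
    """Rows of the tabular output as dicts; header and separator lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            rows.append({
                "start": ipaddress.ip_address(m.group(1)),
                "end": ipaddress.ip_address(m.group(2)),
                "feed": m.group(3), "dae": m.group(4), "country": m.group(5),
            })
    return rows


def overlapping_entries(rows):
    """(dae_a, dae_b, overlap_start, overlap_end) for entries of different DAEs
    of the same IP version whose ranges intersect."""
    hits = []
    for i, a in enumerate(rows):
        for b in rows[i + 1:]:
            if a["dae"] == b["dae"] or a["start"].version != b["start"].version:
                continue
            if a["start"] <= b["end"] and b["start"] <= a["end"]:
                hits.append((a["dae"], b["dae"],
                             str(max(a["start"], b["start"])), str(min(a["end"], b["end"]))))
    return hits


if __name__ == "__main__":
    print("duplicate countries:", duplicate_country_daes(parse_summary_xml(SUMMARY_XML)))
    print("overlapping entries:", overlapping_entries(parse_entry_table(SHOW_DYNAMIC_ADDRESS_TABLE)))
```

On a real device, capture the two outputs with | display xml and | no-more and feed them to the parsers in place of the constructed samples; each reported pair names the DAE and country string to pass to the delete security dynamic-address command above.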