Services Applications
- Support for GeoIP filtering, global allowlist, and global blocklist (MX240, MX480, and MX960)—Starting in Junos OS Release 21.4R1, you can configure the Security Intelligence process ipfd on the listed MX Series routers to fetch GeoIP feeds from Policy Enforcer. The GeoIP feeds help prevent devices from communicating with IP addresses belonging to specific countries.
You can define:
- A profile to dynamically fetch GeoIP feeds. Include the geo-ip rule match country country-name statement at the [edit services web-filter profile profile-name security-intelligence-policy] hierarchy level.
- A template to dynamically fetch GeoIP feeds. Include the geo-ip rule match group group-name statement at the [edit services web-filter profile profile-name url-filter-template template-name security-intelligence-policy] hierarchy level.
You can define a global allowlist by configuring the white-list (IP-address-list | file-name) statement at the [edit services web-filter profile profile-name security-intelligence-policy] hierarchy level. You can define a global blocklist by configuring the black-list (IP-address-list | file-name) statement at the [edit services web-filter profile profile-name security-intelligence-policy] hierarchy level. Here, IP-address-list refers to the name of the list specified at the [edit services web-filter] hierarchy level. The file-name option refers to the name of the file where the list of the IP addresses to be allowed or blocked is specified. The file must be in the /var/db/url-filterd directory and must have the same name as in the configuration.
[See Integration of Juniper ATP Cloud and Web filtering on MX Routers.]
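A pre-deployment check for the allowlist and blocklist files described above, as an added example that is not Juniper code. It assumes a file format of one IPv4/IPv6 address or prefix per line with optional `#` comments (the release note does not specify the format), and the file names and sample entries are constructed.

```python
import ipaddress
from pathlib import PurePosixPath

LIST_DIR = PurePosixPath("/var/db/url-filterd")  # directory named in the release note

# Constructed sample list bodies (documentation address ranges only).
ALLOW_SAMPLE = "192.0.2.10\n198.51.100.0/24\n2001:db8::1\n"
BLOCK_SAMPLE = "192.0.2.0/24\n203.0.113.7\n300.1.1.1\n"

def parse_list(text):
    """Return (networks, errors) for a list file body.
    Assumed format: one address or prefix per line, '#' starts a comment."""
    nets, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            errors.append(f"line {lineno}: not an IP address or prefix: {entry!r}")
    return nets, errors

def check_file_name(configured_name, present_names):
    """The name in the configuration must exactly match a file in LIST_DIR."""
    if configured_name not in present_names:
        return f"{LIST_DIR / configured_name} not found (name must match exactly)"
    return None

def overlaps(allow, block):
    """Pairs where an allowlist entry and a blocklist entry share addresses."""
    return [(a, b) for a in allow for b in block
            if a.version == b.version and a.overlaps(b)]

if __name__ == "__main__":
    allow, allow_err = parse_list(ALLOW_SAMPLE)
    block, block_err = parse_list(BLOCK_SAMPLE)
    for msg in allow_err + block_err:
        print("invalid entry,", msg)
    for a, b in overlaps(allow, block):
        print(f"conflict: allowlist {a} overlaps blocklist {b}")
    # Hypothetical file names standing in for the directory listing on the router.
    present = {"allowed-ips.txt", "blocked-ips.txt"}
    print(check_file_name("blocked-ips.txt", present) or "file name OK")
```

Entries reported as conflicts should be resolved before commit so that the intended action for those addresses is explicit in one list only.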