Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configure Juniper Advanced Threat Prevention Cloud With Geolocation IP

To configure Juniper ATP Cloud with GeoIP, you first create the GeoIP DAE and specify the interested countries. Then, create a security firewall policy on the SRX Series Firewall to reference the DAE and define whether to allow or block access.

To create the GeoIP DAE and security firewall policy:

  1. Create the DAE using the set security dynamic-address CLI command. Set the category to GeoIP and property to country (all lowercase). When specifying the countries, use the two-letter ISO 3166 country code in capital ASCII letters; for example, US or DE. For a complete list of country codes, see ISO 3166-1 alpha-2. Table 1 lists the additional codes that are not part of ISO 3166-1 alpha-2.
    Table 1: Additional Codes

    Code

    Country

    Additional Information

    A1

    Anonymous Proxy

    This country code identifies a set of IP addresses used by specific anonymous proxies or VPN services. These types of services may be used to bypass GeoIP restrictions.

    Note:

    This country code does not provide complete coverage of all proxy traffic. It identifies the traffic for specific legal anonymous proxies.

    A2

    Satellite Provider

    This country code identifies a set of IP addresses used by Satellite ISPs to provide Internet service to multiple countries. Examples: Nigeria and Ghana.

    AP

    Asia/Pacific Region

    This country code identifies a set of IP addresses that are spread out through the Asia/Pacific region. The country of origin for this set of IP addresses is unknown.

    Note:

    This country code consists of a small subset of IP addresses in the Asia/Pacific region.

    EU

    Europe

    This country code identifies a set of IP addresses that are spread out through Europe. The country of origin for this set of IP addresses is unknown.

    Note:

    This country code does not cover all IP addresses in Europe.

    VA

    Vatican City State

     

    AS

    Asia

     

    OC

    Oceania

     

    In the following example, the DAE name is my-geoip and the interested countries are the United States (US) and Great Britain (GB).

  2. Use the show security dynamic-address CLI command to verify your settings. Your output should look similar to the following:
  3. Create the security firewall policy using the set security policies CLI command.

    In the following example, the policy is from the untrust to trust zone, the policy name is my-geoip-policy, the source address is my-geoip created in Step 1, and the action is to deny access from the countries listed in my-geoip.

  4. Use the show security policies CLI command to verify your settings. Your output should look similar to the following:
  5. Import the category feeds to the dynamic address using the set dynamic address CLI command.
    In the following example, the source address is my-geoip created in Step 1 and the action is to import feeds under the GeoIP category to the dynamic address.
  6. Use the show security dynamic-address CLI command to verify your settings. Your output should look similar to the following:

    Deleting GeoIP-based Dynamic Addresses for a Single Country Code

    You can delete GeoIP-based dynamic addresses for a single country code using the following step:

    In the following example, the DAE name is my-geoip and the country codes you want to delete are—United States (US) and Great Britain (GB).

    Above step deletes country successfully from the profile without affecting the other country entries.

    After you delete the country code, you can confirm the deletion using the show security dynamic-address command.

    show security dynamic-address

Juniper ATP Cloud with GeoIP provides improved consistency checks and logging from SRX Series Firewalls that are enrolled with Juniper ATP Cloud.

The session deny message includes the following fields:

  • source-country—Displays the country code of the source address with reference to the policy dynamic address match.
  • destination-country—Displays the country code of the destination address with reference to the policy dynamic address match.

The system log message displays the valid country code only if the matched policy includes a dynamic address configured with GeoIP. If the matched policy does not have GeoIP configured, then the source-country and destination-country fields display N/A. See System Log Explorer for more details.