Configure Juniper Advanced Threat Prevention Cloud With Geolocation IP
To configure Juniper ATP Cloud with GeoIP, you first create the GeoIP DAE and specify the interested countries. Then, create a security firewall policy on the SRX Series Firewall to reference the DAE and define whether to allow or block access.
To create the GeoIP DAE and security firewall policy:
-
Create the DAE using the
set security dynamic-addressCLI command. Set the category toGeoIPand property tocountry(all lowercase). When specifying the countries, use the two-letter ISO 3166 country code in capital ASCII letters; for example, US or DE. For a complete list of country codes, see ISO 3166-1 alpha-2. Table 1 lists the additional codes that are not part of ISO 3166-1 alpha-2.Table 1: Additional Codes Code
Country
Additional Information
A1
Anonymous Proxy
This country code identifies a set of IP addresses used by specific anonymous proxies or VPN services. These types of services may be used to bypass GeoIP restrictions.
Note:This country code does not provide complete coverage of all proxy traffic. It identifies the traffic for specific legal anonymous proxies.
A2
Satellite Provider
This country code identifies a set of IP addresses used by Satellite ISPs to provide Internet service to multiple countries. Examples: Nigeria and Ghana.
AP
Asia/Pacific Region
This country code identifies a set of IP addresses that are spread out through the Asia/Pacific region. The country of origin for this set of IP addresses is unknown.
Note:This country code consists of a small subset of IP addresses in the Asia/Pacific region.
EU
Europe
This country code identifies a set of IP addresses that are spread out through Europe. The country of origin for this set of IP addresses is unknown.
Note:This country code does not cover all IP addresses in Europe.
VA
Vatican City State
AS
Asia
OC
Oceania
In the following example, the DAE name is
my-geoipand the interested countries are the United States (US) and Great Britain (GB).user@host# set security dynamic-address address-name my-geoip profile category GeoIP property country string US root@host# set security dynamic-address address-name my-geoip profile category GeoIP property country string GB
-
Use the
show security dynamic-addressCLI command to verify your settings. Your output should look similar to the following:user@host# show security dynamic-address address-name my-geoip { profile { category GeoIP { property country { string US; string GB; } } } } [edit] -
Create the security firewall policy using the
set security policiesCLI command.In the following example, the policy is from the untrust to trust zone, the policy name is
my-geoip-policy, the source address ismy-geoipcreated in Step 1, and the action is to deny access from the countries listed inmy-geoip.user@host# set security policies from-zone untrust to-zone trust policy my-geoip-policy match source-address my-geoip destination-address any application any user@host# set security policies from-zone untrust to-zone trust policy my-geoip-policy then deny
-
Use the
show security policiesCLI command to verify your settings. Your output should look similar to the following:user@host# show security policies ... from-zone untrust to-zone trust { policy my-geoip-policy { match { source-address my-geoip; destination-address any; application any; } then { deny; } } } ... -
Import the category feeds to the dynamic address using the
set dynamic addressCLI command.In the following example, the source address ismy-geoipcreated in Step 1 and the action is to import feeds under the GeoIP category to the dynamic address.user@host# set security dynamic-address address-name my-geoip profile category GeoIP feed fd property country string US
-
Use the
show security dynamic-addressCLI command to verify your settings. Your output should look similar to the following:user@host# show security dynamic-address ... address-name my-geoip { profile { category GeoIP { property country { string US; } } } } address-name my-geoip { profile { category GeoIP { feed fd; property country { string US; } } } }Deleting GeoIP-based Dynamic Addresses for a Single Country Code
You can delete GeoIP-based dynamic addresses for a single country code using the following step:
user@host# delete security dynamic-address address-name address-name profile category GeoIP property country string CA
In the following example, the DAE name is
my-geoipand the country codes you want to delete are—United States (US) and Great Britain (GB).user@host# delete security dynamic-address address-name my-geoip profile category GeoIP property country string US user@host# delete security dynamic-address address-name my-geoip profile category GeoIP property country string GB
Above step deletes country successfully from the profile without affecting the other country entries.
After you delete the country code, you can confirm the deletion using the
show security dynamic-addresscommand.user@host> show security dynamic-addressnode0: -------------------------------------------------------------------------- Instance default Total number of matching entries: 0 No. IP-start IP-end Feed Address CountryCode 1 1.0.0.0 1.0.0.255 geoip_country my-geoip1 AU 2 1.0.0.0 1.0.0.255 geoip_country my-geoip2 CN
Juniper ATP Cloud with GeoIP provides improved consistency checks and logging from SRX Series Firewalls that are enrolled with Juniper ATP Cloud.
The session deny message includes the following fields:
source-country—Displays the country code of the source address with reference to the policy dynamic address match.destination-country—Displays the country code of the destination address with reference to the policy dynamic address match.
The system log message displays the valid country code only if the matched policy
includes a dynamic address configured with GeoIP. If the matched policy does not
have GeoIP configured, then the source-country and
destination-country fields display N/A. See
System Log Explorer for more details.