ip-query (Identity Management Advanced Query)

Syntax

Hierarchy Level

Description

Configure the parameters to be used for the IP query function. When this feature is enabled, the SRX Series Firewall queries the Juniper Identity Management Service (JIMS) server for user identity information based on the IP address of a user’s device.

For example, if identity information for a user is missing from a flow, the SRX Series Firewall can issue a query request specifying the IP address of the user’s device. Also, if the SRX Series Firewall does not have identity information for a specific user, it can use captive portal to authenticate the user. After it authenticates the user, the SRX Series Firewall can issue a query request to the Juniper Identity Management Service, specifying the user ID and the IP address of the user’s device, to obtain additional information such as the names of the groups that the user belongs to.

If many IP query requests are waiting in the queue, the SRX Series Firewall can maintain multiple concurrent HTTP/HTTPS connections with the Juniper Identity Management Service to increase throughput. However, the number of concurrent connections is kept at a reasonable level (twenty or fewer) so as not to place excessive load on the Juniper Identity Management Service.

Note:

IP query is one of three query methods: IP query, batch query, and user query. All three types of queries can occur concurrently. They are not mutually exclusive.

The advanced user identity query feature, to which this configuration statement belongs, relies on the Juniper Identity Management Service that allows you to provision users locally and have their authentication information made available to other sites in your network for policy enforcement and reporting. The feature allows the SRX Series Firewall to query the Juniper Identity Management Service to pull user identity information.

Warning:

Before you use this feature, you must disable active-directory-access and authentication-source options under the user-identification hierarchy. You cannot commit this configuration if active directory authentication or the ClearPass query and webapi functions are configured and committed.

To obtain device information, such as device identity, groups, and the operating system, from the Juniper Identity Management Service server using either the batch-query or ip-query configuration, you must set the device authentication source, as follows.

Options

no-ip-query

Disable IP query. IP query is enabled by default.

query-delay-time

Time, in seconds, after which the SRX Series Firewall sends the query. Rather than letting the SRX Series Firewall respond automatically by sending a query immediately, you can set the query-delay-time parameter so that the SRX Series Firewall waits for the specified period before sending the query.

  • Default: 15 seconds

  • Range: 0-60 seconds
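The following CLI sequence is an added example and is not part of the Juniper documentation above. It assumes that the ip-query statement lives under [edit services user-identification identity-management], that the JIMS connection is configured with connection primary address, client-id and client-secret, and that the show commands used for verification exist with the names given; the server address, client ID and secret are placeholders.

```junos
# Added example (not from the Juniper documentation). Assumes ip-query sits under
# [edit services user-identification identity-management]; the JIMS address,
# client-id and client-secret below are placeholders, replace them with your own.

# 1. Prerequisite stated in the Warning above: Active Directory access and the
#    authentication-source option must not be committed together with this feature.
delete services user-identification active-directory-access
delete services user-identification authentication-source

# 2. Point the firewall at the JIMS server (placeholder values).
set services user-identification identity-management connection primary address 192.0.2.10
set services user-identification identity-management connection primary client-id SRX-CLIENT-ID-PLACEHOLDER
set services user-identification identity-management connection primary client-secret "CLIENT-SECRET-PLACEHOLDER"

# 3. Leave IP query enabled (the default) but wait 30 seconds before querying JIMS,
#    so that short-lived flows with no identity information do not each trigger a lookup.
set services user-identification identity-management ip-query query-delay-time 30

# Alternative: disable IP query only, leaving batch query and user query active.
# set services user-identification identity-management ip-query no-ip-query

# Fail early if the combination of statements is rejected (see the Warning above).
commit check
commit

# Verify the JIMS connection and watch query activity (assumed show command names).
run show services user-identification identity-management status
run show services user-identification identity-management counters
```

A query-delay-time of 0 makes the firewall query JIMS as soon as a flow arrives without identity information; a longer delay reduces query volume toward the JIMS server at the cost of a longer window in which policy is evaluated without group information, so pick the value against the queue depth reported by the counters rather than guessing.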

Required Privilege Level

  1. services—To view this statement in the configuration.

  2. services-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 15.1X49-D100.