[SRX/Sky ATP] FAQ - Sky ATP GeoIP Feeds

Article ID: KB32099 KB Last Updated: 21 Nov 2019 Version: 4.0
Summary:

This article lists Frequently Asked Questions (FAQ) regarding Sky ATP GeoIP feeds and the respective answers.

Solution:
  1. Where is the GeoIP data stored on the SRX device after download?
    1. The GeoIP information is stored in /var/db.
  2. How can I see the size of this information on disk, to make sure that there is enough space left on the SRX device?
    1. You can use either of two commands: % df -h from the shell, or show system storage from the CLI.
  3. Does this database survive device reboot?
    1. Yes. Data is preserved after reboot and when the PE is down.
  4. In case the PE is down and there is no new update, how long will the local GeoIP data stay cached on the SRX device?
    1. Since the data is not cached in memory but in a database file on the SRX device, this will stay in the file system unless it is removed.
  5. If GeoIP rules are configured, but no database is available, will the SRX device fail open or fail closed?
    1. From testing, when something goes wrong related to "IPFilter" objects, the reaction is ANY_IP. For example, the blacklist rule "deny something" turns into "deny all."
  6. How is the GeoIP data stored within a cluster? Is it downloaded to flash on both cluster members, or just the active member? If failover happens, does the second cluster member have the GeoIP information instantly (because it was stored on the second node), or is it necessary to download this information again from the PE?
    1. With regard to the SRX HA Cluster, the GeoIP data will be stored on both members of the cluster. If a failover occurs, the active SRX device will use the data available in the GeoIP DB.
  7. Are GeoIP SecIntel Feeds supported on SRX300 and SRX320 platforms?
    1. Starting in Junos OS release 18.3R1, SRX300 and SRX320 platforms support GeoIP feeds from Sky ATP. See the Supported Platforms Guide.
  8. Do JATP400, JATP700, and JATP Virtual Core support GeoIP Feeds?
    1. Yes. You need to configure the SRX device as detailed in the Configuring GeoIP Guide.
  9. Can I use lowercase ASCII letters when configuring a Country Code?
    1. No. Since the feed uses uppercase letters, the configuration for Country Code must match. Please reference the Configuring GeoIP Guide.
  10. Is GeoIP intended only for external to internal threats?
    1. No, the GeoIP Dynamic Address Entry can be implemented in security policies without regard to the direction of traffic. For example (this can reflect external to internal or internal to external zones):
security {
    policies {
        /* zone context omitted: can be external-to-internal or internal-to-external */
        policy 1 {
            match {
                source-address geo-ip;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        security-intelligence-policy secintel;
                    }
                }
            }
        }
    }
}
 
  11. Do I require a Sky ATP Subscription to utilize the Sky ATP GeoIP Feature?
    1. Yes. You must obtain either a Basic (Threat Feeds) or Premium Sky ATP Subscription in order to utilize the GeoIP Feed feature. See Licenses For Advanced Threat Prevention.
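
A pre-commit check for the uppercase requirement in item 9, as an added example that is not Juniper's code: it scans a configuration in hierarchical or set form for GeoIP country strings that are not uppercase and lists the policies (as in item 10) that reference the affected address entry. The dynamic-address statement layout, the entry name geo-eu and the zone names are assumptions, and the sample configuration is constructed.

```python
import re

# Constructed sample (assumed statement layout, entry names and zone names).
SAMPLE = """\
security {
    dynamic-address {
        address-name geo-ip {
            profile {
                category GeoIP {
                    property country {
                        string CN;
                        string ru;
                    }
                }
            }
        }
    }
}
set security dynamic-address address-name geo-eu profile category GeoIP property country string De
set security policies from-zone untrust to-zone trust policy 1 match source-address geo-ip
"""

GEOIP = re.compile(r"dynamic-address address-name (\S+) profile category GeoIP property country string (\S+)$")
POLICY = re.compile(r"policy (\S+) match (?:source|destination)-address (\S+)$")

def flatten(config):
    """Yield (line_no, statement) for each leaf statement, hierarchical or set form."""
    stack = []
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line.startswith("set "):
            yield no, line[4:]
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}" and stack:  # an unbalanced snippet must not crash the check
            stack.pop()
        elif line.endswith(";"):
            yield no, " ".join(stack + [line[:-1].strip()])

def lint_country_codes(config):
    """Report GeoIP country strings that are not uppercase ASCII letters."""
    bad, users = [], {}
    for no, stmt in flatten(config):
        if (m := GEOIP.search(stmt)) and not re.fullmatch(r"[A-Z]+", m[2]):
            bad.append({"line": no, "address": m[1], "code": m[2], "suggest": m[2].upper()})
        if p := POLICY.search(stmt):  # remember which policies use each address entry
            users.setdefault(p[2], []).append(p[1])
    return [dict(f, policies=users.get(f["address"], [])) for f in bad]
```
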
Modification History:

2019-11-21: Added item 11 to the Solution section.

2018-09-28: Updated item 7 answer with new support information.

2019-04-25: Added items 8, 9, and 10.
