[Sky ATP] GeoIP output shows zero objects

[KB35156]


Summary:

This article explains what to do when traffic filtering using GeoIP dynamic address objects stops working.

Symptoms:

Although the following category summary shows that the GeoIP feed contains many objects, the dynamic-address output shows 0 matching entries.

> show services security-intelligence category summary
node0:
--------------------------------------------------------------------------

Category name     :GeoIP
  Status          :Enable
  Description     :GeoIP data schema
  Update interval :435600s
  TTL             :157680000s
  Feed name       :geoip_country
    Version       :20190924.1
    Objects number:363448
    Create time   :2019-09-26 07:37:03 MDT
    Update time   :2019-09-26 22:49:04 MDT
    Update status :Store succeeded
    Expired       :No
    Options       :N/A


> show services security-intelligence update status
node0:
--------------------------------------------------------------------------
Current action        :Checking update interval of category GeoIP.
Last update status    :Update interval of category GeoIP is not reached.
Last connection status:succeeded
Last update time      :2019-09-30 14:36:17 MDT

> show security dynamic-address category-name GeoIP            
node0:
--------------------------------------------------------------------------

Total number of matching entries: 0
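
A check for this symptom, as an added example that is not part of the original article: the Python below parses saved output of `show services security-intelligence category summary` and `show security dynamic-address category-name GeoIP` and reports the nodes where the GeoIP feed store holds objects but the dynamic-address table is empty. The sample captures are constructed (including the node1 section and its entry count of 249), and the function names are hypothetical.

```python
import re

# Constructed sample captures, modelled on the command output in this article.
SUMMARY = """\
node0:
Category name     :GeoIP
  Feed name       :geoip_country
    Objects number:363448
    Update status :Store succeeded
node1:
Category name     :GeoIP
  Feed name       :geoip_country
    Objects number:363448
    Update status :Store succeeded
"""
DYNADDR = """\
node0:
Total number of matching entries: 0
node1:
Total number of matching entries: 249
"""

def split_nodes(text):
    """Split chassis-cluster output into {node: body}; standalone output -> 'local'."""
    parts = re.split(r"^(node\d+):\s*$", text, flags=re.M)
    return {"local": text} if len(parts) == 1 else dict(zip(parts[1::2], parts[2::2]))

def stored_objects(text, category):
    """Sum 'Objects number' over every feed listed under the given category."""
    total, current = 0, None
    for line in text.splitlines():
        key, sep, value = (p.strip() for p in line.partition(":"))
        if key == "Category name":
            current = value
        elif key == "Objects number" and current == category and value.isdigit():
            total += int(value)
    return total

def matching_entries(text):
    """Entry count from the dynamic-address output, or None if the line is absent."""
    m = re.search(r"Total number of matching entries:\s*(\d+)", text)
    return int(m.group(1)) if m else None

def affected_nodes(summary_text, dynaddr_text, category="GeoIP"):
    """Nodes whose feed store holds objects while the dynamic-address table is empty."""
    dyn = split_nodes(dynaddr_text)
    return [node for node, body in split_nodes(summary_text).items()
            if stored_objects(body, category) > 0
            and matching_entries(dyn.get(node, "")) == 0]

if __name__ == "__main__":
    print(affected_nodes(SUMMARY, DYNADDR))
```

A node with no dynamic-address capture is not flagged, because a missing count is treated as unknown rather than zero.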

Cause:

An issue prevents the Security Intelligence GeoIP data from being copied to the PFE.

Solution:

To quickly resolve this issue, use the following workaround:

> request services security-intelligence uninstall
> request services security-intelligence download

Before you run the workaround, collect the following data so that Support and Development can isolate the issue if the problem persists after the workaround is attempted:

  1. Enable Security Intelligence traceoptions with level all and flag all (see below for an example):
user@host# set services security-intelligence traceoptions file geoip_trace.log
user@host# set services security-intelligence traceoptions file size 100M
user@host# set services security-intelligence traceoptions level all
user@host# set services security-intelligence traceoptions flag all
  2. Commit the changes and download a new Security Intelligence Manifest by using request services security-intelligence download.

% cat /var/db/geoip/GeoLite2-Country.mmdb
% ls -l /var/db/secinteld
% cat /var/db/secintel/download/download_status.log
  3. To collect PFE (VTY) data, you can use the request pfe or cprod shell. Refer to KB21344 - How to check the application timeout for default Junos applications on SRX devices for details on using the cprod command in a High Availability environment on an SRX345 device:

% cprod -A node0.fwdd -c "show usp jsf jbuf_pool stats"
% cprod -A node0.fwdd -c "show usp jsf_secintel show stats"
% cprod -A node0.fwdd -c "show usp jsf_secintel show stats debug"
% cprod -A node0.fwdd -c "show usp jsf_secintel show memory"
% cprod -A node0.fwdd -c "show usp jsf_secintel show policy"
% cprod -A node0.fwdd -c "show usp jsf_secintel show urlfilter"
% cprod -A node0.fwdd -c "show usp jsf_secintel show feed_table"
% cprod -A node0.fwdd -c "show usp dynamic-address geoip"
> show services security-intelligence update status
> show services security-intelligence category summary
> show security dynamic-address category-name GeoIP

When the above details have been retrieved, provide the data to the Support team so that it can be analyzed and Development can attempt to isolate any software issues.
