
[Policy Enforcer] How to configure GeoIP only on Security Director


Article ID: KB35812 | KB Last Updated: 21 May 2020 | Version: 1.0
Summary:

This article provides the steps to configure GeoIP using Policy Enforcer in Security Director.

Solution:
  1. Add Policy Enforcer to Security Director:

Security Director, Administration

Select "Cloud Feeds Only"

Do not use the wizard. (It prompts you to configure unnecessary items.)

  2. Add Feed Source:

Security Director, Configure, Threat Prevention, Feed Sources, SkyATP, Add

Create SkyATP Realm if needed (follow instructions in UI).

  3. Add Device to Secure Fabric:

Security Director, Devices, Secure Fabric

Create a Site, then add your device to the site.

After the Add Device operation completes, Policy Enforcer adds configuration to the SRX and commits it. (This may not run if the Feed Source is not configured yet.)

Monitoring the device configuration process:

Wait for the configuration to be added to the device before continuing. This may take some time.

The configuration job can be seen in Space Platform, Job Manager, with job type ExecRPC.

The following lines will be added:

  • set services security-intelligence url <PE System IP + URL>
  • set services security-intelligence authentication auth-token <configured by PE>

"show system commit" should show 1 update. (More commits occur when using SkyATP mode.)

  4. Create Geo IP Object:

Configure, Shared Objects, Geo IP

Click "+" to create a new GeoIP object.

Note: Assign to groups is not needed in Cloud Feeds only mode.

  5. Use GeoIP Address object in Security Policy:

Edit the Security Policy, then create or edit a Firewall rule that includes the GeoIP Address object as the source or destination address object.

  6. Publish and update to device

  7. (Optional) Verify on SRX

show security dynamic-address summary

In the output, look for the Address Name that was created in Step 4. Check to ensure that IPv4 Address objects exist.

Example:

    > show security dynamic-address summary
    Address name          : US
    Address id            : 11
      IPv4 entries        : 72277 <-- Here
      IPv6 entries        : 0
      Category/feed       : GeoIP   / ---
            property name : country
                    value : UM
                    value : US                    

It may take the system a few minutes to complete loading the data.
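
The check in step 7 can be scripted when many GeoIP objects are in use, since an object with zero entries gives the firewall rule nothing to match. The parser below is an added example, not Juniper code; the sample text is constructed from the output above, and the `BLOCKED_CC` object and `ZZ` value are made up for illustration.

```python
# Constructed sample: the first record is the article's example, the second
# ("BLOCKED_CC") is a made-up object that has not loaded any feed data yet.
SAMPLE = """\
Address name          : US
Address id            : 11
  IPv4 entries        : 72277
  IPv6 entries        : 0
  Category/feed       : GeoIP   / ---
        property name : country
                value : UM
                value : US
Address name          : BLOCKED_CC
Address id            : 12
  IPv4 entries        : 0
  IPv6 entries        : 0
  Category/feed       : GeoIP   / ---
        property name : country
                value : ZZ
"""

def parse_dynamic_address_summary(text):
    """Return one dict per 'Address name' record in the CLI output."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # separators, prompts, blank lines
        key, value = key.strip().lower(), value.strip()
        if key == "address name":
            current = {"name": value, "ipv4": 0, "ipv6": 0,
                       "category": None, "values": []}
            records.append(current)
        elif current is None:
            continue  # "key : value" lines before the first record
        elif key in ("ipv4 entries", "ipv6 entries"):
            # Take the first token only, so trailing annotations are ignored.
            current[key[:4]] = int(value.split()[0]) if value else 0
        elif key == "category/feed":
            current["category"] = value.split("/")[0].strip()
        elif key == "value":
            current["values"].append(value)
    return records

def unloaded_geoip(records):
    """Names of GeoIP objects with no IPv4 and no IPv6 entries loaded."""
    return [r["name"] for r in records
            if r["category"] == "GeoIP" and r["ipv4"] + r["ipv6"] == 0]
```

Any name returned by `unloaded_geoip` is a candidate for the feed download checks in the Troubleshooting section.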
 

Troubleshooting

If the dynamic object contents are not seen after 5-10 minutes, check that the SRX is downloading feeds.

  1. Check SRX Download status from PE

show services security-intelligence update status

Example:

    > show services security-intelligence update status
    node1:
    --------------------------------------------------------------------------
    Current action        :Checking update interval of category GeoIP.
    Last update status    :Update interval of category GeoIP is not reached.
    Last connection status:succeeded
    Last update time      :2020-05-14 19:36:37 UTC

  2. Trigger download and check on status:

Start manual Download:

request services security-intelligence download

Check Status:

request services security-intelligence download status

Examples:

    > request services security-intelligence download

    node1:
    --------------------------------------------------------------------------
    Use command "request services security-intelligence download status" to check the download and install status.
    {primary:node1}
    > request services security-intelligence download status
    node1:
    ------------------------------------------------------------------
    Security intelligence feed download status:
    Start time:Thu May 14 19:37:21 2020
    Start downloading the latest manifest.
    Start parsing manifest file.
    Parse manifest succeeded, version:06a4149fb12dfa55053db1f5776fbcc1.
    Checking update interval of category GeoIP.
    Start checking feed geoip_country of category GeoIP.
    Updating feed geoip_country (20200512.1) of category GeoIP.
    Feed geoip_country (20200512.1) of category GeoIP not changed
    End time:Thu May 14 19:37:21 2020


If setup steps fail:

  • Check the PE logs for errors (Add Device problems): /srv/feeder/log/controller.log (filename differs on older versions)
  • Check the browser Developer tools console (connection issues to the SkyATP server)