Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Blocking IP addresses by country in SRX Series

    Posted 11-17-2018 23:53

    I want to block visitors from certain countries. I can export and save the list from https://www.ip2location.com/free/visitor-blocker by selecting the country and file format. What should I do next to enable the blocking in the firewall?


    Below is the sample list:

    # -------------------------------------------------------
    # Free IP2Location Firewall List by Country
    # Source: https://www.ip2location.com/free/visitor-blocker
    # Last Generated: 18 Nov 2018 07:50:16 GMT
    # [Important] Please update this list every month
    # -------------------------------------------------------
    set 202.144.196.0/24


  • 2.  RE: Blocking IP addresses by country in SRX Series
    Best Answer

    Posted 11-18-2018 06:13

    Create a security policy with the address set containing the ip address list.


    --address entry per prefix

    set security zones security-zone untrust address-book address country1 192.168.1.0/24


    --add all to the address set

    set security zones security-zone untrust address-book address-set CountryBlock address country1


    --create the block policy and put it first on the untrust-to-trust (or whatever internal zone) policy list

    set security policies from-zone untrust to-zone trust policy CountryBlock match source-address CountryBlock
    set security policies from-zone untrust to-zone trust policy CountryBlock then reject
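    As an added example, not code from the thread or from Juniper: a small Python script that turns the exported IP2Location list (the `set <prefix>` lines shown in the question) into the address-book, address-set and policy commands of the answer above, skipping comment lines and any entry that is not a valid network. The address names `CountryBlock-N`, the `destination-address any` / `application any` matches (a policy needs them to commit) and the optional `log session-init` line are my assumptions, not something the answer prescribes.

    ```python
    import ipaddress

    # Constructed sample in the format of the IP2Location "Junos" export.
    SAMPLE_LIST = """\
    # -------------------------------------------------------
    # Free IP2Location Firewall List by Country
    # Source: https://www.ip2location.com/free/visitor-blocker
    # [Important] Please update this list every month
    # -------------------------------------------------------
    set 202.144.196.0/24
    set 203.0.113.0/25
    set 2001:db8::/32
    set 198.51.100.7/24
    this is not an entry
    """


    def parse_prefixes(text: str) -> list[str]:
        """Return the valid prefixes from an IP2Location firewall list.

        Blank and '#' comment lines are skipped. A line must be exactly
        'set <cidr>' and parse as a network with no host bits set
        (strict=True), otherwise it is dropped rather than pushed to the box.
        """
        prefixes = []
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split()
            if len(parts) != 2 or parts[0] != "set":
                continue
            try:
                net = ipaddress.ip_network(parts[1], strict=True)
            except ValueError:
                continue  # e.g. 198.51.100.7/24 has host bits set
            prefixes.append(str(net))
        return prefixes


    def junos_block_config(prefixes: list[str], zone: str = "untrust",
                           to_zone: str = "trust", name: str = "CountryBlock") -> list[str]:
        """Emit Junos 'set' commands: one address per prefix, one address-set,
        and a deny policy matching that set as source (names are assumptions)."""
        cmds = []
        for i, prefix in enumerate(prefixes, 1):
            entry = f"{name}-{i}"
            cmds.append(f"set security zones security-zone {zone} address-book address {entry} {prefix}")
            cmds.append(f"set security zones security-zone {zone} address-book address-set {name} address {entry}")
        base = f"set security policies from-zone {zone} to-zone {to_zone} policy {name}"
        cmds.append(f"{base} match source-address {name}")
        cmds.append(f"{base} match destination-address any")
        cmds.append(f"{base} match application any")
        cmds.append(f"{base} then reject")
        cmds.append(f"{base} then log session-init")  # optional: makes blocked hits visible in logs
        return cmds


    if __name__ == "__main__":
        print("\n".join(junos_block_config(parse_prefixes(SAMPLE_LIST))))
    ```

    Re-run it against a fresh export each month, as the list header asks, and use `insert security policies ... policy CountryBlock before policy <first-policy>` to move it to the top of the zone pair.
    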





  • 3.  RE: Blocking IP addresses by country in SRX Series

    Posted 12-28-2022 10:37
    Hello there, apologies for revisiting this post, but it seems the new way to go about this is: "Configure the SRX Series and Geolocation IP for Integration with JATP" (Juniper Advanced Threat Prevention Appliance Integration with the SRX Series Device, Juniper Networks TechLibrary). It looks to me, though, that it needs Security Director for it to work: https://www.juniper.net/documentation/en_US/release-independent/spotlight-secure/topics/concept/secure-secint-dae-overview.html

    Have you guys applied or played with DAE?

    set security dynamic-address address-name my-geoip profile category GeoIP property countries string US
    set security dynamic-address address-name my-geoip profile category GeoIP property countries string GB
    set security policies from-zone NET-LAB to-zone EVE-NG policy TESTING-GeoIP match source-address my-geoip
    set security policies from-zone NET-LAB to-zone EVE-NG policy TESTING-GeoIP match destination-address any
    set security policies from-zone NET-LAB to-zone EVE-NG policy TESTING-GeoIP match application any
    set security policies from-zone NET-LAB to-zone EVE-NG policy TESTING-GeoIP then deny

    The policy is not getting hit:

    run show security policies hit-count from-zone NET-LAB to-zone EVE-NG
    Logical system: root-logical-system
    Index From zone To zone Name Policy count Action
    1 NET-LAB EVE-NG TESTING-GeoIP 0 Deny
    2 NET-LAB EVE-NG ALLOW-WEB 5184 Permit

    Thanks in advance!