Hello there, apologies for revisiting this post, but it seems the new way to go about this is:
Configure the SRX Series and Geolocation IP for Integration with JATP | Juniper Advanced Threat Prevention Appliance Integration with the SRX Series Device | Juniper Networks TechLibrary
It looks to me though that it needs Security Director for it to work:
https://www.juniper.net/documentation/en_US/release-independent/spotlight-secure/topics/concept/secure-secint-dae-overview.html
Have you guys applied or played with DAE?
set security dynamic-address address-name my-geoip profile category GeoIP property countries string US
set security dynamic-address address-name my-geoip profile category GeoIP property countries string GB
set security policies from-zone NET-LAB to-zone EVE-NG policy TESTING-GeoIP match source-address my-geoip
set security policies from-zone NET-LAB to-zone EVE-NG policy TESTING-GeoIP match destination-address any
set security policies from-zone NET-LAB to-zone EVE-NG policy TESTING-GeoIP match application any
set security policies from-zone NET-LAB to-zone EVE-NG policy TESTING-GeoIP then deny
The policy is not getting hit:
run show security policies hit-count from-zone NET-LAB to-zone EVE-NG
Logical system: root-logical-system
Index   From zone   To zone   Name            Policy count   Action
1       NET-LAB     EVE-NG    TESTING-GeoIP   0              Deny
2       NET-LAB     EVE-NG    ALLOW-WEB       5184           Permit
Thanks in advance!
Original Message:
Sent: 11-18-2018 06:13
From: STEVE PULUKA
Subject: Blocking IP addresses by country in SRX Series
Create a security policy with the address set containing the ip address list.
--address entry per prefix
set security zones security-zone untrust address-book address country1 192.168.1.0/24
--add all to the address set
set security zones security-zone untrust address-book address-set CountryBlock address country1
--create block policy and put first on the untrust to trust (or whatever internal zone) policy list
set security policies from-zone untrust to-zone trust policy CountryBlock match source-address CountryBlock
set security policies from-zone untrust to-zone trust policy CountryBlock then reject
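The per-prefix address entry, address-set and first-position block policy pattern above, as an added Python generator (not Juniper tooling or code from the thread) that validates and merges a prefix list and emits the equivalent Junos `set` commands; the zone names, the `Country` label and the existing first-policy name passed to `insert` are assumed parameters.

```python
"""Generate Junos set/insert commands for a country block, following the
address-book -> address-set -> reject-policy pattern from the original post.
Added example; zone names, label and first-policy name are assumptions."""
import ipaddress


def collapse_prefixes(prefixes):
    """Validate, deduplicate and merge overlapping/adjacent prefixes.
    Raises ValueError for a malformed prefix or one with host bits set."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]  # collapse cannot mix families
    return [str(n) for n in ipaddress.collapse_addresses(v4)] + \
           [str(n) for n in ipaddress.collapse_addresses(v6)]


def country_block_config(label, prefixes, from_zone="untrust",
                         to_zone="trust", first_policy=None):
    """Return the list of set/insert commands for one blocked country."""
    address_set = f"{label}Block"
    cmds = []
    for i, prefix in enumerate(collapse_prefixes(prefixes), start=1):
        entry = f"{label}{i}"
        # --address entry per prefix
        cmds.append(f"set security zones security-zone {from_zone} "
                    f"address-book address {entry} {prefix}")
        # --add all to the address set
        cmds.append(f"set security zones security-zone {from_zone} "
                    f"address-book address-set {address_set} address {entry}")
    # --block policy: source = the set, any destination/application, reject
    pol = (f"set security policies from-zone {from_zone} to-zone {to_zone} "
           f"policy {address_set}")
    cmds += [f"{pol} match source-address {address_set}",
             f"{pol} match destination-address any",
             f"{pol} match application any",
             f"{pol} then reject"]
    if first_policy:
        # Policies are first-match: move the block ahead of the current
        # first policy (its name is supplied by the caller).
        cmds.append(f"insert security policies from-zone {from_zone} to-zone "
                    f"{to_zone} policy {address_set} before policy {first_policy}")
    return cmds


# Constructed sample prefixes (not a real country allocation): one duplicate
# and two adjacent /25s that merge into a single /24 address entry.
SAMPLE_PREFIXES = ["192.168.1.0/24", "192.168.1.0/24",
                   "10.20.0.0/25", "10.20.0.128/25"]

if __name__ == "__main__":
    print("\n".join(country_block_config("Country", SAMPLE_PREFIXES,
                                         first_policy="ALLOW-WEB")))
```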