GeoIP filtering, global allowlist, and global blocklist

You can configure the Security Intelligence process ipfd on the listed devices to fetch GeoIP feeds from Policy Enforcer. The GeoIP feeds help prevent devices from communicating with IP addresses belonging to specific countries. 

You can define: 

•  A profile to dynamically fetch GeoIP feeds. Include the geo-ip rule match country country-name statement at the [edit services web-filter profile profile-name security-intelligence-policy] hierarchy level. 
•  A template to dynamically fetch GeoIP feeds. Include the geo-ip rule match group group-name statement at the [edit services web-filter profile profile-name url-filter-template template-name security-intelligence-policy] hierarchy level. 

You can define a global allowlist by configuring the white-list (IP-address-list | file-name) statement at the edit services web-filter profile profile-name security-intelligence-policy hierarchy level. You can define a global blocklist by configuring the black-list (IP-address-list | file-name) statement at the edit services web-filter profile profile-name security-intelligence-policy hierarchy level. Here, IP-address-list refers to the name of the list specified at the [edit services web-filter] hierarchy level. The file-name option refers to the name of the file where the list of the IP addresses to be allowed or blocked is specified. The file must be in the /var/db/url-filterd directory and must have the same name as in the configuration.