Sky ATP
Published
2020-07-01
Juniper Sky Advanced Threat Prevention
Administration Guide
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in
the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks
are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publication without notice.
Sky ATP Juniper Sky Advanced Threat Prevention Administration Guide
Copyright © 2020 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
ii
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related
limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with)
Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement
(“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you
agree to the terms and conditions of that EULA.
Table of Contents
1
About the Documentation | x
Documentation and Release Notes | x
Documentation Conventions | x
Documentation Feedback | xiii
Requesting Technical Support | xiii
Self-Help Online Tools and Resources | xiv
Creating a Service Request with JTAC | xiv
Overview and Installation
Juniper Sky Advanced Threat Prevention Overview | 2
iii
Juniper Sky Advanced Threat Prevention | 2
About Juniper Sky Advanced Threat Prevention | 2
Juniper Sky ATP Features | 4
How the SRX Series Device Remediates Traffic | 6
Juniper Sky ATP Use Cases | 7
Licensing | 8
How is Malware Analyzed and Detected? | 9
Analyzing and Detecting Malware | 9
Cache Lookup | 10
Antivirus Scan | 10
Static Analysis | 10
Dynamic Analysis | 11
Machine Learning Algorithm | 11
Threat Levels | 11
Licensing | 12
About Policy Enforcer | 12
2
Policy Enforcer | 12
Install Juniper Sky Advanced Threat Prevention | 15
Juniper Sky Advanced Threat Prevention Installation Overview | 15
Managing the Juniper Sky Advanced Threat Prevention License | 15
Obtaining the Premium License Key | 16
License Management and SRX Series Devices | 17
Juniper Sky ATP Premium Evaluation License for vSRX | 17
License Management and vSRX Deployments | 17
High Availability | 19
Registering a Juniper Sky Advanced Threat Prevention Account | 20
Downloading and Running the Juniper Sky Advanced Threat Prevention Script | 24
The Web Portal and Enrolling SRX Series Devices
iv
The Juniper Sky ATP Web Portal | 31
Juniper Sky Advanced Threat Prevention Configuration Overview | 31
Juniper Sky Advanced Threat Prevention Web UI Overview | 34
Accessing the Web UI | 34
Dashboard Overview | 37
Reset Password | 38
Recover Realm Name | 40
Enroll SRX Series Devices | 43
Enrolling an SRX Series Device With Juniper Sky Advanced Threat Prevention | 43
Enrolling an SRX Series Device without the Juniper Sky ATP Web Portal | 47
Removing an SRX Series Device From Juniper Sky Advanced Threat Prevention | 49
Searching for SRX Series Devices Within Juniper Sky Advanced Threat Prevention | 50
Juniper Sky Advanced Threat Prevention RMA Process | 53
Device Information | 53
Cloud Feeds for Juniper Sky Advanced Threat Prevention: More Information | 54
Configure
3
Whitelists and Blacklists | 57
Whitelist and Blacklist Overview | 57
Creating Whitelists and Blacklists | 59
Email Scanning: Juniper Sky ATP | 65
Email Management Overview | 65
Email Management: Configure SMTP | 67
Email Management: Configure IMAP | 70
Email Scanning: SRX Series Device | 74
Configuring the SMTP Email Management Policy on the SRX Series Device | 74
Configuring the IMAP Email Management Policy on the SRX Series Device | 80
v
Configuring Reverse Proxy on the SRX Series Device | 88
File Inspection Profiles | 92
File Inspection Profiles Overview | 92
Creating File Inspection Profiles | 94
Adaptive Threat Profiling | 97
Adaptive Threat Profiling Overview | 97
Overview | 97
Configure Adaptive Threat Profiling | 99
Deploy Adaptive Threat Profiling | 101
Use Case Examples | 103
Threat Detection Use Case | 103
Asset Classification Use Case | 107
Create an Adaptive Threat Profiling Feed | 108
Third Party Threat Feeds | 110
Enabling Third Party Threat Feeds | 110
Global Configurations | 116
4
Global Configuration for Infected Hosts | 116
Configuring Threat Intelligence Sharing | 119
Configuring Trusted Proxy Servers | 121
Realm Overview | 122
Realms and Tenant Systems | 122
Configuration Overview | 123
SRX Series and Tenant System Enrollment | 123
Realm Management | 124
Tenant Systems: Security-Intelligence and Anti-Malware Policies | 126
Tenant System Support for SecIntel Feeds | 126
Tenant System Support for AAMW | 127
Security Profile CLI | 129
vi
Monitor and Take Action
Reports | 131
Reports Overview | 131
Configure Report Definitions | 135
Hosts | 137
Hosts Overview | 137
Host Details | 140
Identifying Infected Hosts | 142
Compromised Hosts: More Information | 142
About Block Drop and Block Close | 146
Host Details | 147
Automatic Lowering of Host Threat Level or Removal from Infected Hosts Feed | 148
Configuring the SRX Series Devices to Block Infected Hosts | 149
Command and Control Servers | 153
Command and Control Servers Overview | 153
Command and Control Server Details | 154
Identify Hosts Communicating with Command and Control Servers | 158
Command and Control Servers: More Information | 158
Configuring the SRX Series Device to Block Outbound Requests to a C&C Host | 161
File Scanning | 164
HTTP File Download Overview | 164
HTTP File Download Details | 166
File Summary | 167
HTTP Downloads | 168
Sample STIX Report | 169
Manual Scanning Overview | 169
File Scanning Limits | 171
Email Scanning | 173
vii
Email Attachments Scanning Overview | 173
Email Attachments Scanning Details | 174
File Summary | 176
SMTP Quarantine Overview: Blocked Emails | 177
IMAP Block Overview | 179
Telemetry | 181
Telemetry Overview | 181
Telemetry Details | 183
Encrypted Traffic Analysis | 185
Encrypted Traffic Analysis Overview | 185
Encrypted Traffic Analysis and Detection | 186
Workflow | 187
Configurations on SRX Series Devices | 188
Encrypted Traffic Analysis Details | 189
Policies on the SRX Series Device
5
6
7
Configure Juniper Sky ATP Policies on the SRX Series Device | 193
Juniper Sky Advanced Threat Prevention Policy Overview | 193
Enabling Juniper Sky ATP for Encrypted HTTPS Connections | 196
Example: Configuring a Juniper Sky Advanced Threat Prevention Policy Using the CLI | 197
Unified Policies | 202
Explicit Web Proxy Support | 204
Configure IP-Based Geolocations on the SRX Series Device | 206
Geolocation IPs and Juniper Sky Advanced Threat Prevention | 206
Configuring Juniper Sky Advanced Threat Prevention With Geolocation IP | 207
Administration
Juniper Sky ATP Administration | 210
viii
Modifying My Profile | 210
Creating and Editing User Profiles | 211
Application Tokens Overview | 213
Creating Application Tokens | 213
Multi-Factor Authentication Overview | 215
Configure Multi-Factor Authentication for Administrators | 215
Enable Multi-Factor Authentication | 216
Verification Codes for Multi-Factor Authentication: Mobile SMS | 217
Verification Codes for Multi-Factor Authentication: Email | 217
Unlock a User | 218
Troubleshoot
Troubleshooting Topics | 220
Juniper Sky Advanced Threat Prevention Troubleshooting Overview | 220
Troubleshooting Juniper Sky Advanced Threat Prevention: Checking DNS and Routing
Configurations | 221
Troubleshooting Juniper Sky Advanced Threat Prevention: Checking Certificates | 224
Troubleshooting Juniper Sky Advanced Threat Prevention: Checking the Routing Engine Status | 226
request services advanced-anti-malware data-connection | 228
request services advanced-anti-malware diagnostic | 230
Troubleshooting Juniper Sky Advanced Threat Prevention: Checking the application-identification
8
License | 234
Viewing Juniper Sky Advanced Threat Prevention System Log Messages | 235
Configuring traceoptions | 236
Viewing the traceoptions Log File | 238
Turning Off traceoptions | 238
Juniper Sky Advanced Threat Prevention Dashboard Reports Not Displaying | 239
Juniper Sky Advanced Threat Prevention RMA Process | 240
More Documentation
Sky ATP Tech Library Page Links | 242
Links to Documentation on Juniper.net | 242
ix
About the Documentation
IN THIS SECTION
Documentation and Release Notes | x
Documentation Conventions | x
Documentation Feedback | xiii
Requesting Technical Support | xiii
Use this guide to configure, monitor, and manage Juniper Sky ATP features to protect all hosts in your
network against evolving security threats.
x
Documentation and Release Notes
To obtain the most current version of all Juniper Networks®technical documentation, see the product
documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the documentation, follow the
product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts.
These books go beyond the technical documentation to explore the nuances of network architecture,
deployment, and administration. The current list can be viewed at https://www.juniper.net/books.
Documentation Conventions
Table 1 on page xi defines notice icons used in this guide.
Table 1: Notice Icons
xi
DescriptionMeaningIcon
Indicates important features or instructions.Informational note
Caution
Indicates a situation that might result in loss of data or hardware
damage.
Alerts you to the risk of personal injury or death.Warning
Alerts you to the risk of personal injury from a laser.Laser warning
Indicates helpful information.Tip
Alerts you to a recommended use or implementation.Best practice
Table 2 on page xi defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
ExamplesDescriptionConvention
Fixed-width text like this
Italic text like this
Represents text that you type.Bold text like this
Represents output that appears on
the terminal screen.
Introduces or emphasizes important
•
new terms.
Identifies guide names.
•
Identifies RFC and Internet draft
•
titles.
To enter configuration mode, type
the configure command:
user@host> configure
user@host> show chassis alarms
No alarms currently active
A policy term is a named structure
•
that defines match conditions and
actions.
Junos OS CLI User Guide
•
RFC 1997, BGP Communities
•
Attribute
Table 2: Text and Syntax Conventions (continued)
xii
ExamplesDescriptionConvention
Italic text like this
Text like this
< > (angle brackets)
| (pipe symbol)
Represents variables (options for
which you substitute a value) in
commands or configuration
statements.
Represents names of configuration
statements, commands, files, and
directories; configuration hierarchy
levels; or labels on routing platform
components.
variables.
Indicates a choice between the
mutually exclusive keywords or
variables on either side of the symbol.
The set of choices is often enclosed
in parentheses for clarity.
Configure the machine’s domain
name:
[edit]
root@# set system domain-name
domain-name
To configure a stub area, include
•
the stub statement at the [edit
protocols ospf area area-id]
hierarchy level.
The console port is labeled
•
CONSOLE.
stub <default-metric metric>;Encloses optional keywords or
broadcast | multicast
(string1 | string2 | string3)
# (pound sign)
[ ] (square brackets)
Indention and braces ( { } )
; (semicolon)
GUI Conventions
Indicates a comment specified on the
same line as the configuration
statement to which it applies.
Encloses a variable for which you can
substitute one or more values.
Identifies a level in the configuration
hierarchy.
Identifies a leaf statement at a
configuration hierarchy level.
rsvp { # Required for dynamic MPLS
only
community name members [
community-ids ]
[edit]
routing-options {
static {
route default {
nexthop address;
retain;
}
}
}
Table 2: Text and Syntax Conventions (continued)
xiii
ExamplesDescriptionConvention
Bold text like this
> (bold right angle bracket)
Represents graphical user interface
(GUI) items you click or select.
Separates levels in a hierarchy of
menu selections.
In the Logical Interfaces box, select
•
All Interfaces.
To cancel the configuration, click
•
Cancel.
In the configuration editor hierarchy,
select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback so that we can improve our documentation. You can use either
of the following methods:
Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper
•
Networks TechLibrary site, and do one of the following:
Click the thumbs-up icon if the information on the page was helpful to you.
•
Click the thumbs-down icon if the information on the page was not helpful to you or if you have
•
suggestions for improvement, and use the pop-up form to provide feedback.
E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name,
•
URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC).
If you are a customer with an active Juniper Care or Partner Support Services support contract, or are
covered under warranty, and need post-sales technical support, you can access our tools and resources
online or open a case with JTAC.
JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User
•
Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.
•
JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week,
•
365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called
the Customer Support Center (CSC) that provides you with the following features:
Find CSC offerings: https://www.juniper.net/customers/support/
•
Search for known bugs: https://prsearch.juniper.net/
•
xiv
Find product documentation: https://www.juniper.net/documentation/
•
Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
•
Download the latest versions of software and review release notes:
•
https://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications:
•
https://kb.juniper.net/InfoCenter/
Join and participate in the Juniper Networks Community Forum:
•
https://www.juniper.net/company/communities/
Create a service request online: https://myjuniper.juniper.net
•
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool:
https://entitlementsearch.juniper.net/entitlementsearch/
Creating a Service Request with JTAC
You can create a service request with JTAC on the Web or by telephone.
Visit https://myjuniper.juniper.net.
•
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
•
For international or direct-dial options in countries without toll-free numbers, see
https://support.juniper.net/support/requesting-support/.
1
PART
Overview and Installation
Juniper Sky Advanced Threat Prevention Overview | 2
Install Juniper Sky Advanced Threat Prevention | 15
CHAPTER 1
Juniper Sky Advanced Threat Prevention Overview
IN THIS CHAPTER
Juniper Sky Advanced Threat Prevention | 2
How is Malware Analyzed and Detected? | 9
About Policy Enforcer | 12
Juniper Sky Advanced Threat Prevention
2
IN THIS SECTION
About Juniper Sky Advanced Threat Prevention | 2
Juniper Sky ATP Features | 4
How the SRX Series Device Remediates Traffic | 6
Juniper Sky ATP Use Cases | 7
Licensing | 8
About Juniper Sky Advanced Threat Prevention
Juniper Sky™ Advanced Threat Prevention (Juniper Sky ATP) is a security framework that protects all hosts
in your network against evolving security threats by employing cloud-based threat detection software
with a next-generation firewall system. See Figure 1 on page 3.
Figure 1: Juniper Sky ATP Overview
3
Juniper Sky ATP protects your network by performing the following tasks:
The SRX Series device extracts potentially malicious objects and files and sends them to the cloud for
•
analysis.
Known malicious files are quickly identified and dropped before they can infect a host.
•
Multiple techniques identify new malware, adding it to the known list of malware.
•
Correlation between newly identified malware and known Command and Control (C&C) sites aids analysis.
•
The SRX Series device blocks known malicious file downloads and outbound C&C traffic.
•
Juniper Sky ATP supports the following modes:
Layer 3 mode
•
Tap mode
•
Transparent mode using MAC address. For more information, see Transparent mode on SRX Series
•
devices.
Secure wire mode (high-level transparent mode using the interface to directly passing traffic, not by
•
MAC address.) For more information, see Understanding Secure Wire.
Juniper Sky ATP Features
Juniper Sky ATP is a cloud-based solution. Cloud environments are flexible and scalable, and a shared
environment ensures that everyone benefits from new threat intelligence in near real-time. Your sensitive
data is secured even though it is in a cloud shared environment. Security analysts can update their defense
when new attack techniques are discovered and distribute the threat intelligence with very little delay.
In addition, Juniper Sky ATP offers the following features:
Integrated with the SRX Series device to simplify deployment and enhance the anti-threat capabilities
•
of the firewall.
Delivers protection against “zero-day” threats using a combination of tools to provide robust coverage
•
against sophisticated, evasive threats.
4
Checks inbound and outbound traffic with policy enhancements that allow users to stop malware,
•
quarantine infected systems, prevent data exfiltration, and disrupt lateral movement.
High availability to provide uninterrupted service.
•
Scalable to handle increasing loads that require more computing resources, increased network bandwidth
•
to receive more customer submissions, and a large storage for malware.
Provides deep inspection, actionable reporting, and inline malware blocking.
•
APIs for C&C feeds, whitelist and blacklist operations, and file submission. See the Threat Intelligence
•
Open API Setup Guide for more information.
Figure 2 on page 5 lists the Juniper Sky ATP components.
Figure 2: Juniper Sky ATP Components
5
Table 3 on page 5 briefly describes each Juniper Sky ATP component’s operation.
Table 3: Juniper Sky ATP Components
OperationComponent
Command and control (C&C) cloud
feeds
GeoIP cloud feeds
Infected host cloud feeds
Whitelists, blacklists and custom
cloud feeds
C&C feeds are essentially a list of servers that are known command and control
for botnets. The list also includes servers that are known sources for malware
downloads.
GeoIP feeds is an up-to-date mapping of IP addresses to geographical regions.
This gives you the ability to filter traffic to and from specific geographies in
the world.
Infected hosts indicate local devices that are potentially compromised because
they appear to be part of a C&C network or other exhibit other symptoms.
A whitelist is simply a list of known IP addresses that you trust and a blacklist
is a list that you do not trust.
NOTE: Custom feeds are not supported in this release.
Table 3: Juniper Sky ATP Components (continued)
OperationComponent
6
SRX Series device
Service portal (Web UI)
Submits extracted file content for analysis and detected C&C hits inside the
customer network.
Performs inline blocking based on verdicts from the analysis cluster.
Performs malware analysis and threat detection.Malware inspection pipeline
Inspects files, metadata, and other information.Internal compromise detection
Graphics interface displaying information about detected threats inside the
customer network.
Configuration management tool where customers can fine-tune which file
categories can be submitted into the cloud for processing.
How the SRX Series Device Remediates Traffic
The SRX Series devices use intelligence provided by Juniper Sky ATP to remediate malicious content
through the use of security policies. If configured, security policies block that content before it is delivered
to the destination address.
For inbound traffic, security policies on the SRX Series device look for specific types of files, like .exe files,
to inspect. When one is encountered, the security policy sends the file to the Juniper Sky ATP cloud for
inspection. The SRX Series device holds the last few KB of the file from the destination client while Juniper
Sky ATP checks if this file has already been analyzed. If so, a verdict is returned and the file is either sent
to the client or blocked depending on the file’s threat level and the user-defined policy in place. If the
cloud has not inspected this file before, the file is sent to the client while Juniper Sky ATP performs an
exhaustive analysis. If the file’s threat level indicates malware (and depending on the user-defined
configurations) the client system is marked as an infected host and blocked from outbound traffic. For
more information, see “How is Malware Analyzed and Detected?” on page 9.
Figure 3 on page 7 shows an example flow of a client requesting a file download with Juniper Sky ATP.
Figure 3: Inspecting Inbound Files for Malware
7
DescriptionStep
1
2
4
5
A client system behind an SRX Series devices requests a file download from the Internet. The SRX Series
device forwards that request to the appropriate server.
The SRX Series device receives the downloaded file and checks its security profile to see if any additional
action must be performed.
The downloaded file type is on the list of files that must be inspected and is sent to the cloud for analysis.3
Juniper Sky ATP has inspected this file before and has the analysis stored in cache. In this example, the
file is not malware and the verdict is sent back to the SRX Series device.
Based on user-defined policies and because this file is not malware, the SRX Series device sends the file
to the client.
For outbound traffic, the SRX Series device monitors traffic that matches C&C feeds it receives, blocks
these C&C requests, and reports them to Juniper Sky ATP. A list of infected hosts is available so that the
SRX Series device can block inbound and outbound traffic.
Juniper Sky ATP Use Cases
Juniper Sky ATP can be used anywhere in an SRX Series deployment. See Figure 4 on page 8.
Figure 4: Juniper Sky ATP Use Cases
8
Campus edge firewall—Juniper Sky ATP analyzes files downloaded from the Internet and protects
•
end-user devices.
Data center edge—Like the campus edge firewall, Juniper Sky ATP prevents infected files and application
•
malware from running on your computers.
Branch router—Juniper Sky ATP provides protection from split-tunneling deployments. A disadvantage
•
of split-tunneling is that users can bypass security set in place by your company’s infrastructure.
Licensing
Juniper Sky ATP has three service levels: Free, Basic (feed only), and Premium. No license is required for
the free version, but you must obtain a license for Basic and Premium levels.
To understand more about Juniper Sky ATP licenses, see Licenses for Juniper Sky Advanced Threat
Prevention (ATP). Please refer to the Licensing Guide for general information about License Management.
Please refer to the product Data Sheets for further details, or contact your Juniper Account Team or
Juniper Partner.
How is Malware Analyzed and Detected?
IN THIS SECTION
Analyzing and Detecting Malware | 9
Cache Lookup | 10
Antivirus Scan | 10
Static Analysis | 10
Dynamic Analysis | 11
Machine Learning Algorithm | 11
Threat Levels | 11
Licensing | 12
9
Analyzing and Detecting Malware
Juniper Sky ATP uses a pipeline approach to analyzing and detecting malware. If an analysis reveals that
the file is absolutely malware, it is not necessary to continue the pipeline to further examine the malware.
See Figure 5 on page 9.
Figure 5: Example Juniper Sky ATP Pipeline Approach for Analyzing Malware
Each analysis technique creates a verdict number, which is combined to create a final verdict number
between 1 and 10. A verdict number is a score or threat level. The higher the number, the higher the
malware threat. The SRX Series device compares this verdict number to the policy settings and either
permits or denies the session. If the session is denied, a reset packet is sent to the client and the packets
are dropped from the server.
Cache Lookup
When a file is analyzed, a file hash is generated, and the results of the analysis are stored in a database.
When a file is uploaded to the Juniper Sky ATP cloud, the first step is to check whether this file has been
looked at before. If it has, the stored verdict is returned to the SRX Series device and there is no need to
re-analyze the file. In addition to files scanned by Juniper Sky ATP, information about common malware
files is also stored to provide faster response.
Cache lookup is performed in real time. All other techniques are done offline. This means that if the cache
lookup does not return a verdict, the file is sent to the client system while the Juniper Sky ATP cloud
continues to examine the file using the remaining pipeline techniques. If a later analysis returns a malware
verdict, then the file and host are flagged.
10
Antivirus Scan
The advantage of antivirus software is its protection against a large number of potential threats, such as
viruses, trojans, worms, spyware, and rootkits. The disadvantage of antivirus software is that it is always
behind the malware. The virus comes first and the patch to the virus comes second. Antivirus is better at
defending familiar threats and known malware than zero-day threats.
Juniper Sky ATP utilizes multiple antivirus software packages, not just one, to analyze a file. The results
are then fed into the machine learning algorithm to overcome false positives and false negatives.
Static Analysis
Static analysis examines files without actually running them. Basic static analysis is straightforward and
fast, typically around 30 seconds. The following are examples of areas static analysis inspects:
Metadata information—Name of the file, the vendor or creator of this file, and the original data the file
•
was compiled on.
Categories of instructions used—Is the file modifying the Windows registry? Is it touching disk I/O APIs?.
•
File entropy—How random is the file? A common technique for malware is to encrypt portions of the
•
code and then decrypt it during runtime. A lot of encryption is a strong indication a this file is malware.
The output of the static analysis is fed into the machine learning algorithm to improve the verdict accuracy.
Dynamic Analysis
The majority of the time spent inspecting a file is in dynamic analysis. With dynamic analysis, often called
sandboxing, a file is studied as it is executed in a secure environment. During this analysis, an operating
system environment is set up, typically in a virtual machine, and tools are started to monitor all activity.
The file is uploaded to this environment and is allowed to run for several minutes. Once the allotted time
has passed, the record of activity is downloaded and passed to the machine learning algorithm to generate
a verdict.
Sophisticated malware can detect a sandbox environment due to its lack of human interaction, such as
mouse movement. Juniper Sky ATP uses a number of deception techniques to trick the malware into
determining this is a real user environment. For example, Juniper Sky ATP can:
Generate a realistic pattern of user interaction such as mouse movement, simulating keystrokes, and
•
installing and launching common software packages.
Create fake high-value targets in the client, such as stored credentials, user files, and a realistic network
•
with Internet access.
11
Create vulnerable areas in the operating system.
•
Deception techniques by themselves greatly boost the detection rate while reducing false positives. They
also boosts the detection rate of the sandbox the file is running in because they get the malware to perform
more activity. The more the file runs the more data is obtained to detect whether it is malware.
Machine Learning Algorithm
Juniper Sky ATP uses its own proprietary implementation of machine learning to assist in analysis. Machine
learning recognizes patterns and correlates information for improved file analysis. The machine learning
algorithm is programmed with features from thousands of malware samples and thousands of goodware
samples. It learns what malware looks like, and is regularly re-programmed to get smarter as threats evolve.
Threat Levels
Juniper Sky ATP assigns a number between 0-10 to indicate the threat level of files scanned for malware
and the threat level for infected hosts. See Table 4 on page 11.
Table 4: Threat Level Definitions
DefinitionThreat Level
Clean; no action is required.0
Low threat level.1 - 3
Medium threat level.4 - 6
Table 4: Threat Level Definitions (continued)
DefinitionThreat Level
High threat level.7 -10
For more information on threat levels, see the Juniper Sky ATP Web UI online help.
Licensing
Juniper Sky ATP has three service levels: Free, Basic (feed only), and Premium. No license is required for
the free version, but you must obtain a license for Basic and Premium levels.
To understand more about Juniper Sky ATP licenses, see Licenses for Juniper Sky Advanced Threat
Prevention (ATP). Please refer to the Licensing Guide for general information about License Management.
Please refer to the product Data Sheets for further details, or contact your Juniper Account Team or
Juniper Partner.
12
RELATED DOCUMENTATION
Juniper Sky Advanced Threat Prevention | 2
Dashboard Overview | 37
About Policy Enforcer
IN THIS SECTION
Policy Enforcer | 12
Policy Enforcer
View the Policy Enforcer data sheet (This takes you out of the help center to the Juniper web site):
https://www.juniper.net/assets/fr/fr/local/pdf/datasheets/1000602-en.pdf
Policy Enforcer provides centralized, integrated management of all your security devices (both physical
and virtual), giving you the ability to combine threat intelligence from different solutions and act on that
intelligence from one management point.
It also automates the enforcement of security policies across the network and quarantines infected
endpoints to prevent threats across firewalls and switches. It works with cloud-based Juniper Sky Advanced
Threat Prevention (Juniper Sky ATP) to protect both perimeter-oriented threats as well as threats within
the network. For example, if a user downloads a file from the Internet and that file passes through an SRX
firewall, the file can be sent to the Juniper Sky ATP cloud for malware inspection (depending on your
configuration settings.) If the file is determined to be malware, Policy Enforcer identifies the IP address
and MAC address of the host that downloaded the file. Based on a user-defined policy, that host can be
put into a quarantine VLAN or blocked from accessing the Internet.
Policy Enforcer provides the following:
Pervasive Security—Combine security features and intelligence from devices across your network,
•
including switches, routers, firewalls, to create a “secure fabric” that leverages information you can use
to create policies that address threats in real-time and into the future. With monitoring capabilities, it
can also act as a sensor, providing visibility for intra- and inter-network communications.
User Intent-Based Policies—Create policies according to logical business structures such as users, user
•
groups, geographical locations, sites, tenants, applications, or threat risks. This allows network devices
(switches, routers, firewalls and other security devices) to share information, resources, and when threats
are detected, remediation actions within the network.
13
Threat Intelligence Aggregation—Gather threat information from multiple locations and devices, both
•
physical and virtual, as well as third party solutions.
Figure 6 on page 14 illustrates the flow diagram of Policy Enforcer over a traditional SRX configuration.
Figure 6: Comparing Traditional SRX Customers to Policy Enforcer Customers
14
RELATED DOCUMENTATION
Hosts Overview | 137
Host Details | 140
Dashboard Overview | 37
CHAPTER 2
Install Juniper Sky Advanced Threat Prevention
IN THIS CHAPTER
Juniper Sky Advanced Threat Prevention Installation Overview | 15
Managing the Juniper Sky Advanced Threat Prevention License | 15
Registering a Juniper Sky Advanced Threat Prevention Account | 20
Downloading and Running the Juniper Sky Advanced Threat Prevention Script | 24
15
Juniper Sky Advanced Threat Prevention Installation Overview
Although Juniper Sky ATP is a free add-on to an SRX Series device, you must still enable it prior to using
it. To enable Juniper Sky ATP, perform the following tasks:
1. (Optional) Obtain a Juniper Sky ATP premium license. See Licenses for Juniper Sky Advanced Threat
Prevention (ATP). This link takes you to the Juniper Licensing Guide.
2. Register an account on the Juniper Sky ATP cloud Web portal. See “Registering a Juniper Sky Advanced
Threat Prevention Account” on page 20.
3. Download and run the Juniper Sky ATP script on your SRX Series device. See “Downloading and Running
the Juniper Sky Advanced Threat Prevention Script” on page 24.
Managing the Juniper Sky Advanced Threat Prevention License
IN THIS SECTION
Obtaining the Premium License Key | 16
License Management and SRX Series Devices | 17
Juniper Sky ATP Premium Evaluation License for vSRX | 17
License Management and vSRX Deployments | 17
High Availability | 19
This topic describes how to install the Juniper Sky ATP premium license onto your SRX Series devices and
vSRX deployments. You do not need to install the Juniper Sky ATP free license as these are included your
base software. Note that the free license has a limited feature set (see Juniper Sky Advanced Threat Prevention
License Types and Sky Advanced Threat Prevention File Limitations).
When installing the license key, you must use the license that is specific your device type. For example,
the Juniper Sky ATP premium license available for the SRX Series device cannot be used on vSRX
deployments.
Obtaining the Premium License Key
16
The Juniper Sky ATP premium license can be found on the Juniper Networks product price list. The
procedure for obtaining the premium license entitlement is the same as for all other Juniper Network
products. The following steps provide an overview.
1. Contact your local sales office or Juniper Networks partner to place an order for the Juniper Sky ATP
premium license.
After your order is complete, an authorization code is e-mailed to you. An authorization code is a unique
16-digit alphanumeric used in conjunction with your device serial number to generate a premium license
entitlement.
2. (SRX Series devices only) Use the show chassis hardware CLI command to find the serial number of
the SRX Series devices that are to be tied to the Juniper Sky ATP premium license.
[edit]
root@SRX# run show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis CM1915AK0326 SRX1500
Midplane REV 09 750-058562 ACMH1590 SRX1500
Pseudo CB 0
Routing Engine 0 BUILTIN BUILTIN SRX Routing Engine
FPC 0 REV 08 711-053832 ACMG3280 FEB
PIC 0 BUILTIN BUILTIN 12x1G-T-4x1G-SFP-4x10G
Look for the serial number associated with the chassis item. In the above example, the serial number
is CM1915AK0326.
3. Open a browser window and go to https://license.juniper.net.
4. Click Login to Generate License Keys and follow the instructions.
NOTE: You must have a valid Juniper Networks Customer Support Center (CSC) account to
log in.
License Management and SRX Series Devices
Unlike other Juniper Networks products, Juniper Sky ATP does not require you to install a license key
onto your SRX Series device. Instead, your entitlement for a specific serial number is automatically
transferred to the cloud server when you generate your license key. It may take up to 24 hours for your
activation to be updated in the Juniper Sky ATP cloud server.
17
Juniper Sky ATP Premium Evaluation License for vSRX
The 30-day Juniper Sky ATP countdown premium evaluation license allows you to protect your network
from advanced threats with Juniper Sky ATP. The license allows you to use Juniper Sky ATP premium
features for 30-days without having to install a license key. After the trial license expires, the connection
to the Juniper Sky ATP cloud is broken and you will no longer be able to use any Juniper Sky ATP features.
Instructions for downloading the trial license are here: https://www.juniper.net/us/en/dm/free-vsrx-trial/.
NOTE: The 30-day trial license period begins on the day you install the evaluation license.
To continue using Juniper Sky ATP features after the optional 30-day period, you must purchase
and install the date-based license; otherwise, the features are disabled.
After installing your trial license, set up your realm and contact information before using Juniper Sky ATP.
For more information, see Registering a Juniper Sky Advanced Threat Prevention Account.
License Management and vSRX Deployments
Unlike with physical SRX Series devices, you must install Juniper Sky ATP premium licenses onto your
vSRX. Installing the Juniper Sky ATP license follows the same procedure as with most standard vSRX
licenses.
The following instructions describe how to install a license key from the CLI. You can also add a new license
key with J-Web (see Managing Licenses for vSRX.)
NOTE: If you are reinstalling a Juniper Sky ATP license key on your vSRX, you must first remove
the existing Juniper Sky ATP license. For information on removing licenses on the vSRX, see
Managing Licenses for vSRX.
To install a license key from the CLI:
1. Use the request system license add command to manually paste the license key in the terminal.
user@vsrx> request system license add terminal
[Type ^D at a new line to end input,
enter blank line between each license key]
18
JUNOS123456 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff
cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa
aaaaaa bbbbbb cccccc dddddd eeeeee ffffff
cccccc bbbbbb dddddd aaaaaa ffffff
JUNOS123456: successfully added
add license complete (no errors)
NOTE: You can save the license key to a file and upload the file to the vSRX file system
through FTP or Secure Copy (SCP), and then use the request system license add file-name
command to install the license.
2. (Optional) Use the show system license command to view details of the licenses.
Example of a premium license output:
root@host> show system license
License identifier: JUNOS123456
License version: 4
Software Serial Number: 1234567890
Customer ID: JuniperTest
Features:
Sky ATP - Sky ATP: Cloud Based Advanced Threat Prevention on SRX
firewalls
date-based, 2016-07-19 17:00:00 PDT - 2016-07-30 17:00:00 PDT
Example of a free license output:
root@host> show system license
License identifier: JUNOS123456
License version: 4
Software Serial Number: 1234567890
Customer ID: JuniperTest
Features:
Virtual Appliance - Virtual Appliance permanent
19
3. The license key is installed and activated on your vSRX.
High Availability
Before enrolling your devices with the Juniper Sky ATP cloud, set up your HA cluster as described in your
product documentation. For vSRX deployments, make sure the same license key is used on both cluster
nodes. When enrolling your devices, you only need to enroll one node. The Juniper Sky ATP cloud will
recognize this is an HA cluster and will automatically enroll the other node.
Registering a Juniper Sky Advanced Threat Prevention Account
To create a Juniper Sky ATP account, you must first have a Customer Support Center (CSC) user account.
For more information, see Creating a User Account.
When setting up your Juniper Sky ATP account, you must come up with a realm name that uniquely
identifies you and your company. For example, you can use your company name and your location, such
as Juniper-Mktg-Sunnyvale, for your realm name. Realm names can only contain alphanumeric characters
and the dash (“-”) symbol.
To create a Juniper Sky ATP administrator account:
1. Open a Web browser, type your location specific URL and press Enter. (This example is for the United
States. See “Juniper Sky Advanced Threat Prevention Web UI Overview” on page 34 for all portal
hostnames by location.)
https://amer.sky.junipersecurity.net
The management interface login page appears. See Figure 7 on page 20.
20
Figure 7: Juniper Sky ATP Login
2. Click Create a security realm.
The authentication window appears. See Figure 8 on page 21.
3. Enter your single sign-on (SSO) or CSC username and password and click Next. This is the same username
and password as your CSC account.
The security realm window appears. See Figure 8 on page 21.
Figure 8: Creating Your Juniper Sky ATP Realm Name
21
4. Enter your unique realm name, company name, and optionally a description. Then press Next.
NOTE: Verify your realm name before clicking Next. Currently there is no way to delete
realms through the Web UI.
The contact information window appears. See Figure 9 on page 22.
Figure 9: Entering Your Juniper Sky ATP Contact Information
22
5. Enter your contact information and click Next. Should Juniper Networks need to contact you, the
information you enter here is used as your contact information.
The credentials window appears. See Figure 10 on page 23.
Figure 10: Creating Your Juniper Sky ATP Credentials
23
6. Enter a valid e-mail address and password. This will be your log in information to access the Juniper
Sky ATP management interface.
7. Click Finish.
You are automatically logged in and taken to the dashboard.
If you forget your password, you have two options:
Create a new account on a new realm and re-enroll your devices.
•
Contact Juniper Technical Support to reset your password.
•
RELATED DOCUMENTATION
Enrolling an SRX Series Device without the Juniper Sky ATP Web Portal | 47
Downloading and Running the Juniper Sky Advanced Threat Prevention Script
The Juniper Sky ATP uses a Junos OS operation (op) script to help you configure your SRX Series device
to connect to the Juniper Sky ATP cloud service. This script performs the following tasks:
Downloads and installs certificate authority (CAs) licenses onto your SRX Series device.
•
Creates local certificates and enrolls them with the cloud server.
•
Performs basic Juniper Sky ATP configuration on the SRX Series device.
•
Establishes a secure connection to the cloud server.
•
24
NOTE: Juniper Sky ATP requires that both your Routing Engine (control plane) and Packet
Forwarding Engine (data plane) can connect to the Internet but the “to-cloud” connection should
not go through the management interface, for example, fxp0. You do not need to open any ports
on the SRX Series device to communicate with the cloud server. However, if you have a device
in the middle, such as a firewall, then that device must have ports 8080 and 443 open.
Juniper Sky ATP requires that your SRX Series device host name contain only alphanumeric
ASCII characters (a-z, A-Z, 0-9), the underscore symbol ( _ ) and the dash symbol ( - ).
For SRX340, SRX345 and SRX500M Series devices, you must run the set security forwarding-process
enhanced-services-mode command and reboot the device before running the op script or before running
the request services advanced-anti-malware enroll command.
user@host# set security forwarding-process enhanced-services-mode
To download and run the Juniper Sky ATP script:
NOTE: As of Junos Release 19.3R1, there is another way to enroll the SRX series device without
having to interact with the Sky ATP Web Portal. You run the “enroll” command from the SRX
and it performs all the necessary enrollment steps. See “Enrolling an SRX Series Device without
the Juniper Sky ATP Web Portal” on page 47
1. In the Web UI, click Devices and then click Enroll.
The Enroll window appears. See Figure 11 on page 25.
Figure 11: Enrolling Your SRX Series Device
25
2. Copy the highlighted contents to your clipboard and click OK.
NOTE: When enrolling devices, Juniper Sky ATP generates a unique op script for each request.
Each time you click Enroll, you’ll get slightly different parameters in the ops script. The
screenshot above is just an example. Do not copy the above example onto your SRX device.
Instead, copy and paste the output you receive from your Web UI and use that to enroll your
SRX devices.
3. Paste this command into the Junos OS CLI of the SRX Series device you want to enroll with Juniper
Sky ATP and press Enter. Your screen will look similar to the following.
root@mysystem> op url http://skyatp.argon.junipersecurity.net/bootstrap/
enroll/6e797dc797d26129dae46f17a7255650/jpz1qkddodlcav5g.slax
Version JUNOS Software Release [15.1-X49] is valid for bootstrapping.
Going to enroll single device for SRX1500: P1C_00000067 with hostname mysystem...
Updating Application Signature DB...
Wait for Application Signature DB download status #1...
Communicate with cloud...
Configure CA...
Request aamw-secintel-ca CA...
Load aamw-secintel-ca CA...
Request aamw-cloud-ca CA...
Load aamw-cloud-ca CA...
Retrieve CA profile aamw-ca...
Generate key pair: aamw-srx-cert...
Enroll local certificate aamw-srx-cert with CA server #1...
Configure advanced-anti-malware services...
Communicate with cloud...
Wait for aamwd connection status #1...
SRX was enrolled successfully!
26
NOTE: If for some reason the ops script fails, disenroll the device (see Disenrolling an SRX
Series Device from Juniper Sky Advanced Threat Prevention) and then re-enroll it.
4. In the management interface, click Devices.
The SRX Series device you enrolled now appears in the table. See Figure 12 on page 26.
Figure 12: Example Enrolled SRX Series Device
5. (optional) Use the show services advanced-anti-malware status CLI command to verify that connection
is made to the cloud server from the SRX Series device. Your output will look similar to the following.
root@host> show services advanced-anti-malware status
Server connection status:
Server hostname: https://skyatp.argon.junipersecurity.net
Server port: 443
Control Plane:
Connection Time: 2015-11-23 12:09:55 PST
Connection Status: Connected
Service Plane:
fpc0
Connection Active Number: 0
Connection Failures: 0
Once configured, the SRX Series device communicates to the cloud through multiple persistent connections
established over a secure channel (TLS 1.2) and the SRX device is authenticated using SSL client certificates.
As stated earlier, the script performs basic Juniper Sky ATP configuration on the SRX Series device. These
include:
27
NOTE: You should not copy the following examples and run them on your SRX Series device.
The list here is simply to show you what is being configured by the ops script. If you run into
any issues, such as certificates, rerun the ops script again.
Creating a default profile.
•
Establishing a secured connection to the cloud server. The following is an example. Your exact URL is
•
determined by your geographical region. Refer to this table.
Customer Portal URLLocation
Customer Portal: https://amer.sky.junipersecurity.netUnited States
Customer Portal: https://euapac.sky.junipersecurity.netEuropean Union
Customer Portal: https://apac.sky.junipersecurity.netAPAC
Customer Portal: https://canada.sky.junipersecurity.netCanada
set services advanced-anti-malware connection url
https://amer.sky.junipersecurity.net (this URL is only an example and will not
work for all locations).
set services advanced-anti-malware connection authentication tls-profile aamw-ssl
Configuring the SSL proxy.
•
set services ssl initiation profile aamw-ssl trusted-ca aamw-secintel-ca
set services ssl initiation profile aamw-ssl client-certificate aamw-srx-cert
set services security-intelligence authentication tls-profile aamw-ssl
set services advanced-anti-malware connection authentication tls-profile aamw-ssl
set services ssl initiation profile aamw-ssl trusted-ca aamw-cloud-ca
Configuring the cloud feeds (whitelists, blacklists and so forth.)
•
set services security-intelligence url https://cloudfeeds.sky.junipersecurity.net/
api/manifest.xml
set services security-intelligence authentication tls-profile aamw-ssl
Juniper Sky ATP uses SSL forward proxy as the client and server authentication. Instead of importing the
signing certificate and its issuer’s certificates into the trusted-ca list of client browsers, SSL forward proxy
now generates a certificate chain and sends this certificate chain to clients. Certificate chaining helps to
eliminate the need to distribute the signing certificates of SSL forward proxy to the clients because clients
can now implicitly trust the SSL forward proxy certificate.
28
The following CLI commands load the local certificate into the PKID cache and load the certificate-chain
into the CA certificate cache in PKID, respectively.
user@root> request security pki local-certificate load filename ssl_proxy_ca.crt key sslserver.key
certificate-id ssl-inspect-ca
user@root> request security pki ca-certificate ca-profile-group load ca-group-name ca-group-name
filename certificate-chain
where:
ssl_proxy_ca.crt (Signing certificate)—Is the SSL forward proxy certificate signed by the administrator or
by the intermediate CA.
sslserver.key—Is the key pair.
ssl-inspect-ca—Is the certificate ID that SSL forward proxy uses in configuring the root-ca in the SSL
forward proxy profile.
certificate-chain—Is the file containing the chain of certificates.
The following is an example of SSL forward proxy certificate chaining used by the op script.
request security pki local-certificate enroll certificate-id aamw-srx-cert ca-profile aamw-ca
challenge-password *** subject CN=4rrgffbtew4puztj:model:sn email email-address
request security pki ca-certificate enroll ca-profile aamw-ca
Note that you cannot enroll the SRX Series device to Juniper Sky ATP if the SRX device is in FIPS mode
due to a PKI limitation.
To check your certificates, see “Troubleshooting Juniper Sky Advanced Threat Prevention: Checking
Certificates” on page 224. We recommend that you re-run the op script if you are having certificate issues.
29
2
PART
The Web Portal and Enrolling SRX
Series Devices
The Juniper Sky ATP Web Portal | 31
Enroll SRX Series Devices | 43
CHAPTER 3
The Juniper Sky ATP Web Portal
IN THIS CHAPTER
Juniper Sky Advanced Threat Prevention Configuration Overview | 31
Juniper Sky Advanced Threat Prevention Web UI Overview | 34
Dashboard Overview | 37
Reset Password | 38
Recover Realm Name | 40
31
Juniper Sky Advanced Threat Prevention Configuration Overview
Table 5 on page 31 lists the basic steps to configure Juniper Sky ATP.
NOTE: These steps assume that you already have your SRX Series device(s) installed, configured,
and operational at your site.
Table 5: Configuring Juniper Sky ATP
For information, seeDescriptionTask
(optional) Update the
administrator profile
Update your administrator profile to add more users with
administrator privileges to your security realm and to set
the thresholds for receiving alert emails. A default
administrator profile is created when you register an
account.
This step is done in the Web UI.
Sky Advanced Threat Prevention
Administrator Profile Overview
Table 5: Configuring Juniper Sky ATP (continued)
32
For information, seeDescriptionTask
Enroll your SRX
Series devices
Set global
configurations
(optional) Create
whitelists and
blacklists
Select the SRX Series devices to communicate with Juniper
Sky ATP. Only those listed in the management interface
can send files to the cloud for inspection and receive
results.
This step is done in the Web UI and on your SRX Series
device.
threshold and optionally, e-mail accounts when certain
thresholds are reached. For example, you can send e-mails
to an IT department when thresholds of 5 are met and
send e-mails to an escalation department when thresholds
of 9 are met.
Create whitelists and blacklists to list network nodes that
you trust and don’t trust. Whitelisted websites are trusted
websites where files downloaded from do not need to be
inspected. Blacklisted websites are locations from which
downloads should be blocked. Files downloaded from
websites that are not in the whitelist or blacklist are sent
to the cloud for inspection.
“Enrolling an SRX Series Device
With Juniper Sky Advanced
Threat Prevention” on page 43
Web UI tooltips and online helpSelect Configure > Global Configuration to set the default
“Whitelist and Blacklist
Overview” on page 57
(optional) Create the
Juniper Sky ATP
profile
(optional) Identify
compromised hosts
This step is done in the Web UI.
Juniper Sky ATP profiles define which file types are to be
sent to the cloud for inspection. For example, you may
want to inspect executable files but not documents. If you
don’t create a profile, the default one is used.
This step is done in the Web UI.
Compromised hosts are systems where there is a high
confidence that attackers have gained unauthorized access.
Once identified, Juniper Sky ATP recommends an action
and you can create security policies to take enforcement
actions on the inbound and outbound traffic on these
infected hosts.
This step is done on the SRX Series device.
Juniper Sky Advanced Threat
Prevention Profile Overview
“Compromised Hosts: More
Information” on page 142
Table 5: Configuring Juniper Sky ATP (continued)
33
For information, seeDescriptionTask
(optional) Block
outbound requests to
a C&C host
Configure the
Advanced
Anti-Malware Policy
on the SRX Series
Device
Configure the
Security Intelligence
Policy on the SRX
Series Device
The SRX Series device can intercept and perform an
enforcement action when a host on your network tries to
initiate contact with a possible C&C server on the Internet.
This step is done on the SRX Series device.
NOTE: Requires Juniper Sky ATP premium license.
Advanced anti-malware security policies reside on the SRX
Series device and determine which conditions to send files
to the cloud and what to do when a file when a file
receives a verdict number above the configured threshold.
This step is done on the SRX Series device.
Create the security intelligence policies on the SRX Series
device to act on infected hosts and attempts to connect
with a C&C server.
This step is done on the SRX Series device.
“Command and Control Servers:
More Information” on page 158
“Juniper Sky Advanced Threat
Prevention Policy Overview” on
page 193
“Configuring the SRX Series
Devices to Block Infected Hosts”
on page 149
“Configuring the SRX Series
Device to Block Outbound
Requests to a C&C Host” on
page 161
Enable the firewall
policy
Create your SRX Series firewall policy to filter and log
traffic in the network using the set security policies
from-zone to-zone CLI commands.
This step is done on the SRX Series device.
“Configuring the SRX Series
Devices to Block Infected Hosts”
on page 149
“Configuring the SRX Series
Device to Block Outbound
Requests to a C&C Host” on
page 161
“Example: Configuring a Juniper
Sky Advanced Threat Prevention
Policy Using the CLI” on page 197
You can optionally use APIs for C&C feeds, whitelist and blacklist operations, and file submission. See the
Threat Intelligence Open API Setup Guide for more information.
NOTE:
The cloud sends data, such as your Juniper Sky ATP whitelists, blacklists and profiles, to the SRX
Series device every few seconds. You do not need to manually push your data from the cloud
to your SRX Series device. Only new and updated information is sent; the cloud does not
continually send all data.
Juniper Sky Advanced Threat Prevention Web UI Overview
The Juniper Sky ATP Web UI is a web-based service portal that lets you monitor malware download
through your SRX Series devices. The Web UI is hosted by Juniper Networks in the cloud. There is no
separate download for you to install on your local system.
34
NOTE: If you are a licensed Junos Space Security Director, you can use Security Director 16.1
and later screens to set up and use Juniper Sky ATP. For more information using Security Director
with Juniper Sky ATP, see the Policy Enforcer administration guide and the Security Director
online help. The remainder of this guide refers to using Juniper Sky ATP with the Web UI.
You can perform the following tasks with the Web UI:
Monitoring—Display information about scanned files whether clean or malware, infected hosts including
•
their current and past threats, and blocked access to known C&C sites.
Configuring—Create and view whitelists and blacklists that list safe or harmful network nodes, and
•
profiles that define what file types to submit to Juniper Sky ATP for investigation.
Reporting—Use the dashboard to view and drill into various reports, such as most infected file types,
•
top malwares identified, and infected hosts.
The Web UI has infotips that provide information about a specific screen, field or object. To view the
infotip, hover over the question mark (?) without clicking it. See.
Accessing the Web UI
To access the Juniper Sky ATP Web UI:
1. Open a Web browser that has Hypertext Transfer Protocol (HTTP) or HTTP over Secure Sockets Layer
(HTTPS) enabled.
For information on supported browsers and their version numbers, see the Juniper Sky Advanced Threat
Prevention Supported Platforms Guide.
2. Type in the URL for the customer portal and press Enter.
The customer portal hostname varies by location. Please refer to the following table:
Customer Portal URLLocation
Customer Portal: https://amer.sky.junipersecurity.netUnited States
Customer Portal: https://eu.sky.junipersecurity.netEuropean Union
Customer Portal: https://apac.sky.junipersecurity.netAPAC
Customer Portal: https://canada.sky.junipersecurity.net/Canada
The Web UI login page appears. See Figure 13 on page 36.
35
Figure 13: Juniper Sky ATP Web UI Login Page
36
3. On the login page, type your username (your account e-mail address), password, and realm name and
click Log In.
The Web UI Dashboard page appears.
NOTE: Users can login to Juniper Sky ATP using different realms. You can manage realms
using the Configure > Global Configuration > Realm Management page. See “Realm Overview”
on page 122. You must be a system administrator to see the Realm Management page. See
“Creating and Editing User Profiles” on page 211 for information on role-based access control.
To terminate your session at any time, click the icon in the upper-right corner and click Logout.
Dashboard Overview
The Juniper Sky Advanced Threat Prevention Web UI is a Web-based service portal that lets you monitor
malware downloaded through your SRX Series devices.
The Web UI for Juniper Sky ATP includes a dashboard that provides a summary of all gathered information
on compromised content and hosts. Drag and drop widgets to add them to your dashboard. Mouse over
a widget to refresh, remove, or edit the contents.
In addition, you can use the dashboard to:
Navigate to the File Scanning page from the Top Scanned Files and Top Infected Files widgets by clicking
•
the More Details link.
Navigate to the Hosts page from the Top Compromised Hosts widget by clicking the More Details link.
•
Navigate to the Command and Control Servers page from the C&C Server Malware Source Location
•
widget.
37
NOTE: C&C and GeoIP filtering feeds are only available with the Basic-Threat Feed or Premium
license. For information on other licensed features, see Juniper Sky Advanced Threat Prevention
License Types.
Available dashboard widgets are as follows:
Table 6: Juniper Sky ATP Dashboard Widgets
DefinitionWidget
Top Malware Identified
Top Compromised Hosts
Top Infected File Types
Top Infected File Categories
A list of the top malware found based on the number of times the malware is
detected over a period of time. Use the arrow to filter by different time frames.
A list of the top compromised hosts based on their associated threat level and
blocked status.
A graph of the top infected file types by file extension. Examples: exe, pdf, ini,
zip. Use the arrows to filter by threat level and time frame.
A graph of the top infected file categories. Examples: executables, archived files,
libraries. Use the arrows to filter by threat level and time frame.
Top Scanned File Types
A graph of the top file types scanned for malware. Examples: exe, pdf, ini, zip.
Use the arrows to filter by different time frames.
Table 6: Juniper Sky ATP Dashboard Widgets (continued)
DefinitionWidget
38
Top Scanned File Categories
C&C Server and Malware Source
A graph of the top file categories scanned for malware. Examples: executables,
archived files, libraries. Use the arrows to filter by different time frames.
A color-coded map displaying the location of Command and Control servers or
other malware sources. Click a location on the map to view the number of detected
sources.
RELATED DOCUMENTATION
Reset Password | 38
Juniper Sky Advanced Threat Prevention | 2
How is Malware Analyzed and Detected? | 9
Hosts Overview | 137
HTTP File Download Overview | 164
Command and Control Servers Overview | 153
Reset Password
If you forget your password to login to the Juniper Sky ATP dashboard, you can reset it using a link sent
by email when you click Forgot Password from the Juniper Sky ATP login screen. The following section
provides details for resetting your password securely over email.
To reset your password you must enter the realm name and a valid email address.
•
Once you receive your password reset email, the link expires immediately upon use or within one hour.
•
If you want to reset your password again, you must step through the process to receive a new link.
Use this process if you have forgotten your password. If you are logged into the dashboard and want
•
to change your password, you can do that from the Administration > My Profile page. See “Modifying
My Profile” on page 210 for those instructions.
To reset your Juniper Sky ATP dashboard password, do the following:
1. Click the Forgot Password link on the Juniper Sky ATP dashboard login page.
2. In the screen that appears, enter the Email address associated with your account.
3. Enter the Realm name.
4. Click Continue. An email with a link for resetting your password is sent. Note that the link expires within
one hour of receiving it.
5. Click the link in the email to go to the Reset Password page.
6. Enter a new password and then enter it again to confirm it. The password must contain an uppercase
and a lowercase letter, a number, and a special character.
7. Click Continue. The password is now reset. You should receive an email confirming the reset action.
You can now login with the new password.
RELATED DOCUMENTATION
39
Modifying My Profile | 210
Creating and Editing User Profiles | 211
Dashboard Overview | 37
Recover Realm Name
If you forget your realm name to login to the Juniper Sky ATP portal, you can recover the realm name
using the following methods:
See the confirmation e-mail that is sent to you when you create a new realm. The e-mail now contains
•
the realm name. Here's a sample:
Welcome to Juniper SkyATP!
You have successfully created your SkyATP Security Realm. Below is your information:
You email ID: user@juniper.net
Realm Name: " realm123"
You may save the Realm name for future use for login purpose as SkyATP login expects
Realm name as an input.
40
You can login now using link: https://xxxxxxxx
Please do not reply to this automated message and contact JTAC if you have any
questions.
Thank you,
Your friendly Juniper Sky ATP robot.
Click Forgot Realm link from the Juniper Sky ATP login page.
•
The following section provides details to recover the realm name using the Juniper Sky ATP web portal.
NOTE: To recover the realm name you must enter a valid e-mail address.
To recover the realm name from the Sky ATP web portal:
1. Open a Web browser, type in the URL for the Sky ATP web portal, and press Enter.
The login page appears as shown in Figure 14 on page 41.
Figure 14: Juniper Sky ATP Web UI Login Page
41
2. Click the Forgot Realm link.
A pop-up appears asking you to confirm navigation to customer support center to provide Juniper SSO
credentials.
3. Click Continue.
The customer support center login page appears.
4. Enter the e-mail address that you provided while creating the realm and click Next.
A pop-up message is displayed with the status of realm recovery.
If the e-mail address has realms associated with it, an e-mail is sent to your registered e-mail address
•
with the list of associated realms. Here's a sample:
An email message has been sent to user@juniper.net with the names of all Sky
ATP Realms associated with this email address.
Here's a sample e-mail for realm recovery:
Welcome to Juniper SkyATP !
Based on your request please find below Realms created by you with Juniper
SkyATP till date.
Your email ID : <Juniper-Networks-Account>
42
Realm names: REALM-1, REALM-2, RELAM-3…REALM-N
You may save the Realm name for future use for login purpose as SkyATP login
expects Realm name as an input.
You can login now using link: <realm-recovery link>
Please do not reply to this automated message and contact JTAC if you have any
questions.
Thank you,
Your friendly Juniper Sky ATP robot
If no realms are associated with the e-mail address, then you will see the following message:
•
There are no realms created by login user@juniper.net.
5. Click OK to login to the Sky ATP portal with the realm name.
RELATED DOCUMENTATION
Reset Password | 38
Dashboard Overview | 37
CHAPTER 4
Enroll SRX Series Devices
IN THIS CHAPTER
Enrolling an SRX Series Device With Juniper Sky Advanced Threat Prevention | 43
Enrolling an SRX Series Device without the Juniper Sky ATP Web Portal | 47
Removing an SRX Series Device From Juniper Sky Advanced Threat Prevention | 49
Searching for SRX Series Devices Within Juniper Sky Advanced Threat Prevention | 50
Juniper Sky Advanced Threat Prevention RMA Process | 53
Device Information | 53
Cloud Feeds for Juniper Sky Advanced Threat Prevention: More Information | 54
43
Enrolling an SRX Series Device With Juniper Sky Advanced Threat Prevention
Only devices enrolled with Juniper Sky ATP can send files for malware inspection.
Before enrolling a device, check whether the device is already enrolled. To do this, use the Devices screen
or the Device Lookup option in the Web UI (see “Searching for SRX Series Devices Within Juniper Sky
Advanced Threat Prevention” on page 50). If the device is already enrolled, disenroll it first before enrolling
it again.
NOTE: If a device is already enrolled in a realm and you enroll it in a new realm, none of the
device data or configuration information is propagated to the new realm. This includes history,
infected hosts feeds, logging, API tokens, and administrator accounts.
NOTE: In the Enrolled Devices page, you can view the realm with which the device is associated.
From the Realm Management page, you can change that realm association or attach new realms.
See “Realm Management” on page 124 for configuration details.
As of Junos Release 19.3R1, there is another way to enroll the SRX Series device without having to interact
with the Sky ATP Web Portal. You run the “enroll” command from the SRX and it performs all the necessary
enrollment steps. See “Enrolling an SRX Series Device without the Juniper Sky ATP Web Portal” on page 47
Juniper Sky ATP uses a Junos OS operation (op) script to help you configure your SRX Series device to
connect to the Juniper Sky Advanced Threat Prevention cloud service. This script performs the following
tasks:
Downloads and installs certificate authority (CAs) licenses onto your SRX Series device.
•
Creates local certificates and enrolls them with the cloud server.
•
Performs basic Juniper Sky ATP configuration on the SRX Series device.
•
Establishes a secure connection to the cloud server.
•
NOTE: Juniper Sky Advanced Threat Prevention requires that both your Routing Engine (control
plane) and Packet Forwarding Engine (data plane) can connect to the Internet. Juniper Sky
Advanced Threat Prevention requires the following ports to be open on the SRX Series device:
80, 8080, and 443.
44
WARNING: If you are configuring explicit web proxy support for SRX Series
services/Juniper Sky ATP connections, you must enroll SRX Series devices to Juniper
Sky ATP using a slightly different process, see “Explicit Web Proxy Support” on page 204.
To enroll a device in Juniper Sky ATP using the Web Portal, do the following:
1. Click the Enroll button on the Devices page.
2. Copy the command to your clipboard and click OK.
3. Paste the command into the Junos OS CLI of the SRX Series device you want to enroll with Juniper
Sky ATP and press Enter. (Note that this command must be run in operational mode.)
NOTE: If the script fails, disenroll the device (see instructions for disenrolling devices) and then
re-enroll it.
NOTE: (Optional) Use the show services advanced-anti-malware status CLI command to verify
that a connection is made to the cloud server from the SRX Series device.
Once configured, the SRX Series device communicates to the cloud through multiple persistent connections
established over a secure channel (TLS 1.2) and the SRX Series device is authenticated using SSL client
certificates.
In the Juniper Sky ATP Web UI Enrolled Devices page, basic connection information for all enrolled devices
is provided, including serial number, model number, tier level (free or not) enrollment status in Juniper Sky
ATP, last telemetry activity, and last activity seen. Click the serial number for more details. In addition to
Enroll, the following buttons are available:
Table 7: Button Actions
DefinitionActions
45
Enroll
Disenroll
NOTE: Running the Enroll or Disenroll command will commit any uncommitted configuration changes on the SRX
Series device.
NOTE: Generating a new Enroll or Disenroll command invalidates any previously generated commands.
Device Lookup
Remove
Use the Enroll button to obtain a enroll command to run on eligible SRX Series
devices. This command enrolls them in Juniper Sky ATP and is valid for 7
days. Once enrolled, SRX Series device appears in the Devices and
Connections list.
Use the Disenroll button to obtain a disenroll command to run on SRX Series
devices currently enrolled in Juniper Sky ATP. This command removes those
devices from Juniper Sky ATP enrollment and is valid for 7 days.
Use the Device Lookup button to search for the device serial number(s) in
the licensing database to determine the tier (premium, feed only, free) of the
device. For this search, the device does not have to be currently enrolled in
Juniper Sky ATP.
Removing an SRX Series device is different than disenrolling it. Use the
Remove option only when the associated SRX Series device is not responding
(for example, hardware failure). Removing it, disassociates it from the cloud
without running the Junos OS operation (op) script on the device (see Enrolling
and Disenrolling Devices). You can later enroll it using the Enroll option when
the device is again available.
For HA configurations, you only need to enroll the cluster master. The cloud will detect that this is a cluster
and will automatically enroll both the master and slave as a pair. Both devices, however, must be licensed
accordingly. For example, if you want premium features, both devices must be entitled with the premium
license.
NOTE: Juniper Sky ATP supports only the active-passive cluster configuration. The passive
(non-active) node does not establish a connection to the cloud until it becomes the active node.
Active-active cluster configuration is not supported.
NOTE: The License Expiration column contains the status of your current license, including
expiration information. There is a 60 day grace period after the license expires before the SRX
Series device is disenrolled from Juniper Sky ATP. On the SRX Series device, you can run the >
show system license command to view license details.
46
RELATED DOCUMENTATION
Juniper Sky Advanced Threat Prevention RMA Process | 53
Removing an SRX Series Device From Juniper Sky Advanced Threat Prevention | 49
Searching for SRX Series Devices Within Juniper Sky Advanced Threat Prevention | 50
Device Information | 53
Enrolling an SRX Series Device without the Juniper Sky ATP Web Portal
Starting in Junos OS Release 19.3R1, you can use the request services advanced-anti-malware enroll
command on the SRX Series to enroll a device to the Juniper Sky ATP Web Portal. With this command,
you do not have to perform any enrollment tasks on the Web Portal itself. All enrollment is done from the
CLI on the SRX.
Enrollment establishes a secure connection between the Juniper Sky ATP cloud server and the SRX Series
device. It also performs basic configuration tasks such as:
Downloads and installs certificate authorities (CAs) onto your SRX Series device
•
Creates local certificates and enrolls them with the cloud server
•
Establishes a secure connection to the cloud server
•
NOTE: Juniper Sky Advanced Threat Prevention requires that both your Routing Engine (control
plane) and Packet Forwarding Engine (data plane) can connect to the Internet. You do not need
to open any ports on the SRX Series device to communicate with the cloud server. However, if
you have a device in the middle, such as a firewall, then that device must have ports 80, 8080,
and 443 open.
47
Also note, the SRX Series device must be configured with DNS servers in order to resolve the
cloud URL.
Using the device enrollment command on the SRX Series device, request services advanced-anti-malware
enroll, you can enroll the device to an existing realm or create a new realm and then enroll to it.
Here is an example configuration that creates a new realm and then enrolls to that realm.
root@host> request services advanced-anti-malware enroll
1. Enroll the SRX Series device to Juniper Sky ATP (CLI only):
user@host> request services advanced-anti-malware enroll
Please select geographical region from the list:
1. North America
2. European Region
3. Canada
4. Asia Pacific
Your choice: 1
2. Select an existing realm or create a new realm:
Enroll SRX to:
1. A new SkyATP security realm (you will be required to create it first)
2. An existing SkyATP security realm
If you select option 1 to create a new realm, the steps are as follows:
You are going to create a new Sky ATP realm, please provide the required information:
•
Please enter a realm name (This should be a name that is meaningful to your organization. A realm
•
name can only contain alphanumeric characters and the dash symbol. Once a realm is created, it
cannot be changed):
Real name: example-company-a
Please enter your company name:
•
Company name: Example Company A
Please enter your e-mail address. This will be your username for your Sky ATP account:
•
48
Email: me@example-company-a.com
Please setup a password for your new Sky ATP account (It must be at least 8 characters long and
•
include both uppercase and lowercase letters, at least one number, at least one special character):
Password: **********
Verify: **********
Please review the information you have provided:
•
Region: North America
New Realm: example-company-a
Company name: Example Company A
Email: me@example-company-a.com
Create a new realm with the above information? [yes,no]
•
yes
Device enrolled successfully!
If you select option 2 to use an existing realm, the steps are as follows:
NOTE: You must enter a valid username and password for the existing realm as part of the
enrollment procedure.
Enter the name of the existing realm:
•
Please enter a realm name.
Realm name: example-company-b
Please enter your company name:
•
Company name: Example Company B
Enter your email adddress/username for the realm. This is the email address that was previously
•
created when setting up the realm.
Please enter your e-mail address. This will be your username for your Sky ATP account:
Enter the password for the realm. This is the password that was previously created when setting up
•
the realm.
Password:********
Enroll device to the realm above? [yes,no] yes
•
Device enrolled successfully!
49
You can use the show services advanced-anti-malware status CLI command on your SRX Series device
to verify that a connection has been made to the cloud server from the SRX Series device.
Once enrolled, the SRX Series device communicates to the cloud through multiple, persistent connections
established over a secure channel (TLS 1.2) and the SRX Series device is authenticated using SSL client
certificates.
RELATED DOCUMENTATION
Enrolling an SRX Series Device With Juniper Sky Advanced Threat Prevention | 43
Removing an SRX Series Device From Juniper Sky Advanced Threat Prevention
If you no longer want an SRX Series device to send files to the cloud for inspection, use the disenroll option
to disassociate it from Juniper Sky Advanced Threat Prevention. The disenroll process generates an ops
script to be run on SRX Series devices and resets any properties set by the enroll process.
To disenroll an SRX Series device:
1. Select the check box associated with the device you want to disasssociate and click Disenroll.
2. Copy the highlighted command to your clipboard and click OK.
3. Paste this command into the Junos OS CLI of the device you want to disenroll and press Enter.
You can re-enroll this device at a later time using the Enroll option.
RELATED DOCUMENTATION
Searching for SRX Series Devices Within Juniper Sky Advanced Threat Prevention | 50
Enrolling an SRX Series Device With Juniper Sky Advanced Threat Prevention | 43
Device Information | 53
Searching for SRX Series Devices Within Juniper Sky Advanced Threat Prevention
50
You can search for any SRX Series device enrolled within your security realm of Juniper Sky Advanced
Threat Prevention using the Device Lookup option. This option also a way for you to view the type of
license the device is using: basic, premium, or free. .
NOTE: With this release, you can only search for device using serial numbers.
To search for devices enrolled with Juniper Sky Advanced Threat Prevention:
1. From the Web UI, select Devices.
2. Click Device Lookup.
The Device Lookup window appears. See Figure 15 on page 51.
Figure 15: Searching for a Device in the Web UI
51
3. Enter the serial number of the device you want to search for and click Next. You can enter multiple
serial numbers, separating each entry with a comma. For more information, see the infotips.
NOTE: The Web UI does not check for valid serial numbers. If you enter an invalid serial
number, the results will come back empty. If you enter multiple serial numbers and one is an
invalid number, the results will come back empty.
The search results window appears. See Figure 16 on page 52.
Figure 16: Example Device Search Results
52
4. (Optional) Click a serial number to view details about that device.
RELATED DOCUMENTATION
Device Information | 53
Enrolling an SRX Series Device With Juniper Sky Advanced Threat Prevention | 43
Removing an SRX Series Device From Juniper Sky Advanced Threat Prevention | 49
Searching for SRX Series Devices Within Juniper Sky Advanced Threat Prevention | 50
Juniper Sky Advanced Threat Prevention RMA Process
On occasion, because of hardware failure, a device needs to be returned for repair or replacement. For
these cases, contact Juniper Networks, Inc. to obtain a Return Material Authorization (RMA) number and
follow the RMA Procedure.
Once you transfer your license keys to the new device, it may take up to 24 hours for the new serial
number to be registered with the Juniper Sky ATP cloud service.
WARNING: After any serial number change on the SRX Series device, a new RMA
serial number needs to be re-enrolled with Juniper Sky ATP cloud. This means that
you must enroll your replacement unit as a new device. See “Enrolling an SRX Series
Device With Juniper Sky Advanced Threat Prevention” on page 43. Juniper Sky ATP
does not have an “RMA state”, and does not see these as replacement devices from a
configuration or registration point of view. Data is not automatically transferred to the
replacement SRX Series device from the old device.
53
Device Information
Use this page to view the following information on the selected SRX Series device.
Table 8: Device Information Fields
DefinitionField
Device Information
SRX Series device serial numberSerial Number
Host name of the device.Host
SRX Series device model numberModel Number
License type: Free, Feed only, Premium.Tier
SRX Series device JunOS versionOS Version
Submission Status
Allowed or Paused. This indicates whether the device can submit
files to Juniper Sky ATP or if it has reached its daily limit. (At this
time, the limit is 10,000 files per day for premium accounts.)
Table 8: Device Information Fields (continued)
Configuration Information
54
DefinitionField
Global Config
Profile Config
Global Whitelist
Global Blacklist
Customer Whitelist
Customer Blacklist
Connection Type
The Device and Cloud fields indicate the version numbers of each
list, both on the device and in the cloud. You can compare them to
see if they are in sync.
The time when the last telemetry submission was received.Telemetry
The time when the last file submission was received.Submission
The time when the last Command and Control event was received.C&C Event
RELATED DOCUMENTATION
Enrolling an SRX Series Device With Juniper Sky Advanced Threat Prevention | 43
Removing an SRX Series Device From Juniper Sky Advanced Threat Prevention | 49
Searching for SRX Series Devices Within Juniper Sky Advanced Threat Prevention | 50
Cloud Feeds for Juniper Sky Advanced Threat Prevention: More Information
The cloud feed URL is set up automatically for you when you run the op script to configure your SRX Series
device. See “Downloading and Running the Juniper Sky Advanced Threat Prevention Script” on page 24.
There are no further steps you need to do to configure the cloud feed URL.
If you want to check the cloud feed URL on your SRX Series device, run the show services
security-intelligence URL CLI command. Your output should look similar to the following:
root@host# show services security-intelligence url
https://cloudfeeds.sky.junipersecurity.net/api/manifest.xml
If you do not see a URL listed, run the ops script again as it configures other settings in addition to the
cloud feed URL.
SRX Series Update Intervals for Cloud Feeds
The following table provides the update intervals for each feed type. Note that when the SRX Series device
makes requests for new and updated feed content, if there is no new content, no updates are downloaded
at that time.
NOTE: You can run the request services security-intelligence download command to manually
download updates before the next interval, although this is not recommended.
55
Table 9: Feed Update Intervals
SRX Update Intervals (in seconds)FeedsCategory
1,800Juniper FeedsCommand and Control
1,800Integrated Feeds
1,800Customer Feeds
435,600geoip_countryGeoIP
3,600Customer FeedsWhitelist
3,600Customer FeedsBlacklist
60Infected HostsInfected Hosts
1,800Customer FeedsIPFilter
1,800Office 365
3
PART
Configure
Whitelists and Blacklists | 57
Email Scanning: Juniper Sky ATP | 65
Email Scanning: SRX Series Device | 74
File Inspection Profiles | 92
Adaptive Threat Profiling | 97
Third Party Threat Feeds | 110
Global Configurations | 116
CHAPTER 5
Whitelists and Blacklists
IN THIS CHAPTER
Whitelist and Blacklist Overview | 57
Creating Whitelists and Blacklists | 59
Whitelist and Blacklist Overview
57
A whitelist contains known trusted IP addresses, Hashes, Email addresses, and URLs. Content downloaded
from locations on the whitelist does not have to be inspected for malware. A blacklist contains known
untrusted IP addresses and URLs. Access to locations on the blacklist is blocked, and therefore no content
can be downloaded from those sites.
Benefits of Whitelists and Blacklists
Whitelists allows users to download files from sources that are known to be safe. Whitelists can be
•
added to in order to decrease false positives.
Blacklists prevent users from downloading files from sources that are known to be harmful or suspicious.
•
The Custom whitelists or custom blacklists allow you to add items manually. Both are configured on the
Juniper Sky ATP cloud server. The priority order is as follows:
1. Custom whitelist
2. Custom blacklist
If a location is in multiple lists, the first match wins.
Whitelists and blacklists support the following types:
URL
•
IP address
•
Hostname
•
Hash file
•
NOTE:
For IP and URL, The Web UI performs basic syntax checks to ensure your entries are valid.
•
The cloud feed URL for whitelists and blacklists is set up automatically for you when you run
•
the op script to configure your SRX Series device. See “Downloading and Running the Juniper
Sky Advanced Threat Prevention Script” on page 24.
A hash is a unique signature for a file generated by an algorithm. You can add custom whitelist
•
and blacklist hashes for filtering, but they must be listed in a text file with each entry on a
single line. You can only have one running file containing up to 15,000 file hashes. For upload
details see “Creating Whitelists and Blacklists” on page 59. Note that Hash lists are slightly
different than other list types in that they operate on the cloud side rather than the SRX Series
device side. This means the web portal is able to display hits on hash items.
The SRX series device makes requests approximately every two hours for new and updated feed content.
If there is nothing new, no new updates are downloaded.
58
Use the show security dynamic-address instance advanced-anti-malware CLI command to view the
IP-based whitelists and blacklists on your SRX Series device. There is no CLI command to show the
domain-based or URL-based whitelists and blacklists at this time.
Example show security dynamic-address instance advanced-anti-malware
user@host>show security dynamic-address instance advanced-anti-malware
No. IP-start IP-end Feed Address
1 x.x.x.0 x.x.x.10 custom_whitelist ID-80000400
2 x.x.0.0 x.x.0.10 custom_blacklist ID-80000800
Instance advanced-anti-malware Total number of matching entries: 2
If you do not see your updates, wait a few minutes and try the command again. You might be outside the
Juniper Sky ATP polling period.
Once your whitelists or blacklists are created, create an advanced anti-malware policy to log (or don’t log)
when attempting to download a file from a site listed in the blacklist or white list files. For example, the
following creates a policy named aawmpolicy1 and creates log entries.
set services advanced-anti-malware policy aamwpolicy1 blacklist-notification log
set services advanced-anti-malware policy aamwpolicy1 whitelist-notification log
RELATED DOCUMENTATION
Creating Whitelists and Blacklists | 59
Creating Whitelists and Blacklists
Access these pages from Configure > Whitelists or Blacklists.
Use the whitelist and blacklist pages to configure custom trusted and untrusted lists. You can also upload
hash files.
Content downloaded from locations on the whitelist is trusted and does not have to be inspected for
malware. Hosts cannot download content from locations on the blacklist, because those locations are
untrusted.
Read the “Whitelist and Blacklist Overview” on page 57 topic.
•
Decide on the type of item you intend to define: URL, IP, Hash, Domain
•
59
Review current list entries to ensure the item you are adding does not already exist.
•
If you are uploading hash files, the files must be in a text file with each hash on its own single line.
•
To create Juniper Sky ATP whitelists and blacklists:
1. Select Configuration > Whitelist or Blacklist.
2. For either Whitelist or Blacklist, select one of the following tabs: IP and URL, Hash File, Email Sender,
C&C Server, or Encrypted Traffic and enter the required information. See the tables below.
NOTE: Encrypted Traffic option is available only under Whitelist menu.
3. Click OK.
Refer to the following tables for the data required by each tab.
IP and URL
When you create a new IP or URL list item, you must choose the Type of list: IP or URL. You can do this
by selecting the type in the navigation pane or by choosing it from a pulldown list in the Create window.
Depending on the type, you must enter the required information. See the following table.
Table 10: IP and URL Configuration
60
GuidelineSetting
IP
URL
Enter the IPv4 or IPv6 IP address. For example: 1.2.3.4 or
0:0:0:0:0:FFFF:0102:0304. CIDR notation and IP address ranges are also
accepted.
Any of the following IPv4 formats are valid: 1.2.3.4, 1.2.3.4/30, or 1.2.3.4-1.2.3.6.
Any of the following IPv6 formats are valid: 1111::1, 1111::1-1111::9, or
1111:1::0/64.
NOTE: Address ranges: No more than a block of /16 IPv4 addresses and /48
IPv6 addresses are accepted. For example, 10.0.0.0-10.0.255.255 is valid, but
10.0.0.0-10.1.0.0 is not.
Bitmasks: The maximum amount of IP addresses covered by bitmask in a subnet
record for IPv4 is 16 and for IPv6 is 48. For example, 10.0.0.0/15 and 1234::/47
are not valid.
Enter the URL using the following format: juniper.net. Wildcards and protocols
are not valid entries. The system automatically adds a wildcard to the beginning
and end of URLs. Therefore juniper.net also matches a.juniper.net, a.b.juniper.net,
and a.juniper.net/abc. If you explicitly enter a.juniper.net, it matches
b.a.juniper.net, but not c.juniper.net. You can enter a specific path. If you enter
juniper.net/abc, it matches x.juniper.net/abc, but not x.juniper.net/123.
NOTE: To edit an existing whitelist or blacklist IP or URL entry, select the check box next to the entry you want to
edit and click the pencil icon.
Hash File
When you upload a hash file, it must be in a text file with each hash on its own single line. You can only
have one running hash file. To add to it or edit it, see the instructions in the following table.
Table 11: Hash File Upload and Edit
GuidelineField
You can add custom whitelist and blacklist hashes for filtering, but they must be listed in a text file with each entry
on a single line. You can only have one running hash file containing up to 15,000 file hashes. This is the “current” list,
but you can add to it, edit it, and delete it at any time.
Table 11: Hash File Upload and Edit (continued)
GuidelineField
61
SHA-256 Hash Item
To add to hash entries, you can upload several text files and they will
automatically combine into one file. See all, merge, delete and replace options
below.
Download—Click this button to download the text file if you want to view or
edit it.
You have the following options from the pulldown:
Replace current list—Use this option when you want to change the existing
•
list, but do not want to delete it entirely. Download the existing file, edit it,
and then upload it again.
Merge with current list—Use this option when you upload a new text file and
•
want it to combine with the existing text file. The hashes in both files combine
to form one text file containing all hashes.
Delete from current list—Use this option when you want to delete only a
•
portion of the current list. In this case, you would create a text file containing
only the hashes you want to remove from the current list. Upload the file
using this option and only the hashes in the uploaded file are deleted from
the current active list.
Delete All or Delete Selected—Sometimes it’s more efficient to delete the
current list rather than downloading it and editing it. Click this button to delete
the current selected list or all lists that have been added and accumulated here.
This says either Whitelist or Blacklist.Source
The month, date, year, and time when the hash file was last uploaded or edited.Date Added
Email Sender
Add email addresses to be whitelisted or blacklisted if found in either the sender or recipient of an email
communication. Add addresses one at a time using the + icon.
Table 12: Email Sender
GuidelineField
Email address
Enter an email address in the format name@domain.com. Wildcards and partial
matches are not supported, but if you want to include an entire domain, you
could enter only the domain as follows: domain.com
Table 12: Email Sender (continued)
GuidelineField
If an email matches the blacklist, it is considered to be malicious and is handled the same way as an email with a
malicious attachment. The email is blocked and a replacement email is sent. If an email matches the whitelist, that
email is allowed through without any scanning. See “SMTP Quarantine Overview: Blocked Emails” on page 177.
It is worth noting that attackers can easily fake the “From” email address of an email, making blacklists a less effective
way to stop malicious emails.
C&C Server
When you whitelist a C&C server, the IP or hostname is sent to the SRX Series devices to be excluded
from any security intelligence blacklists or C&C feeds (both Juniper’s global threat feed and third party
feeds). The server will also now be listed under the C&C whitelist management page.
You can enter C&C server data manually or upload a list of servers. That list must be a text file with each
IP or Domain on its own single line. The text file must include all IPs or all Domains, each in their own file.
You can upload multiple files, one at a time.
62
NOTE: You can also manage whitelist and blacklist entries using the Threat Intelligence API.
When adding entries to the whitelist/blacklist data, these will be available in the Threat Intelligence
API under the following feed names: “whitelist_domain” or “whitelist_ip”, and “blacklist_domain”
or “blacklist_ip.” See the Juniper Sky ATP Threat Intelligence Open API Setup Guide for details
on using the API to manage any custom feeds.
Table 13: C&C Server
GuidelineField
Type
IP or Domain
Select IP to enter the IP address of a C&C server that you want to add to the
whitelist. Select Domain to whitelist an entire domain on the C&C server list.
For IP, enter an IPv4 or IPv6 address. An IP can be IP address, IP range or IP
subnet. For domain, use the following syntax: juniper.net. Wildcards are not
supported.
Enter a description that indicates why an item has been added to the list.Description
Table 13: C&C Server (continued)
GuidelineField
You can also whitelist C&C servers directly from the C&C Monitoring page details view. See “Command and Control
Server Details” on page 154.
WARNING: Adding a C&C server to the whitelist automatically triggers a remediation process to update any affected
hosts (in that realm) that have contacted the whiltelisted C&C server. All C&C events related to this whitelisted server
will be removed from the affected hosts’ events, and a host threat level recalculation will occur.
If the host score changes during this recalculation, a new host event appears describing why it was rescored. (For
example, “Host threat level updated after C&C server 1.2.3.4 was cleared.”) Additionally, the server will no longer
appear in the list of C&C servers because it has been cleared.
Encrypted Traffic
You can specify the IP address or domain names that you want to whitelist from encrypted traffic analysis.
Use this tab to add, modify, or delete the whitelists for encrypted traffic analysis.
63
Table 14: Encrypted Traffic
GuidelineField
Select whether you want to specify the IP address or domain name for the whitelist.Type
Enter the IP address or domain name for the whitelist.IP or Domain
NOTE: Juniper Sky ATP periodically polls for new and updated content and automatically
downloads it to your SRX Series device. There is no need to manually push your whitelist or
blacklist files.
Use the show security dynamic-address instance advanced-anti-malware command to view the
custom whitelist and blacklist on SRX Series devices.
user@host>show security dynamic-address instance advanced-anti-malware
No. IP-start IP-end Feed Address
1 x.x.x.0 x.x.x.10 custom_whitelist ID-80000400
2 x.x.0.0 x.x.0.10 custom_blacklist ID-80000800
Instance advanced-anti-malware Total number of matching entries: 2
RELATED DOCUMENTATION
Whitelist and Blacklist Overview | 57
Enabling Third Party Threat Feeds | 110
64
CHAPTER 6
Email Scanning: Juniper Sky ATP
IN THIS CHAPTER
Email Management Overview | 65
Email Management: Configure SMTP | 67
Email Management: Configure IMAP | 70
Email Management Overview
65
With Email Management, enrolled SRX devices transparently submit potentially malicious email attachments
to the cloud for inspection. Once an attachment is evaluated, Juniper Sky ATP assigns the file a threat
score between 0-10 with 10 being the most malicious.
NOTE: If an email contains no attachments, it is allowed to pass without any analysis.
Benefits of Email Management
Allows attachments to be checked against whitelists and blacklists.
•
Prevents users from opening potential malware received as an email attachment.
•
Configure Juniper Sky ATP to take one of the following actions when an email attachment is determined
to be malicious:
For SMTP
Quarantine Malicious Messages—If you select to quarantine emails with attachments found to be
•
malicious, those emails are stored in the cloud in an encrypted form and a replacement email is sent to
the intended recipient. That replacement email informs the recipient of the quarantined message and
provides a link to the Juniper Sky ATP quarantine portal where the email can be previewed. The recipient
can then choose to release the email by clicking a Release button (or request that the administrator
release it) or Delete the email.
Deliver malicious messages with warning headers added—When you select this option, headers are
•
added to emails that most mail servers recognize and filter into Spam or Junk folders.
Permit—You can select to permit the email and the recipient receives it intact.
•
For IMAP
Block Malicious Messages—Block emails with attachments that are found to be malicious.
•
Permit—You can select to permit the email and the recipient receives it intact.
•
Figure 17: Email Management Overview
66
Quarantine Release
If the recipient selects to release a quarantined email, it is allowed to pass through the SRX series with a
header message that prevents it from being quarantined again, but the attachments are placed in a
password-protected ZIP file. The password required to open the ZIP file is also included as a separate
attachment. The administrator is notified when the recipient takes an action on the email (either to release
or delete it).
If you configure Juniper Sky ATP to have the recipient send a request to the administrator to release the
email, the recipient previews the email in the Juniper Sky ATP quarantine portal and can select to Delete
the email or Request to Release. The recipient receives a message when the administrator takes action
(either to release or delete the email.)
Blacklist and Whitelist
Emails are checked against administrator-configured blacklists and whitelists using information such as
Envelope From (MAIL FROM), Envelope To (RCPT TO), Body Sender, Body Receiver. If an email matches
the whitelist, that email is allowed through without any scanning. If an email matches the blacklist, it is
considered to be malicious and is handled the same way as an email with a malicious attachment.
RELATED DOCUMENTATION
Email Management: Configure SMTP | 67
Creating Whitelists and Blacklists | 59
SMTP Quarantine Overview: Blocked Emails | 177
Email Management: Configure SMTP
Access this page from Configure > Email Management > SMTP.
Read the “Email Management Overview” on page 65 topic.
•
67
Decide how malicious emails are handled: quarantined, delivered with headers, or permitted.
•
1. Select Configure > Email Management > SMTP.
2. Based on your selections, configuration options will vary. See the tables below.
Table 15: Configure Quarantine Malicious Messages
GuidelineSetting
Action to take
Quarantine malicious messages—When you select to quarantine malicious
email messages, in place of the original email, intended recipients receive
a custom email you configure with information on the quarantining. Both
the original email and the attachment are stored in the cloud in an
encrypted format.
Table 15: Configure Quarantine Malicious Messages (continued)
GuidelineSetting
68
Release option
Recipients can release email—This option provides recipients with a link
•
to the Juniper Sky ATP quarantine portal where they can preview the
email. From the portal, recipients can select to Release the email or
Delete it. Either action causes a message to be sent to the administrator.
NOTE: If a quarantined email has multiple recipients, any individual
recipient can release the email from the portal and all recipients will
receive it. Similarly, if one recipient deletes the email from the portal, it
is deleted for all recipients.
Recipients can request administrator to release email—This option also
•
provides recipients with a link to the Juniper Sky ATP quarantine portal
where they can preview the email. From the portal, recipients can select
to Request to Release the email or Delete it. Either choice causes a
message to be sent to the administrator. When the administrator takes
action on the email, a message is sent to the recipient.
NOTE: When a quarantined email is released, it is allowed to pass through
the SRX series with a header message that prevents it from being
quarantined again, but the attachment is placed inside a
password-protected zip file with a text file containing the password that
the recipient must use to open the file.
Email Notifications for End Users
Learn More Link URL
Subject
Custom Message
Custom Link Text
If you have a corporate web site with further information for users, enter
that URL here. If you leave this field blank, this option will not appear to
the end user.
When an email is quarantined, the recipient receives a custom message
informing them of their quarantined email. For this custom message, enter
a subject indicating a suspicious email sent to them has been quarantined,
such as "Malware Detected."
Enter information to help email recipients understand what they should
do next.
Enter custom text for the Juniper Sky ATP quarantine portal link where
recipients can preview quarantined emails and take action on them.
Table 15: Configure Quarantine Malicious Messages (continued)
GuidelineSetting
69
Buttons
Click Preview to view the custom message that will be sent to a recipient
•
when an email is quarantined. Then click Save.
Click Reset to clear all fields without saving.
•
Click Save if you are satisfied with the configuration.
•
Table 16: Configure Deliver with Warning Headers
GuidelineSetting
Action to take
SMTP Headers
Deliver malicious messages with warning headers added—When you select
to deliver a suspicious email with warning headers, you can add headers
to emails that most mail servers will recognize and filter into spam or junk
folders.
X-Distribution (Bulk, Spam)—Use this header for messages that are sent
•
to a large distribution list and are most likely spam. You can also select
“Do not add this header.”
X-Spam-Flag—This is a common header added to incoming emails that
•
are possibly spam and should be redirected into spam or junk folders.
You can also select “Do not add this header.”
Subject Prefix—You can prepend headers with information for the
•
recipient, such as "Possible Spam."
Buttons
Click Reset to clear all fields without saving.
•
Click OK if you are satisfied with the configuration.
•
Table 17: Permit
GuidelineSetting
Action to take
Permit—You can select to permit the message and no further configuration
is required.
Administrators Who Receive Notifications
To send notifications to administrators when emails are quarantined or released from quarantine:
1. Click the + sign to add an administrator.
2. Enter the administrator's email address.
3. Select the Quarantine Notification check box to receive those notifications.
4. Select the Release Notifications check box to receive those notifications.
5. Click OK.
RELATED DOCUMENTATION
Email Management Overview | 65
SMTP Quarantine Overview: Blocked Emails | 177
Configuring the SMTP Email Management Policy on the SRX Series Device | 74
Email Management: Configure IMAP
To access this page, navigate to Configure > Email Management > IMAP.
70
Read the “Email Management Overview” on page 65 topic.
•
Decide how malicious emails are handled. For IMAP, the available options are to block or permit email.
•
Unlike SMTP, there is no quarantine option for IMAP and no method for previewing a blocked email.
1. Select Configure > Email Management > IMAP.
2. Based on your selections, configuration options will vary. See the tables below.
Table 18: Configure Block Malicious Messages
GuidelineSetting
71
Action to take
Permit download of attachments—Allow email attachments, either from
•
all IMAP servers or specific IMAP servers, through to their destination.
NOTE: In Permit mode, black and white lists are not checked. Emails
from blacklisted addresses are not sent to the cloud for scanning. They
are allowed through to the client.
Block download of attachments—Block email attachments, either from
•
all IMAP servers or specific IMAP servers, from reaching their destination.
NOTE: In Block mode, black and white lists are checked. Emails from
blacklisted addresses are blocked. Emails from whitelisted addresses
are allowed through to the client.
Recipients can send a request to an administrator to release the email.
Enter the email address to which recipients should send a release request.
NOTE: If a blocked email has multiple recipients, any individual recipient
can request to release the email and all recipients will receive it.
When you select to block email attachments, in place of the original email,
intended recipients receive a custom email you configure with information
on the block action. Both the original email and the attachment are stored
in the cloud in an encrypted format.
IMAP Server
IMAP Servers
Email Notifications for End Users
All IMAP Servers—The permitting or blocking of email attachments
•
applies to all IMAP servers.
Specific IMAP Server—The permitting or blocking of email attachments
•
applies only to IMAP servers with hostnames that you add to a list. A
configuration section to add the IMAP server name appears when you
select this option.
When you add IMAP servers to the list, it is sent to the SRX Series device
to filter emails sent to Juniper Sky ATP for scanning. For emails that are
sent for scanning, if the returned score is above the set policy threshold
on the SRX, then the email is blocked.
Select the Specific IMAP Server option above and click the + sign to add
IMAP server hostnames to the list.
NOTE: You must use the IMAP server hostname and not the IP address.
Table 18: Configure Block Malicious Messages (continued)
GuidelineSetting
72
Learn More Link URL
Subject
Custom Message
Custom Link Text
Buttons
If you have a corporate web site with further information for users, enter
that URL here. If you leave this field blank, this option will not appear to
the end user.
When an email is blocked, the recipient receives a custom message
informing them of their blocked email. For this custom message, enter a
subject indicating a suspicious email sent to them has been blocked, such
as "Malware Detected."
Enter information to help email recipients understand what they should
do next.
Enter custom text for the Juniper Sky ATP quarantine portal link where
recipients can preview blocked emails and take action on them.
•
•
•
Administrators Who Receive Notifications
Click Preview to view the custom message that will be sent to a recipient
when an email is blocked. Then click Save.
Click Reset to clear all fields without saving.
Click Save if you are satisfied with the configuration.
To send notifications to administrators when emails are blocked or released from quarantine:
1. Click the + sign to add an administrator.
2. Enter the administrator's email address and click OK.
3. Once the administrator is created, you can uncheck or check which notification types the administrator
will receive.
Block Notifications—When this check box is selected, a notification is sent when an email is blocked.
•
Unblock Notifications—When this check box is selected, a notification is sent when a user releases
•
a blocked email.
RELATED DOCUMENTATION
IMAP Block Overview | 179
Email Management Overview | 65
Configuring the IMAP Email Management Policy on the SRX Series Device | 80
73
CHAPTER 7
Email Scanning: SRX Series Device
IN THIS CHAPTER
Configuring the SMTP Email Management Policy on the SRX Series Device | 74
Configuring the IMAP Email Management Policy on the SRX Series Device | 80
Configuring Reverse Proxy on the SRX Series Device | 88
Configuring the SMTP Email Management Policy on the SRX Series Device
74
Unlike file scanning policies where you define an action permit or action block statement, with SMTP email
management the action to take is defined in the Configure > Email Management > SMTP window. All
other actions are defined with CLI commands as before.
Shown below is an example policy with email attachments addressed in profile profile2.
user@host# show services advanced-anti-malware
...
policy policy1 {
http {
inspection-profile default_profile; # Global profile
action permit;
}
smtp {
inspection-profile profile2; # Profile2 applies to SMTP email
notification {
log;
}
}
verdict-threshold 8; # Globally, a score of 8 and above indicate possible
malware
fallback-options {
action permit;
notification {
log;
}
}
default-notification {
log;
}
whitelist-notification {
log;
}
blacklist-notification {
log;
}
fallback-options {
action permit; # default is permit and no log.
notification log;
}
}
...
75
In the above example, the email profile (profile2) looks like this:
user@host> show services advanced-anti-malware profile
Advanced anti-malware inspection profile:
Profile Name: profile2
version: 1443769434
disabled_file_types:
{
application/x-pdfa: [pdfa],
application/pdf: [pdfa],
application/mbox: []
},
disabled_categories: [java, script, documents, code],
category_thresholds: [
{
category: executable,
min_size: 512,
max_size: 1048576
},
{
category: library,
min_size: 4096,
max_size: 1048576
}]
The firewall policy is similar to before. The AAMW policy is place in trust to untrust zone. .See the example
below.
user@host# show security policies from-zone trust to-zone untrust {
policy p1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
application-services {
advanced-anti-malware-policy policy1;
ssl-proxy {
profile-name ssl-proxy1;
}
}
}
}
}
}
76
Shown below is another example, using the show services advanced-anti-malware policy CLI command.
In this example, emails are quarantined if their attachments are found to contain malware. A verdict score
of 8 and above indicates malware.
user@root> show services advanced-anti-malware policy policy1
Advanced-anti-malware configuration:
Policy Name: policy1
Default-notification : No Log
Whitelist-notification: Log
Blacklist-notification: Log
Fallback options:
Action: permit
Notification: Log
Inspection-profile: profile2
Applications: HTTP
Verdict-threshold: 8
Action: block
Notification: Log
Protocol: SMTP
Verdict-threshold: 8
Action: User-Defined-in-Cloud (quarantine)
Notification: Log
Inspection-profile: profile2
Optionally you can configure forward and reverse proxy for server and client protection, respectively. For
example, if you are using SMTPS, you may want to configure reverse proxy. For more information on
configuring reverse proxy, see “Configuring Reverse Proxy on the SRX Series Device” on page 88.
# show services ssl
initiation { # for cloud connection
profile srx_to_sky_tls_profile_name {
trusted-ca sky-secintel-ca;
client-certificate sky-srx-cert;
}
}
proxy {
profile ssl-client-protection { # for forward proxy
root-ca ssl-inspect-ca;
actions {
ignore-server-auth-failure;
log {
all;
}
}
}
profile ssl-server-protection { # for reverse proxy
server-certificate ssl-server-protection;
actions {
log {
all;
}
}
}
}
77
Use the show services advanced-anti-malware statistics CLI command to view statistical information
about email management.
user@host> show services advanced-anti-malware statistics
Advanced-anti-malware session statistics:
Session interested: 3291750
Session ignored: 52173
Session hit blacklist: 0
Session hit whitelist: 0
Total HTTP HTTPS SMTP SMTPS
Session active: 52318 0 0 52318 0
Session blocked: 0 0 0 0 0
Session permitted: 1354706 0 0 1354706 0
Advanced-anti-malware file statistics:
Total HTTP HTTPS SMTP SMTPS
File submission success: 83134 0 0 83134 0
File submission failure: 9679 0 0 9679 0
File submission not needed: 86104 0 0 86104 0
File verdict meets threshold: 65732 0 0 65732 0
File verdict under threshold: 16223 0 0 16223 0
File fallback blocked: 0 0 0 0 0
File fallback permitted: 4512 0 0 4512 0
File hit submission limit: 0 0 0 0 0
78
Advanced-anti-malware email statistics:
Total SMTP SMTPS
Email processed: 345794 345794 0
Email permitted: 42722 42722 0
Email tag-and-delivered: 0 0 0
Email quarantined: 9830 9830 0
Email fallback blocked: 0 0 0
Email fallback permitted: 29580 29580 0
Email hit whitelist: 0 0 0
Email hit blacklist: 0 0 0
As before, use the clear services advanced-anti-malware statistics CLI command to clear the above
statistics when you are troubleshooting.
For debugging purposes, you can also set SMTP trace options.
user@host# set services advanced-anti-malware traceoptions flag smtp
Before configuring the SMTP threat prevention policy, make sure you have done the following:
Define the action to take (quarantine or deliver malicious messages) and the end-user email notification
•
in the Configure > Email Management > SMTP window.
(Optional) Create a profile in the Configure > Device Profiles window to indicate which email attachment
•
types to scan. Or, you can use the default profile.
The following steps show the minimum configuration. To configure the threat prevention policy for SMTP
using the CLI:
1. Create the Juniper Sky ATP policy.
In this example, the policy name is smtppolicy1.
•
user@host# set services advanced-anti-malware policy smtppolicy1
Associate the policy with the SMTP profile. In this example, it is the default_profile profile.
•
user@host# set services advanced-anti-malware policy smtppolicy1
inspection-profile default_profile
79
Configure your global threshold. If a verdict comes back equal to or higher than this threshold, then
•
it is considered to be malware. In this example, the global threshold is set to 7.
user@host# set services advanced-anti-malware policy smtppolicy1
verdict-threshold 7
Apply the SMTP protocol and turn on notification.
•
user@host# set services advanced-anti-malware policy smtppolicy1 smtp
notification log
If the attachment has a verdict less than 7, create log entries.
•
set services advanced-anti-malware policy smtppolicy1 default-notification log
When there is an error condition, send the email to the recipient and create a log entry.
•
set services advanced-anti-malware policy smtppolicy1 fallback-options action
permit
set services advanced-anti-malware policy smtppolicy1 fallback-options
notification log
2. Configure the firewall policy to enable the advanced anti-malware application service.
[edit security zones]
user@host# set security policies from-zone untrust to-zone trust policy 1 then
permit application-services advanced-anti-malware smtppolicy1
3. In this example, we will configure the reverse proxy.
For reverse proxy:
Load the CA certificate.
•
Load the server certificates and their keys into the SRX Series device certificate repository.
•
user@host> request security pki local-certificate load filename /cf0/cert1.pem
key /cf0/key1.pem certificate-id server1_cert_id
80
Attach the server certificate identifier to the SSL proxy profile.
•
user@host# set services ssl proxy profile server-protection-profile
server-certificate server1_cert_id
Configuring the IMAP Email Management Policy on the SRX Series Device
Unlike file scanning policies where you define an action permit or action block statement, with IMAP email
management the action to take is defined in the Configure > Email Management > IMAP window. All other
actions are defined with CLI commands as before.
NOTE: In the IMAP window on Juniper Sky ATP, you can select all IMAP servers or specific
IMAP servers and list them. Therefore the IMAP configuration sent to the SRX Series device has
a flag called “process_all_traffic” which defaults to True, and a list of IMAP servers, which may
be empty. In the case where “process_all_traffic” is set to True, but there are servers listed in
the IMAP server list, then all servers are processed regardless of the server list. If
“process_all_traffic” is not set to True, only the IMAP servers in the server list are processed.
Shown below is an example policy with email attachments addressed in profile profile2.
user@host# show services advanced-anti-malware
...
policy policy1 {
http {
inspection-profile default_profile; # Global profile
action permit;
}
imap {
inspection-profile profile2; # Profile2 applies to IMAP email
notification {
log;
}
}
verdict-threshold 8; # Globally, a score of 8 and above indicate possible
malware
fallback-options {
action permit;
notification {
log;
}
}
default-notification {
log;
}
whitelist-notification {
log;
}
blacklist-notification {
log;
}
fallback-options {
action permit; # default is permit and no log.
notification log;
}
}
...
81
In the above example, the email profile (profile2) looks like this:
user@host> show services advanced-anti-malware profile
Advanced anti-malware inspection profile:
Profile Name: profile2
version: 1443769434
disabled_file_types:
{
application/x-pdfa: [pdfa],
application/pdf: [pdfa],
application/mbox: []
},
disabled_categories: [java, script, documents, code],
category_thresholds: [
{
category: executable,
min_size: 512,
max_size: 1048576
},
{
category: library,
min_size: 4096,
max_size: 1048576
}]
82
The firewall policy is similar to before. The AAMW policy is place in trust to untrust zone. See the example
below.
user@host# show security policies from-zone trust to-zone untrust {
policy p1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
application-services {
advanced-anti-malware-policy policy1;
ssl-proxy {
profile-name ssl-proxy1;
}
}
}
}
}
}
Shown below is another example, using the show services advanced-anti-malware policy CLI command.
In this example, emails are quarantined if their attachments are found to contain malware. A verdict score
of 8 and above indicates malware.
user@root> show services advanced-anti-malware policy
Advanced-anti-malware configuration:
Policy Name: policy1
Default-notification : Log
Whitelist-notification: No Log
Blacklist-notification: No Log
Fallback options:
Action: permit
Notification: Log
Protocol: HTTP
Verdict-threshold: recommended (7)
Action: block
Notification: No Log
Inspection-profile: default
Protocol: SMTP
Verdict-threshold: recommended (7)
Action: User-Defined-in-Cloud (permit)
Notification: Log
Inspection-profile: default
Protocol: IMAP
Verdict-threshold: recommended (7)
Action: User-Defined-in-Cloud (permit)
Notification: Log
Inspection-profile: test
83
Optionally you can configure forward and reverse proxy for server and client protection, respectively. For
example, if you are using IMAPS, you may want to configure reverse proxy. For more information on
configuring reverse proxy, see “Configuring Reverse Proxy on the SRX Series Device” on page 88.
# show services ssl
initiation { # for cloud connection
profile srx_to_sky_tls_profile_name {
trusted-ca sky-secintel-ca;
client-certificate sky-srx-cert;
}
}
proxy {
profile ssl-client-protection { # for forward proxy
root-ca ssl-inspect-ca;
actions {
ignore-server-auth-failure;
log {
all;
}
}
}
profile ssl-server-protection { # for reverse proxy
server-certificate ssl-server-protection;
actions {
log {
all;
}
}
}
}
84
Use the show services advanced-anti-malware statistics CLI command to view statistical information
about email management.
user@host> show services advanced-anti-malware statistics
Advanced-anti-malware session statistics:
Session interested: 3291750
Session ignored: 52173
Session hit blacklist: 0
Session hit whitelist: 0
Total HTTP HTTPS SMTP SMTPS IMAP
IMAPS
Session active: 52318 0 0 52318 0 0
0
Session blocked: 0 0 0 0 0 0
0
Session permitted: 1354706 0 0 1354706 0 0
0
Advanced-anti-malware file statistics:
Total HTTP HTTPS SMTP SMTPS
IMAP IMAPS
File submission success: 83134 0 0 83134 0
0 0
File submission failure: 9679 0 0 9679 0
0 0
File submission not needed: 86104 0 0 86104 0
0 0
File verdict meets threshold: 65732 0 0 65732 0
0 0
File verdict under threshold: 16223 0 0 16223 0
0 0
File fallback blocked: 0 0 0 0 0
0 0
File fallback permitted: 4512 0 0 4512 0
0 0
File hit submission limit: 0 0 0 0 0
0 0
Advanced-anti-malware email statistics:
Total SMTP SMTPS IMAP IMAPS
Email processed: 345794 345794 0 0 0
Email permitted: 42722 42722 0 0 0
Email tag-and-delivered: 0 0 0 0 0
Email quarantined: 9830 9830 0 0 0
Email fallback blocked: 0 0 0 0 0
Email fallback permitted: 29580 29580 0 0 0
Email hit whitelist: 0 0 0 0 0
Email hit blacklist: 0 0 0 0 0
85
As before, use the clear services advanced-anti-malware statistics CLI command to clear the above
statistics when you are troubleshooting.
For debugging purposes, you can also set IMAP trace options.
user@host# set services advanced-anti-malware traceoptions flag imap
Before configuring the IMAP threat prevention policy, make sure you have done the following:
Define the action to take (block or deliver malicious messages) and the end-user email notification in
•
the Configure > Email Management > IMAP window.
(Optional) Create a profile in the Configure > Device Profiles window to indicate which email attachment
•
types to scan. Or, you can use the default profile.
The following steps show the minimum configuration. To configure the threat prevention policy for IMAP
using the CLI:
1. Create the Juniper Sky ATP policy.
In this example, the policy name is imappolicy1.
•
user@host# set services advanced-anti-malware policy imappolicy1
Associate the policy with the IMAP profile. In this example, it is the default_profile profile.
•
user@host# set services advanced-anti-malware policy imappolicy1
inspection-profile default_profile
Configure your global threshold. If a verdict comes back equal to or higher than this threshold, then
•
it is considered to be malware. In this example, the global threshold is set to 7.
user@host# set services advanced-anti-malware policy imappolicy1
verdict-threshold 7
86
Apply the IMAP protocol and turn on notification.
•
user@host# set services advanced-anti-malware policy imappolicy1 imap
notification log
If the attachment has a verdict less than 7, create log entries.
•
set services advanced-anti-malware policy imappolicy1 default-notification log
When there is an error condition, send the email to the recipient and create a log entry.
•
set services advanced-anti-malware policy imappolicy1 fallback-options action
permit
set services advanced-anti-malware policy imappolicy1 fallback-options
notification log
2. Configure the firewall policy to enable the advanced anti-malware application service.
[edit security zones]
user@host# set security policies from-zone untrust to-zone trust policy 1 then
permit application-services advanced-anti-malware imappolicy1
Loading...