Configure Juniper Advanced Threat Prevention Cloud Policy
This configuration shows how to create a Juniper ATP Cloud policy using the CLI. It assumes you understand configuring security zones and security policies. See Example: Creating Security Zones.
Requirements
This configuration uses the following hardware and software components:
An SRX1500 device with traffic through packet forwarding.
Junos OS Release 15.1X49-D80 or later.
Note: Starting in Junos OS Release 15.1X49-D80, the match-then condition has been deprecated from the Juniper ATP Cloud policy configuration. This configuration includes those updates.
Note: Junos OS Release 18.2R1 or later adds explicit web proxy support for anti-malware and security-intelligence policies using the following statements:
set services advanced-anti-malware connection proxy-profile proxy_name
set services security-intelligence proxy-profile proxy_name
First use the set services command to configure the web proxy profile, including the proxy host IP address and port number. See Explicit Web Proxy for Juniper ATP Cloud for details.
Overview
The following configuration creates a Juniper ATP Cloud policy that has the following properties:
Policy name is aamwpolicy1.
Profile name is default_profile.
Block any file if its returned verdict is greater than or equal to 7 and create a log entry.
Do not create a log entry if a file has a verdict less than 7.
When there is an error condition, allow files to be downloaded and create a log entry.
Create a log entry when attempting to download a file from a site listed in the blocklist or allowlist files.
Configuration
The following configuration requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
Starting in Junos OS Release 15.1X49-D80, the match-then condition has been deprecated from the Juniper ATP Cloud policy configuration. Configurations made prior to 15.1X49-D80 will continue to work, but it is recommended you do not use these statements going forward.
Create the Juniper ATP Cloud policy.
Set the policy name to aamwpolicy1 and block any file if its returned verdict is greater than or equal to 7.
set services advanced-anti-malware policy aamwpolicy1 verdict-threshold 7
Associate the policy with the default_profile profile.
set services advanced-anti-malware policy aamwpolicy1 http inspection-profile default_profile
Block any file if its returned verdict is greater than or equal to 7 and create a log entry.
set services advanced-anti-malware policy aamwpolicy1 http action block notification log
When there is an error condition, allow files to be downloaded and create a log entry.
set services advanced-anti-malware policy aamwpolicy1 fallback-options action permit
set services advanced-anti-malware policy aamwpolicy1 fallback-options notification log
Create a log entry when attempting to download a file from a site listed in the blocklist or allowlist files.
set services advanced-anti-malware policy aamwpolicy1 blacklist-notification log
set services advanced-anti-malware policy aamwpolicy1 whitelist-notification log
For SMTP, you only need to specify the inspection profile name. The action to take is user-defined in the Juniper ATP Cloud portal rather than in the CLI.
set services advanced-anti-malware policy aamwpolicy1 smtp inspection-profile my_smtp_profile
Configure the firewall policy to enable the advanced anti-malware application service.
set security policies from-zone trust to-zone untrust policy firewall-policy1 match source-address any
set security policies from-zone trust to-zone untrust policy firewall-policy1 match destination-address any
set security policies from-zone trust to-zone untrust policy firewall-policy1 match application any
set security policies from-zone trust to-zone untrust policy firewall-policy1 then permit application-services advanced-anti-malware aamwpolicy1
Configure the SSL proxy profile to inspect HTTPS traffic.
set services ssl proxy profile ssl-inspect-profile root-ca ssl-inspect-ca
Configure the SSL forward proxy to inspect HTTPS traffic.
Note that this command assumes you have already configured ssl-inspect-ca, the root CA used by the SSL forward proxy. If you have not already done so, an error occurs when you commit this configuration. See Enable Juniper ATP Cloud for Encrypted HTTPS Connections for more information on configuring ssl-inspect-ca.
set security policies from-zone trust to-zone untrust policy firewall-policy1 then permit application-services ssl-proxy profile-name ssl-inspect-profile
Review your policy. It should look similar to this.
show services advanced-anti-malware policy
Advanced-anti-malware configuration:
Policy Name: aamwpolicy1
  Default-notification : No Log
  Whitelist-notification: Log
  Blacklist-notification: Log
  Fallback options:
    Action: permit
    Notification: Log
  Protocol: HTTP
    Verdict-threshold: 7
    Action: block
    Notification: Log
    Inspection-profile: default_profile
  Protocol: SMTP
    Verdict-threshold: 7
    Action: User-Defined-in-Cloud (permit)
    Notification: No Log
    Inspection-profile: my_smtp_profile
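The review step above is easy to eyeball once, but a policy that is edited later can silently drift from the intent stated in the Overview (threshold 7, block and log on HTTP, permit and log on fallback, log blocklist and allowlist hits). The following Python script is an added example and is not Juniper code or part of the Junos CLI: it parses the text of show services advanced-anti-malware policy, as printed above (the sample below is that listing transcribed as a constructed string; its indentation is an assumption), and reports every deviation from the intended properties so the check can run in an automated compliance job.

```python
"""Check a Junos `show services advanced-anti-malware policy` listing against
the intended properties of the aamwpolicy1 policy. Added example; the listing
format is taken from the review step above, with assumed indentation."""

# Constructed sample: the review output from the page, as captured text.
SAMPLE_OUTPUT = """\
Advanced-anti-malware configuration:
Policy Name: aamwpolicy1
  Default-notification : No Log
  Whitelist-notification: Log
  Blacklist-notification: Log
  Fallback options:
    Action: permit
    Notification: Log
  Protocol: HTTP
    Verdict-threshold: 7
    Action: block
    Notification: Log
    Inspection-profile: default_profile
  Protocol: SMTP
    Verdict-threshold: 7
    Action: User-Defined-in-Cloud (permit)
    Notification: No Log
    Inspection-profile: my_smtp_profile
"""


def parse_aamw_policy(text):
    """Parse the listing into a dict keyed by policy name.

    Each policy maps to {"fallback": {...}, "protocols": {"HTTP": {...}, ...}}
    plus the top-level notification settings as plain key/value pairs.
    """
    policies = {}
    current = None
    section = None  # None (policy level), "fallback", or a protocol name
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith("configuration:"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Policy Name":
            current = policies.setdefault(value, {"fallback": {}, "protocols": {}})
            section = None
        elif current is None:
            continue  # lines before the first policy header
        elif key == "Fallback options":
            section = "fallback"
        elif key == "Protocol":
            section = value
            current["protocols"][value] = {}
        elif section == "fallback":
            current["fallback"][key] = value
        elif section is not None:
            current["protocols"][section][key] = value
        else:
            current[key] = value
    return policies


def check_policy(policies, name, threshold=7):
    """Return a list of deviations from the intended policy; empty means OK."""
    problems = []
    pol = policies.get(name)
    if pol is None:
        return [f"policy {name} not present"]
    http = pol["protocols"].get("HTTP", {})
    if http.get("Verdict-threshold") != str(threshold):
        problems.append(f"HTTP verdict-threshold is {http.get('Verdict-threshold')}, expected {threshold}")
    if http.get("Action") != "block":
        problems.append("HTTP action is not block")
    if http.get("Notification") != "Log":
        problems.append("HTTP block is not logged")
    # Files below the threshold should pass without a log entry.
    if pol.get("Default-notification") != "No Log":
        problems.append("default notification is not No Log")
    fb = pol["fallback"]
    if fb.get("Action") != "permit" or fb.get("Notification") != "Log":
        problems.append("fallback must permit and log")
    for key in ("Whitelist-notification", "Blacklist-notification"):
        if pol.get(key) != "Log":
            problems.append(f"{key} is not Log")
    return problems


if __name__ == "__main__":
    # Run against the sample, then against a copy whose fallback was changed.
    print(check_policy(parse_aamw_policy(SAMPLE_OUTPUT), "aamwpolicy1"))
    drifted = SAMPLE_OUTPUT.replace("Action: permit", "Action: block")
    print(check_policy(parse_aamw_policy(drifted), "aamwpolicy1"))
```

In practice you would feed the script the captured output of the show command (for example from a NETCONF or SSH session) instead of the embedded sample; the parser relies only on the key: value layout, not on exact indentation, so minor spacing differences between Junos releases do not break it.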
Verification
First, verify that your SRX Series Firewall is connected to the cloud.
show services advanced-anti-malware status
Next, clear the statistics to make it easier to read your results.
clear services advanced-anti-malware statistics
After some traffic has passed through your SRX Series Firewall, check the statistics to see how many sessions were permitted, blocked, and so forth according to your profile and policy settings.
show services advanced-anti-malware statistics