Getting Started

The Juniper ATP Appliance Web UI supports use of the following screen resolutions:

To launch the configuration wizard, enter the CLI command wizard.

• At the CLI prompt, enter your username and password. By default, the admin user name is admin and the password is 1JATP234.

  Be sure to change the default password for the admin account after initial setup; the password must be at least 8 characters in length.

• Enter yes to use the configuration wizard when prompted, and then respond as shown below.

• After all the questions are answered, the wizard summarizes the answers. To change an answer, enter the step number. To save changes and exit, press <enter>.

• To return to the configuration wizard to make changes to the configuration, use the following CLI command:

• Refer to the Juniper ATP Appliance CLI Command Reference for command syntax and usage.

This section describes how to navigate the appliance Web UI and describes its tabs:

• Navigating the CM Web UI

• Summary of Tabs

To navigate through the appliance Web UI:

• Use the tabs to access the main pages of the Web UI.

• Use links such as the path links under a tab or the left panel links under the Config tab to navigate to other linked pages.

Figure 2: Navigating the Juniper ATP Appliance Central Manager Web UI

• To set an initial view, select a time period from the dropdown for which the Juniper ATP Appliance Dashboard or Incidents tab should display detection results and malware analysis details. All graphs and tabular displays are synchronized by the time period selection control. available time period options include:

  • 24 hours (hourly)

  • 1 week (weekly)

  • 1 month (monthly)

  • 3 months (quarterly)

  • 1 year (yearly)

• Select the results type to display in the Incidents table: show threats | show suspicious | show benign.

• Perform a search of the Incidents table be entering search criteria in the Search field; you may search for SHA1, MD5 sums, Collector names, Threat Name, Threat Source, and so on.

• Click a header at the top of a table column in the Incidents tab, for example, to sort the table by that column. Click again to change the sort order from descending to ascending.

  

• Click a row in the Incidents table to display generalized information about the threat in the left panel Summary table below. Click the subset of tabs under the Summary tab, in turn, to view event details. And expand the row for greater details by clicking the arrow.

• Use the left panel menu options on the Config page to open configuration windows for Notifications, System Settings and Environmental Settings.

• On the configuration pages, enter information in the fields provided.

The Juniper ATP Appliance Central Manager Web UI

The purpose of each Web UI Tab is described as follows:

• Dashboard—Displays appliance status information as well as detected threats and incident trends. Context specific Threat Views on the Operations Dashboard and Research Dashboard prioritize the threats that affect your enterprise the most, according to your configurations. The System Dashboard and Collector Dashboards (Web and Email) provide information about System and Collector health status and trends. The Event Timeline Dashboard displays Advanced Threat Analytics (ATA) data per event for a given vendor and Endpoint IP, Hostname, Username or Email.

• Incidents—Displays levels of detailed information about malicious or suspicious downloads or infections, at various kill chain stages, in your network. See also Navigating the Incidents Page for more information.

• File Uploads—Provides detailed information about all file upload malware analysis results, whether malicious or benign, in one Web UI location. File Upload Handling capabilities from the Central Manager Web UI include uploads from a new File Uploads tab. The enhanced file uploads API accepts additional metadata for third party integrations such as Carbon Black Response to provide seamless integration with incidents. For more information, refer to Submitting a Malware File for Analysis.

• Mitigation—Presents mitigation options for specific detected threats such as Auto-Mitigation, blocking callbacks from the Gateway or IPS/Next Gen Firewall, or deploying the Juniper ATP Appliance Infection Verification Package (IVP) or Carbon Black Response integration to confirm infection on the targeted endpoint. For more information, refer to Configuring Firewall Auto-Mitigation.

• Reports—Allows you to generate or schedule consolidated and detailed executive summary reports, or system Audit Reports. Refer to Generating Reports for more information

• Custom Rules—Displays custom Snort rule matches in the Juniper ATP Appliance Central Manager Web UI Custom Rules Tab; correlated Snort Rule matches are available on the Incidents Tab. Refer to Configuring Custom SNORT Rules for information about adding rules to the system.

• Config—Allows you to configure appliance and software system settings as well as configure analysis, notifications and mitigation settings.

• Refresh—Performs a refresh of the CM browser display. Always perform a refresh following a software or security content update.

• System Health—Displays health indicator checks for Juniper ATP Appliance static and dynamic detonation engines and analysis systems. All indicators should display the green checkmark which indicates that the systems are in good health. If a red indicator displays, then troubleshooting actions are required.

Behavior Engine		Core Detonation Engine
Static Engine		Static Analysis
Correlation		Event Correlation Engine
Web Collectors		Connection status of the enabled Web Collectors
Secondary Cores		Connection status of configured Secondary Cores (Mac OSX)

• Log Out—Performs a log out of the current Central Manager Web UI user.

Three Juniper ATP Appliance advanced threat protection deployment scenarios are described in this section:

• Juniper ATP Appliance Deployment in an Enterprise Headquarters

• Juniper ATP Appliance Defense in a Distributed and/or Clustered Enterprise Environment

• Juniper ATP Appliance Distributed SaaS/OVA or Virtual Deployment

In this scenario (see Figure 5 below), a Core|CM system is installed in an enterprise headquarters with three physical Traffic Collectors deployed for wide traffic coverage and service integration.

• Collector 1 positioned for Data Center coverage

• Collector 2 positioned for Web traffic coverage

• Collector 3 positioned at the firewall for coverage and mitigation/blocking

In this deployment scenario the Traffic Collectors provide network coverage and integrate with existing infrastructure, and the Core|CM provides web and email incident detection while performing risk-aware mitigation and blocking at the firewall.

Figure 3: Juniper ATP Appliance Defense in an Enterprise Headquarters Deployment

A distributed enterprise requires a distributed threat defense scenario (see Figure below). In this scenario, various physical and virtual Collectors are deployed remotely at branch offices for continuous inspection and extended network visibility.

Figure 4: Juniper ATP Appliance Defense in a Distributed Enterprise Environment

Traffic analysis takes place at the distributed Collectors and objects are then delivered to the Core|CM, deployed at enterprise headquarters, where network objects are subjected to multi-OS detonation chamber execution for final threat assessment and mitigation.

Alternatively, the Core|CM in this distributed deployment could also be configured as an OVA VM or SaaS deployment. In addition, a supplemental Juniper ATP Appliance Core could be deployed in a public or private enterprise cloud.

In a distributed SaaS/OVA deployment, Traffic Collectors are deployed in several branch offices at critical monitoring locations with the Core|CM at headquarters and a Collector installed as a VM OVA in the cloud to inspect and analyze all content and trigger mitigation actions at configured enforcement servers, such as a PAN or SRX Firewall, for example.

Figure 5: Juniper ATP Appliance Distributed SaaS/OVA Deployment

A tap is a device that permits unimpeded traffic flow while simultaneously copying all the traffic from a fullduplex link and sending the information to Juniper ATP Appliance Collectors for object analysis. Tap mode uses an external fiber tap (for GBIC ports) or a built-in internal tap (for 10/100/1000 Monitoring ports). In tap mode, the Juniper ATP Appliance Collector monitors the packet information as it traverses the full-duplex network segment. Like SPAN mode, Tap mode is passive.

Use a network tap to send a copy of network traffic from a network segment to the eth1 network monitoring port of the Juniper ATP Appliance Collector. The tap does not interfere with traffic and, if shut down, allows traffic to pass through unhindered.

The Switch Port Analyzer (SPAN) port on a switch is designed for security monitoring. It allows a connected Juniper ATP Appliance to receive a copy of every packet from all incoming and outgoing traffic moving through the switch. This is port forwarding or port mirroring; a passive non-intrusive packet capture method.

Configure a switch with port mirroring capability to forward a copy of incoming and outgoing traffic passing between selected ports to SPAN ports on the switch. Then, connect the SPAN port to the Juniper ATP Appliance (labeled eth1).

The Juniper ATP Appliance can be configured in SPAN mode by configuring a switch with port mirroring capability to forward a copy of incoming and outgoing traffic passing between selected ports to SPAN ports on the switch. Then connect the SPAN ports to the Collector (ports eth1).

Juniper ATP Appliance Traffic Collectors continuously monitor and inspect all network traffic for malware objects; extracting and sending objects to the Core for distribution to the Windows or Mac Detection Engines.

For Windows traffic, Microsoft Exchange Server journaling can be configured to record a copy (a journal) of enterprise email messages, and then periodically send them to a journal mailbox on the Exchange Server.

Exchange Server 2010 can be configured to support envelope journaling only. This means that a copy is made of each email message body and its transport information. The transport information is essentially an envelope that includes the email sender and all recipients.

The Juniper ATP Appliance Email Collector polls the Exchange Server for journal entries and as-scheduled, pulls all the emails in the journal account from the exchange server to the Collector. The Email Collector uses journaling for initial traffic analysis and email attachment monitoring/inspection. All email traffic (and email attachments) are sent from the Email Collector to the Juniper ATP Appliance Core for detonation in the Windows or Mac OS X detection engines.

When email-based malware or malicious email attachments are detected, the journal entry is incorporated into the analysis results by the Juniper ATP Appliance Central Manager and sent out as a notification to the Juniper ATP Appliance administrator, with corresponding mitigation and/or infection verification actions detailed in the Central Manager Web UI.

To setup Email Collector Journaling, follow these procedures:

• Creating a Journaling Mailbox on the Exchange Server in the next section

• Configuring Microsoft Exchange Server 2013 Journaling

• Configuring Exchange-Server Journal Polling from the Web UI

• Configuring Office 365 Journaling

• Configuring Gmail Journaling

• Configuring Gmail Threat Mitigation

1. Launch Microsoft Exchange Management Console.

2. Expand Recipient Configuration node and click on Mailbox node.Select New Mailbox… from the Actions pane.

3. Select New Mailbox… from the Actions pane.

4. Select User Mailbox option and click Next.

5. Select New user option and click Next.

6. New user mailbox details

7. Enter the ‘User information’ details for the Collector to which the new journaling mailbox will be assigned and click Next.

8. Enter an ‘Alias’ for the journaling mailbox and click Next.

9. Click Next again and review the new mailbox summary for the new mailbox to create, then click New.

10. Now that the journaling mailbox is created, configure standard journaling by configuring a Mailbox Database.

• In the Microsoft Exchange Management Console>Server Configuration, click on Mailbox database.

• In the Toolbox Actions of Selected Mailbox Database, click on Properties.

• In the Mailbox Database Properties page, go to the General tab and select the Journal Recipient checkbox, BUT, before selecting the checkbox, first click on Browse and choose which mailbox will get all messages from the mailbox database. After checking Journal Recipient, click OK to finish.

1. Login to the MS Exchange Server Admin Center at: https://exchnageserverip/ecp/

2. Select the Send Connectors tab.

   Figure 6: Exchange Admin Center

3. Navigate to mail flow>>send connectors and enter Send Connector settings:

   Figure 7: Send Connector Settings

4. Save the connector settings.

5. Navigate to Compliance Management>>Journal Rules to configure Journal rules.

6. Provide the mailboxname and ip address in the “Send Journal Reports To” field .

   Note:

   This should match the mailbox name configured at the Juniper ATP Appliance Email Collector Config>System Profiles>Email Collector Web UI page.

   Figure 8: Setting Journal Rules

Refer to Configuring Email Collectors for information about configuring Email Collectors.

1. From the Juniper ATP Appliance Central Manager Config>EmailNavigate to compliance management>>Journal rules Collector page, click the Add New Email Collector button, or click Edit for an existing Collector listed in the Current Email Collectors table.

2. Enter and select the email journaling settings in the displayed configuration fields: Email Server [IP], Protocol, SSL, Mailbox Name, Password, Poll Interval (in minutes), Keep Mail on Server, and Enabled. [See following figure].

To set up Office 365 Journaling for Juniper ATP Appliance email mitigation:

1. Log in to the Microsoft Office 365 Admin Center.

2. From the Office 365 Admin Center, select Admin Centers > Exchange.

   Figure 9: Navigating to the Microsoft Office 365 Admin Center
   Figure 10: Microsoft Office 365 Admin Center

3. Select Compliance Management > Journal Rules.

   • Click on the + sign to add a new Journal Rule.

   • Complete the new journal rule form fields.

Use the following procedure to configure email journaling for Gmail:

1. Navigate to the Google Admin Home site at https://admin.google.com/AdminHome.

2. From the Google Admin Console Dashboard, navigate to Apps->G Suite->Gmail->Advanced Settings.

   Note:

   To view Advanced Settings, scroll to the bottom of the Gmail page.

3. Navigate to the Compliance Section and click Add Another Compliance Rule to setup deliver to the Juniper ATP Appliance MTA.

   Figure 11: Google Gmail Admin Home Journaling Settings

4. Select the options as displayed in the sample screenshot below (Setting 1 and 2):

   Figure 12: Journaling Criteria required by Juniper ATP Appliance MTA

5. Be sure to add the Recipient information (this is the Juniper ATP Appliance MT); for example: JATP_mta@FQDN or JATP_mta@ip.

   Figure 13: Setting the Juniper ATP Appliance MTA as the Gmail Recipient: JATP_mta@FQDN

For enterprise environments using a Google Apps domain, an administrator of the Google Apps domain can authorize an application to access user data on behalf of users in the Google Apps domain. Authorizing a service account to access data on behalf of users in a domain is sometimes referred to as "delegating domain-wide authority" to a service account.

To delegate domain-wide authority to a Gmail APIs Service Account, first enable domain-wide delegation for an existing service account from the Google APIs Service Accounts page, or create a new service account with domain-wide delegation enabled.

To create a new Gmail Service Account:

1. Navigate to the Google APIs Service Accounts page.

2. Select an existing Project or Create A New Project from under the Project drop-down menu at the top left corner.

   Figure 14: Navigate to the Google APIs Service Account page
   Figure 15: Creating a New Google APIs Service Account

3. Next, navigate to your Google Apps domain’s Admin console.

4. Select Security from the list of controls. If Security is not listed, select More controls from the gray bar at the bottom of the page, then select Security from that list of controls. If no controls are available, then be sure you are signed in as an administrator for the domain.

5. Select Show More, then Advanced Settings from the list of options.

6. Select Manage API Client Access in the Authentication section.

7. In the Client Name field, enter the Service Account's Client ID. You can find your Service Account's client ID in the Service Accounts page.

8. In the One or More API Scopes field, enter the list of scopes to which your application should be granted access. For example, if your application requires domain-wide access to the GMAIL API, enter: https:// mail.google.com/.

   Figure 16: Accessing the Google APIs Dashboard
   

9. Click Authorize.

   Note:

   Be sure to Enable GMAIL APIs by navigating to the Admin Console and clicking “ENABLE API” at the Dashboard under API Manager for the relevant project. Select GMAIL API and click Enable.

This section describes the Dashboard components for Dashboard tabs — the Operations, Research, System and Collectors Dashboard tabs, and describes how to interact with the various views and adjustable statistics and displays.

Table 6: Juniper ATP Appliance Dashboard Graphical Components

Operations Filter	Filter threat view results by selecting one of the available filters from the drop down menu: All | New Only | Ack’d & In Progress | Complete	Make a selection from the dropdown menu.
Time Period (Operations Dashboard, Research Dashboard, System Dashboard Collectors Dashboard, Events Timeline)	All Dashboard graphs are synchronized by the time period you select from the dropdown menu at the top of the table. Time period options include: Last 24 Hours Last Week Last Month Last 3 Months Last Year	Make a selection from the dropdown menu.
Reset Charts (both Malware Dashboard & System Dashboard)	Resets all the graphs on the Dashboard to their original state for the time period selected.	Mouse click
Infected Hosts (Operations Dashboard)	This bubble chart is the heart of the Threat View and depicts all infected hosts for the given time period. One bubble represents one infected host. The x axis of the chart represents the time period. The y axis represents the determined severity of the infection. The color of the bubble represents the tiered severity of the malware found on the host along the following spectrum: High (Red), Medium (Orange), Low (Yellow) The size of the bubble represents the total number of malware found on the host.	Mouse-Hover Over a Bubble “Host” Shows infected host’s IP address and name, and the total number of malware found on that host in the format: “ip/name (x threats)” Mouse-Click Over a Bubble “Host” The bubble becomes highlighted and the Host Details data is displayed, including data for malware Target, Kill Chain, Incident Summary and Triggers. Also, the Malware Trend chart adjusts to show when the selected host was compromised. And, Top Compromised Endpoints Malware data is displayed. Double click a bubble to open the Incidents tab for further details and mitigation options.
Host Details (Operations Dashboard)	When an individual bubble is selected in the Threat View bubble graph, the Host Details data is displayed for that host, including data for malware Target, Kill Chain Stage Progression, Incident Summary and Triggers. The Kill Chain Progression contains more interactive data.	Mouse click: Click the highlighted blue result in the Kill Chain Stage Progression to display more information: When a Kill Chain Progression bubble is clicked, the Incidents page is opened displaying the data for the specific Exploit(s), Download(s), Execution(s), Infection(s) and/or Phishing.
Malware Trend (Operations Dashboard)	Shows the malware trend for any give malware with given time frame.	Select a bubble in the Threat View bubble graph to adjust Trend Malware timeline.
Total Malware Found (Research Dashboard)	A pie chart that shows malware severity percentages in High (Red), Medium (Orange) and Low (Yellow)	No interactivity
Top Malware Countries (Research Dashboard)	A geographical graph that displays the incidence of currently-detected malware across the globe.	Opens Incidents Details page
Top Compromised Endpoints (Operations Dashboard)	Displays Status, Risk, Host and Threat per compromised endpoint represented..	No interactivity
Top Malware (Research Dashboard)	Lists the top set of malware incidents by malware name for the selected time period. The x axis represents the number of infections; the y axis is the malware name.	Mouse Click: Highlight a malware name in the Top Malware graph to see the Threat Progression display for that malware per endpoint host. The Threat Progression includes: Infections Downloads
Threat Progression (Research Dashboard)	Displays an interactive map of Infections and Downloads per malware selection. downloads to consecutive hosts across the enterprise is shown in the example below.	Mouse Clicks: Click Infections to display infected endpoint progressions. Click Downloads to display endpoints (indicated by IP address) from which downloads of the selected malware occurred. Click an endpoint IP address to display Host Details for that endpoint. The circle bullet for the selected endpoint turns orange when clicked.
Threat Details (Research Dashboard)	Displays generalized threat details for the currently selected malware. But, when an endpoint is selected from the Threat Progression map, the displays adjusts to provide Host Details.	Mouse click: Click an endpoint IP address to display Host Details for that endpoint. The circle bullet for the selected endpoint turns orange when clicked.
Traffic (System Dashboard)	Displays the total network traffic relative to the Analyzed Protocol Traffic processed in Kbps within the selected time period. The x axis represents the time period in months; the y axis indicates Kbps.	Mouse Hover: Perform a mouse hover over any part of the chart; the mouse pointer will turn into a crosshair: drag the mouse inside the chart to change the interval (x axis) for each of the three components.
Core Utilization (%) (System Dashboard)		Mouse Hover: Perform a mouse hover over any part of the chart; the mouse pointer will turn into a crosshair: drag the mouse inside the chart to change the interval (x axis) for each of the three components.
Average Analysis Time (Minutes) (System Dashboard)		Mouse Hover: Perform a mouse hover over any part of the chart; the mouse pointer will turn into a crosshair: drag the mouse inside the chart to change the interval (x axis) for each of the three components.
Objects Processed (System Dashboard)	Displays the network objects processed within the selected time period. The x axis represents the time period in months; the y axis indicates number of objects.	Mouse Hover: Perform a mouse hover over any part of the chart; the mouse pointer will turn into a crosshair: drag the mouse inside the chart to change the interval (x axis) for each of the three components.
Malware Objects (System Dashboard)	Displays the malware objects processed within the selected time period. The x axis represents the time period in months; the y axis indicates number of objects.	Mouse Hover: Perform a mouse hover over any part of the chart; the mouse pointer will turn into a crosshair: drag the mouse inside the chart to change the interval (x axis) for each of the three components.
Trend (Collectors Dashboard)	Displays stats for Collector(s) activity and trends. Display options are selected from the Trend dropdown menu and include Total Traffic, CPU Usage, Memory Usage, Found Objects and Malware Objects	Select the Collectors to track from the Summary table below the plot. Values are updated every 10 minutes for each Collector. Click the Plot column(s) checkbox to plot the graphical information for selected Collectors.
Vendor (Events Timeline Dashboard)	Select a Vendor from your security infrastructure and view all correlated events for a specified Endpoint IP, Hostname, Username or Email:

Reset the Dashboard to its original all-hosts, all-threats state by clicking Reset Charts.

• Click the File Uploads tab, and in the “Submit file for analysis” window, select the file to upload for analysis and click the Submit file button.

  Note:

  The maximum file size that you can upload for analysis is 32MB.

  Figure 20: Submitting a File for Malware Analysis from the Incidents Tab

Upon file submission, a SHA1 is displayed.

The Upload File feature calls the “file_submit” API and then, following analysis, displays the results returned from the API in Central Manager Web UI File Uploads tab. The results are also displayed in the Incidents page table with the Kill Chain Progression designation: UP along with the incident sha1sum and filename.

Regardless of whether a file is submitted to the Core for malware analysis from the HTTP API or via the Central Manager File Uploads page, the analysis results are always displayed on the File Uploads page.

Two types of vCollector deployments are supported for a network switch SPAN/TAP:

1. Traffic that is spanned to a vCollector from a physical switch. In this case, traffic is spanned from portA to portB. ESXi containing the Juniper ATP Appliance vCollector OVA is connected to portB. This deployment scenario is shown in the figure above.

2. Traffic from a virtual machine that is on the same vSwitch as the vCollector. In this deployment scenario, because the vSwitch containing the vCollector is in promiscuous mode, by default all port-groups created will also be in promiscuous mode. Therefore, 2 port groups are recommended wherein port-groupA (vCollector) in promiscuous mode is associated with the vCollector, and port-groupB (vTraffic) represents traffic that is not in promiscuous mode.

   Note:

   Traffic from a virtual machine that is not on the same vSwitch as the vCollector is not supported. Also, a dedicated NIC adapter is required for the vCollector deployment; attach the NIC to a virtual switch in promiscuous mode (to collect all traffic). If a vSwitch is in promiscuous mode, by default all port-groups are put in promiscuous mode and that means other regular VMs are also receiving unnecessary traffic. A workaround for that is to create a different port-group for the other VMs and configure without promiscuous mode.

   Tip:

   There are two available options to deploying a Virtual Collector (regular as well as small form factor Collector): (1) Use the OVA installation method using vCenter; (2) Use OVF + VMDK without vCenter by directly installing on ESXi. There is no wizard available for deploying the vCollector using the second method; configure the collector from the CLI. For the virtual Core installations, only the OVA/ vCenter method is available.

The following table details resource and hardware provisioning required for an OVA vCollector deployment.

The sizing options available for a vCollector deployment are provided below.

After installing the OVA vCollector, follow instruction in the Quick Start Guide for configuring the Web or Email vCollector using the Juniper ATP Appliance CLI and configuration wizard.

1. Download the Juniper ATP Appliance OVA file from the location specified by your Juniper support representative to a desktop system that can access VMware vCenter. See TIP at end of this section to optionally avoid the use of vCenter.

2. Connect to vCenter and click on File>Deploy OVF Template.

3. Browse the Downloads directory and select the OVA file, then click Next to view the OVF Template Details page.

4. Click Next to display and review the End User License Agreement page.

5. Accept the EULA and click Next to view the Name and Location page.

6. The default name for the Virtual Core is Juniper ATP Appliance Virtual Core Appliance. If desired, enter a new name for the Virtual Core.

7. Choose the Data Center on which the vCore will be deployed, then click Next to view the Host/Cluster page.

8. Choose the host/cluster on which the vCore will reside, then click Next to view the Storage page.

9. Choose the destination file storage for the vCore virtual machine files, then click Next to view the Disk Format page. The default is THIN PROVISION LAZY ZEROED which requires 512GB of free space on the storage device. Using Thin disk provisioning to initially save on disk space is also supported.

   Click Next to view the Network Mapping page.

10. Set up the vCore interface:

    • Management (Administrative): This interface is used for management and to communicate with the Juniper ATP Appliance Traffic Collectors. Assign the destination network to the port-group that has connectivity to the CM Management Network IP Address.

    • Click Next to view the Juniper ATP Appliance Properties page.

11. IP Allocation Policy can be configured for DHCP or Static addressing-- Juniper recommends using STATIC addressing. For DHCP instructions, skip to Step 12. For IP Allocation Policy as Static, perform the following assignments:

    • IP Address: Assign the Management Network IP Address for the vCore.

    • Netmask: Assign the netmask for the vCore.

    • Gateway: Assign the gateway for the vCore.

    • DNS Address 1: Assign the primary DNS address for the vCore.

    • DNS Address 2: Assign the secondary DNS address for the vCore.

12. Enter the Search Domain and Hostname for the vCore.

13. Complete the Juniper ATP Appliance vCore Settings:

    New Juniper ATP Appliance CLI Admin Password: this is the password for accessing the vCore from the CLI.

14. Complete the Juniper ATP Appliance vCore Settings:

    • New Juniper ATP Appliance CLI Admin Password: this is the password for accessing the vCore from the CLI.

    • Juniper ATP Appliance Central Manager IP Address: If the virtual core is stand-alone (no clustering enabled) or Primary (clustering is enabled), the IP address is 127.0.0.1. If the virtual core is a Secondary, the Central Manager IP address will be the IP address of the Primary.

    • Juniper ATP Appliance Device Name: Enter a unique device name for the vCore.

    • Juniper ATP Appliance Device Description: Enter a description for the vCore.

    • Juniper ATP Appliance Device Key Passphrase: Enter the passphrase for the vCore; it should be identical to the passphrase configured in the Central Manager for the Core/CM. Click Next to view the Ready to Complete page.

15. Do not check the Power-On After Deployment option because you must first (next) modify the CPU and Memory requirements (depending on the vCore model--either 500Mbps, or 1Gbps; refer to OVA vCollector Sizing Options for sizing information.

16. To configure the number of vCPUs and memory:

    1. Power off the vCore.

    2. Right click on the vCore -> Edit Settings

    3. Select Memory in the hardware tab. Enter the required memory in the Memory Size combination box on the right.

    4. Select CPU in the hardware tab. Enter the required number of virtual CPUs combination box on the right. Click OK to set.

17. To configure CPU and memory reservation:

    1. For CPU reservation: Right click on vCore-> Edit settings:

    2. Select Resources tab, then select CPU.

    3. Under Reservation, specify the guaranteed CPU allocation for the VM. It can be calculated based on Number of vCPUs *processor speed.

    4. For Memory Reservation: Right click on vCore -> Edit settings.

    5. In the Resources tab, select Memory.

    6. Under Reservation, specify the amount of Memory to reserve for the VM. It should be the same as the memory specified by the Sizing guide.

18. If Hyperthreading is enabled, perform the following selections:

    1. Right click on the vCore -> Edit settings.

    2. In the Resources tab, select HT Sharing: None for Advanced CPU.

19. Power on the Virtual Core (vCore). NOTE: For future reference, allowlist rules rely on normal service shutdown to be backed up. Powering off a VM or Virtual Core directly will lose the current allowlist state because the rules cannot be saved in that case.

Log into the CLI and use the server mode “show uuid” command to obtain the UUID; send to Juniper ATP Appliance to receive your license.

When an OVA is cloned to a create another virtual Secondary Core, the value for column "id" in the Central Manager Appliance table is the same by default. Admins must reset the UUID to make it unique. A new Virtual Core CLI command “set id” is available to reset the UUID on a cloned Virtual Core from the CLI’s core mode. Refer to the Juniper ATP Appliance CLI Command Reference to review the new Core mode "set id" and "show id" commands.

Upgrading of software and security content is automatic when upgrades are configured from the Central Manager Web UI Config>System Settings>System Settings page.

• To enable automatic upgrades, check the “Software Update Enabled” and/or “Content Update Enabled” options on the System Settings page.

All automatic updates from all Juniper ATP Appliance components are coordinated and implemented by the Juniper ATP Appliance Core. Ongoing updates take place on a regular schedule:

• The Core software and content update (if enabled) checks for available updates every 30 minutes and pushes new files to the Collectors and/or Secondary Cores.

• The Core detonation engine image upgrade check occurs daily at midnight.

• Juniper ATP Appliance continues to reduce its operational footprint and no longer requires an extensive set of allowlist external IP addresses for upgrades, telemetry, content updates and other services.

• Firewall ports opened previously for specific services can be closed after a Release upgrade is complete.

• Note that most modern firewalls support domain allowlists.

• Customers can optionally allow just outbound access to the Core/CM device* (not collectors) on HTTPS (port 443); no domain allowlist is required in this case.

• *Juniper ATP Appliance has always recommended allowing un-fettered outbound communications for the Core/CM appliance (or All-in-One) in order to allow for kill-chain correlation in sandbox detonations.

• Customers concerned about a comprehensive allowlist on port 443 can restrict the allowlist to just Amazon AWS and S3 CIDRs - but note that this is still a quite large range of IP addresses.

You can enable remote support account either from UI or CLI.

Enable remote support account from the UI

To enable the support account from the Web UI:

1. Select Config > System Profiles >Remote Support.

2. In the Remote Support page, select the Enable Remote Support option.

3. In the Duration field, enter the time duration (in hours) for the session.

4. Click Enable Support.

   The support password is generated using two secret keys:

   • One key is automatically obtained by Juniper Support from the ATP Appliance device when Remote Support is enabled.

   • The other key is provided by Juniper Networks.

   When you enable Remote Support, the UI refreshes to display a new secret key as shown in Figure 22. The secret key is unique for every support session.

Figure 22: Remote Support Window

Enable remote support account from the CLI

To enable the support account from the CLI:

1. T Log in to the CLI, enter server mode, then use the set cysupport enable on command.

2. Enter the Remote Support duration in hours.

3. If you need to obtain the secret key from the CLI, use the show remote-access-key command.

A user with the name “recovery” can log into the appliance without a password and enter a limited amount of commands, including a command to reset the administrator password.

To recover the administrator password using CLI, do the following:

1. When prompted to login, enter the user name recovery on the appliance and press Enter.

   Since no password is required the recovery user is automatically logged into the device.

2. Enter the reset-admin-password command to reset the password.

   The other commands available to the recovery user are: exit, help, and history.

In addition to viewing UI users in the audit logs, you can now also view admin and recovery-admin CLI users in the audit logs, under Reports in the Web UI. See Audit Logs Display UI or CLI Access for details.

In addition to UI audit logging, there is core and collector CLI activity audit logging. Along with the log data, you can see if the action was performed from the UI or the CLI. See Figure 24.

You can also view the audit logs for software update, static content update, and fast content update that was done either in normal mode or private mode. See Figure 23.

These logs are available from the ATP Appliance UI portal from the Reports tab and in the system log server (the same as previous UI audit logs).

Figure 23: Generate System Audit Report

Figure 24: Audit Log