Getting Started with ATP Appliance and the SRX Series Firewall

These are basic setup instructions to begin using the SRX Series Services Gateway with ATP Appliance (for those less familiar with SRX). Refer to the rest of the integration document for further configuration information such as email scanning, infected hosts, and viewing incidents.

Configure the SRX Series Firewall to Begin

Initial Configuration

To begin using the SRX Series Firewall:

  1. Load the factory defaults.

    load factory-default

  2. Set the root password.

    set system root-authentication <password>

  3. Set the host name.

    set system host-name <hostname>

  4. Commit the configuration. Once you commit, you should see the host name in the prompt.

    commit

Configure Interfaces and a Default Route

On the SRX Series Firewall, configure interfaces and the default route. (For the following instructions, these are generic examples. Please insert your own addresses and interfaces):

  1. Enter the following commands for interfaces:

    set interfaces ge-0/0/2 unit 0 family inet address x.x.x.x/x

    set interfaces ge-0/0/4 unit 0 family inet address x.x.x.x/x

    set interfaces ge-0/0/5 unit 0 family inet address x.x.x.x/x

  2. Enter the following to configure the default route:

    set routing-options static route 0.0.0.0/0 next-hop x.x.x.x

Configure Security Zones

The SRX Series Firewall is a zone-based firewall. You must assign each interface to a zone in order to pass traffic through it. To configure security zones, enter the following commands:

set security zones security-zone untrust interfaces ge-0/0/2.0

set security zones security-zone untrust interfaces ge-0/0/5.0

set security zones security-zone trust host-inbound-traffic system-services all

set security zones security-zone trust host-inbound-traffic protocols all

set security zones security-zone trust interfaces ge-0/0/4.0

Configure DNS

On the SRX Series Firewall, configure DNS using the following commands:

set groups global system name-server x.x.x.x

set groups global system name-server x.x.x.x

Configure NTP

On the SRX Series Firewall, configure NTP using the following commands:

set groups global system processes ntp enable

set groups global system ntp boot-server x.x.x.x

set groups global system ntp server x.x.x.x

On ATP Appliance: Login to the Web UI and Enroll SRX Series Firewalls

Enroll the SRX Series Firewall to ATP Appliance Web UI

Enrollment establishes a secure connection between ATP Appliance and the SRX Series Firewall. It also performs basic configuration tasks such as:

  • Downloads and installs certificate authority (CA) licenses onto your SRX Series Firewall

  • Creates local certificates and enrolls them with ATP Appliance

  • Establishes a secure connection to ATP Appliance

Warning:

If you are using a custom SSL certificate with ATP Appliance, before you enroll SRX Series Firewalls, you must upload the CA bundle containing a CA certificate which validates the ATP Appliance certificate. This ONLY applies if you are using a custom SSL certificate. See the Juniper ATP Operator’s Guide for instructions, under the “Managing Certificates” heading. Once this is done, proceed to the enrollment instructions.

Warning:

If you already have SRX Series Firewalls enrolled with ATP Appliance and you change the certificate (from the default to custom or vice-versa), you must re-enroll all SRX Series Firewalls.

Warning:

Network Environment Considerations and Requirements

  • It is required that both your Routing Engine (control plane) and Packet Forwarding Engine (data plane) can connect to the Juniper ATP Appliance. (The Packet Forwarding Engine and the Routing Engine operate independently but communicate constantly through a 100-Mbps internal link. This arrangement provides streamlined forwarding and routing control and the ability to run Internet-scale networks at high speeds. Refer to the Juniper Networks Junos documentation for more information.)

  • You do not need to open any ports on the SRX Series Firewall to communicate with ATP Appliance. However, if you have a device in the middle, such as a firewall, then that device must have port 443 open.

  • You cannot use FXP0 interfaces to communicate with ATP Appliance. You must use a separate revenue interface.

  • If you are using addresses in the same subnet for ATP Appliance management and SRX Series management, you must use a virtual router instance to separate the management and revenue interfaces. If the addresses of ATP Appliance management and SRX Series management configured through FXP0 are in different subnets, you do not need to configure an additional virtual router instance. Note that traffic must be routed through the revenue interface configured for ATP Appliance management.

  • If you are registering ATP Appliance through a VPN tunnel, it must be a named tunnel. ATP Appliance expects an IP address on the interface. Therefore you must configure an IP address on the VPN tunnel interface before running the OP URL script to enroll the SRX Series Firewall. Otherwise, the registration will fail.

  • SRX Series integration with ATP Appliance requires API keys to generate the enrollment script (OP URL). The ATP Appliance UI only allows generating API keys for local users. Therefore, if users authenticate using RADIUS and attempt to generate an enrollment script to register an SRX Series Firewall, it will fail because the remote user will not have an API key. As a workaround, you can log into the ATP Appliance UI using local credentials (https://<ATP Appliance IP>/cyadmin/?local_login) and continue with the instructions below. If your network policy doesn’t allow local users, there is no workaround for this issue.

  • Network Address Translation (NAT) is not supported between the Juniper ATP Appliance and the SRX Series Firewall.

To enroll an SRX Series Firewall with ATP Appliance, do the following:

  1. From the ATP Appliance web UI, you must enable the API Key for the admin user. This is used for enrolling the SRX Series Firewall. From the Config tab, navigate to System Profile > Users. Select the admin user for ATP Appliance and enable the Generate New API Key checkbox. Click Update User.

  2. From the Config tab, navigate to System Profile > SRX settings and click the Enrollment URL button in the top right side of the page. A screen with the enrollment command appears.

  3. Copy the entire enrollment command to your clipboard and click OK.

  4. Paste the command into the Junos OS CLI of the SRX Series Firewall you want to enroll with ATP Appliance and press Enter.

    Note:

    (Optional) Use the show services advanced-anti-malware status CLI command to verify that a connection is made to ATP Appliance from the SRX Series Firewall.

    Once configured, the SRX Series Firewall communicates with ATP Appliance through multiple persistent connections established over a secure channel (TLS 1.2) and the SRX Series Firewall is authenticated using SSL client certificates.

Use the Delete button in the ATP Appliance SRX settings page to remove the SRX Series Firewall currently enrolled in ATP Appliance. To access the Delete button, click the arrow to the left of the device name to expand device information.

Use the Search field at the top of the page to search for enrolled devices in the list by serial number.

On the SRX Series Firewall: Configure Security Policies

Configure the Anti-Malware Policy

On the SRX Series Firewall, enter the following commands to create and configure the anti-malware policy. (Note that commands for both SMTP and IMAP are included here.)

set services advanced-anti-malware policy aamw-policy http inspection-profile default

set services advanced-anti-malware policy aamw-policy http action permit

set services advanced-anti-malware policy aamw-policy http notification log

set services advanced-anti-malware policy aamw-policy smtp inspection-profile default

set services advanced-anti-malware policy aamw-policy smtp notification log

set services advanced-anti-malware policy aamw-policy imap inspection-profile default

set services advanced-anti-malware policy aamw-policy imap notification log

set services advanced-anti-malware policy aamw-policy fallback-options notification log

set services advanced-anti-malware policy aamw-policy default-notification log

Configure the SSL Forward Proxy

SSL Forward Proxy is required to collect files from HTTPS traffic in the data plane.

  1. On the SRX Series Firewall, generate the local certificate.

    request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa

    request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name www.juniper.net subject "CN=www.juniper.net,OU=IT,O=Juniper Networks,L=Sunnyvale,ST=CA,C=US" email security-admin@juniper.net

  2. Load the trusted root CA profiles.

    request security pki ca-certificate ca-profile-group load ca-group-name trusted-ca-* filename default

  3. Enter the following commands to configure the SSL forward proxy.

    set services ssl proxy profile ssl-inspect-profile-dut root-ca ssl-inspect-ca

    set services ssl proxy profile ssl-inspect-profile-dut actions log all

    set services ssl proxy profile ssl-inspect-profile-dut actions ignore-server-auth-failure

    set services ssl proxy profile ssl-inspect-profile-dut trusted-ca all

Optionally, Configure the Anti-Malware Source Interface

If you are using a non-default routing instance, you must configure the source interface for the anti-malware connection. If you are using the default routing instance, you do not have to complete this step on the SRX Series Firewall.

set services advanced-anti-malware connection source-interface ge-0/0/2

Configure a Security Intelligence Profile

ATP Appliance and SRX use different threat level thresholds. See the ATP Appliance and SRX Series Threat Level Comparison Chart for information.

On the SRX Series Firewall, enter the following commands to create a security intelligence profile.

set services security-intelligence profile secintel_profile category CC

set services security-intelligence profile secintel_profile rule secintel_rule match threat-level [ 7 8 9 10 ]

set services security-intelligence profile secintel_profile rule secintel_rule then action block drop

set services security-intelligence profile secintel_profile rule secintel_rule then log

set services security-intelligence profile secintel_profile default-rule then action permit

set services security-intelligence profile secintel_profile default-rule then log

set services security-intelligence profile ih_profile category Infected-Hosts

set services security-intelligence profile ih_profile rule ih_rule match threat-level [ 7 8 9 10 ]

set services security-intelligence profile ih_profile rule ih_rule then action block drop

set services security-intelligence profile ih_profile rule ih_rule then log

set services security-intelligence policy secintel_policy Infected-Hosts ih_profile

set services security-intelligence policy secintel_policy CC secintel_profile

Configure a Security Policy

On the SRX Series Firewall, enter the following commands to create a security policy for the inspection profiles.

set security policies from-zone trust to-zone untrust policy 1 match source-address any

set security policies from-zone trust to-zone untrust policy 1 match destination-address any

set security policies from-zone trust to-zone untrust policy 1 match application any

set security policies from-zone trust to-zone untrust policy 1 then permit application-services ssl-proxy profile-name ssl-inspect-profile-dut

set security policies from-zone trust to-zone untrust policy 1 then permit application-services advanced-anti-malware-policy aamw-policy

set security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy secintel_policy
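The security policy above only delivers files to ATP Appliance if all three application services (SSL forward proxy, anti-malware policy and security-intelligence policy) are attached and each refers to a profile or policy that actually exists, and the page also notes that the anti-malware connection cannot use the fxp0 management interface. The following Python script is an added example, not part of this Juniper document or any Juniper tool: it audits a saved `set`-style Junos configuration for exactly those conditions. The sample configuration embedded in it is constructed from the commands on this page with one deliberately broken second policy (`policy 2`), the check names and messages are the example's own, and it only inspects the statements shown here, not the full Junos policy grammar.

```python
"""Audit a Junos 'set'-style configuration for the ATP Appliance integration.

Added example (not Juniper code). Checks that every 'then permit' security
policy attaches ssl-proxy, advanced-anti-malware-policy and
security-intelligence-policy, that each referenced name is defined, and that
the anti-malware source interface is not fxp0.
"""
import shlex
from typing import Dict, List, Set, Tuple

# Constructed sample: commands from this page, trimmed to the statements the
# checks look at, plus a second policy that is deliberately incomplete.
SAMPLE_CONFIG = """
set services advanced-anti-malware policy aamw-policy http inspection-profile default
set services advanced-anti-malware policy aamw-policy http action permit
set services advanced-anti-malware connection source-interface ge-0/0/2
set services ssl proxy profile ssl-inspect-profile-dut root-ca ssl-inspect-ca
set services security-intelligence policy secintel_policy CC secintel_profile
set security policies from-zone trust to-zone untrust policy 1 match source-address any
set security policies from-zone trust to-zone untrust policy 1 then permit application-services ssl-proxy profile-name ssl-inspect-profile-dut
set security policies from-zone trust to-zone untrust policy 1 then permit application-services advanced-anti-malware-policy aamw-policy
set security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy secintel_policy
set security policies from-zone trust to-zone untrust policy 2 match source-address any
set security policies from-zone trust to-zone untrust policy 2 then permit application-services advanced-anti-malware-policy aamw-policy-typo
"""

# application-services keyword -> configuration path under which its target is defined
REQUIRED: Dict[str, Tuple[str, ...]] = {
    "ssl-proxy": ("services", "ssl", "proxy", "profile"),
    "advanced-anti-malware-policy": ("services", "advanced-anti-malware", "policy"),
    "security-intelligence-policy": ("services", "security-intelligence", "policy"),
}


def parse_set_config(text: str) -> List[List[str]]:
    """Return each 'set ...' line as a token list (quoted values stay intact)."""
    statements = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            statements.append(shlex.split(line)[1:])
    return statements


def defined_names(statements: List[List[str]], prefix: Tuple[str, ...]) -> Set[str]:
    """Collect the identifier that directly follows a configuration path prefix."""
    n = len(prefix)
    return {t[n] for t in statements if tuple(t[:n]) == prefix and len(t) > n}


def permit_policies(statements: List[List[str]]) -> Dict[Tuple[str, str, str], Dict[str, str]]:
    """Map (from-zone, to-zone, policy) -> {service keyword: referenced name}."""
    policies: Dict[Tuple[str, str, str], Dict[str, str]] = {}
    for t in statements:
        # security policies from-zone X to-zone Y policy NAME ...
        if len(t) < 8 or t[:2] != ["security", "policies"]:
            continue
        if t[2] != "from-zone" or t[4] != "to-zone" or t[6] != "policy":
            continue
        services = policies.setdefault((t[3], t[5], t[7]), {})
        rest = t[8:]
        if rest[:3] != ["then", "permit", "application-services"]:
            continue
        svc = rest[3:]
        if svc[:2] == ["ssl-proxy", "profile-name"] and len(svc) > 2:
            services["ssl-proxy"] = svc[2]
        elif len(svc) == 2 and svc[0] in REQUIRED:
            services[svc[0]] = svc[1]
    return policies


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    statements = parse_set_config(text)
    findings: List[str] = []
    for (src, dst, name), services in sorted(permit_policies(statements).items()):
        label = "policy %s (%s -> %s)" % (name, src, dst)
        for svc, prefix in REQUIRED.items():
            target = services.get(svc)
            if target is None:
                findings.append("%s: missing application-services %s" % (label, svc))
            elif target not in defined_names(statements, prefix):
                findings.append("%s: %s references undefined name %r" % (label, svc, target))
    # The page states that fxp0 cannot be used to reach ATP Appliance.
    src_prefix = ("services", "advanced-anti-malware", "connection", "source-interface")
    for iface in defined_names(statements, src_prefix):
        if iface.lower().startswith("fxp0"):
            findings.append("anti-malware source-interface %s is a management interface (fxp0 is not supported)" % iface)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show configuration | display set` saved to a file (pass the file contents to `audit`). On the constructed sample it reports nothing for `policy 1` and three findings for `policy 2`: the missing SSL proxy, the anti-malware policy name that is not defined anywhere, and the missing security-intelligence policy.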

The initial configuration is complete.