Configure the SRX Series Firewall IMAP Email Policies for Integration with ATP Appliance
IMAP email management has no configuration page in ATP Appliance. Similar to SMTP, actions are defined with CLI commands on the SRX Series Firewall.
With IMAP, a default profile is sent to the SRX Series Firewall whereby all attachments are scanned and allowed unless an attachment is found to be malicious.
Shown below is an example policy in which IMAP email attachments are handled by the inspection profile profile2.
user@host# show services advanced-anti-malware
...
policy policy1 {
    http {
        inspection-profile default_profile;   # Global profile
        action permit;
    }
    imap {
        inspection-profile profile2;          # profile2 applies to IMAP email
        notification {
            log;
        }
    }
    verdict-threshold 8;                      # Globally, a score of 8 and above indicates possible malware
    fallback-options {
        action permit;                        # default is permit and no log
        notification {
            log;
        }
    }
    default-notification {
        log;
    }
    whitelist-notification {
        log;
    }
    blacklist-notification {
        log;
    }
}
...
In the above example, the email profile (profile2) looks like this:
user@host> show services advanced-anti-malware profile
Advanced anti-malware inspection profile:
Profile Name: profile2
version: 1443769434
disabled_file_types:
{
    application/x-pdfa: [pdfa],
    application/pdf: [pdfa],
    application/mbox: []
},
disabled_categories: [java, script, documents, code],
category_thresholds: [
    {
        category: executable,
        min_size: 512,
        max_size: 1048576
    },
    {
        category: library,
        min_size: 4096,
        max_size: 1048576
    }]
The firewall policy is similar to before. The AAMW policy is placed in the trust to untrust zone. See the example below.
user@host# show security policies
from-zone trust to-zone untrust {
    policy p1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    advanced-anti-malware-policy policy1;
                    ssl-proxy {
                        profile-name ssl-proxy1;
                    }
                }
            }
        }
    }
}
Shown below is another example, using the show services advanced-anti-malware policy CLI command. In this example, a verdict score of 8 and above indicates malware.
user@root> show services advanced-anti-malware policy
Advanced-anti-malware configuration:
Policy Name: policy1
  Default-notification : Log
  Whitelist-notification: No Log
  Blacklist-notification: No Log
  Fallback options:
    Action: permit
    Notification: Log
  Protocol: HTTP
    Verdict-threshold: recommended (7)
    Action: block
    Notification: No Log
    Inspection-profile: default
  Protocol: SMTP
    Verdict-threshold: recommended (7)
    Action: User-Defined-in-Cloud (permit)
    Notification: Log
    Inspection-profile: default
  Protocol: IMAP
    Verdict-threshold: recommended (7)
    Action: User-Defined-in-Cloud (permit)
    Notification: Log
    Inspection-profile: test
Optionally you can configure forward and reverse proxy for server and client protection, respectively. For example, if you are using IMAPS, you may want to configure reverse proxy. For more information on configuring reverse proxy, see the SRX Series documentation.
user@host# show services ssl
initiation {                                  # for cloud connection
    profile srx_to_jatp_tls_profile_name {
        trusted-ca jatp-secintel-ca;
        client-certificate jatp-srx-cert;
    }
}
proxy {
    profile ssl-client-protection {           # for forward proxy
        root-ca ssl-inspect-ca;
        actions {
            ignore-server-auth-failure;
            log {
                all;
            }
        }
    }
    profile ssl-server-protection {           # for reverse proxy
        server-certificate ssl-server-protection;
        actions {
            log {
                all;
            }
        }
    }
}
Use the show services advanced-anti-malware statistics CLI command to view statistical information about email management.
user@host> show services advanced-anti-malware statistics
Advanced-anti-malware session statistics:
  Session interested:      3291750
  Session ignored:           52173
  Session hit blacklist:         0
  Session hit whitelist:         0
                               Total    HTTP   HTTPS    SMTP   SMTPS    IMAP   IMAPS
  Session active:            52318       0       0   52318       0       0       0
  Session blocked:               0       0       0       0       0       0       0
  Session permitted:       1354706       0       0 1354706       0       0       0
Advanced-anti-malware file statistics:
                               Total    HTTP   HTTPS    SMTP   SMTPS    IMAP   IMAPS
  File submission success:   83134       0       0   83134       0       0       0
  File submission failure:    9679       0       0    9679       0       0       0
  File submission not needed: 86104      0       0   86104       0       0       0
  File verdict meets threshold: 65732    0       0   65732       0       0       0
  File verdict under threshold: 16223    0       0   16223       0       0       0
  File fallback blocked:         0       0       0       0       0       0       0
  File fallback permitted:    4512       0       0    4512       0       0       0
  File hit submission limit:     0       0       0       0       0       0       0
Advanced-anti-malware email statistics:
                               Total    SMTP   SMTPS    IMAP   IMAPS
  Email processed:          345794  345794       0       0       0
  Email permitted:           42722   42722       0       0       0
  Email tag-and-delivered:       0       0       0       0       0
  Email fallback blocked:        0       0       0       0       0
  Email fallback permitted:  29580   29580       0       0       0
  Email hit whitelist:           0       0       0       0       0
  Email hit blacklist:           0       0       0       0       0
As before, use the clear services advanced-anti-malware statistics CLI command to clear the above statistics when you are troubleshooting.
For debugging purposes, you can also set IMAP trace options.
user@host# set services advanced-anti-malware traceoptions flag imap
Before configuring the IMAP threat prevention policy, you can do the following:
(Optional) Create a File Type Profile in the ATP Appliance UI to indicate which email attachment types to scan. Or, you can use the default profile.
The following steps show the minimum configuration. To configure the threat prevention policy for IMAP using the CLI on the SRX Series Firewall: