Example: Configure Flow-Based Antivirus Policy
Overview
AI-Predictive Threat Prevention leverages flow-based antivirus policy. In this example, you’ll learn how to configure flow-based antivirus policy on your SRX Series Firewall using the CLI. It assumes you understand configuring security zones and security policies. See Example: Creating Security Zones.
Requirements
Before you begin
-
Verify that you have a Juniper antivirus license. For more information about how to verify licenses on your device, see Understanding Licenses for SRX Series Devices. A sample license information is given below:
License identifier: JUNOSXXXXXXXX License version: 4 Valid for device: XXXXXXXXXXXX Features: Juniper AV - Juniper Anti-virus Scan Engine date-based, 2022-10-23 17:00:00 PDT - 2022-11-23 16:00:00 PST
-
The Juniper content delivery network (CDN) server, https://signatures.juniper.net/phase, must be reachable from the SRX Series Firewall.
-
SRX Series Firewall with Junos OS Release 22.4R1 or later.
Topology
Let’s take a look at a typical enterprise network. An end user unknowingly visits a compromised Website and downloads a malicious content. This action results in compromise of the endpoint. The harmful content on the endpoint also becomes a threat to other hosts within the network. It is important to prevent the download of the malicious content.
You can use an SRX Series Firewall with flow-based antivirus to protect users from virus attacks and to prevent spreading of viruses in your system. The flow-based antivirus scans network traffic for viruses, trojans, rootkits, and other types of malicious code and blocks the malicious content immediately when detected.
This example creates a flow-based antivirus policy that has the following properties:
-
Policy name is av-policy
-
Block any file if its returned verdict is greater than or equal to 7 and create a log entry.
-
When there is an error condition, allow files to be downloaded and create a log entry.
Configuration
Step-by-step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
-
Create the antivirus policy and block any file if its returned verdict is greater than or equal to 7.
set services anti-virus policy av-policy action block set services anti-virus policy av-policy default-notification log set services anti-virus policy av-policy fallback-options notification log set services anti-virus policy av-policy http-client-notify message "test message for anti-virus flow" set services anti-virus policy av-policy notification log set services anti-virus policy av-policy verdict-threshold 7
-
By default, your firewall downloads the signatures from the CDN server every five minutes.
You can manually update the virus signature database by specifying the URL of the database server.
set services anti-virus update url https://signatures.juniper.net/phase
-
Configure the firewall policy and apply the antivirus policy.
set security policies from-zone trust to-zone untrust av-policy match source-address any set security policies from-zone trust to-zone untrust av-policy match destination-address any set security policies from-zone trust to-zone untrust av-policy match application any set security policies from-zone trust to-zone untrust av-policy then permit application-services anti-virus-policy av-policy
-
Commit the configuration.
commit
Results
From configuration mode, confirm your configuration by entering the show
services anti-virus policy av-policy
and show configuration
|display set
commands. If the output does not display the intended
configuration, repeat the configuration instructions in this example to correct
it.
Check the results of the configuration:
show services anti-virus update { url https://signatures.juniper.net/phase; automatic { interval 5; } } policy av-policy { action block; default-notification { log; } fallback-options { notification { log; } } http-client-notify { message "test message for anti-virus flow"; } notification { log; } verdict-threshold 7; } }
Verification
To verify the configuration is working properly, use the following steps:
Obtaining Information About the Current Antivirus Statistics
Purpose
After some traffic has passed through your SRX Series Firewall, check the statistics to see how many sessions were permitted, blocked, and so on according to your profile and policy settings.
Action
From operational mode, enter the show services anti-virus
statistics
command.
Sample Output
show services anti-virus statistics
show services anti-virus statistics Anti-virus scan statistics: Virus DB type: anti-virus Total signatures: 11 Anti-virus DB version: 1654594666 Anti-virus DB update time: 2022-08-25 13:03:58 PDT Total HTTP HTTPS SMTP SMTPS IMAP IMAPS SMB File scanned: 419382 81947 177549 16067 31591 15994 31925 64309 Virus found: 290713 1613 161485 15940 31591 15994 31925 32165 Virus blocked: 290713 1613 161485 15940 31591 15994 31925 32165 Virus permitted: 0 0 0 0 0 0 0 0
Meaning
Viruses are identified and blocked.