Configure Machine Learning-Based Threat Detection

Let’s take a look at a typical enterprise network. An end user unknowingly visits a compromised website and downloads a malicious content. This action results in compromise of the endpoint. The harmful content on the endpoint also becomes a threat to other hosts within the network. It is important to prevent the download of the malicious content.

You can use an SRX Series Firewall with flow-based antivirus and ML-based threat detection to protect users from malware attacks and to prevent the spread of malware in your network.

The following configuration creates an ML-based antivirus policy with the following properties:

Firewall policy name is fw-ml-policy.
Machine learning policy name is ml-policy.
Block any file if its returned verdict is greater than or equal to 7 and create a log entry.
When there is an error condition, allow files to be downloaded and create a log entry.

Requirements

Before you begin

Configure security zones and security policies. For more information, see Example: Creating Security Zones in Security Policies User Guide for Security Devices.
Verify that you have a Juniper antivirus license. For more information about how to verify licenses on your device, see Software Licenses for SRX Series Firewalls. A sample license information is given below:
SRX Series Firewall with Junos OS Release 24.2R1 or later.
Note:
- IMAPS, SMTPS, HTTPS and SMB protocols are supported for the machine learning-based zero-day threat detection.
- Currently only .exe and .dll file types are supported.

Step-by-Step Procedure

The following configuration requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

Create the antivirus policy and block any file if its returned verdict is greater than or equal to 7.

By default, your firewall downloads the signatures from the CDN server every week.

You can manually update the virus signature database by specifying the URL of the database server.

Configure the firewall policy and apply the antivirus policy.

Commit the configuration.

Here are the possible completions for the ML scan:

Results

From configuration mode, confirm your configuration by entering the show services anti-virus policy ml-policy and show configuration | display set commands. If the output does not display the intended configuration, repeat the configuration instructions to correct it.

Check the results of the configuration:

Verification

To verify the configuration is working properly, use the following steps:

Obtaining Information About ML Statistics

Purpose
Action
Meaning

Purpose

After some traffic has passed through your SRX Series Firewall, check the statistics to see how many sessions were permitted, blocked, and so on according to your profile and policy settings.

Action

From operational mode, enter the show services anti-virus machine-learning-scan-statistics command.

Sample Output

show services anti-virus machine-learning-scan-statistics

Meaning

Shows statistics on viruses scanned, identified and blocked or permitted.

ON THIS PAGE