
Configure and Deploy Adaptive Threat Profiling

An SRX Series Firewall that has already been enrolled with Juniper ATP Cloud should include all the necessary configuration to begin leveraging adaptive threat profiling.

To begin, validate that the device already contains a URL for security-intelligence.

  1. Check the URL for the feed server.

    Your output should look similar to the following:

    Note:

    If the URL is not present in the configuration, try re-enrolling the device in Juniper ATP Cloud. See Enroll an SRX Series Firewall using Juniper ATP Cloud Web Portal.

  2. Create an adaptive threat profiling feed in Juniper ATP Cloud. Log in to the Juniper ATP Cloud UI and select Configure > Adaptive Threat Profiling. The Adaptive Threat Profiling page appears as shown in Figure 1. In this example, we will use the feed name High_Risk_Users with a time-to-live (TTL) of seven days.

    Figure 1: Add New Feed
  3. Click OK to save changes. For more information, see Create an Adaptive Threat Profiling Feed.

  4. Ensure that the feed has been downloaded by your SRX Series Firewall. This is done automatically at regular intervals but can take a few seconds.

    A manual download of the security-intelligence database can speed up this process, if necessary.

You can deploy adaptive threat profiling on the SRX Series Firewalls in the following ways:

  • As a detection solution

  • As an enforcement solution

  • As both a detection and an enforcement solution

To use adaptive threat profiling to detect threats, you can define adaptive threat profiling actions in the following locations:

  1. Within the security policy on deny, reject, and permit rules, where you can add the source and/or destination address of the flow to a feed of your choice.

  2. Within an IDP Policy as an application-service that adds the origin of the exploit (the attacker) or the target of the exploit to a feed of your choice.

    To take effect, you must apply the IDP policy to a traditional policy or unified policy.

Once the feed is created, it can then be referenced as a dynamic address group within a security policy as the source-address or destination-address match criteria.

In the following example, we have created a rule that allows authenticated users access to the Enterprise’s Crown Jewels but excludes any source addresses that are part of the High_Risk_Users dynamic address group (sourced from the threat feed of the same name).

Use the following command to view the feed summary and status:

show services security-intelligence sec-profiling-feed status

show security dynamic-address category-name SecProfiling

Note:

Dynamic-address entries are only displayed by this command if the referenced feed name (High_Risk_Users in the example) has been used as a source or destination address in a security policy.

Feed contents can always be viewed in the Juniper ATP Cloud portal, regardless of their state on the SRX Series Firewalls.
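The interaction described above (a profiling action on a policy or IDP rule adds an address to a TTL-bounded feed, and the feed is then consumed as a dynamic address group that excludes sources from the Crown Jewels rule, with entries only becoming visible once a policy references the feed) can be traced with the following simulation. It is an added illustration, not Junos configuration or SRX code: the rule names other than High_Risk_Users, the sample addresses and the timestamps are constructed for the example.

```python
"""Model of adaptive threat profiling behaviour (illustrative simulation,
not Junos configuration): matched flows or IDP detections add an address to
a feed whose entries expire after the feed TTL, and a policy consumes that
feed as an excluded source address."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

SEVEN_DAYS = 7 * 24 * 60 * 60  # TTL chosen for High_Risk_Users in the text


class ProfilingFeed:
    """Feed of addresses; each entry expires TTL seconds after it was last added."""

    def __init__(self, name: str, ttl_seconds: int) -> None:
        self.name = name
        self.ttl = ttl_seconds
        self._expiry: dict[str, int] = {}  # address -> expiry timestamp

    def add(self, ip: str, now: int) -> None:
        # Re-adding an address refreshes its timer rather than duplicating it.
        self._expiry[ip] = now + self.ttl

    def members(self, now: int) -> set[str]:
        # Age out expired entries before answering.
        self._expiry = {ip: exp for ip, exp in self._expiry.items() if exp > now}
        return set(self._expiry)


@dataclass
class Flow:
    src: str
    dst: str
    authenticated: bool = False


@dataclass
class Rule:
    """Security policy rule. A source present in `source_excluded` never matches,
    mirroring a dynamic address group used as an excluded source address."""
    name: str
    action: str                                       # "permit", "deny" or "reject"
    destinations: Optional[set[str]] = None          # None means any destination
    require_auth: bool = False
    source_excluded: Optional[ProfilingFeed] = None
    add_source_to_feed: Optional[ProfilingFeed] = None  # profiling action on match


def evaluate(rules: list[Rule], flow: Flow, now: int) -> str:
    """Return 'rule:action' for the first matching rule, applying its profiling action."""
    for rule in rules:
        if rule.destinations is not None and flow.dst not in rule.destinations:
            continue
        if rule.require_auth and not flow.authenticated:
            continue
        if rule.source_excluded and flow.src in rule.source_excluded.members(now):
            continue
        if rule.add_source_to_feed is not None:
            rule.add_source_to_feed.add(flow.src, now)
        return f"{rule.name}:{rule.action}"
    return "implicit-deny"


def idp_attacker_to_feed(attacker_ip: str, feed: ProfilingFeed, now: int) -> None:
    """IDP-side profiling action: the origin of a detected exploit joins the feed."""
    feed.add(attacker_ip, now)


def visible_dynamic_address_entries(feed: ProfilingFeed, rules: list[Rule], now: int) -> set[str]:
    """Entries are surfaced on the firewall only when some policy references the feed."""
    referenced = any(r.source_excluded is feed for r in rules)
    return feed.members(now) if referenced else set()


def scenario() -> dict[str, str]:
    """Walk two constructed users through the profiling and exclusion cycle."""
    high_risk = ProfilingFeed("High_Risk_Users", SEVEN_DAYS)
    rules = [
        # Constructed deny rule whose profiling action feeds High_Risk_Users.
        Rule("Blocked-Segment", "deny", destinations={"10.250.0.1"},
             add_source_to_feed=high_risk),
        # The Crown Jewels rule from the text: authenticated users, minus the feed.
        Rule("Crown-Jewels", "permit", destinations={"10.200.0.10"},
             require_auth=True, source_excluded=high_risk),
        Rule("Default", "deny"),
    ]
    alice = Flow(src="10.1.1.5", dst="10.200.0.10", authenticated=True)
    bob_probe = Flow(src="10.1.1.9", dst="10.250.0.1", authenticated=True)
    bob_jewels = Flow(src="10.1.1.9", dst="10.200.0.10", authenticated=True)
    t0 = 1_700_000_000  # constructed epoch timestamp
    out: dict[str, str] = {}
    out["alice_before"] = evaluate(rules, alice, t0)
    idp_attacker_to_feed(alice.src, high_risk, t0 + 60)   # IDP flags alice's host
    out["alice_after_idp"] = evaluate(rules, alice, t0 + 120)
    out["visible"] = ",".join(sorted(visible_dynamic_address_entries(high_risk, rules, t0 + 120)))
    out["bob_probe"] = evaluate(rules, bob_probe, t0 + 180)  # deny rule profiles bob
    out["bob_after"] = evaluate(rules, bob_jewels, t0 + 240)
    out["alice_after_ttl"] = evaluate(rules, alice, t0 + 60 + SEVEN_DAYS + 1)
    return out
```

Running `scenario()` shows the full cycle: a user is permitted, is profiled by IDP or by hitting a deny rule, is then excluded from the Crown Jewels rule and falls through to the default deny, and regains access once the seven-day TTL has elapsed. `visible_dynamic_address_entries` models the note above: a feed that no policy references reports no entries even though the feed itself is populated.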