Configure the IMAP Emails Policy on the SRX Series Firewall
Unlike file scanning policies where you define an action permit or action block statement, with IMAP email management the action to take is defined in the Configure > Emails > IMAP window. All other actions are defined with CLI commands as before.
In the IMAP window on Juniper ATP Cloud, you can select all IMAP servers or specific IMAP servers and list them. Therefore the IMAP configuration sent to the SRX Series Firewall has a flag called “process_all_traffic” which defaults to True, and a list of IMAP servers, which may be empty. In the case where “process_all_traffic” is set to True, but there are servers listed in the IMAP server list, then all servers are processed regardless of the server list. If “process_all_traffic” is not set to True, only the IMAP servers in the server list are processed.
Shown below is an example policy with email attachments
addressed in profile profile2.
user@host# show services advanced-anti-malware
...
policy policy1 {
http {
inspection-profile default_profile; # Global profile
action permit;
}
imap {
inspection-profile profile2; # Profile2 applies to IMAP email
notification {
log;
}
}
verdict-threshold 8; # Globally, a score of 8 and above indicate possible malware
fallback-options {
action permit;
notification {
log;
}
}
default-notification {
log;
}
whitelist-notification {
log;
}
blacklist-notification {
log;
}
fallback-options {
action permit; # default is permit and no log.
notification log;
}
}
...
In the above example, the email profile (profile2) looks like this:
user@host> show services advanced-anti-malware profile
Advanced anti-malware inspection profile:
Profile Name: profile2
version: 1443769434
disabled_file_types:
{
application/x-pdfa: [pdfa],
application/pdf: [pdfa],
application/mbox: []
},
disabled_categories: [java, script, documents, code],
category_thresholds: [
{
category: executable,
min_size: 512,
max_size: 1048576
},
{
category: library,
min_size: 4096,
max_size: 1048576
}]The firewall policy is similar to before. The AAMW policy is place in trust to untrust zone. See the example below.
user@host# show security policies from-zone trust to-zone untrust {
policy p1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
application-services {
advanced-anti-malware-policy policy1;
ssl-proxy {
profile-name ssl-proxy1;
}
}
}
}
}
}
Shown below is another example, using the show services
advanced-anti-malware policy CLI command. In this example, emails
are quarantined if their attachments are found to contain malware.
A verdict score of 8 and above indicates malware.
user@root> show services advanced-anti-malware policy
Advanced-anti-malware configuration:
Policy Name: policy1
Default-notification : Log
Whitelist-notification: No Log
Blacklist-notification: No Log
Fallback options:
Action: permit
Notification: Log
Protocol: HTTP
Verdict-threshold: recommended (7)
Action: block
Notification: No Log
Inspection-profile: default
Protocol: SMTP
Verdict-threshold: recommended (7)
Action: User-Defined-in-Cloud (permit)
Notification: Log
Inspection-profile: default
Protocol: IMAP
Verdict-threshold: recommended (7)
Action: User-Defined-in-Cloud (permit)
Notification: Log
Inspection-profile: test
Optionally you can configure forward and reverse proxy for server and client protection, respectively. For example, if you are using IMAPS, you may want to configure reverse proxy. For more information on configuring reverse proxy, see Configure Reverse Proxy on the SRX Series Firewall.
# show services ssl
initiation { # for cloud connection
profile srx_to_sky_tls_profile_name {
trusted-ca sky-secintel-ca;
client-certificate sky-srx-cert;
}
}
proxy {
profile ssl-client-protection { # for forward proxy
root-ca ssl-inspect-ca;
actions {
ignore-server-auth-failure;
log {
all;
}
}
}
profile ssl-server-protection { # for reverse proxy
server-certificate ssl-server-protection;
actions {
log {
all;
}
}
}
}
Use the show services advanced-anti-malware statistics CLI command to view statistical information about email management.
user@host> show services advanced-anti-malware statistics
Advanced-anti-malware session statistics:
Session interested: 3291750
Session ignored: 52173
Session hit blacklist: 0
Session hit whitelist: 0
Total HTTP HTTPS SMTP SMTPS IMAP IMAPS
Session active: 52318 0 0 52318 0 0 0
Session blocked: 0 0 0 0 0 0 0
Session permitted: 1354706 0 0 1354706 0 0 0
Advanced-anti-malware file statistics:
Total HTTP HTTPS SMTP SMTPS IMAP IMAPS
File submission success: 83134 0 0 83134 0 0 0
File submission failure: 9679 0 0 9679 0 0 0
File submission not needed: 86104 0 0 86104 0 0 0
File verdict meets threshold: 65732 0 0 65732 0 0 0
File verdict under threshold: 16223 0 0 16223 0 0 0
File fallback blocked: 0 0 0 0 0 0 0
File fallback permitted: 4512 0 0 4512 0 0 0
File hit submission limit: 0 0 0 0 0 0 0
Advanced-anti-malware email statistics:
Total SMTP SMTPS IMAP IMAPS
Email processed: 345794 345794 0 0 0
Email permitted: 42722 42722 0 0 0
Email tag-and-delivered: 0 0 0 0 0
Email quarantined: 9830 9830 0 0 0
Email fallback blocked: 0 0 0 0 0
Email fallback permitted: 29580 29580 0 0 0
Email hit whitelist: 0 0 0 0 0
Email hit blacklist: 0 0 0 0 0
As before, use the clear services advanced-anti-malware
statistics CLI command to clear the above statistics when you
are troubleshooting.
For debugging purposes, you can also set IMAP trace options.
user@host# set services advanced-anti-malware traceoptions flag imap
Before configuring the IMAP threat prevention policy, make sure you have done the following:
Define the action to take (block or deliver malicious messages) and the end-user email notification in the Configure > Emails > IMAP window.
(Optional) Create a profile in the Configure > Device Profiles window to indicate which email attachment types to scan. Or, you can use the default profile.
The following steps show the minimum configuration. To configure the threat prevention policy for IMAP using the CLI: