Configure the SRX Series Firewall to Block Infected Hosts

An Infected-Host feed lists hosts that have been compromised and must be quarantined from communicating with other devices. The feed is a list of IP addresses, each with a threat level of 10 (for example xxx.xxx.xxx.133, threat level 10). You can configure security policies to take enforcement actions on inbound and outbound traffic to and from any host whose IP address appears in the feed. The SRX Series Firewall downloads the Infected-Host feed only when an infected host profile is configured and referenced from an enabled firewall policy.

Note:

Once the Juniper ATP Cloud global threshold is met for a host (see Configuration for Infected Hosts), that host is added to the infected hosts feed and assigned a threat level of 10 by the cloud. All IP addresses in the infected hosts feed therefore have threat level 10, which is why the infected host profile only needs a rule matching level 10.

To create the infected host profile, the CC profile, the security intelligence policy and the firewall policy:

  1. Define a profile for the infected host category and one for the CC (command and control) category. In this example, the infected host profile is named ih-profile and its action is block drop for anything with a threat level of 10. The CC profile is named cc-profile and applies to outbound requests to a C&C host, so add C&C rules to the profile (threat levels 8 and above are blocked).

    If a feed entry matches none of the threat-level rules, the profile's default rule decides what happens to it; configure the default rule explicitly with the command below.

    As of Junos 18.1R1, the block action supports HTTP URL redirection for infected hosts. During session processing, if the session's IP address is on the infected hosts list and the HTTP traffic uses port 80 or 8080, the HTTP request can be redirected to a notification URL. HTTP traffic on dynamic ports cannot be redirected. See the command below.

  2. Verify your configuration with the show services security-intelligence CLI command. It should look similar to this:
  3. Configure the security intelligence policy to include both profiles created in Step 1. In this example, the policy is named infected-host-cc-policy.
  4. Configure the firewall policy to include the security intelligence policy. This example uses the trust-to-untrust zone pair.
  5. Verify your configuration with the show security policies CLI command. It should look similar to this:
  6. Commit your changes.
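The following set-command sequence walks through Steps 1 to 6 end to end. It is an added example and is not taken from the original page or from Juniper's own documentation; the profile name ih-profile, the CC profile name cc-profile, the policy name infected-host-cc-policy, the Infected-Hosts and CC category names and the threat levels come from the steps above, while the firewall policy name ih-cc-policy, the rule names ih-rule and cc-rule and the redirect URL are hypothetical. The HTTP redirect line is shown commented out because its exact syntax varies by release; confirm it with `?` completion under `then action block` before committing.

```junos
# Step 1: infected-host profile. Every entry in the Infected-Hosts feed carries
# threat level 10, so one rule matching level 10 covers the whole feed.
set services security-intelligence profile ih-profile category Infected-Hosts
set services security-intelligence profile ih-profile rule ih-rule match threat-level 10
set services security-intelligence profile ih-profile rule ih-rule then action block drop
set services security-intelligence profile ih-profile rule ih-rule then log
# Default rule: applies to feed entries that match no rule above. Permit but log,
# so unexpected entries are visible rather than silently dropped or silently allowed.
set services security-intelligence profile ih-profile default-rule then action permit
set services security-intelligence profile ih-profile default-rule then log

# Optional (Junos 18.1R1 and later): instead of "block drop", close the session and
# redirect HTTP on port 80/8080 to a quarantine notice. Assumed syntax and a
# placeholder URL; verify with "?" in your release before use.
# set services security-intelligence profile ih-profile rule ih-rule then action block close http redirect-url http://notify.example.com/quarantined

# Step 1 (continued): C&C profile. Block outbound requests to C&C hosts rated 8 or above.
set services security-intelligence profile cc-profile category CC
set services security-intelligence profile cc-profile rule cc-rule match threat-level [ 8 9 10 ]
set services security-intelligence profile cc-profile rule cc-rule then action block drop
set services security-intelligence profile cc-profile rule cc-rule then log
set services security-intelligence profile cc-profile default-rule then action permit
set services security-intelligence profile cc-profile default-rule then log

# Step 3: security intelligence policy that binds a profile to each category.
set services security-intelligence policy infected-host-cc-policy Infected-Hosts ih-profile
set services security-intelligence policy infected-host-cc-policy CC cc-profile

# Step 4: trust-to-untrust firewall policy (ih-cc-policy is a hypothetical name).
# The feed is only downloaded once a policy like this references the SecIntel policy.
set security policies from-zone trust to-zone untrust policy ih-cc-policy match source-address any
set security policies from-zone trust to-zone untrust policy ih-cc-policy match destination-address any
set security policies from-zone trust to-zone untrust policy ih-cc-policy match application any
set security policies from-zone trust to-zone untrust policy ih-cc-policy then permit application-services security-intelligence-policy infected-host-cc-policy

# Steps 2 and 5: review the candidate configuration before committing.
show services security-intelligence
show security policies

# Step 6: commit.
commit
```

Strip the `#` comment lines before pasting into configuration mode. The trust-to-untrust policy above only enforces on outbound sessions; because an infected host should be quarantined in both directions, attach the same security-intelligence policy to the untrust-to-trust policy as well if inbound connections to internal hosts are possible. After the commit, `show services security-intelligence category summary` in operational mode confirms whether the Infected-Hosts and CC feeds have actually been downloaded, which is the first thing to check when blocking does not take effect.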