Juniper ATP Cloud Administrator Guide

Integrate AWS GuardDuty with vSRX Virtual Firewall

date_range 27-Sep-24

Solution Overview

Amazon Web Services (AWS) GuardDuty is a continuous security monitoring service that identifies unexpected, potentially unauthorized, and malicious activity within your AWS environment. The threats detected by AWS GuardDuty are sent as a security feed to the vSRX Virtual Firewall in your AWS environment. The vSRX Virtual Firewall can access the feed either by downloading it directly from the AWS S3 bucket or, if the firewall device is enrolled with ATP Cloud, by receiving it pushed to the device along with the ATP Cloud security intelligence (SecIntel) feeds. The vSRX Virtual Firewall can then act on the feed and block or log connections to the threat sources it identifies. For more information about AWS components, see AWS Documentation.

The deployment scenarios that are supported in this solution are:

  • Direct Integration of AWS GuardDuty with vSRX Virtual Firewall

    You don’t need a Juniper ATP Cloud license for this deployment. The threat feeds from AWS GuardDuty are processed by the AWS Lambda function and then stored in the AWS S3 bucket. You must configure and deploy the AWS Lambda function. Once deployed, the Lambda function translates the AWS GuardDuty findings into a list of malicious IP addresses and URLs. The resulting list is stored in a configured AWS S3 bucket in a format that the vSRX Virtual Firewall can ingest. You must configure the vSRX Virtual Firewall to periodically download the threat feeds from the AWS S3 bucket. You must also ensure that the IDP signature package is already available on your firewall device for traffic to hit the SecIntel policy.

    Figure 1: Direct Ingestion of threat feeds by vSRX Virtual Firewall
  • Integration of AWS GuardDuty with vSRX Virtual Firewall using ATP Cloud

    You must install a Juniper ATP Cloud license on your SRX Series Firewalls and vSRX Virtual Firewall for this deployment. For more information, see Software Licenses for ATP Cloud. The threat feeds from AWS GuardDuty are processed by the AWS Lambda function. You must configure and deploy the Lambda function and enable ATP Cloud on your vSRX Virtual Firewall. The AWS Lambda function sends the threat feed to ATP Cloud (uploading the feeds into the C&C category) using OpenAPIs. The threat feeds are then pushed to all enrolled vSRX Virtual Firewalls along with the ATP Cloud security intelligence (SecIntel) feeds.

    Figure 2: Ingestion of threat feeds through ATP Cloud

Workflow to Integrate AWS GuardDuty with vSRX Virtual Firewall

Retrieve Necessary Files from GitHub Repository

To retrieve necessary files:

  1. Navigate to GitHub repository https://github.com/Juniper/vSRX-AWS.
  2. Click the Code drop-down list.
  3. Click Download ZIP.

    The vSRX-AWS-master.zip file is downloaded onto your system. You will need the manifest.xml and cc_schema files found within the SRX-GD-Threatfeed folder.

Configure S3 Bucket

This step is required only if the threat feeds are directly ingested by the vSRX Virtual Firewall. You need not configure an S3 bucket if the threat feeds are ingested through ATP Cloud.

  1. Log in to your AWS Management console and navigate to the Create Bucket page.
  2. Assign a name and a region to the S3 Bucket.
  3. Uncheck the Block all public access option.
  4. Leave the remaining options in the default states and click Create bucket.
    The green alert at the top confirms that the new bucket was created.
  5. Click the newly created bucket to view more options.
  6. Under the Objects tab, upload the two files retrieved earlier by clicking Upload and then Add Files.
  7. Navigate to the cc_schema and manifest files and then click Upload.
  8. Select the two files, now listed on the Objects tab, and then click the Actions drop-down list.
  9. Choose Make Public.
    This action enables anyone to access and read the files.
  10. Click Make Public.
    Best Practice:
    • Make a note of the S3 bucket name for future reference.
    • The S3 bucket access must always be public so that the SRX Series Firewall can download the files and feed from the S3 bucket.
    • Configure the S3 bucket such that download or read operations do not require any API keys.
    • Write access on the S3 bucket is only available to the Lambda function.
    • For S3 configuration details, see Setting up Amazon S3.

Configure GuardDuty

GuardDuty findings can be exported either to an S3 bucket or to CloudWatch Events. In this solution we export the findings to CloudWatch Events. A CloudWatch Events rule then triggers the Lambda function, which converts the findings into a format compatible with the vSRX Virtual Firewall and pushes them to the AWS S3 bucket.

To configure AWS GuardDuty:

  1. Log in to your AWS account.
  2. Click Services tab and search for GuardDuty.
  3. Select GuardDuty service.

    The GuardDuty Findings page appears displaying the list of events that are generated by GuardDuty.

  4. Click Settings in the left pane.

    The About GuardDuty page appears.

  5. In the Finding export options section, select the frequency for updated findings. The available options are:
    • Update CWE and S3 every 6 hours (default)
    • Update CWE and S3 every 1 hour
    • Update CWE and S3 every 15 minutes

  6. Choose an option and click Save.

    Based on the frequency that you select, the GuardDuty service generates events at regular intervals and shares them with the CloudWatch Events (CWE) service.

Configure Lambda Function

The AWS Lambda function uploads GuardDuty findings to ATP Cloud using the ATP Cloud OpenAPI. The Lambda function also updates the AWS S3 bucket with feed information in the standard SRX manifest file format. Lambda must be configured with the application token generated per realm in the ATP Cloud Web Portal. The threat feed is available under the C&C category.

To create the Lambda function:

  1. Navigate to Services > Lambda.
  2. Click Create Function.
  3. Assign a name to the Lambda function.
  4. Choose the runtime language the function will be written in, for example, Python 3.6.
  5. In the Execution role section, choose Use an existing role.
  6. In the Existing role drop-down list, select the guardduty-lambdarole-test option.

    Open the link that now appears below the drop-down list to review the role details.

    Note:

    You must provide an appropriate Identity and Access Management (IAM) role. Create a new IAM role and assign it to the Lambda function. This enables the Lambda function to upload, write, and read objects to and from the S3 bucket. For more information, see Create an IAM user.

  7. With the role details in order, return to the Lambda page and click Create Function.
  8. Upload the Lambda file:
    1. Log in to GitHub repository https://github.com/Juniper/vSRX-AWS, navigate to SRX-GD-ThreatFeed folder, and download the SRX-GD-ThreatFeed.zip lambda file.
    2. Navigate to Lambda > Functions > your_lambda_function_name.
    3. Click Actions > Upload a .zip file. Upload SRX-GD-ThreatFeed.zip file from Function code section.
    4. Click OK.

      The Lambda configurations are displayed in the Environment variables section. Follow the guidelines in Table 1 to configure Lambda.

  9. Configure the Lambda function:
    1. Navigate to Lambda > Functions > your_lambda_function_name > Edit Environment variables.
    2. Complete the configuration according to the guidelines provided in Table 1.

      Table 1: AWS Lambda Configurations

      Parameter: MAX_ENTRIES
      Description: Defines the maximum number of entries that are retained in the corresponding data file. Older entries expire once this limit is reached.
      Default value: 10000
      Range: 1000-100000
      Example: 1000

      Parameter: IP_FEED_NAME
      Description: Defines the CC IP feed name, which is also the key name for the S3 data file. If a false-alarm entry needs to be removed, you must manually delete it from the corresponding key derived from the IP_FEED_NAME parameter.
      Example: custom_cc_(content_type)_data

      Parameter: DNS_FEED
      Description: Defines the CC DNS feed name, which is also the key name for the S3 data file. If a false-alarm entry needs to be removed, you must manually delete it from the corresponding key derived from the DNS_FEED parameter.
      Example: custom_cc_dns_(content_type)_data

      Parameter: S3_BUCKET
      Description: Name of the S3 bucket. The bucket name is also used in the S3 URL.
      Example: guardduty-integration-test

      Parameter: SEVERITY_LEVEL
      Description: Level at or beyond which AWS GuardDuty event IPs/URLs are added to the feed file.
      Note: Severity Level maps one-to-one with ATP Cloud Threat Levels.
      Default value: 8
      Range: 1-10
      Example: 4

      Parameter: SKY_APPLICATION_TOKEN
      Description: Used to upload entries into ATP Cloud through the OpenAPI. You must log in to the Juniper ATP Cloud Web Portal and generate the application token. You must have at least one device configured with a premium license to generate the application token. For more information, see Software Licenses for ATP Cloud.
      Example: TOKEN_VALUE

      Parameter: SKY_OPENAPI_BASE_PATH
      Description: Base path for the Sky Open APIs, which are used to upload feeds from the Lambda function to ATP Cloud.
      Example: https://threat-api.sky.junipersecurity.net/v1/cloudfeeds

      Parameter: FEED_TTL
      Description: Use the Time to Live (TTL) to specify the number of days for the feed to be active. The feed entries expire on the SRX Series Firewall if they are not updated within the TTL.
      Default value: 3456000
      Range: 86400-31556952

      Parameter: FEED_UPDATE_INTERVAL
      Description: Update interval for the feeds.
      Default value: 300
      Range: 300-86400

      Note:
      • For direct ingestion of threat feeds by vSRX firewalls, you need not define the SKY_APPLICATION_TOKEN and SKY_OPENAPI_BASE_PATH parameters. If these parameters are not configured, the feeds are uploaded directly to the AWS S3 bucket.
      • For ingestion of threat feeds through ATP Cloud, you must define the SKY_APPLICATION_TOKEN and SKY_OPENAPI_BASE_PATH parameters. These parameters are required to upload the feeds from AWS Lambda to ATP Cloud. You need not define the S3_BUCKET parameter.

  10. Configure the time-out setting. Navigate to Lambda > Functions > your_lambda_function_name > Basic settings and update Timeout to 10 seconds.
  11. Click Save.
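The filtering that the Lambda stage performs on each finding, shown here as an added illustration (this is not the SRX-GD-ThreatFeed code from the vSRX-AWS repository): keep findings at or above SEVERITY_LEVEL, take the remote IPs and domains out of them, map the severity onto a 1-10 threat level, and retain at most MAX_ENTRIES with the oldest expiring first. The sample events are constructed, and the field paths (detail.severity, service.action.*.remoteIpDetails.ipAddressV4, dnsRequestAction.domain) are assumed from the GuardDuty finding format delivered by CloudWatch Events.

```python
"""Severity filtering and MAX_ENTRIES retention for GuardDuty findings.
Added example; field paths are an assumption based on the GuardDuty finding format."""
import os
from collections import OrderedDict

# Same names and defaults as the Lambda environment variables in Table 1.
SEVERITY_LEVEL = int(os.environ.get("SEVERITY_LEVEL", "8"))
MAX_ENTRIES = int(os.environ.get("MAX_ENTRIES", "10000"))


def threat_level(severity):
    """Map a GuardDuty severity (a float up to 8.9) onto an integer 1-10 threat level.
    The page states the mapping is one-to-one; rounding to nearest is an assumption here."""
    return max(1, min(10, int(round(float(severity)))))


def extract_indicators(finding):
    """Return (ips, domains) referenced by one finding's service.action block.
    IPs belong in the IP_FEED_NAME file, domains in the DNS_FEED file."""
    action = finding.get("service", {}).get("action", {})
    ips, domains = [], []
    for key in ("networkConnectionAction", "awsApiCallAction"):
        ip = action.get(key, {}).get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            ips.append(ip)
    for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
        ip = probe.get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            ips.append(ip)
    domain = action.get("dnsRequestAction", {}).get("domain")
    if domain:
        domains.append(domain)
    return ips, domains


def update_feed(feed, event, severity_level=SEVERITY_LEVEL, max_entries=MAX_ENTRIES):
    """Apply one CloudWatch event carrying a GuardDuty finding to the IP feed.
    feed is an OrderedDict {ip: threat_level}; insertion order is age order,
    so when max_entries is exceeded the oldest entries are dropped."""
    if event.get("detail-type") != "GuardDuty Finding":
        return feed
    finding = event.get("detail", {})
    severity = float(finding.get("severity", 0))
    if severity < severity_level:
        return feed  # below the configured threshold: not added to the feed
    ips, _domains = extract_indicators(finding)
    for ip in ips:
        feed.pop(ip, None)           # re-insert so a repeated hit counts as fresh
        feed[ip] = threat_level(severity)
    while len(feed) > max_entries:
        feed.popitem(last=False)     # expire the oldest entry
    return feed


# Constructed sample events shaped like GuardDuty findings from CloudWatch Events.
SAMPLE_EVENTS = [
    {"detail-type": "GuardDuty Finding", "detail": {"severity": 8.0,
        "service": {"action": {"networkConnectionAction": {
            "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}}}}},
    {"detail-type": "GuardDuty Finding", "detail": {"severity": 5.0,
        "service": {"action": {"portProbeAction": {"portProbeDetails": [
            {"remoteIpDetails": {"ipAddressV4": "203.0.113.9"}}]}}}}},
    {"detail-type": "GuardDuty Finding", "detail": {"severity": 8.9,
        "service": {"action": {"dnsRequestAction": {"domain": "c2.example"}}}}},
]


def build_feed(events, severity_level=SEVERITY_LEVEL, max_entries=MAX_ENTRIES):
    """Fold a batch of events into a fresh IP feed."""
    feed = OrderedDict()
    for ev in events:
        update_feed(feed, ev, severity_level, max_entries)
    return feed


if __name__ == "__main__":
    print(dict(build_feed(SAMPLE_EVENTS)))  # {'198.51.100.7': 8}
```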

Configure CloudWatch

Create rules and specify the event source (GuardDuty) and event target (Lambda function).

To create rules:

  1. Select Events > Rules.

    The Rules page appears.

  2. Click Create Rule.
  3. Under Event Source section, select the service name as GuardDuty and event type as GuardDuty Finding.
  4. In the Targets section, click Add Targets and ensure the Lambda function is selected.

    With GuardDuty as the event source and the Lambda function as the target, each GuardDuty finding invokes the function, and CloudWatch Logs Insights lets you search and analyze the resulting logs.

  5. Click Configure Details.
  6. On the Rule Definition page, specify a name for the rule.
  7. Click Create Rule.

Configure Direct Integration of vSRX Virtual Firewall with AWS GuardDuty

The following section lists the CLI configurations that are required on vSRX Virtual Firewall.

This example configures a profile name, a profile rule, and the threat level scores. Anything that matches these threat level scores is considered malware or an infected host. The ATP Cloud threat level maps one-to-one with the severity level in AWS GuardDuty.

Note:

You can change the severity level in AWS GuardDuty anytime, but the severity level must always match the threat level that you configure on your vSRX Virtual Firewall.

To configure vSRX Virtual Firewall with AWS GuardDuty (without using ATP Cloud):

  1. Open a console window and log in to the vSRX Virtual Firewall.

    login as: root@user-vsrx

    % cli

  2. Issue the show configuration command to view the existing SecIntel details.

    root@user-vsrx> show configuration | display set | match security-intel

  3. Ensure that the IDP security package is downloaded to your vSRX Virtual Firewall. To manually download and install the IDP security package from the Juniper Security Engineering portal, use the following commands:

    root@user-vsrx> request security idp security-package download

    Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi).
    Version info:3383(Tue May 18 14:38:22 2021 UTC, Detector=12.6.180210326)
    root@user-vsrx> request security idp security-package download status
    Done;Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi).
    Version info:2014(Thu Oct 20 12:07:01 2011, Detector=11.6.140110920)

    root@user-vsrx> request security idp security-package install

    Done;Attack DB update : successful - [UpdateNumber=3383,ExportDate=Tue May 18
    14:38:22 2021 UTC,Detector=12.6.180210326]
    Updating control-plane with new detector : successful
    Updating data-plane with new attack or detector : not performed due to no
    active policy configured.

    root@user-vsrx> request security idp security-package install status

    Done; policy-template has been successfully updated into internal repository
    (=>/var/db/scripts/commit/templates.xsl)!
  4. Enter configuration mode.

    root@user-vsrx> configure

  5. Configure the security intelligence URL.

    root@user-vsrx# set services security-intelligence url https://guardduty-integration-test.s3-us-west-2.amazonaws.com/manifest.xml

  6. Configure the security intelligence profile and policy. In this example the profile name is secintel_profile and threat levels 8 and above are blocked.
    root@user-vsrx# set services security-intelligence profile secintel_profile category CC
    root@user-vsrx# set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 8
    root@user-vsrx# set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 9
    root@user-vsrx# set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 10
    root@user-vsrx# set services security-intelligence profile secintel_profile rule secintel_rule then action block drop
    root@user-vsrx# set services security-intelligence profile secintel_profile rule secintel_rule then log
    root@user-vsrx# set services security-intelligence policy secintel_policy CC secintel_profile
  7. Configure a security policy and assign the security intelligence policy to the security policy.

    root@user-vsrx# set security policies from-zone trust to-zone untrust policy 1 match source-address any

    root@user-vsrx# set security policies from-zone trust to-zone untrust policy 1 match destination-address any

    root@user-vsrx# set security policies from-zone trust to-zone untrust policy 1 match application any

    root@user-vsrx# set security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy secintel_policy

  8. Run the request services security-intelligence download status command to check the SecIntel feed download status.

    root@user-vsrx# request services security-intelligence download status

    Security intelligence feed download status:
    Start time:Thu Feb 4 20:46:13 2021
    Start downloading the latest manifest.
    Start parsing manifest file.
    Parse manifest succeeded, version: fd36ca761080aa10910763a8ee0d6104. 
    Start handling new category: CC.
    Start downloading schema of category CC.
    Start parsing schema of category CC. 
    ...
    End time:Thu Feb 4 20:46:14 2021

    The vSRX Virtual Firewall has started checking for both DNS and IP Feeds for the CC category, which we configured earlier with the Lambda function.

  9. Run the following command to display the details for the SecIntel category.
    root@user-vsrx# show services security-intelligence category detail category-name CC feed-name cc_guardduty_ip count 10 start 0 all-logical-systems-tenants
    Category name :CC
      Feed name   :cc_guardduty_ip
      Version     :N/A
      Objects number:320
      Create time :02-04 20:26:08 PST
      Update time :02-04 20:46:14 PST
      Update status :Store succeeded
      Expired     :No
      Options     :N/A
    
  10. Issue the run show security dynamic-address category-name CC command to view the matching entries.
    No.   IP-start         IP-end           Feed     Address
    1     10.0.210.98      10.0.210.98      CC/1     ID-fffc081a
    2     10.1.238.97      10.1.238.97      CC/1     ID-fffc081a
    3     10.53.88.149     10.53.88.149     CC/1     ID-fffc081a
    4     10.54.200.84     10.54.200.84     CC/1     ID-fffc081a
    5     10.55.105.189    10.55.105.189    CC/1     ID-fffc081a
    6     10.80.62.249     10.80.62.249     CC/1     ID-fffc081a
    7     10.87.149.74     10.87.149.74     CC/1     ID-fffc081a
    8     10.171.46.235    10.171.46.235    CC/1     ID-fffc081a
    9     10.177.144.242   10.177.144.242   CC/1     ID-fffc081a
    ...
    Instance default Total number of matching entries: 65

    The listed IP addresses show that the vSRX Virtual Firewall is receiving the feed and is directly integrated with AWS GuardDuty.

To check the security intelligence statistics, use the show services security-intelligence statistics command.

> show services security-intelligence statistics 
Logical system: root-logical-system
Category CC:
  Profile secintel_profile:
    Total processed sessions: 0
    Permit sessions:          0
    Block drop sessions:      0
    Block close sessions:     0
    Close redirect sessions:  0

Configure vSRX Virtual Firewall with AWS GuardDuty using ATP Cloud

To configure vSRX Virtual Firewall with AWS GuardDuty using ATP Cloud:

  1. Install ATP Cloud license.
  2. Enroll vSRX Virtual Firewall to ATP Cloud. See Enroll an SRX Series Firewall using Juniper ATP Cloud Web Portal.

    root@user-vsrx# request services advanced-anti-malware enroll https://amer.sky.junipersecurity.net/v2/skyatp/ui_api/bootstrap/enroll/HASH/HASH.slax

    The enrollment script generates the aamw-ssl TLS profile, which is used in Step 3.
  3. Configure the security intelligence URL and its authentication profile.

    set services security-intelligence url https://cloudfeeds.argonqa.junipersecurity.net/api/manifest.xml

    set services security-intelligence authentication tls-profile aamw-ssl
  4. Configure the security intelligence profiles and policies. In this example the profile name is secintel_profile and threat levels 8 and above are blocked.

    set services security-intelligence profile secintel_profile category CC

    set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 8

    set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 9

    set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 10

    set services security-intelligence profile secintel_profile rule secintel_rule then action block drop

    set services security-intelligence profile secintel_profile rule secintel_rule then log

    set services security-intelligence profile ih_profile category Infected-Hosts

    set services security-intelligence profile ih_profile rule ih_rule match threat-level 8

    set services security-intelligence profile ih_profile rule ih_rule match threat-level 9

    set services security-intelligence profile ih_profile rule ih_rule match threat-level 10

    set services security-intelligence profile ih_profile rule ih_rule then action block drop

    set services security-intelligence profile ih_profile rule ih_rule then log

    set services security-intelligence policy secintel_policy Infected-Hosts ih_profile

    set services security-intelligence policy secintel_policy CC secintel_profile

  5. Configure a security policy and assign the security intelligence policy to the security policy.

    set security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy secintel_policy

    commit

To check the security-intelligence status, use the show services security-intelligence update status command.

show services security-intelligence update status
Current action :Downloading feed cc_ip_data (20200330.35) in category CC.
Last update status :Feed cc_ip_data (20200330.4) of category CC not changed
Last connection status:succeeded
Last update time :2020-03-30 14:42:05 PDT

To check the security intelligence statistics, use the show services security-intelligence statistics command.

> show services security-intelligence statistics
Logical system: root-logical-system
Category Whitelist:
Profile Whitelist:
Total processed sessions: 337
Permit sessions: 0
Category Blacklist:
Profile Blacklist:
Total processed sessions: 337
Block drop sessions: 0
Category CC:
Profile secintel_profile:
Total processed sessions: 337
Permit sessions: 0
Block drop sessions: 337
Block close sessions: 0
Close redirect sessions: 0
Category Infected-Hosts:
Profile ih_profile:
Total processed sessions: 0
Permit sessions: 0
Block drop sessions: 0
Block close sessions: 0
Close redirect sessions: 0

No additional configuration is required in the ATP Cloud Web portal when the vSRX Virtual Firewall is integrated with ATP Cloud. All settings, including the SecIntel configuration, are created automatically while enrolling the vSRX Virtual Firewall with ATP Cloud.

Use case for AWS GuardDuty

In this example, we configure the vSRX Virtual Firewall to download the threat feeds.

  1. Log in to the vSRX Virtual Firewall.

    login as: root@user-vsrx

    % cli

  2. Issue the show configuration command to view the existing SecIntel details.
    root@user-vsrx> show configuration | display set | match security-intel
  3. Enter configuration mode.
    root@user-vsrx> configure
  4. Configure the SecIntel URL on the SRX Series Firewall:

    root@user-vsrx# set services security-intelligence url guardduty-url

  5. Commit the configuration.
    root@user-vsrx# commit
  6. Run cat /var/db/secinteld/tmp/manifest.xml from the shell and verify that the manifest file was downloaded successfully.
  7. If it was not, run the following command:
    root@user-vsrx> request services security-intelligence download
  8. Verify that the manifest file is now downloaded successfully.
  9. Once the manifest file is downloaded, run the following commands.

    root@user-vsrx> show services security-intelligence category detail category-name CC feed-name feed_name_gd

    Category name   :CC
      Feed name     :cc_guardduty_ip
      Version       :20210518.142
      Objects number:974
      Create time   :2021-05-18 10:01:06 PDT
      Update time   :2021-05-18 10:33:23 PDT
      Update status :Store succeeded
      Expired       :No
      Options       :N/A
    
  10. Run the following command from CLI to check if the feed is present under the dynamic address:

    root@user-vsrx> show security dynamic-address category-name CC

    No.     IP-start             IP-end               Feed           Address
    1       1.0.210.98           1.0.210.98           CC/1           ID-fffc081a
    2       1.1.153.43           1.1.153.43           CC/1           ID-fffc081a
    3       1.1.201.151          1.1.201.151          CC/1           ID-fffc081a
    4       1.1.238.97           1.1.238.97           CC/1           ID-fffc081a
    5       1.4.157.88           1.4.157.88           CC/1           ID-fffc081a
    6       1.4.205.9            1.4.205.9            CC/1           ID-fffc081a
    
  11. Pick any IP address from the list, for example, 1.0.210.98, run a ping test from the client, and verify that the SecIntel CC block drop counters are incrementing.

    You should be able to get a response for the ping. Make sure you verify that the traffic passing from the client is hitting the SecIntel policy on the SRX Series Firewall.

    Note:

    The IDP signature package is required for traffic to hit the SecIntel policy; run the request security idp security-package download command if you do not have the signature package already.

    Run the root@user-vsrx> show security flow session source-prefix Client_IP command, then check the counters with show services security-intelligence statistics.

    show services security-intelligence statistics  
      
    Logical system: root-logical-system
    Category Whitelist:
      Profile Whitelist:
        Total processed sessions: 38
        Permit sessions:          0
    Category Blacklist:
      Profile Blacklist:
        Total processed sessions: 38
        Block drop sessions:      0
    Category CC:
      Profile secintel_profile:
        Total processed sessions: 38
        Permit sessions:          0
        Block drop sessions:      18
        Block close sessions:     0
        Close redirect sessions:  0
    