Encrypted Traffic Insights Details
To access this page, navigate to Monitor > Encrypted Traffic and click any of the External Server IP address links.
Use the Encrypted Traffic Insights Details page to view analysis information and a threat summary for the external server. The following information is displayed for each server:
Total Hits
Threat Summary (Location, Category, Time last seen)
Ports and protocols used
The encrypted traffic insights details page is divided into several sections:
Table 1 lists the actions that you can perform on this page using the options available in the upper right corner of the page.
Button/Link | Purpose |
---|---|
Select Option > Add to Whitelist | Choose this option to allowlist the server from detections based on encrypted traffic insights. Note: You can also allowlist servers from the Configure > Whitelists > ETA page. |
Select Option > Report False Positive | Choose this option to send a report to Juniper Networks, informing Juniper of a false positive. Juniper will investigate the report; however, this does not change the verdict. |
Under Time Range is a graph displaying the frequency of events over time. An event occurs when a host communicates with the external server IP address (either sending or receiving data). You can filter this information by clicking the time frame links: 1 day, 1 week, 1 month, Custom (select your own time frame).
Hosts is a list of hosts that have contacted the external server. Table 2 lists the information provided in this section.
Field | Definition |
---|---|
Client Host | The name of the host in contact with the external server. |
Client IP Address | The IP address of the host in contact with the external server. (Click through to the Host Details page for this host IP address.) |
Threat Level at Time | The threat level of the external server as determined by an analysis of actions and behaviors at the time of the event. |
Status | The action taken by the device on the communication (whether it was permitted or blocked). Note: At this point in time, encrypted traffic insights only detects malicious threats but does not block them. Actions such as blocking are handled by features such as infected hosts, based on the host threat score and customer policies. |
Protocol | The protocol (https) the external server used to attempt communication. |
Source Port | The port the external server used to attempt communication. |
Uploaded | Number of bytes uploaded to the server. |
Downloaded | Number of bytes downloaded from the server. |
Device Name | The name of the SRX Series Firewall in contact with the external server. |
Date/Time Seen | The date and time of the most recent external server hit. |
Username | The name of the host user in contact with the external server. |
Select a client host and click Download packet to download the packet capture details and view more information about the network/SSL traffic.
Domains is a list of domains that the IP address has previously used at the time of suspicious events. If an external IP address is seen changing its DNS/domain name to evade detection, the various names used are listed along with the dates on which they were seen.
Field | Definition |
---|---|
C&C Host | This is a list of domains the destination IP addresses in the external server events resolved to. |
Last Seen | The date and time of the most recent external server hit. |
Signatures is a list of the threat indicators associated with the IP address.
Field | Definition |
---|---|
Name | The name or type of detected malware. |
Category | Description of the malware and way in which it may have compromised a resource or resources. |
Date | The date the malware was seen. |
Certificates is a list of certificates associated with the external server. Click View Certificate or Download Certificate to view or download a certificate.
Field | Definition |
---|---|
Subject | Specifies the IP address of the external server. |
Issuer | Specifies the authority that issued the certificate. |
SHA1 | SHA1 hash of the server certificate. |
Date/Time Seen | The date and time when the SHA1 file was last updated. |
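As an added example (not Juniper's code), the following stdlib-only Python check verifies that a certificate obtained via Download Certificate hashes to the SHA1 value listed in the Certificates table, accepting either PEM or raw DER input and tolerating the colon/case differences between how the portal and other tools print fingerprints. The sample bytes are constructed for the example and are not a real X.509 certificate.

```python
import base64
import hashlib

# Constructed stand-in for a downloaded certificate: NOT a real X.509 certificate,
# just bytes so the helpers can be exercised offline.
SAMPLE_DER = bytes(range(48)) * 3  # 144 bytes of stand-in "DER"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def load_certificate(data):
    """Return DER bytes for a downloaded certificate, accepting PEM text or raw DER."""
    if isinstance(data, str):
        data = data.encode("ascii")
    if b"-----BEGIN CERTIFICATE-----" not in data:
        return data  # already DER, hash it as-is
    body, inside = [], False
    for line in data.splitlines():
        line = line.strip()
        if line == b"-----BEGIN CERTIFICATE-----":
            inside = True
        elif line == b"-----END CERTIFICATE-----":
            break
        elif inside:
            body.append(line)
    if not body:
        raise ValueError("malformed PEM: no certificate body found")
    return base64.b64decode(b"".join(body), validate=True)


def sha1_fingerprint(der):
    """Colon-separated, uppercase SHA1 fingerprint of the DER encoding (the usual display form)."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(value):
    """Strip separators and case so portal and tool output compare equal."""
    return value.replace(":", "").replace(" ", "").lower()


def fingerprint_matches(cert_data, listed_sha1):
    """True when the downloaded certificate hashes to the SHA1 shown in the portal."""
    actual = sha1_fingerprint(load_certificate(cert_data))
    return normalize_fingerprint(actual) == normalize_fingerprint(listed_sha1)
```

A mismatch means the file you hold is not the certificate the portal recorded for that server, so any allowlisting decision should be based on the listed hash rather than the downloaded copy.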