Configuration for Infected Hosts

Threat Level Threshold for Blocking

Set the global threat level at which infected hosts are blocked. When a host is found to be compromised, it is assigned a threat level from 1 to 10, with 10 being the highest threat. Compromised hosts whose threat level is at or above the global threshold you set here are added to the infected hosts lists and can then be blocked by policies configured on the SRX Series Firewall. See Hosts Overview and Configure the SRX Series Firewall to Block Infected Hosts for more information.

You can configure Juniper ATP Cloud to send e-mails when certain threat levels are reached for infected hosts. For example, you can send e-mails to an IT department when thresholds of 5 are met and send e-mails to an escalation department when thresholds of 9 are met.

You can send e-mails to any account; you are not restricted to administrator e-mails defined in the Users window. The Web UI does not verify if an e-mail account is valid.

Configure Threat Level Threshold for Blocking and Email Alerts

Benefits of the Global Infected Hosts Alerts

  • Email alerts for infected hosts call immediate attention to administrators when a possible network security issue arises.

  • Email alerts can be configured for only specific administrators and not all users of the web portal, targeting alerts more narrowly.

  1. Select Configure > Infected Hosts.

  2. (Premium licenses only) Set the default threat level threshold.

  3. Click the plus sign to create e-mail alerts, or click the pencil icon to edit existing ones. Configure the fields described in the table below.

  4. Click OK.

Table 1: Email alerts for infected hosts fields

  Setting        Guideline
  Threat Level   Select a threat level between 1 and 10. When this level is reached, an e-mail is sent to the address you provided.
  E-mail         Enter an e-mail address.

Automatically Expire Blocked Hosts

When a host is marked as infected and added to the infected hosts feed, it is blocked from the network by policies configured on the SRX Series Firewall. There are options for unblocking individual hosts on the Host Details page in the Juniper ATP Cloud Web Portal. See Hosts Overview for information. If you want to unblock multiple host IP addresses based on time period and threat level, you would use the Automatically Expire Blocked Hosts feature on the Infected Hosts page in the Web Portal.

From the Global Infected Hosts page, you can set infected hosts to expire after a configured time based on a minimum and maximum threat level. Once the time period is reached, blocked IP addresses are no longer marked as infected and therefore no longer blocked.

One example of when you might use this feature is if you are using DHCP addressing and reallocating addresses on a set schedule. In that case, you may want to set an expiration time for infected hosts (based on IP address lease times), after which addresses are no longer marked as infected.

Configure Automatic Expiration of Infected Hosts

  1. Select Configure > Infected Hosts.

  2. (System Administrators and Operators only) Enable Automatically Expire Blocked Hosts and select one of the following:

    • Expire all hosts

    • Expire a range of hosts—Enter a range of IPv4 or IPv6 addresses.

      Either of the following IPv4 formats is valid: 1.2.3.4/30 or 1.2.3.4-1.2.3.6

      Either of the following IPv6 formats is valid: 1111::1-1111::9 or 1111:1::0/64

      Note:

      No more than a block of /16 IPv4 addresses and /48 IPv6 addresses are accepted. For example, 10.0.0.0-10.0.255.255 is valid, but 10.0.0.0-10.1.0.0 is not.

      Bitmasks: In a subnet entry, the shortest prefix accepted is /16 for IPv4 and /48 for IPv6, so a single entry can cover at most a /16 IPv4 block or a /48 IPv6 block. For example, 10.0.0.0/15 and 1234::/47 are not valid. CIDR notation is also accepted.

  3. For both Expire all hosts and Expire a range of hosts, you must also set an expiration time and threat levels. Click the plus (+) sign to create a new entry and set the following in the Expiration Time table.

    Table 2: Expiration time fields

      Setting                        Guideline
      Set the Minimum Threat Level   Click the table entry under Minimum Threat Level to access a pulldown menu. Select a minimum threat level (1-10). The level you select is inclusive: hosts at exactly that level are covered.
      Set the Maximum Threat Level   Click the table entry under Maximum Threat Level to access a pulldown menu. Select a maximum threat level (1-10). The level you select is inclusive: hosts at exactly that level are covered.
      Set the Hours to Unblock       Click the table entry under Hours to Unblock. You can select Never, 6, 12, 18, or 24 hours. After the set number of hours, the infected label expires and the hosts are no longer blocked.

    For example, if you set the minimum to 6, the maximum to 8, and hours to unblock to 24, all infected hosts with a threat level from 6 through 8 (inclusive) expire after 24 hours.

    Note:

    You can create multiple entries in this table, setting different expiration times for different threat levels.

    Once unblock settings are entered in the table, you can use the table to change existing settings or to delete settings.

  4. You must click Save or your settings are lost.
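The range limits in the note under step 2 and the inclusive threat-level bounds in Table 2 together describe a small policy. The Python script below is an added example, not Juniper code and not an ATP Cloud API: it validates an "Expire a range of hosts" value against the /16 (IPv4) and /48 (IPv6) limits, in both CIDR and dash-range form, and works out which blocked hosts would have their infected label expire under a given Expiration Time table. The host records, the reference time, and the rule that the first matching table entry wins for overlapping entries are constructed assumptions; the page does not say how overlapping entries are resolved.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Widest range the page says is accepted: a /16 for IPv4, a /48 for IPv6.
MAX_ADDRESSES = {4: 2 ** (32 - 16), 6: 2 ** (128 - 48)}

# "Hours to Unblock" choices from Table 2; None stands for "Never".
ALLOWED_HOURS = (None, 6, 12, 18, 24)


def parse_expire_range(text: str) -> list:
    """Parse one 'Expire a range of hosts' value into ip_network objects.

    Accepts CIDR ('1.2.3.4/30', '1111:1::0/64') or a dash range
    ('1.2.3.4-1.2.3.6', '1111::1-1111::9'); raises ValueError for anything
    wider than the /16 (IPv4) or /48 (IPv6) limit the page states.
    """
    text = text.strip()
    if "-" in text:
        lo_s, hi_s = (part.strip() for part in text.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != hi.version:
            raise ValueError(f"{text!r}: mixed IPv4/IPv6 endpoints")
        if hi < lo:
            raise ValueError(f"{text!r}: range end precedes range start")
        nets = list(ipaddress.summarize_address_range(lo, hi))
    else:
        # strict=False lets a host address with a prefix through, as in the page's examples.
        nets = [ipaddress.ip_network(text, strict=False)]
    version = nets[0].version
    total = sum(net.num_addresses for net in nets)
    if total > MAX_ADDRESSES[version]:
        raise ValueError(
            f"{text!r} covers {total} addresses; IPv{version} limit is {MAX_ADDRESSES[version]}"
        )
    return nets


def is_valid_range(text: str) -> bool:
    """True if the Web UI would accept this range value under the page's rules."""
    try:
        parse_expire_range(text)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class ExpirationEntry:
    """One row of the Expiration Time table; both threat-level bounds are inclusive."""
    min_level: int
    max_level: int
    hours: Optional[int]  # None means "Never"

    def __post_init__(self) -> None:
        if not (1 <= self.min_level <= self.max_level <= 10):
            raise ValueError("threat levels must satisfy 1 <= min <= max <= 10")
        if self.hours not in ALLOWED_HOURS:
            raise ValueError(f"hours must be one of {ALLOWED_HOURS}")

    def matches(self, level: int) -> bool:
        return self.min_level <= level <= self.max_level


@dataclass(frozen=True)
class InfectedHost:
    ip: str
    threat_level: int
    blocked_at: datetime


def hosts_to_unblock(hosts: List[InfectedHost], entries: List[ExpirationEntry],
                     now: datetime, ranges: Optional[list] = None) -> List[str]:
    """Return the IPs whose infected label has expired at `now`.

    ranges=None models 'Expire all hosts'; otherwise only hosts inside one of
    the parsed networks are considered. Assumption: the first matching table
    entry wins when entries overlap.
    """
    unblock = []
    for host in hosts:
        addr = ipaddress.ip_address(host.ip)
        if ranges is not None and not any(addr in net for net in ranges):
            continue
        entry = next((e for e in entries if e.matches(host.threat_level)), None)
        if entry is None or entry.hours is None:
            continue  # no row covers this level, or the row says Never
        if now - host.blocked_at >= timedelta(hours=entry.hours):
            unblock.append(host.ip)
    return unblock


# Constructed sample data (not from the page): a fixed reference time and five hosts.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_HOSTS = [
    InfectedHost("10.0.1.5", 7, NOW - timedelta(hours=30)),      # level 6-8, past 24 h -> expires
    InfectedHost("10.0.1.6", 7, NOW - timedelta(hours=10)),      # level 6-8, only 10 h -> stays
    InfectedHost("10.0.1.7", 9, NOW - timedelta(hours=100)),     # level 9-10 row says Never
    InfectedHost("10.0.1.8", 3, NOW - timedelta(hours=100)),     # no row covers level 3
    InfectedHost("192.168.1.1", 7, NOW - timedelta(hours=30)),   # outside the configured range
]
SAMPLE_ENTRIES = [
    ExpirationEntry(6, 8, 24),     # the page's own example: levels 6-8 expire after 24 hours
    ExpirationEntry(9, 10, None),  # keep the highest-threat hosts blocked
]


def demo() -> List[str]:
    ranges = parse_expire_range("10.0.0.0-10.0.255.255")  # exactly a /16: accepted
    return hosts_to_unblock(SAMPLE_HOSTS, SAMPLE_ENTRIES, NOW, ranges)


if __name__ == "__main__":
    print(demo())
```

Running the script lists only 10.0.1.5: the other hosts are either still inside their expiry window, covered by a Never row, below every configured minimum, or outside the configured range. Switching to "Expire all hosts" (ranges=None) would also release 192.168.1.1.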