Configuration for Infected Hosts
Threat Level Threshold for Blocking
Set the global threat level threshold at which infected hosts are blocked. When a host is found to be compromised, it is assigned a threat level from 1 to 10, with 10 being the highest threat. Hosts whose threat level is at or above the threshold you set here are added to the infected hosts feed and can then be blocked by policies configured on the SRX Series Firewall. See Hosts Overview and Configure the SRX Series Firewall to Block Infected Hosts for more information.
You can configure Juniper ATP Cloud to send e-mails when infected hosts reach certain threat levels. For example, you can send e-mails to an IT department when a threshold of 5 is met and to an escalation department when a threshold of 9 is met.
You can send e-mails to any account; you are not restricted to the administrator e-mails defined in the Users window. The Web UI does not verify that an e-mail address is valid, so check the address you enter carefully: a typo silently disables the alert.
Configure Threat Level Threshold for Blocking and Email Alerts
Benefits of the Global Infected Hosts Alerts
Email alerts for infected hosts call immediate attention to administrators when a possible network security issue arises.
Email alerts can be configured for only specific administrators and not all users of the web portal, targeting alerts more narrowly.
1. Select Configure > Infected Hosts.
2. (Premium licenses only) Set the default threat level threshold.
3. Click the plus sign to create e-mail alerts, or click the pencil icon to edit existing ones. Configure the fields described in the table below.
4. Click OK.
Table 1: E-mail alert fields

Setting      | Guideline
-------------|------------------------------------------------------------
Threat Level | Select a threat level between 1 and 10. When an infected host reaches this level, an e-mail is sent to the address you provide.
E-mail       | Enter an e-mail address.
Automatically Expire Blocked Hosts
When a host is marked as infected and added to the infected hosts feed, it is blocked from the network by policies configured on the SRX Series Firewall. There are options for unblocking individual hosts on the Host Details page in the Juniper ATP Cloud Web Portal. See Hosts Overview for information. If you want to unblock multiple host IP addresses based on time period and threat level, you would use the Automatically Expire Blocked Hosts feature on the Infected Hosts page in the Web Portal.
From the Global Infected Hosts page, you can set infected hosts to expire after a configured time based on a minimum and maximum threat level. Once the time period is reached, blocked IP addresses are no longer marked as infected and therefore no longer blocked.
One example of when you might use this feature is if you are using DHCP addressing and reallocating addresses on a set schedule. In that case, you may want to set an expiration time for infected hosts (based on IP address lease times), after which addresses are no longer marked as infected.
Configure Automatic Expiration of Infected Hosts
1. Select Configure > Infected Hosts.
2. (System Administrators and Operators only) Enable Automatically Expire Blocked Hosts and select one of the following:
   - Expire all hosts
   - Expire a range of hosts: enter a range of IPv4 or IPv6 addresses. Both CIDR notation and start-end ranges are accepted.
     Valid IPv4 formats: 1.2.3.4/30 or 1.2.3.4-1.2.3.6
     Valid IPv6 formats: 1111::1-1111::9 or 1111:1::0/64
     Note: A range may cover no more than a /16 block of IPv4 addresses or a /48 block of IPv6 addresses. For example, 10.0.0.0-10.0.255.255 is valid, but 10.0.0.0-10.1.0.0 is not. The same limit applies to prefix lengths: the shortest accepted prefix is /16 for IPv4 and /48 for IPv6, so 10.0.0.0/15 and 1234::/47 are not valid.
3. For either Expire all hosts or Expire a range of hosts, you must also set an expiration time and threat levels. Click the plus (+) sign to create a new entry and set the fields described in Table 2 in the Expiration Time table.
Table 2: Expiration time fields

Setting              | Guideline
---------------------|------------------------------------------------------------
Minimum Threat Level | Click the table entry under Minimum Threat Level to open a pulldown menu and select a minimum threat level (1-10). The bound is inclusive: hosts at exactly this level are covered.
Maximum Threat Level | Click the table entry under Maximum Threat Level to open a pulldown menu and select a maximum threat level (1-10). The bound is inclusive: hosts at exactly this level are covered.
Hours to Unblock     | Click the table entry under Hours to Unblock and select Never, 6, 12, 18, or 24 hours. After that many hours, the infected label expires and the hosts are no longer blocked. Never means hosts in that level range do not expire.
For example, with a minimum of 6, a maximum of 8, and Hours to Unblock set to 24, every infected host whose threat level is 6, 7, or 8 expires 24 hours after it was blocked; hosts at level 5 or below and 9 or above are not affected by that entry.
Note: You can create multiple entries in this table, setting different expiration times for different threat level ranges.
Once unblock settings are entered in the table, you can use the table to change existing settings or to delete settings.
You must click Save or your settings are lost.
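As an added example (not Juniper's code and not part of the ATP Cloud portal), the following Python models two pieces of this procedure: the range formats and size limits accepted for Expire a range of hosts, and the inclusive threat-level bounds and Hours to Unblock values in Table 2. The ExpirationEntry and BlockedHost types, the first-match resolution of overlapping table rows, the decision to measure the /16 and /48 limits by address count for start-end ranges, and the sample hosts are assumptions for illustration; the portal's own validation may differ in those details.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Largest block the Infected Hosts page accepts (from the note above):
# a /16 for IPv4 and a /48 for IPv6. Applying the limit by address count to
# start-end ranges is an assumption about how the portal enforces it.
MAX_PREFIX = {4: 16, 6: 48}
VALID_HOURS = (None, 6, 12, 18, 24)  # None stands for "Never"


def parse_expire_range(spec: str) -> List[Network]:
    """Parse an 'Expire a range of hosts' value into a list of networks.

    Accepts CIDR ('1.2.3.4/30', '1111:1::0/64') and start-end ranges
    ('1.2.3.4-1.2.3.6', '1111::1-1111::9'). Raises ValueError for malformed
    input, mixed address families, or a range larger than the limit.
    """
    spec = spec.strip()
    if "-" in spec:
        lo_s, hi_s = (part.strip() for part in spec.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != hi.version:
            raise ValueError("range mixes IPv4 and IPv6")
        if hi < lo:
            raise ValueError("range end precedes range start")
        nets = list(ipaddress.summarize_address_range(lo, hi))
    else:
        # strict=False tolerates host bits set in the prefix, e.g. 1.2.3.5/30
        nets = [ipaddress.ip_network(spec, strict=False)]
    version = nets[0].version
    bits = 32 if version == 4 else 128
    limit = 1 << (bits - MAX_PREFIX[version])
    total = sum(n.num_addresses for n in nets)
    if total > limit:
        raise ValueError(
            f"{spec} covers {total} addresses; the maximum is a /{MAX_PREFIX[version]}"
        )
    return nets


def is_valid_expire_range(spec: str) -> bool:
    """True if spec passes the checks in parse_expire_range."""
    try:
        parse_expire_range(spec)
    except ValueError:
        return False
    return True


@dataclass(frozen=True)
class ExpirationEntry:
    """One row of the Expiration Time table; both level bounds are inclusive."""
    min_level: int
    max_level: int
    hours_to_unblock: Optional[int]  # None means Never


@dataclass(frozen=True)
class BlockedHost:
    """A host currently in the infected hosts feed (illustrative type)."""
    ip: str
    threat_level: int
    hours_blocked: float


def validate_entry(entry: ExpirationEntry) -> None:
    """Reject values the table's pulldown menus would not offer."""
    if not 1 <= entry.min_level <= entry.max_level <= 10:
        raise ValueError("threat levels must satisfy 1 <= min <= max <= 10")
    if entry.hours_to_unblock not in VALID_HOURS:
        raise ValueError("hours must be Never, 6, 12, 18 or 24")


def should_unblock(host: BlockedHost, entries: List[ExpirationEntry],
                   expire_range: Optional[List[Network]] = None) -> bool:
    """Decide whether a blocked host's infected label has expired.

    expire_range=None models 'Expire all hosts'; otherwise the host must fall
    inside the configured range. The first entry whose bounds include the
    host's level decides the timer (first-match is an assumption; the page
    does not say how overlapping entries are resolved).
    """
    for entry in entries:
        validate_entry(entry)
    addr = ipaddress.ip_address(host.ip)
    if expire_range is not None and not any(addr in net for net in expire_range):
        return False
    for entry in entries:
        if entry.min_level <= host.threat_level <= entry.max_level:
            if entry.hours_to_unblock is None:
                return False  # Never: this level range does not expire
            return host.hours_blocked >= entry.hours_to_unblock
    return False  # no entry covers this level, so nothing expires it


if __name__ == "__main__":
    # Constructed sample: the page's worked example (levels 6-8 for 24 hours)
    # plus a Never row for levels 9-10, scoped to a /16 expressed as a range.
    table = [ExpirationEntry(6, 8, 24), ExpirationEntry(9, 10, None)]
    scope = parse_expire_range("10.0.0.0-10.0.255.255")
    for host in (BlockedHost("10.0.4.7", 7, 25.0),
                 BlockedHost("10.0.4.8", 9, 48.0),
                 BlockedHost("10.1.0.1", 7, 25.0)):
        verdict = "unblock" if should_unblock(host, table, scope) else "keep blocked"
        print(f"{host.ip} level {host.threat_level}: {verdict}")
```

The third sample host stays blocked even though its level and elapsed time match the table, because 10.1.0.1 lies outside the configured range; only the Expire all hosts option (expire_range=None) would release it.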