Tenant Systems: Security-Intelligence and Anti-Malware Policies
Tenant systems allow you to allocate virtual system resources, such as memory and CPU, into logical groupings to create multiple virtual firewalls. Each virtual firewall can then identify itself as a stand-alone system within one computing system. Starting in Junos OS 18.4, SRX Series Firewalls support tenant systems for anti-malware and security-intelligence policies. When you associate a tenant system with a realm in Juniper ATP Cloud, that tenant system receives the threat management features configured for the realm. The SRX Series Firewall then performs policy enforcement based on the tenant system and its associated Juniper ATP Cloud realm.
For information on using tenant systems with SRX Series Firewalls, please refer to the Junos documentation.
Tenant System Support for SecIntel Feeds
Starting in Junos OS 18.4, you can configure security-intelligence profiles for tenant systems.
Tenant systems enroll to ATP Cloud when the associated SRX Series Firewall is enrolled. All tenant systems with enabled anti-malware or security-intelligence policies appear on the ATP Cloud “Enrolled Devices” page alongside the SRX Series Firewalls.
Unlike physical devices, which automatically make submissions to the realm they are enrolled in, tenant system submissions are ignored until they are associated with a realm using the Realm Management page in the Juniper ATP Cloud Web UI. See Realm Management for those instructions.
Note that root-logical-system is automatically associated with the realm to which the SRX Series Firewall is enrolled. Only root-logical-system can make submissions by default. Therefore you do not need to make an association for root-logical-system.
Here is an example of the CLI commands for a tenant system security-intelligence policy configuration. The tenant system used in this example (TSYS1) must be associated with the correct realm in Juniper ATP Cloud for the policy to be applied to the intended device:
set logical-systems TSYS1 services security-intelligence profile secintel_profile category CC
set logical-systems TSYS1 services security-intelligence profile secintel_profile rule secintel_rule match threat-level 10
set logical-systems TSYS1 services security-intelligence profile secintel_profile rule secintel_rule match threat-level 9
set logical-systems TSYS1 services security-intelligence profile secintel_profile rule secintel_rule then action block close
set logical-systems TSYS1 services security-intelligence profile secintel_profile rule secintel_rule then log
set logical-systems TSYS1 services security-intelligence profile secintel_profile default-rule then action permit
set logical-systems TSYS1 services security-intelligence profile secintel_profile default-rule then log
set logical-systems TSYS1 services security-intelligence policy p1 CC secintel_profile
set logical-systems TSYS1 services security-intelligence profile pf1 category Infected-Hosts
set logical-systems TSYS1 services security-intelligence profile pf1 default-rule then action block drop
set logical-systems TSYS1 services security-intelligence profile pf1 default-rule then log
set logical-systems TSYS1 services security-intelligence policy p1 Infected-Hosts pf1
Use the following commands to create a security policy on the SRX Series Firewall for the inspection profiles.
set logical-systems TSYS1 security policies from-zone trust to-zone untrust policy 1 match source-address any
set logical-systems TSYS1 security policies from-zone trust to-zone untrust policy 1 match destination-address any
set logical-systems TSYS1 security policies from-zone trust to-zone untrust policy 1 match application any
set logical-systems TSYS1 security policies from-zone trust to-zone untrust policy 1 then permit application-services ssl-proxy profile-name ssl-inspect-profile-dut
set logical-systems TSYS1 security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy p1
Use the following example commands to view the infected hosts feed for a tenant system:
root@SRX> show security dynamic-address category-name Infected-Hosts logical-system TSYS1

No.   IP-start        IP-end          Feed                Address
1     10.1.32.131     10.1.32.131     Infected-Hosts/1    ID-2150001a
2     10.1.32.148     10.1.32.148     Infected-Hosts/1    ID-2150001a
3     10.1.32.183     10.1.32.183     Infected-Hosts/1    ID-2150001a
4     10.1.32.201     10.1.32.201     Infected-Hosts/1    ID-2150001a
Or use the following:
User1@SRX:TSYS1> show security dynamic-address category-name Infected-Hosts

No.   IP-start        IP-end          Feed                Address
1     10.1.32.131     10.1.32.131     Infected-Hosts/1    ID-2150001a
2     10.1.32.148     10.1.32.148     Infected-Hosts/1    ID-2150001a
3     10.1.32.183     10.1.32.183     Infected-Hosts/1    ID-2150001a
4     10.1.32.201     10.1.32.201     Infected-Hosts/1    ID-2150001a
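As an added example (not from the Junos documentation), the following Python parser reads the dynamic-address output shown above into IP ranges, answers whether a given host is listed in a tenant system's Infected-Hosts feed, and counts entries per feed. The sample output is constructed; its column spacing and the multi-address range on row 3 are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple

# Constructed sample (not captured from a real device) of the output of
# "show security dynamic-address ... logical-system TSYS1", one entry per line.
SAMPLE_OUTPUT = """\
root@SRX> show security dynamic-address category-name Infected-Hosts logical-system TSYS1
No.   IP-start        IP-end          Feed                Address
1     10.1.32.131     10.1.32.131     Infected-Hosts/1    ID-2150001a
2     10.1.32.148     10.1.32.148     Infected-Hosts/1    ID-2150001a
3     10.1.32.183     10.1.32.201     Infected-Hosts/1    ID-2150001a
"""

class FeedEntry(NamedTuple):
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    feed: str
    address: str

# One data row: index, IP-start, IP-end, feed name, address-object name.
_ROW = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_dynamic_address(output: str) -> List[FeedEntry]:
    """Parse the numbered rows; the prompt, header and blank lines do not match."""
    entries: List[FeedEntry] = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        start, end, feed, addr = m.groups()
        try:
            entries.append(FeedEntry(ipaddress.ip_address(start),
                                     ipaddress.ip_address(end), feed, addr))
        except ValueError:
            continue  # malformed row: the range columns are not IP addresses
    return entries

def lookup_host(entries: List[FeedEntry], host: str) -> List[FeedEntry]:
    """Return every feed entry whose IP-start..IP-end range contains host."""
    ip = ipaddress.ip_address(host)
    return [e for e in entries if e.start <= ip <= e.end]

def feed_summary(entries: List[FeedEntry]) -> Dict[str, int]:
    """Count entries per feed; an empty result for a tenant system is worth
    checking against its realm association, since submissions are ignored until one exists."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.feed] = counts.get(e.feed, 0) + 1
    return counts
```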
Tenant System Support for AAMW
Starting in Junos OS 18.4, you can also configure anti-malware policies on a per-tenant-system basis. As stated previously, the tenant system used in this example (TSYS1) must be associated with the correct realm in ATP Cloud for the policy to be applied to the intended device. See Realm Management for ATP Cloud Web UI configuration details.
Here is an example of a tenant system anti-malware policy configuration:
set logical-systems TSYS1 services advanced-anti-malware policy LP1 http inspection-profile ldom_profile
set logical-systems TSYS1 services advanced-anti-malware policy LP1 http action block
set logical-systems TSYS1 services advanced-anti-malware policy LP1 http notification log
set logical-systems TSYS1 services advanced-anti-malware policy LP1 smtp inspection-profile default_profile
set logical-systems TSYS1 services advanced-anti-malware policy LP1 smtp notification log
set logical-systems TSYS1 services advanced-anti-malware policy LP1 imap inspection-profile default_profile
set logical-systems TSYS1 services advanced-anti-malware policy LP1 imap notification log
set logical-systems TSYS1 services advanced-anti-malware policy LP1 verdict-threshold 3
Use the following command to view anti-malware policies for a tenant system.
root@SRX> show services advanced-anti-malware policy logical-systems TSYS1
Advanced-anti-malware configuration:
Policy Name: LP11
  Default-notification : Log
  Whitelist-notification: Log
  Blacklist-notification: Log
  Fallback options:
    Action: block
    Notification: No Log
  Inspection-profile: ldom_profile
  Applications: HTTP
    Verdict-threshold: 3
    Action: block
    Notification: Log
Or use the following:
User1@SRX:TSYS1> show services advanced-anti-malware policy
Advanced-anti-malware configuration:
Policy Name: LP1
  Default-notification : Log
  Whitelist-notification: Log
  Blacklist-notification: Log
  Fallback options:
    Action: block
    Notification: No Log
  Inspection-profile: ldom_profile
  Applications: HTTP
    Verdict-threshold: 3
    Action: block
    Notification: Log
Security Profile CLI
Administrators can configure a single security profile to assign resources to a specific tenant system, use the same security profile for more than one tenant system, or use a mix of both methods. You can configure up to 32 security profiles on an SRX Series Firewall running logical systems.
Security profiles allow you to dedicate various amounts of a resource to the tenant systems and allow them to compete for use of the free resources. They also protect against one logical system exhausting a resource that is required at the same time by other tenant systems.
The following commands are added to the security-profile CLI.
aamw-policy
For example:
set system security-profile <name> aamw-policy maximum 32
secintel-policy
For example:
set system security-profile <name> secintel-policy maximum 32
Use the following command to view the security profiles:
show system security-profile all-resource
Refer to the Junos documentation for more information on the set system security-profile command for logical systems.