
security-intelligence (services)

Syntax

Hierarchy Level

Description

Using this command, you can configure security intelligence profiles and policies to work with security intelligence feeds, such as infected hosts and C&C. You then configure a firewall policy to include the security intelligence policy, for example, block outgoing requests to a C&C host.

A security intelligence rule can have multiple feed names (feed-name) with multiple threat levels. Specifying the threat level is required, but feed-name is optional. Juniper ATP Cloud makes sure there is no duplicate feed-name associated with threat levels configured in the same profile. Juniper ATP Cloud uses the following approach:

  • If feed-name is configured, it looks up the feed-name first.

  • If no feed-name is configured, or the feed-name does not match, it uses the threat level rules.

  • If no rules are present or match, the profile’s default rule is used.

Options

authentication

Configure authentication, such as an auth token or TLS profile, to communicate with the feed server. This operation is performed by the ops script used to enroll your devices and is typically not required afterwards. If you have problems establishing a connection with the Juniper ATP Cloud server, it is recommended that you rerun the ops script instead of manually entering all the CLI commands.

category (all | category-name)

Category to be disabled. You can disable a specific category or all. This option is used for temporarily disabling a category during debugging phases.

disable-global-feed (all | feed-name (CC_IP | CC_URL))

Disable the Juniper C&C and URL feed to free the resources on SRX Series Firewalls. The resources are then available for loading custom feeds. The available options are all, CC_IP or CC_URL.

  • all—Applies to all feeds.

  • CC_IP—Applies to global CC IP feed.

  • CC_URL—Applies to global CC URL feed.

policy policy-name category-name profile-name

Configure the security intelligence policy. You specify the category (such as CC) and the security intelligence profile to associate with this policy.

profile profile-name category category-name rule rule-name (match | then)

Configure security intelligence profile. You specify the profile name, the category (such as CC), and any rules and actions. The actions that you can perform are listed below:

  • block—Block with close or drop action

  • permit—Permit action

  • recommended—Recommended action from feed server

  • sinkhole—DNS sinkhole action for malicious DNS queries

Note:

The sinkhole action must be configured only for the DNS profile category.

traceoptions

Set security intelligence trace options.

url url-address

Configure the URL of the feed server. This operation is performed by the ops script used to enroll your devices and is typically not required afterwards. If you have problems establishing a connection with the Juniper ATP Cloud server, it is recommended that you rerun the ops script instead of manually entering all the CLI commands.

url-parameter url-parameter

This is an internal option. Do not use this option unless instructed to by Juniper Networks Technical Support.

block close infected host file message|redirect-URL

Provides HTTP URL redirection based on infected hosts with the block action.

This allows for administrator notification of Infected Hosts. During the processing of a session IP address, if the IP address is on the infected hosts list and HTTP traffic is using ports 80 or 8080, infected hosts HTTP redirection can be done. If HTTP traffic is using dynamic ports, HTTP traffic redirection cannot be done.

set services security-intelligence profile secintel_profile rule

This example performs feed name-based URL redirection.

set services security-intelligence profile

set services security-intelligence profile

This example configures a profile name, a profile rule and the threat level scores. Anything that matches these scores is considered malware or an infected host.

set services advanced-anti-malware connection authentication

This example defines the TLS profile, typically done by the ops script when enrolling devices.

set services security-intelligence url

This example defines the feed server URL, typically done by the ops script when enrolling devices.

set services security-intelligence profile secintel_profile rule secintel_rule2 then action block close infected host|http redirect-url http://www.test.com/url2.html

User notification of infected hosts—(Starting in Junos 18.1R1) This command allows you to configure HTTP URL redirection based on infected hosts with the block action. During the processing of a session IP address, if the IP address is on the infected hosts list and HTTP traffic is using ports 80 or 8080, infected hosts HTTP redirection to a specified URL can be used in conjunction with the block action. This allows administrators to receive a notification of the block action. Note that if HTTP traffic is using dynamic ports, HTTP traffic redirection cannot be done.

The syntax for the command is as follows:

Syntax: set services security-intelligence profile <name> then action block close <file message|redirect-URL>

For example:

To view the HTTP URL redirection counter, enter the show services security-intelligence statistics command.
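The following is an added example, not Junos code and not part of this reference page: a small Python model of the two behaviours described above, the three-step rule lookup (feed-name first, then threat level, then the profile's default rule, with no duplicate feed-name across rules) and the infected-host HTTP redirect decision (block action plus redirect URL, address on the infected-hosts list, HTTP on port 80 or 8080; no redirect on dynamic ports). The profile, rule names other than secintel_rule2, feed names and session values are constructed assumptions; the redirect URL is the one used in the example above.

```python
"""Constructed model of security-intelligence rule selection and the
infected-host HTTP redirect decision.  Added example; the dictionaries
below stand in for configuration and feed data and are not Junos APIs."""

HTTP_REDIRECT_PORTS = {80, 8080}   # redirect is only possible on these ports


def validate_profile(profile):
    """Reject a profile in which two rules claim the same feed-name.
    The page says Juniper ATP Cloud enforces this; here it is a local check."""
    seen = {}
    for rule in profile["rules"]:
        for feed in rule["match"].get("feed-name", []):
            if feed in seen:
                raise ValueError(
                    f"feed-name {feed!r} already used by rule {seen[feed]!r}")
            seen[feed] = rule["name"]
    return True


def select_rule(profile, feed_name, threat_level):
    """Three-step lookup: feed-name first, then threat level, then default."""
    rules = profile["rules"]
    for rule in rules:
        if feed_name in rule["match"].get("feed-name", []):
            return rule
    for rule in rules:
        if threat_level in rule["match"].get("threat-level", []):
            return rule
    return profile["default-rule"]


def decide(profile, hit, session):
    """Return (action, rule-name, redirect-url-or-None) for one session.

    hit     : {'feed-name': str, 'threat-level': int, 'infected-host': bool}
    session : {'dst-port': int}
    """
    rule = select_rule(profile, hit["feed-name"], hit["threat-level"])
    action = rule["then"]["action"]
    if action == "permit":
        return ("permit", rule["name"], None)
    redirect_url = rule["then"].get("redirect-url")
    # Redirection needs: block action with a redirect URL, the address on the
    # infected-hosts list, and HTTP on 80/8080.  On a dynamic port the
    # session is still blocked, but the user cannot be redirected.
    if (action == "block" and redirect_url and hit["infected-host"]
            and session["dst-port"] in HTTP_REDIRECT_PORTS):
        return ("block-redirect", rule["name"], redirect_url)
    return (action, rule["name"], None)


# Constructed profile (assumed names; secintel_rule2 and the URL are from the page).
SECINTEL_PROFILE = {
    "name": "secintel_profile",
    "category": "infected-hosts",
    "rules": [
        {"name": "feed_rule",
         "match": {"feed-name": ["custom_blocklist"]},
         "then": {"action": "block"}},
        {"name": "secintel_rule2",
         "match": {"threat-level": [8, 9, 10]},
         "then": {"action": "block",
                  "redirect-url": "http://www.test.com/url2.html"}},
        {"name": "low_rule",
         "match": {"threat-level": [1, 2, 3, 4]},
         "then": {"action": "permit"}},
    ],
    "default-rule": {"name": "default-rule", "match": {},
                     "then": {"action": "permit"}},
}

if __name__ == "__main__":
    validate_profile(SECINTEL_PROFILE)
    infected = {"feed-name": "CC_IP", "threat-level": 9, "infected-host": True}
    # feed-name wins over threat level 9 (which would also hit secintel_rule2)
    print(decide(SECINTEL_PROFILE, dict(infected, **{"feed-name": "custom_blocklist"}),
                 {"dst-port": 80}))
    print(decide(SECINTEL_PROFILE, infected, {"dst-port": 80}))    # redirect
    print(decide(SECINTEL_PROFILE, infected, {"dst-port": 4433}))  # block only
    print(decide(SECINTEL_PROFILE,
                 {"feed-name": "CC_IP", "threat-level": 6, "infected-host": False},
                 {"dst-port": 80}))                                 # default rule
```

The order of the two loops in select_rule is the point: a rule that matches by feed-name is chosen before any threat-level rule is consulted, which is why a profile cannot have two rules naming the same feed.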

set services security-intelligence disable-global-feed all

This example disables the global feed in all SecIntel configurations.

set services security-intelligence disable-global-feed feed-name CC_IP

This example disables the global CC IP feeds in SecIntel configurations.

set services security-intelligence disable-global-feed feed-name CC_URL

This example disables the global CC URL feeds in SecIntel configurations.

All the security intelligence services are enabled by default. To disable the services, you must use the configuration commands:

  • set services security-intelligence category category-name GeoIP disable

    This example disables the GeoIP feeds in SecIntel configurations.

  • set services security-intelligence category category-name Whitelist disable

    This example disables the allowlist category in SecIntel configurations.

  • set services security-intelligence category category-name Blacklist disable

    This example disables the blocklist category in SecIntel configurations.

  • set services security-intelligence category category-name IPFilter disable

    This example disables the IPFilter category in SecIntel configurations.

Use the show services security-intelligence CLI command to verify your settings. Your output should look similar to the following:

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Command introduced in Junos OS 12.1X46. Starting with Junos OS 15.1X49-D110, this command adds the feed-name option which can be used in security intelligence rules. Prior to Junos OS 15.1X49-D100 you could perform HTTP URL redirect based on threat levels. With feed-name, you can now perform HTTP URL redirection based on a feed name.

User notification of infected hosts—As of Junos OS 18.1R1, there is support for HTTP URL redirection based on infected hosts with the block action. This allows for administrator notification of infected hosts. During the processing of a session IP address, if the IP address is on the infected hosts list and HTTP traffic is using ports 80 or 8080, infected hosts HTTP redirection can be done. If HTTP traffic is using dynamic ports, HTTP traffic redirection cannot be done. See the command at the bottom of this page.

The disable-global-feed option is introduced in Junos OS Release 20.1R1.

The DNS option is introduced in Junos OS Release 20.4R1.

The Reverse-Shell category is introduced in Junos OS Release 23.3R1.