security-intelligence (services)
Syntax
security-intelligence {
    authentication {
        auth-token auth-token;
        tls-profile tls-profile;
    }
    category {
        all;
        category-name {
            Blacklist {
                disable;
            }
            CC {
                disable;
            }
            DNS {
                disable;
            }
            GeoIP {
                disable;
            }
            IPFilter {
                disable;
            }
            Infected-Hosts {
                disable;
            }
            SecProfiling {
                disable;
            }
            Reverse-Shell {
                disable;
            }
            Whitelist {
                disable;
            }
        }
    }
    default-policy {
        CC {
            feed-cc-log-only;
        }
        DNS {
            feed-cc-log-only;
        }
        GeoIP {
            feed-cc-log-only;
        }
        IPFilter {
            feed-cc-log-only;
        }
        Infected-Hosts {
            feed-cc-log-only;
        }
    }
    global-disable-feed {
        all;
        feed-name (cc_ip_dat | cc_ipv6_dat | cc_url_dat);
    }
    policy policy-name category-profile-name {
        CC {
            feed-cc-log-only;
        }
        DNS {
            feed-cc-log-only;
        }
        GeoIP {
            feed-cc-log-only;
        }
        IPFilter {
            feed-cc-log-only;
        }
        Infected-Hosts {
            feed-cc-log-only;
        }
    }
    profile profile-name {
        category {
            Blacklist;
            CC;
            DNS;
            GeoIP;
            IPFilter;
            Infected-Hosts;
            Whitelist;
        }
        default-rule {
            then {
                action {
                    block {
                        close {
                            http {
                                file file-name;
                                message block-message;
                                redirect-url redirect-url;
                            }
                        }
                        drop;
                    }
                    recommended;
                }
                log;
                no-log;
            }
        }
        description text;
        rule rule-name {
            match {
                feed-name feed-name;
                threat-level (1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10);
            }
            then {
                action {
                    block {
                        close {
                            http {
                                file file-name;
                                message block-message;
                                redirect-url redirect-url;
                            }
                        }
                        drop;
                    }
                    permit;
                    recommended;
                    sinkhole;
                }
                log;
            }
        }
    }
    proxy-profile proxy-profile-name;
    traceoptions {
        file {
            filename;
            files number-of-trace-files;
            match match-expression;
            size maximum-trace-file-size;
            (no-world-readable | world-readable);
        }
        flag (all | config | connect | dns | filter | gencfg | normal | operational-commands | parse | routing | snmp | statistics | system | timer);
        level (all | error | info | notice | verbose | warning);
        no-remote-trace;
    }
    url url-address;
    url-parameter url-parameter;
}
Hierarchy Level
[edit services]
Description
Using this command, you can configure security intelligence profiles and policies to work with security intelligence feeds, such as infected hosts and C&C. You then configure a firewall policy to include the security intelligence policy, for example, block outgoing requests to a C&C host.
A security intelligence rule can have multiple feed names (feed-name) with multiple threat levels. Specifying the threat level is required, but feed-name is optional. Juniper ATP Cloud makes sure there is no duplicate feed-name associated with threat levels configured in the same profile. Juniper ATP Cloud uses the following approach:
- If feed-name is configured, it looks up the feed-name first.
- If no feed-name is configured, or the feed-name does not match, it uses the threat-level rules.
- If no rules are present or match, the profile's default rule is used.
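The lookup order above, replayed in code. This is an added example, not Junos or Juniper ATP Cloud code: it parses set services security-intelligence profile ... rule ... lines of the form used in the examples on this page into rules, then selects a rule in the three steps just described. It assumes that "threat-level rules" means rules with no feed-name configured, and that HTTP redirection applies only when the session's destination port is 80 or 8080 (on dynamic ports the block still applies, without redirection), as stated later on this page.

```python
from collections import defaultdict

def parse_profile(set_lines):
    """Build {rule_name: rule} from 'set services security-intelligence profile ... rule ...' lines."""
    rules = defaultdict(lambda: {"feeds": set(), "levels": set(), "action": None, "url": None})
    for line in set_lines:
        tok = line.split()
        if "rule" not in tok:
            continue                                    # category / default-rule lines not modelled
        name, rest = tok[tok.index("rule") + 1], tok[tok.index("rule") + 2:]
        r = rules[name]
        if rest[:2] == ["match", "feed-name"]:
            r["feeds"].add(rest[2])
        elif rest[:2] == ["match", "threat-level"]:
            # accepts "threat-level 7" as well as the bracketed form "threat-level [8 9 10]"
            r["levels"].update(int(t.strip("[]")) for t in rest[2:])
        elif rest[:2] == ["then", "action"]:
            r["action"] = " ".join(rest[2:4])           # e.g. "block close" or "block drop"
            if "redirect-url" in rest:
                r["url"] = rest[rest.index("redirect-url") + 1]
    return dict(rules)

def select_rule(rules, feed_name, threat_level):
    """Step 1: rules naming this feed; step 2 (assumption): feed-less threat-level rules; else None."""
    for name, r in rules.items():
        if feed_name in r["feeds"] and threat_level in r["levels"]:
            return name
    for name, r in rules.items():
        if not r["feeds"] and threat_level in r["levels"]:
            return name
    return None

def decide(rules, feed_name, threat_level, dst_port, default_action="block drop"):
    """Step 3: fall back to the default rule. A redirect URL applies only to HTTP on ports 80/8080."""
    name = select_rule(rules, feed_name, threat_level)
    if name is None:
        return ("default-rule", default_action, None)
    r = rules[name]
    url = r["url"] if dst_port in (80, 8080) else None  # dynamic ports: block, no redirection
    return (name, r["action"], url)

# Constructed input: the rule lines from this page's examples, combined into one profile.
SET_LINES = [
    "set services security-intelligence profile secintel_profile rule secintel_rule1 match feed-name custom_feed1",
    "set services security-intelligence profile secintel_profile rule secintel_rule1 match threat-level [7 8 9 10]",
    "set services security-intelligence profile secintel_profile rule secintel_rule1 then action block close http redirect-url http://www.test.com/url1.html",
    "set services security-intelligence profile secintel_profile rule CC_rule match threat-level [8 9 10]",
    "set services security-intelligence profile secintel_profile rule CC_rule then action block drop",
]
RULES = parse_profile(SET_LINES)
```

A hit from custom_feed1 at threat level 8 selects secintel_rule1 even though CC_rule also covers level 8, because the feed-name lookup runs first; the same feed at level 5 matches neither rule and falls to the default rule.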
Options
authentication
    Configure authentication, such as an auth token or TLS profile, to communicate with the feed server. This operation is performed by the ops script used to enroll your devices and is typically not required afterwards. If you have problems establishing a connection with the Juniper ATP Cloud server, it is recommended that you rerun the ops script instead of manually entering all the CLI commands.
category (all | category-name)
    Category to be disabled. You can disable a specific category or all categories. This option is used for temporarily disabling a category during debugging.
disable-global-feed (all | feed-name (CC_IP | CC_URL))
    Disable the Juniper C&C IP and C&C URL feeds to free resources on SRX Series Firewalls. The resources are then available for loading custom feeds. The available options are all, CC_IP, or CC_URL.
policy policy-name category-profile-name
    Configure the security intelligence policy. You specify the category (such as
profile profile-name category rule rule-name (match | then)
    Configure the security intelligence profile. You specify the profile name, the category (such as CC), and any rules and actions. The actions that you can perform are listed below:
    Note: The action
traceoptions
    Set security intelligence trace options.
url url-address
    Configure the URL of the feed server. This operation is performed by the ops script used to enroll your devices and is typically not required afterwards. If you have problems establishing a connection with the Juniper ATP Cloud server, it is recommended that you rerun the ops script instead of manually entering all the CLI commands.
url-parameter url-parameter
    This is an internal option. Do not use this option unless instructed to by Juniper Networks Technical Support.
block close infected host file message|redirect-URL
    Provides HTTP URL redirection based on infected hosts with the block action. This allows for administrator notification of infected hosts. During the processing of a session IP address, if the IP address is on the infected hosts list and the HTTP traffic is using port 80 or 8080, infected hosts HTTP redirection can be done. If the HTTP traffic is using dynamic ports, HTTP traffic redirection cannot be done.
set services security-intelligence profile secintel_profile rule
This example performs feed name-based URL redirection.
user@host# set services security-intelligence profile secintel_profile rule secintel_rule1 match feed-name custom_feed1
user@host# set services security-intelligence profile secintel_profile rule secintel_rule1 match threat-level 7
user@host# set services security-intelligence profile secintel_profile rule secintel_rule1 match threat-level 8
user@host# set services security-intelligence profile secintel_profile rule secintel_rule1 match threat-level 9
user@host# set services security-intelligence profile secintel_profile rule secintel_rule1 match threat-level 10
user@host# set services security-intelligence profile secintel_profile rule secintel_rule1 then action block close http redirect-url http://www.test.com/url1.html
user@host# set services security-intelligence profile secintel_profile rule secintel_rule2 match feed-name custom_feed2
user@host# set services security-intelligence profile secintel_profile rule secintel_rule2 match threat-level 7
user@host# set services security-intelligence profile secintel_profile rule secintel_rule2 match threat-level 8
user@host# set services security-intelligence profile secintel_profile rule secintel_rule2 match threat-level 9
user@host# set services security-intelligence profile secintel_profile rule secintel_rule2 match threat-level 10
user@host# set services security-intelligence profile secintel_profile rule secintel_rule2 then action block close http redirect-url http://www.test.com/url2.html
set services security-intelligence profile
user@host# set services security-intelligence profile cc_profile category CC
set services security-intelligence profile
This example configures a profile name, a profile rule and the threat level scores. Anything that matches these scores is considered malware or an infected host.
user@host# set services security-intelligence profile cc_profile rule CC_rule match threat-level [8 9 10]
set services advanced-anti-malware connection authentication
This example defines the TLS profile, typically done by the ops script when enrolling devices.
user@host# set services advanced-anti-malware connection authentication tls-profile aamw-ssl
set services security-intelligence url
This example defines the feed server URL, typically done by the ops script when enrolling devices.
user@host# set services security-intelligence url https://cloudfeeds.argon.junipersecurity.net/api/manifest.xml
set services security-intelligence profile secintel_profile rule secintel_rule2 then action block close infected host|http redirect-url http://www.test.com/url2.html
User notification of infected hosts (starting in Junos OS 18.1R1): this command allows you to configure HTTP URL redirection based on infected hosts with the block action. During the processing of a session IP address, if the IP address is on the infected hosts list and the HTTP traffic is using port 80 or 8080, infected hosts HTTP redirection to a specified URL can be used in conjunction with the block action. This allows administrators to receive a notification of the block action. Note that if the HTTP traffic is using dynamic ports, HTTP traffic redirection cannot be done.
The syntax for the command is as follows:
Syntax: set services security-intelligence profile <name> then action block close <file message|redirect-URL>
For example:
user@host# set services security-intelligence profile secintel_profile rule secintel_rule2 then action block close infected host|http redirect-url http://www.test.com/url2.html
To view the HTTP URL redirection counter, type show services security-intelligence statistics.
set services security-intelligence disable-global-feed all
This example disables the global feed in all SecIntel configurations.
user@host# set services security-intelligence disable-global-feed all
set services security-intelligence disable-global-feed feed-name CC_IP
This example disables the global CC IP feeds in SecIntel configurations.
user@host# set services security-intelligence disable-global-feed feed-name CC_IP
set services security-intelligence disable-global-feed feed-name CC_URL
This example disables the global CC URL feeds in SecIntel configurations.
user@host# set services security-intelligence disable-global-feed feed-name CC_URL
All the security intelligence services are enabled by default. To disable the services, you must use the following configuration commands:
- set services security-intelligence category category-name GeoIP disable
  This example disables the GeoIP feeds in SecIntel configurations.
  user@host# set services security-intelligence category category-name GeoIP disable
- set services security-intelligence category category-name Whitelist disable
  This example disables the allowlist category in SecIntel configurations.
  user@host# set services security-intelligence category category-name Whitelist disable
- set services security-intelligence category category-name Blacklist disable
  This example disables the blocklist category in SecIntel configurations.
  user@host# set services security-intelligence category category-name Blacklist disable
- set services security-intelligence category category-name IPFilter disable
  This example disables the IPFilter category in SecIntel configurations.
  user@host# set services security-intelligence category category-name IPFilter disable
Use the show services security-intelligence CLI command to verify your settings. Your output should look similar to the following:
[edit]
user@host# show services security-intelligence
category {
    category-name {
        Whitelist {
            disable;
        }
        IPFilter {
            disable;
        }
        GeoIP {
            disable;
        }
        Blacklist {
            disable;
        }
    }
}
policy p1 {
    IPFilter; ## Warning: missing mandatory statement(s): <profile-name>
}
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Command introduced in Junos OS 12.1X46. Starting with Junos OS 15.1X49-D110, this command adds the feed-name option, which can be used in security intelligence rules. Prior to Junos OS 15.1X49-D100 you could perform HTTP URL redirection based on threat levels only. With feed-name, you can now perform HTTP URL redirection based on a feed name.
User notification of infected hosts: as of Junos OS 18.1R1, there is support for HTTP URL redirection based on infected hosts with the block action. This allows for administrator notification of infected hosts. During the processing of a session IP address, if the IP address is on the infected hosts list and the HTTP traffic is using port 80 or 8080, infected hosts HTTP redirection can be done. If the HTTP traffic is using dynamic ports, HTTP traffic redirection cannot be done. See the command at the bottom of this page.
The disable-global-feed option is introduced in Junos OS Release 20.1R1.
The DNS option is introduced in Junos OS Release 20.4R1.
The Reverse-Shell category is introduced in Junos OS Release 23.3R1.