security-metadata-streaming

Syntax

Hierarchy Level

Description

Configure a security metadata streaming policy on SRX Series Firewalls to send the metadata and connection patterns of network traffic to Juniper Networks ATP Cloud for encrypted traffic insights. After configuring the security metadata streaming policy, attach it to a security policy at the zone level.

set security policies from-zone from-zone to-zone to-zone application-services security-metadata-streaming-policy dns-policy

Options

dns-cache Configure a list of static benign and command-and-control (C2) domains in the Domain Name System (DNS) cache so that immediate action is taken on the configured domains. Only wildcard domains are allowed; the domain format must be *.domain_name.domain_ending. Entries configured in the DNS cache via the CLI remain in the DNS cache until that configuration is deleted from the device. You can configure a maximum of 500 domains each in the benign list and the C2 list.
  • By default, the action for traffic originating from a benign (allowlisted) domain is permit.
  • The action for traffic originating from a C2 (blocklisted) domain is based on the action configured under DNS detections.
policy policy-name Configure the security-metadata-streaming policy.
dns Configure DNS options.
cache Store DNS entries in the cache until the time-to-live (TTL) expires. The TTL configured on the SRX Series Firewall overrides the TTL provided by Juniper ATP Cloud.
Note:

You must configure at least one DNS detection method to configure DNS cache.

  • benign—(Optional) Set benign TTL value. The range is 60 to 172800 seconds. Default value is 86400.
  • c2—(Optional) Set C2 TTL value. The range is 60 to 172800 seconds. Default value is 86400.
detections Configure the detection type for DNS requests. The available options are all, dga, and tunneling. You can configure any of the following combinations:
  • all detections
  • both dga and tunneling detection
  • either dga or tunneling detection
You cannot configure all detections together with custom detections (dga and/or tunneling); the two are mutually exclusive.
Note:

Each detection method has a fallback option which is used in case nothing is detected within a certain number of packets (in case of tunneling) or within a certain time period (in case of DGA).

all Configure all detections.
  • action—Specify the action the SRX device will take when a detection is made. The available options are deny, permit, or sinkhole.
  • fallback-options—Fallback options for DNS detections. The fallback action is triggered when no DNS-based attack is detected, that is, when no DGA verdict is received within 100 ms (the default verdict-timeout) and no DNS tunnel is detected within 4 packets (the default inspection-depth). The available option is to log the DNS requests.
  • notification—Global notification action taken for DNS detection methods. The available options are:
    • log—Generates log for DNS requests and DNS detections.
    • log-detections—(recommended) Generates log only for malicious DNS detections.
  • verdict-timeout—(Not configurable) Time to wait for a DGA verdict on DNS packet (milliseconds). Default timeout is 100ms for all detections.
  • inspection-depth—(Not configurable) Number of packets to be inspected for tunnel detection. Default is 4 packets for all detections.
dga Configure to detect DGA-based attacks on DNS packets.
  • action—Specify the action the SRX device will take when a detection is made. The available options are deny, permit, or sinkhole.
  • fallback-options—Fallback options for DNS DGA detection. The fallback options are triggered if DGA verdict is not received from Juniper ATP Cloud within the verdict-timeout configured value. The available option is to log the DNS request.
  • notification—Notification action taken for DNS DGA detection. The available options are:
    • log—Generates log per DNS request and DNS detections.
    • log-detections—(recommended) Generates log only for malicious DNS detections.
  • verdict-timeout—(Optional) Time to wait for a verdict on a DNS packet (milliseconds). The range is 50 to 500. Default timeout is 100 ms.
tunneling Configure to detect DNS tunneling.
  • action—Specify the action the SRX device will take when a detection is made. The available options are deny (drops tunnel session), permit (permits tunnel session), or sinkhole (drops the tunnel session and sinkholes the domain).
  • fallback-options—Fallback options for DNS tunneling detection. The fallback options are triggered if a tunnel is not detected within the specified number of packets (inspection-depth). The available option is to log the DNS request.
  • inspection-depth—(Optional) Number of packets to be inspected for tunnel detection. The range is 0 to 10. Default is 4 packets. A value of 0 means inspection continues indefinitely.
  • notification—Notification action taken for DNS tunneling detection. The available options are:
    • log—Generates log per DNS request and DNS detections.
    • log-detections—(recommended) Generates log only for malicious DNS detections.
dynamic-filter Configure dynamic filtering options for security metadata streaming policy on SRX Series Firewalls.
http Configure HTTP options.
  • detections—Configure the detection type for HTTP requests. The available options are all and encryptedc2. You can configure any of the following detections:
    • all—All detections. This can only be configured if no other detection is configured.
    • encryptedc2—Configure to detect command-and-control (C&C) communication.
  • action—Defines the action taken on the traffic. The default action is permit.
  • notification—Defines the notification action taken for the traffic. The available options are:
    • log—Generates a log per HTTP request and per detection.
    • log-detections—(recommended) Generates logs only for malicious detections.
  • fallback-options—Fallback options for HTTP traffic. The fallback options are triggered if nothing is detected in the HTTP traffic. The available option is to log the security metadata streaming actions.
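As an added worked example (not part of this reference page), the following set commands assemble a complete DNS configuration from the options above: a static DNS cache, a policy named dns-policy that combines the dga and tunneling detections with their own TTLs, timeout, fallback and notification settings, and the zone-level attachment. It assumes the statement lives at the [edit services security-metadata-streaming] hierarchy and that the fallback keyword is log; the policy, zone, address and domain names are constructed for illustration.

```junos
# Assumed hierarchy: [edit services security-metadata-streaming].
# Policy, zone and domain names below are constructed examples.

# Static DNS cache: wildcard entries only, at most 500 per list.
# Benign entries are permitted; C2 entries take the action set under detections.
set services security-metadata-streaming dns-cache benign *.corp-example.com
set services security-metadata-streaming dns-cache c2 *.bad-example.net

# Cache TTLs (seconds, 60 to 172800); these override the ATP Cloud TTL.
set services security-metadata-streaming policy dns-policy dns cache benign 43200
set services security-metadata-streaming policy dns-policy dns cache c2 3600

# DGA detection: sinkhole on a verdict, wait up to 200 ms (range 50-500),
# log the request if no verdict arrives, and log only detections otherwise.
set services security-metadata-streaming policy dns-policy dns detections dga action sinkhole
set services security-metadata-streaming policy dns-policy dns detections dga verdict-timeout 200
set services security-metadata-streaming policy dns-policy dns detections dga fallback-options log
set services security-metadata-streaming policy dns-policy dns detections dga notification log-detections

# Tunneling detection: drop the tunnel session, inspect up to 6 packets
# (range 0-10; 0 inspects indefinitely), log the request on fallback.
set services security-metadata-streaming policy dns-policy dns detections tunneling action deny
set services security-metadata-streaming policy dns-policy dns detections tunneling inspection-depth 6
set services security-metadata-streaming policy dns-policy dns detections tunneling fallback-options log
set services security-metadata-streaming policy dns-policy dns detections tunneling notification log-detections

# Note: "detections all" cannot coexist with dga/tunneling in the same policy.

# Attach the policy at the zone level; the security policy name is constructed.
set security policies from-zone trust to-zone untrust policy allow-dns-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-dns-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-dns-out match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy allow-dns-out then permit application-services security-metadata-streaming-policy dns-policy
```

The # lines are explanatory comments; the set commands themselves are what is entered in configuration mode.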

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 20.2R1 on SRX Series Firewalls with Juniper Advanced Threat Prevention Cloud (Juniper ATP Cloud).