Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Creating a Policy Enforcer Connector for Public and Private Clouds

Before You Begin

  • For Amazon Web Services (AWS) connector:

    • Create access key and password for your AWS account. This will be a unique username and password for your Amazon account required to create a connector. See Managing Access Keys for Your AWS Account.

    • Create Virtual Private Clouds(VPC) for the required region. See Getting Started With Amazon VPC.

    • Instantiate the vSRX instance in the required VPC and set the tag identifier, for example AWS_SDSN_VSRX. This tag identifier must match with the vSRX instance tag key in AWS.

    • Create a Security Group in AWS required to create a threat prevention policy for the AWS connector.

    • Deploy workloads in the required VPC and set the resource tags to the workloads.

  • For Microsoft Azure connector:

Perform the following actions to configure connectors for the public and private clouds.

To configure threat remediation for a public or private cloud, you must install and register the threat remediation plug-in with Policy Enforcer as follows:

  1. Select Administration > Policy Enforcer > Connectors.

    The Connectors page appears.

  2. Click the create icon (+).

    The Create Connector page appears.

  3. Complete the configuration using the information in Table 1.
  4. Click OK.
    Note:

    Once configured, you select the connector name as an Enforcement Point in your Secure Fabric.

Table 1: Fields on the Create Connector Page for AWS and Contrail

Field

Description

General

Name

Enter a unique string that must begin with an alphanumeric character and can include underscores; no spaces allowed; 63 characters maximum.

Description

Enter a description; maximum length is 1024 characters. You should make this description as useful as possible for all administrators.

Connector Type

Select Amazon Web Services, Contrail, or Microsoft Azure from the list to connect to your secure fabric and create policies for this network.

IP Address/URL

Enter the IP (IPv4 or IPv6) address or URL of AWS, Contrail, or Microsoft Azure.

For AWS, this field is set to www.aws.amazon.com, by default. This is where all VPCs are located. You cannot edit this field.

For Microsoft Azure, this field is set to management.azure.com, by default. This is where all virtual networks are located. You cannot edit this field.

Port

For AWS and Microsoft Azure connectors, the port is set to 443 by default and you cannot edit this field.

For Contrail connector, provide the port number as 8081.

Username

Enter the username of the server for the selected connector type.

For AWS, enter the generated access key for your Amazon account. This is not same as your Amazon account username.

Password

Enter the password for the selected connector type.

For AWS, enter your secret password generated along with your access key. This is not same password as your amazon account.

Subscription ID

(only for Microsoft Azure connector)

Enter the Azure subscription ID available per tenant basis.

Tenant ID

(only for Microsoft Azure connector)

Enter the Microsoft Azure tenant ID.

Network Details

Connector Type: AWS

Virtual Private Clouds

One or more virtual networks under the AWS account are discovered. They are called virtual private cloud (VPC). Only VPCs having vSRX instances deployed are managed. The VPCs are region specific. Select a region from the Region list and the corresponding VPCs are listed. By default, the VPCs for the first available region are listed.

Security Director suggests a default Secure Fabric site name for the VPC, in the <connector name>_<vpc name>_site format. Click the Secure Fabric site name to edit it. When you edit the name, you will also see the other Secure Fabric sites that do not have any switches or connectors assigned to them. You can also assign these Secure Fabric sites to the connectors. If the edited site name is already existing with a connector or a switch, an alert message is shown and the Secure Fabric site name is reverted to its previous name.

You must enable either Threat Remediation or Next Generation Firewall options or both. You cannot create a connector instance without enabling at least one option. If you navigate to the next page without enabling these options, an error message is shown insisting the user to enable either Threat Remediation or Next Generation Firewall to proceed further.

You can get a detailed view of the VPC by hovering over the name and clicking the Detailed View icon. See Viewing VPC or Projects Details.

Note:

You can perform search on VPCs. Search is not supported for the site names.

Connector Type: Microsoft Azure

Virtual Networks

One or more virtual networks under the Microsoft Azure account are discovered. These virtual networks are based on the Azure subscription per tenant basis. A tenant can have more than one subscription and a single subscription can contain one or more virtual networks.

Security Director suggests a default site name for the project, in the <connector name>_<virtual network name>_site format. Click the site name to edit it. When you edit the site name, you will also see the other sites that do not have any switches or connectors assigned to them. You can also assign these sites to the connectors. If the edited site name is already existing with a connector or a switch, an alert message is shown and the site name is reverted to its previous name.

You must enable either Threat Remediation or Next Generation Firewall options or both. You cannot create a connector instance without enabling at least one of the two options. If you navigate to the next page without enabling these options, an error message is shown insisting the user to enable either Threat Remediation or Next Generation Firewall to proceed further.

You can get a detailed view of the virtual network by hovering over the name and clicking the Detailed View icon.

Connector Type: Contrail

Project

Tenant information determined from the Contrail connector is listed.

Security Director suggests a default site name for the project, in the <connector name>_<project name>_site format. Click the site name to edit it. When you edit the site name, you will also see the other sites that do not have any switches or connectors assigned to them. You can also assign these sites to the connectors. If the edited site name is already existing with a connector or a switch, an alert message is shown and the site name is reverted to its previous name.

You must enable either Threat Remediation or Next Generation Firewall options or both. You cannot create a connector instance without enabling at least one of the two options. If you navigate to the next page without enabling these options, an error message is shown insisting the user to enable either Threat Remediation or Next Generation Firewall to proceed further.

You can get a detailed view of the project by hovering over the name and clicking the Detailed View icon. See Viewing VPC or Projects Details.

Note:

You can perform search on Project names. Search is not supported for the site names.

Subnets

The subnet information for Contrail, Microsoft Azure, and AWS is determined from the respective systems. For AWS and Microsoft Azure, subnets are the availability zones and for Contrail, subnets are virtual networks. You can create Policy Enforcement Groups for one or more of the subnets, if threat remediation is selected.

Subnets for AWS, Microsoft Azure, and Contrail are allocated to be within the tenant IP Address Management (IPAM) scheme.

Configuration

Configuration

Metadata

Specifies the resource tag information and the resource tag values that you have determined from the projects or VPC. The tag information appears only if the Next Generation Firewall option is enabled.

For AWS and Microsoft Azure connector, the resource tag values are fetched from AWS and Microsoft Azure for all the endpoints and then mapped them to the Security Director generated metadata names.

Based on the resource tag name, Security Director checks if a metadata with the same resource tag name is already available. If available, it automatically maps the resource tag name to its metadata. If there is no match found, Security Director suggests a new metadata name for the corresponding tag. The suggested metadata name is same as the resource tag name. You can also edit the suggested metadata name and customize the resource tag name.

However, in the Generated MetaData Name column, you cannot use the following predefined metadata names:

  • Tenant

  • Provider

  • Controller

If you provide these names, an appropriate error message is shown to choose a different name.

Select the Map option to map the resource tag to the generated Security Director Metadata while creating the connector instance. If the Map option is not selected, the connector instance is created for a project or VPC without any resource tags. For example, if you have multiple resource tags for a project, you can choose one or more resource tags to map to the corresponding generated metadata, by selecting the Import option. The project or VPC with the selected resource tags are created when the connector instance is created.

Mapping of Contrail, Microsoft Azure, and AWS connector resource tags to Security Director metadata enables you to create the next generation firewall policy definitions for the source and destination rules, based on the metadata expressions. Policy Enforcer dynamically determines the matching VM instances in AWS, Microsoft Azure, or Contrail connector to the metadata expressions and pushes the IP address content as dynamic address groups to the enforcement points in the tenant specific vSRX firewall instance.

In the Configuration Value column, provide any additional information required for this particular connector connection. For example, if the connector type is ForeScout CounterACT, you are required to provide the WebAPI username and password. Similarly for other connectors if the additional configuration parameters are required, they are listed in this column.

After the successful completion, the subnet you have created is mapped to that particular connector instance.

For AWS and Microsoft Azure, provide the following configuration parameters:

  • SRX username—Specify the username of the vSRX device that you have instantiated for a VPC or a virtual network.

  • SRX identifier tag—Specify the tag name of the vSRX device, if the recommended vSRX name was not used. If you do not specify any value for this field, Policy Enforcer uses vSRX as a default tag name to identify the device.

    This enables discovery of this particular vSRX device in Junos Space. This vSRX device is also added to a specific secure fabric site.

  • Infected Host Security Group—Specify the security group name that you would want to tag an infected workload for threat remediation.

  • SRX authentication key—Specify the authentication key file to access the vSRX device. Editing this in the grid prompts you to either upload the authentication key file or view an already existing uploaded authentication key.

For Contrail, provide the following configuration parameters:

  • SRX username

  • SRX password

  • Infected host security group

Note:
  • For AWS, Microsoft Azure, and Contrail connectors, the site association is achieved in the Connectors page itself.

  • When a connector is added to the site, Policy Enforcer discovers the vSRX Series associated with the connector and assigns it to the site. Hover over the connector name to view the corresponding vSRX with its IP address as a tool tip.

  • If the mode in PE Setting page is Juniper Connected Security with ATP Cloud, then you must create ATP Cloud realm and assign the sites associated with the VPC or Project to the realm. Otherwise the vSRX instances in the VPC or Project does not download the dynamic address group objects, that is the list of workloads in the VPC or Project that match a policy metadata expression.

Threat Remediation Workflow

Once you create an AWS, Microsoft Azure, or a Contrail connector with Threat Remediation option, a site is created in the Secure Fabric page.

Perform the following actions for threat remediation:

  1. Select Configure > Threat Prevention > ATP Cloud Realms.

    Select the associated Secure Fabric sites to the respective VPC, virtual networks, or Project that is successfully added. Add the secure fabric site to a Juniper ATP Cloud realm and enrol the vSRX devices to the Juniper ATP Cloud. Enroll devices by clicking Add Devices in the list view once the realm is created.

  2. Select Configure > Shared Objects > Policy Enforcement Groups.

    Click the add icon to create a new policy enforcement group. You will see a list of all subnets that you have created in a VPC or virtual network. Select the required subnets for this VPC or a virtual network and create a policy enforcement group. Associate this policy enforcement group to threat remediation policy.

  3. Select Configure > Threat Prevention > Policies.

    Click the add icon to create a new threat prevention policy. Add the threat prevention policy, including profiles for one or more threat types. The security group that you had selected during connector configuration is used when the host gets infected within a corresponding VPC or a virtual network.

Next Generation Firewall Workflow

When you create an AWS, Microsoft Azure, or a contrail connector with Next Generation Firewall option, it means that for a particular VPC or a virtual network, Layer 7 firewall policy is enabled. Perform the following actions to enable next generation firewall:

  1. Select Configure > Firewall Policy.

  2. Select the policy for which you want to define rules and click Add Rule.

    The Create Rules page appears.

  3. In the General tab, enter the name of the rule and description of the rule

  4. In the Source tab, click Select for the Address(es) field to select the source address.

    The Source Address page appears.

    • In the Address Selection field, click By Metadata Filter option.

    • In the Metadata Provider field, select PE as a provider from the list.

    • In the Metadata Filter field, all the generated metadatas during the connector configuration are listed. Using these metadatas, create a required metadata expression. For example, Application = Web and Tier = App.

    • In the Matched Addresses field, addresses matching the selected metadata are listed. This address is used as a source address. For every metadata expression, a unique dynamic address group (DAG) is created.

    • Click Ok and complete configuring other parameters for the rule.

    • Publish and update the configuration immediately or schedule it later.