SecIntel Feeds Overview
SecIntel provides carefully curated and verified threat intelligence from Juniper Networks’ Advanced Threat Prevention (ATP) Cloud, Juniper Threat Labs, Dynamic Address Group (DAG), and industry-leading threat feeds to Juniper Secure Edge, MX Series routers, SRX Series Firewalls, and NFX Series Network Services Platform to block Command and Control (C&C) communications at line rate. SecIntel delivers real-time threat intelligence by enabling automatic and responsive traffic filtering.
SecIntel integrates with EX Series and QFX Series switches and enables these switches to subscribe to SecIntel’s infected host feed. This enables you to block compromised hosts at the switch port. You can now extend SecIntel throughout your entire network and increase the number of security enforcement points.
Benefits of SecIntel Feeds
You can view all the default feeds that are available with your current license.
Using this page, you can enable the following feeds for integration with Juniper ATP Cloud.
Juniper threat feeds
Third party threat feeds—IP threat feeds and URL threat feeds.
Dynamic address group feeds—Juniper DAG feeds and Third-party DAG feeds.
The total number of C&C feeds is 32, of which four are reserved for cc_ip, cc_url, cc_ipv6, and cc_cert_sha1. You can therefore enable up to 28 additional feeds in the C&C category, including C&C custom feeds and C&C third party feeds. This limit also applies if you inject additional feeds using the available open API.
Information to know if you are enabling external feeds:
If a hit is detected on an enabled external feed, this event appears under Monitor>ATP with a threat level of 10.
On Juniper Secure Edge, you can configure policies with the permit or block action for each feed. Note that C&C and Infected Host feeds require an enabled Security Intelligence policy on Juniper Secure Edge in order to work.
External feeds are updated once every 24 hours.
Understand that these are open source feeds managed by third parties and determining the accuracy of the feed is left up to the Juniper ATP Cloud administrator. Juniper will not investigate false positives generated by these feeds.
Juniper Secure Edge policies will block malicious IP addresses based on enabled third party feeds, but these events do not affect host threat scores. Only events from Juniper ATP Cloud feeds affect host threat scores.
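The feed-handling rules above (28 free C&C feed slots beside the four reserved feeds, threat level 10 for hits on external feeds, and host threat scores driven only by Juniper ATP Cloud feeds) as a small Python model. This is an added example, not code from Juniper or from the product; the feed names, prefixes, events and the per-feed threat level assigned to Juniper feeds are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Limits stated on the page: 32 C&C feed slots, 4 reserved for the built-in cc_ip,
# cc_url, cc_ipv6 and cc_cert_sha1 feeds, leaving 28 for custom and third-party
# C&C feeds (the same limit applies to feeds injected through the open API).
CC_FEED_SLOTS = 32
CC_RESERVED_FEEDS = ("cc_ip", "cc_url", "cc_ipv6", "cc_cert_sha1")
CC_ADDITIONAL_MAX = CC_FEED_SLOTS - len(CC_RESERVED_FEEDS)  # 28
EXTERNAL_HIT_THREAT_LEVEL = 10  # page: hits on enabled external feeds appear at level 10

@dataclass
class Feed:
    name: str
    source: str            # "juniper" (ATP Cloud feed) or "third_party" (external feed)
    networks: tuple        # constructed sample prefixes, not real indicators
    threat_level: int = 0  # assumed per-feed level for Juniper feeds; not stated on the page

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.networks)

def check_cc_feed_count(feed_names) -> bool:
    """True when the custom + third-party C&C feeds fit in the 28 free slots."""
    additional = set(feed_names) - set(CC_RESERVED_FEEDS)
    return len(additional) <= CC_ADDITIONAL_MAX

def evaluate(events, feeds):
    """Match (host, destination_ip) events against the enabled feeds.
    Every hit becomes an alert; external-feed hits are reported at threat level 10 and
    leave the host score untouched. Only Juniper ATP Cloud feed hits raise the host
    threat score (modelled here as the highest feed level seen for that host).
    """
    alerts, host_scores = [], {}
    for host, dst in events:
        for feed in feeds:
            if not feed.matches(dst):
                continue
            external = feed.source == "third_party"
            level = EXTERNAL_HIT_THREAT_LEVEL if external else feed.threat_level
            alerts.append({"host": host, "dst": dst, "feed": feed.name,
                           "threat_level": level, "affects_host_score": not external})
            if not external:
                host_scores[host] = max(host_scores.get(host, 0), level)
    return alerts, host_scores

# Constructed sample data using documentation prefixes (RFC 5737), not real indicators.
FEEDS = (Feed("cc_ip", "juniper", ("198.51.100.0/24",), threat_level=8),
         Feed("feodo_tracker", "third_party", ("203.0.113.0/24",)))
EVENTS = (("host-a", "198.51.100.7"), ("host-b", "203.0.113.9"), ("host-c", "192.0.2.1"))

if __name__ == "__main__":
    print(evaluate(EVENTS, FEEDS))
```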
To enable the available feeds, do the following:
Navigate to Configure>SecIntel Feeds.
For each feed, select the toggle button to enable the feed. Refer to the guidelines in Table 1.
Note: The Infected Host feed is enabled for all license tiers. All other Juniper SecIntel feeds are enabled only with Secure Edge Advanced or higher license.
Click the Go to feed site link to view feed information, including the contents of the feed.
Table 1: SecIntel Feeds
Field / Guidelines
Juniper Threat Feeds
Command and Control
Displays whether the C&C feed is enabled or not.
C&C feeds are essentially a list of servers that are known command-and-control servers for botnets. The list also includes servers that are known sources of malware downloads.
Malicious Domains
Displays whether the DNS feed is enabled or not.
List of domains that are known to be connected to malicious activity.
Infected Host Feed
Displays whether the infected host feed is enabled or not.
Infected hosts indicate local devices that are potentially compromised because they appear to be part of a C&C network or exhibit other symptoms.
Third Party Threat Feeds
IP Threat Feeds
Block List
Click the toggle button to enable block list feeds as third party feeds.
Threatfox IP
Click the toggle button to enable Threatfox feeds as third party feeds.
Feodo Tracker
Click the toggle button to enable Feodo feeds as third party feeds.
DShield
Click the toggle button to enable DShield feeds as third party feeds.
Tor
Click the toggle button to enable Tor feeds as third party feeds.
URL Threat Feeds
Threatfox URL
Click the toggle button to enable the ThreatFox URL feed as a third party feed. ThreatFox is a free platform from abuse.ch whose goal is to share indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors, and threat intelligence providers. An IOC can be an IP address, domain name, or URL.
URLhaus URL Threat Feed
Click the toggle button to enable the URLhaus feed as a third party feed. URLhaus is a threat intelligence feed that shares malicious URLs used for malware distribution.
Open Phish
Click the toggle button to enable the OpenPhish feed as a third party feed. OpenPhish is a fully automated, self-contained platform for phishing intelligence. It identifies phishing sites and performs intelligence analysis in real time without human intervention and without using any external resources, such as blocklists. For malware inspection, SecIntel analyzes traffic using the URLs in this feed.
Domain Threat Feeds
Threatfox Domains
Click the toggle button to enable the ThreatFox domain feed as a third party feed.
Dynamic Address Group Feeds
Juniper DAG Feeds
GeoIP Feed
Displays whether the GeoIP feed is enabled or not. GeoIP feed is an up-to-date mapping of IP addresses to geographical regions. This gives you the ability to filter traffic to and from specific geographies in the world.
Third Party DAG Feeds
office365
Click the toggle button to enable office365 IP filter feed as a third party feed. The office365 IP filter feed is an up-to-date list of published IP addresses for Office 365 service endpoints which you can use in security policies. This feed works differently from others on this page and requires certain configuration parameters, including a pre-defined cloud feed name of “ipfilter_office365”.
Pre-defined cloud feed name— ipfilter_office365
facebook
Click the toggle button to enable feeds from Facebook.
Pre-defined cloud feed name— ipfilter_facebook
google
Click the toggle button to enable feeds from Google.
Pre-defined cloud feed name— ipfilter_google
atlassian
Click the toggle button to enable feeds from Atlassian.
Pre-defined cloud feed name— ipfilter_atlassian
zscaler
Click the toggle button to enable feeds from Zscaler.
Pre-defined cloud feed name— ipfilter_zscaler
oracleoci
Click the toggle button to enable feeds from Oracle OCI.
Pre-defined cloud feed name— ipfilter_oracleoci
cloudflare
Click the toggle button to enable feeds from Cloudflare.
Pre-defined cloud feed name— ipfilter_cloudflare
zoom
Click the toggle button to enable feeds from Zoom.
Pre-defined cloud feed name— ipfilter_zoom
microsoftazure
Click the toggle button to enable feeds from Microsoft Azure.
Pre-defined cloud feed name— ipfilter_microsoftazure
amazonaws
Click the toggle button to enable feeds from Amazon AWS.
Pre-defined cloud feed name— ipfilter_amazonaws
okta
Click the toggle button to enable feeds from Okta.
Pre-defined cloud feed name— ipfilter_okta
paypal
Click the toggle button to enable feeds from PayPal.
Pre-defined cloud feed name— ipfilter_paypal
Note: Since Ransomware Tracker and Malware Domain List are deprecated, the Ransomware Tracker and Malware Domain List IP feeds are not supported on Juniper ATP Cloud. If you had enabled these feeds earlier, you might stop receiving them.
The update interval for a third party Internet service feed is one day.
Using the office365 Feed
Enable the Using the office365 Feed check box in Juniper ATP Cloud to push Microsoft Office 365 services endpoint information (IP addresses) to Juniper Secure Edge. The office365 feed works differently from other feeds on this page and requires certain configuration parameters, including a pre-defined name of “ipfilter_office365”.
After you select the check box, you must create a dynamic address object on Juniper Secure Edge that refers to the ipfilter_office365 feed.