Configure Juniper Advanced Threat Prevention Cloud Policy

This configuration shows how to create a Juniper ATP Cloud policy using the CLI. It assumes you are familiar with configuring security zones and security policies. See Example: Creating Security Zones.

Requirements

This configuration uses the following hardware and software components:

  • An SRX1500 device with traffic through packet forwarding.

  • Junos OS Release 15.1X49-D80 or later.

    Note:

    Starting in Junos OS Release 15.1X49-D80, the match-then condition has been deprecated from the Juniper ATP Cloud policy configuration. This configuration includes those updates.

    Note:

    Junos OS Release 18.2R1 or later adds explicit web proxy support for anti-malware and security-intelligence policies using the following statements: set services advanced-anti-malware connection proxy-profile proxy_name and set services security-intelligence proxy-profile proxy_name. First use the set services command to configure the web proxy profile, including the proxy host IP address and port number. See Explicit Web Proxy for Juniper ATP Cloud for details.

Overview

The following configuration creates a Juniper ATP Cloud policy that has the following properties:

  • Policy name is aamwpolicy1.

  • Profile name is default_profile.

  • Block any file if its returned verdict is greater than or equal to 7 and create a log entry.

  • Do not create a log entry if a file has a verdict less than 7.

  • When there is an error condition, allow files to be downloaded and create a log entry.

  • Create a log entry when attempting to download a file from a site listed in the blocklist or allowlist files.

Configuration

The following configuration requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

Note:

Starting in Junos OS Release 15.1X49-D80, the match-then condition has been deprecated from the Juniper ATP Cloud policy configuration. Configurations made prior to 15.1X49-D80 will continue to work, but it is recommended that you do not use these statements going forward.

  1. Create the Juniper ATP Cloud policy.

    • Set the policy name to aamwpolicy1 and block any file if its returned verdict is greater than or equal to 7.

      set services advanced-anti-malware policy aamwpolicy1 verdict-threshold 7

    • Associate the policy with the default_profile profile.

      set services advanced-anti-malware policy aamwpolicy1 http inspection-profile default_profile

    • Block any file if its returned verdict is greater than or equal to 7 and create a log entry.

      set services advanced-anti-malware policy aamwpolicy1 http action block notification log

    • When there is an error condition, allow files to be downloaded and create a log entry.

      set services advanced-anti-malware policy aamwpolicy1 fallback-options action permit

      set services advanced-anti-malware policy aamwpolicy1 fallback-options notification log

    • Create a log entry when attempting to download a file from a site listed in the blocklist or allowlist files.

      set services advanced-anti-malware policy aamwpolicy1 blacklist-notification log

      set services advanced-anti-malware policy aamwpolicy1 whitelist-notification log

    • For SMTP, you only need to specify the inspection profile name; the action to take is defined in the Juniper ATP Cloud portal.

      set services advanced-anti-malware policy aamwpolicy1 smtp inspection-profile my_smtp_profile

  2. Configure the firewall policy to enable the advanced anti-malware application service.

  3. Configure the SSL proxy profile to inspect HTTPS traffic.

  4. Configure the SSL forward proxy to inspect HTTPS traffic.

    This command assumes you have already configured ssl-inspect-ca, the CA profile used by the SSL forward proxy. If you have not already done so, an error occurs when you commit this configuration. See Enable Juniper ATP Cloud for Encrypted HTTPS Connections for more information on configuring ssl-inspect-ca.

  5. Review your policy. It should look similar to this.
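The following is an added example, not part of the Juniper documentation and not Junos code: a small Python model of the aamwpolicy1 properties listed in the Overview and configured in step 1. It renders the same set statements from a structured definition, so a reviewer can diff them against what is actually committed, and it walks through how the verdict threshold, the fallback options and the list notifications combine into an action and a log decision for one HTTP download. The names AamwPolicy, render_set_commands and evaluate are the example's own; the 1-to-10 verdict scale and the assumption that a blocklist hit blocks and an allowlist hit permits are modelling assumptions, since the page only says those hits are logged.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AamwPolicy:
    """Constructed model of the policy properties described on the page."""
    name: str = "aamwpolicy1"
    http_profile: str = "default_profile"
    smtp_profile: str = "my_smtp_profile"
    verdict_threshold: int = 7       # verdict >= threshold -> block
    block_log: bool = True           # http action block notification log
    fallback_action: str = "permit"  # fallback-options action permit
    fallback_log: bool = True        # fallback-options notification log
    blacklist_log: bool = True       # blacklist-notification log
    whitelist_log: bool = True       # whitelist-notification log


def render_set_commands(p: AamwPolicy) -> List[str]:
    """Render the Junos set statements for the advanced-anti-malware policy.

    Output order follows step 1 on the page so it can be compared line by line
    with 'show configuration | display set' output (comparison not done here).
    """
    base = f"set services advanced-anti-malware policy {p.name}"
    cmds = [
        f"{base} verdict-threshold {p.verdict_threshold}",
        f"{base} http inspection-profile {p.http_profile}",
        f"{base} http action block" + (" notification log" if p.block_log else ""),
        f"{base} fallback-options action {p.fallback_action}",
    ]
    if p.fallback_log:
        cmds.append(f"{base} fallback-options notification log")
    if p.blacklist_log:
        cmds.append(f"{base} blacklist-notification log")
    if p.whitelist_log:
        cmds.append(f"{base} whitelist-notification log")
    cmds.append(f"{base} smtp inspection-profile {p.smtp_profile}")
    return cmds


def evaluate(p: AamwPolicy, verdict: Optional[int], error: bool = False,
             list_hit: Optional[str] = None) -> Tuple[str, bool]:
    """Return (action, log) for one HTTP file download under policy p.

    verdict:  ATP Cloud verdict score 1..10, or None if no verdict was returned.
    error:    True when the lookup failed (fallback-options apply).
    list_hit: "blacklist", "whitelist" or None. Assumption: a blocklist hit is
              blocked and an allowlist hit is permitted; the page only states
              that both are logged.
    """
    if list_hit == "blacklist":
        return "block", p.blacklist_log
    if list_hit == "whitelist":
        return "permit", p.whitelist_log
    if error or verdict is None:
        # Error condition: fallback-options decide action and logging.
        return p.fallback_action, p.fallback_log
    if verdict >= p.verdict_threshold:
        # Verdict at or above the threshold: block, log per notification setting.
        return "block", p.block_log
    # Below the threshold: file is permitted and no log entry is created.
    return "permit", False


if __name__ == "__main__":
    policy = AamwPolicy()
    print("\n".join(render_set_commands(policy)))
    for v in (3, 7, 10):
        print(f"verdict={v} -> {evaluate(policy, v)}")
    print("error      ->", evaluate(policy, None, error=True))
    print("blocklist  ->", evaluate(policy, 2, list_hit="blacklist"))
```

The boundary case worth checking is verdict 7: the page says "greater than or equal to 7", so 7 itself is blocked and logged, while 6 is permitted silently because the policy sets no notification for below-threshold verdicts.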

Verification

First, verify that your SRX Series Firewall is connected to the cloud.

Next, clear the statistics to make it easier to read your results.

After some traffic has passed through your SRX Series Firewall, check the statistics to see how many sessions were permitted, blocked, and so forth according to your profile and policy settings.