Configure Juniper Advanced Threat Prevention Cloud Policy
This configuration shows how to create a Juniper ATP Cloud policy using the CLI. It assumes you already know how to configure security zones and security policies. See Example: Creating Security Zones.
Requirements
This configuration uses the following hardware and software components:
- An SRX1500 device with traffic through packet forwarding.
- Junos OS Release 15.1X49-D80 or later.
Note: Starting in Junos OS Release 15.1X49-D80, the match-then condition has been deprecated from the Juniper ATP Cloud policy configuration. This configuration includes those updates.
Note: Junos OS Release 18.2R1 or later adds explicit web proxy support for anti-malware and security-intelligence policies using the following statements:
set services advanced-anti-malware connection proxy-profile proxy_name
set services security-intelligence proxy-profile proxy_name
First use the set services command to configure the web proxy profile, including the proxy host IP address and port number. See Explicit Web Proxy for Juniper ATP Cloud for details.
Overview
The following configuration creates a Juniper ATP Cloud policy that has the following properties:
- Policy name is aamwpolicy1.
- Profile name is default_profile.
- Block any file if its returned verdict is greater than or equal to 7 and create a log entry.
- Do not create a log entry if a file has a verdict less than 7.
- When there is an error condition, allow files to be downloaded and create a log entry.
- Create a log entry when attempting to download a file from a site listed in the blocklist or allowlist files.
Configuration
The following configuration requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
Starting in Junos OS Release 15.1X49-D80, the match-then condition has been deprecated from the Juniper ATP Cloud policy configuration. Configurations made prior to 15.1X49-D80 will continue to work, but it is recommended that you do not use these statements going forward.
- Create the Juniper ATP Cloud policy.
  - Set the policy name to aamwpolicy1 and block any file if its returned verdict is greater than or equal to 7.
    set services advanced-anti-malware policy aamwpolicy1 verdict-threshold 7
  - Associate the policy with the default_profile profile.
    set services advanced-anti-malware policy aamwpolicy1 http inspection-profile default_profile
  - Block any file if its returned verdict is greater than or equal to 7 and create a log entry.
    set services advanced-anti-malware policy aamwpolicy1 http action block notification log
  - When there is an error condition, allow files to be downloaded and create a log entry.
    set services advanced-anti-malware policy aamwpolicy1 fallback-options action permit
    set services advanced-anti-malware policy aamwpolicy1 fallback-options notification log
  - Create a log entry when attempting to download a file from a site listed in the blocklist or allowlist files.
    set services advanced-anti-malware policy aamwpolicy1 blacklist-notification log
    set services advanced-anti-malware policy aamwpolicy1 whitelist-notification log
  - For SMTP, you only need to specify the profile name. The user-defined action to take is defined in the Juniper ATP Cloud portal.
    set services advanced-anti-malware policy aamwpolicy1 smtp inspection-profile my_smtp_profile
- Configure the firewall policy to enable the advanced anti-malware application service.
  set security policies from-zone trust to-zone untrust policy firewall-policy1 match source-address any
  set security policies from-zone trust to-zone untrust policy firewall-policy1 match destination-address any
  set security policies from-zone trust to-zone untrust policy firewall-policy1 match application any
  set security policies from-zone trust to-zone untrust policy firewall-policy1 then permit application-services advanced-anti-malware aamwpolicy1
- Configure the SSL proxy profile to inspect HTTPS traffic.
  set services ssl proxy profile ssl-inspect-profile root-ca ssl-inspect-ca
- Configure the SSL forward proxy to inspect HTTPS traffic.
  Note that this command assumes you have already configured ssl-inspect-ca, which is the root CA used by the SSL forward proxy. If you have not already done so, an error occurs when you commit this configuration. See Enable Juniper ATP Cloud for Encrypted HTTPS Connections for more information on configuring ssl-inspect-ca.
  set security policies from-zone trust to-zone untrust policy firewall-policy1 then permit application-services ssl-proxy profile-name ssl-inspect-profile
- Review your policy. It should look similar to this.
  show services advanced-anti-malware policy
  Advanced-anti-malware configuration:
  Policy Name: aamwpolicy1
    Default-notification : No Log
    Whitelist-notification: Log
    Blacklist-notification: Log
    Fallback options:
      Action: permit
      Notification: Log
    Protocol: HTTP
      Verdict-threshold: 7
      Action: block
      Notification: Log
      Inspection-profile: default_profile
    Protocol: SMTP
      Verdict-threshold: 7
      Action: User-Defined-in-Cloud (permit)
      Notification: No Log
      Inspection-profile: my_smtp_profile
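The review step above compares the show output against the intended properties by eye. The following Python script is an added example, not part of Juniper's documentation or of Junos OS: it parses the text of show services advanced-anti-malware policy into a nested dictionary and checks the aamwpolicy1 policy against the properties listed in the Overview, so that a drift from block to permit, a changed verdict threshold or a silenced notification is reported instead of being overlooked during review. The sample input is constructed from the page's output, one key per line; the exact indentation is assumed, but the parser keys on the heading lines ("Fallback options:", "Protocol: HTTP") rather than on whitespace. The key names come from the page's output; the EXPECTED structure and the function names are the example's own.

```python
"""Parse 'show services advanced-anti-malware policy' output and check it
against the policy properties the configuration is meant to produce.
Added example; not Juniper code."""

import re

# Constructed sample, reformatted from the flattened output shown on the page.
SAMPLE_OUTPUT = """\
Advanced-anti-malware configuration:
Policy Name: aamwpolicy1
  Default-notification : No Log
  Whitelist-notification: Log
  Blacklist-notification: Log
  Fallback options:
    Action: permit
    Notification: Log
  Protocol: HTTP
    Verdict-threshold: 7
    Action: block
    Notification: Log
    Inspection-profile: default_profile
  Protocol: SMTP
    Verdict-threshold: 7
    Action: User-Defined-in-Cloud (permit)
    Notification: No Log
    Inspection-profile: my_smtp_profile
"""

# Properties from the Overview: threshold 7 with block+log on HTTP, permit+log
# on error, log on allowlist/blocklist hits, and no log below the threshold.
# (Structure and key names chosen for this example.)
EXPECTED = {
    "Default-notification": "No Log",
    "Whitelist-notification": "Log",
    "Blacklist-notification": "Log",
    "Fallback options": {"Action": "permit", "Notification": "Log"},
    "Protocol": {
        "HTTP": {
            "Verdict-threshold": "7",
            "Action": "block",
            "Notification": "Log",
            "Inspection-profile": "default_profile",
        }
    },
}


def parse_aamw_policies(text):
    """Return {policy_name: {...}} built from the show output.

    Nesting is tracked by heading lines ('Fallback options:', 'Protocol: HTTP')
    rather than by indentation, so leading whitespace does not matter.
    """
    policies = {}
    policy = None      # dict for the policy currently being filled
    section = None     # dict that plain 'Key: value' lines go into
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Advanced-anti-malware configuration:":
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()   # tolerates 'Key : value'
        if key == "Policy Name":
            policy = policies.setdefault(value, {"Protocol": {}})
            section = policy
        elif policy is None:
            continue                              # text before any policy
        elif key == "Fallback options":
            section = policy.setdefault("Fallback options", {})
        elif key == "Protocol":
            section = policy["Protocol"].setdefault(value, {})
        else:
            section[key] = value
    return policies


def check_policy(policy, expected, path=""):
    """Return a list of 'path: expected X, got Y' strings; empty means compliant."""
    findings = []
    for key, want in expected.items():
        got = policy.get(key)
        where = f"{path}/{key}" if path else key
        if isinstance(want, dict):
            if not isinstance(got, dict):
                findings.append(f"{where}: missing section")
            else:
                findings.extend(check_policy(got, want, where))
        elif got != want:
            findings.append(f"{where}: expected {want!r}, got {got!r}")
    return findings


def verdict_threshold_ok(policy, protocol="HTTP", threshold=7):
    """True when the protocol blocks at exactly the intended verdict threshold."""
    proto = policy.get("Protocol", {}).get(protocol, {})
    m = re.fullmatch(r"\d+", proto.get("Verdict-threshold", ""))
    return bool(m) and int(m.group()) == threshold and proto.get("Action") == "block"


if __name__ == "__main__":
    pol = parse_aamw_policies(SAMPLE_OUTPUT)["aamwpolicy1"]
    for line in check_policy(pol, EXPECTED) or ["aamwpolicy1 matches the intended policy"]:
        print(line)
```

In practice the text would come from the device (for example via the Junos PyEZ or NETCONF session you already use for auditing) rather than from the embedded sample; the checks are deliberately strict string comparisons so that any wording change in the output surfaces as a finding to look at rather than silently passing.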
Verification
First, verify that your SRX Series Firewall is connected to the cloud.
show services advanced-anti-malware status
Next, clear the statistics to make it easier to read your results.
clear services advanced-anti-malware statistics
After some traffic has passed through your SRX Series Firewall, check the statistics to see how many sessions were permitted, blocked, and so forth according to your profile and policy settings.
show services advanced-anti-malware statistics