Creating Threat Prevention Policies

To access this page, click Configure > Threat Prevention > Policy.

You can create threat prevention policies from the policy page.

Note: If you are creating policies for the first time, you are given the option of setting up Policy Enforcer with Sky ATP or configuring Sky ATP alone. Clicking either button takes you to quick setup for your selection. See Comparing the SDSN and non-SDSN Configuration Steps for a configuration comparison.

Before You Begin

Procedure

To create a threat prevention policy:

  1. Select Configure > Threat Prevention > Policy.
  2. Click the + icon.
  3. Complete the configuration by using the guidelines in the Table 165 below.
  4. Click OK.

Table 203: Fields on the Threat Prevention Policy Page

Field

Description

Name

Enter a unique string that must begin with an alphanumeric character and can include underscores; no spaces allowed; 63-character maximum.

Description

Enter a description; maximum length is 1024 characters. You should make this description as useful as possible for all administrators.

Profiles

Command and Control Server

Select and choose settings for command and control servers. A C&C is a centralized computer that issues commands to botnets (compromised networks of computers) and receives reports back from them. Botnets can be used to gather sensitive information, such as account numbers or credit card information, or to participate in a distributed denial-of-service (DDoS) attack.

Include C&C profile in policy

Select the check box to include management for this threat type in the policy.

Threat Score

Use the slider to change the action to be taken based on the threat score. Threat scores are assigned using several criteria. Refer to the monitoring pages in the UI to investigate, located under Monitor > Threat Management.

Actions

If the threat score is high enough to cause a connection to be blocked, you have the following configurable options:

  • Drop connection silently (This is the default and recommended setting.)
  • Close connection and do not send a message
  • Close connection and redirect to URL—In the field provided, enter a URL to redirect users to when connections are dropped.
  • Send custom message—In the field provided, enter a message to be shown to users when connections are dropped.

Infected Host

Infected hosts are systems for which there is a high confidence that attackers have gained unauthorized access. Infected hosts data feeds are listed with the IP address or IP subnet of the host, along with a threat score.

Include infected host profile in policy

Select the check box to include management for this threat type in the policy.

Note: If you want to enforce an infected host policy within the network, you must include a switch in the site.

Actions

You have the following options:

  • Drop connection silently (This is the default and recommended setting.)
  • Quarantine—In the field provided, enter a VLAN to which quarantined files are sent. (Note that the fallback option is to block and drop the connection silently.)

Malware (HTTP file download and SMTP File attachment)

Malware is files that are downloaded by hosts or received as email attachments and found to be suspicious based on known signatures, URLs, or other heuristics.

Include malware profile in policy

Select the check box to include management for this threat type in the policy.

HTTP file download

Turn this feature on to scan files downloaded over HTTP and then select a file scanning device profile already configured through Sky ATP.

Scan HTTPS

Turn this feature on to scan encrypted files downloaded over HTTPS.

Device Profile

Select a Sky ATP device profile. This is configured through Sky ATP. Sky ATP profiles let you define which files to send to the cloud for inspection. You can group types of files to be scanned together under a common name and create multiple profiles based on the content you want scanned. See Device Profiles Overview.

Threat Score

Use the slider to change the action to be taken based on the threat score. Threat scores are assigned using several criteria. (Note: There is no monitoring setting for malware.)

Refer to the monitoring pages in the UI to investigate, located under Monitor > Threat Management.

Actions

If the threat score is high enough to cause a connection to be blocked, you have the following configurable options:

  • Drop connection silently (This is the default and recommended setting.)
  • Close connection and do not send a message
  • Close connection and redirect to URL—In the field provided, enter a URL to redirect users to when connections are dropped.
  • Send custom message—In the field provided, enter a message to be shown to users when connections are dropped.

SMTP File Attachment

Turn this feature on to inspect files received as email attachments (over SMTP only).

Device Profile

If you do not click the Change button to select a device profile for SMTP scanning, the device profile selected for HTTP will be used by default.

Select Change to use a different device profile for SMTP.

Device profiles are configured through Sky ATP and define which files to send to the cloud for inspection.

Threat Score

Use the slider to change the action to be taken based on the threat score. Threat scores are assigned using several criteria.

Actions

Actions for SMTP File Attachment include: Quarantine, Deliver malicious messages with warning headers added, and Permit. These actions are set in Sky ATP.

Log Setting (Policy setting for all profiles)

Select the log setting for the policy. You can log all traffic, log only blocked traffic, or log no traffic.
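As an added illustration (not Juniper's code or the product's actual evaluation logic), the following Python sketch models how the fields in the table combine: the per-profile enable check box, the threat-score slider that sets the block threshold, the chosen block action (including the quarantine fallback when no switch is present), and the policy-wide log setting. The name rule, thresholds, VLAN and redirect URL are constructed values.

```python
"""Added example, not Juniper's code: a toy model of how the threat prevention
policy fields (per-profile enable flag, threat-score slider, block action and
the policy-wide log setting) decide what happens to a connection. All values
(thresholds, VLAN, URL, policy name) are constructed for illustration."""
import re
from dataclasses import dataclass


def valid_name(name: str) -> bool:
    """Name rule from the table: first character alphanumeric, underscores
    allowed, no spaces, 63 characters maximum (assumes no other characters)."""
    return re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_]{0,62}", name) is not None


@dataclass
class Profile:
    enabled: bool
    block_threshold: int   # slider position: scores at or above this are blocked
    action: str = "drop"   # drop | close | redirect | message | quarantine
    detail: str = ""       # redirect URL, custom message text, or quarantine VLAN


@dataclass
class Policy:
    name: str
    cc: Profile            # Command and Control Server profile
    infected_host: Profile
    malware: Profile
    log_setting: str = "blocked"   # all | blocked | none


def decide(policy: Policy, threat_type: str, score: int, has_switch: bool = True):
    """Return (action, logged) for one event of threat_type carrying a feed score."""
    profile = getattr(policy, threat_type)
    if not profile.enabled or score < profile.block_threshold:
        action = "permit"
    elif profile.action == "quarantine":
        # Quarantine needs a switch in the site; otherwise fall back to
        # blocking and dropping the connection silently, as the table notes.
        action = f"quarantine vlan {profile.detail}" if has_switch else "drop"
    elif profile.action in ("redirect", "message"):
        action = f"{profile.action}:{profile.detail}"
    else:
        action = profile.action
    blocked = action != "permit"
    logged = policy.log_setting == "all" or (policy.log_setting == "blocked" and blocked)
    return action, logged


def example_policy() -> Policy:
    """Constructed policy: C&C blocked at 7+ with a redirect, infected hosts
    quarantined at 8+ to VLAN 999, malware profile not included."""
    return Policy("tp_policy_1",
                  cc=Profile(True, 7, "redirect", "https://blockpage.example/"),
                  infected_host=Profile(True, 8, "quarantine", "999"),
                  malware=Profile(False, 5))
```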

Procedure

Once you have a threat prevention policy, you assign one or more groups to it:

  1. In the threat prevention policy main page (located under Configure > Threat Prevention > Policy), find the appropriate policy.
  2. In the Groups column, click the Assign to Groups link that appears here when there are no policy enforcement groups assigned, or click the group name that appears in this column to edit the existing list of assigned groups. You can also select the check box beside a policy and click the Assign to Groups button at the top of the page. See Policy Enforcement Groups Overview.
  3. In the Assign to Groups page, select the check box beside a group in the Available list and click the > icon to move it to the Selected list. The groups in the Selected list will be assigned to the policy.
  4. Click OK.
  5. Once one or more policy enforcement groups have been assigned, a Ready to Update link appears in the Status column. You must update to apply your new or edited policy configuration. Clicking the Ready to Update link takes you to the Threat Policy Analysis page. See Threat Policy Analysis Overview. From there you can view your changes and choose to Update now, Update later, or Save them in draft form without updating.
  6. If you are using Sky ATP without Policy Enforcer, you must assign your threat prevention policy to a firewall rule for it to take effect. Navigate to Configure > Firewall Policy > Policies. In the Advanced Security column, click an item to access the Edit Advanced Security page and select the threat prevention policy from the Threat Prevention pulldown list.
