Using Guided Setup for Sky ATP with SDSN

The Guided Setup process offers five steps for configuring Sky ATP with SDSN threat prevention. Click Start Setup to begin.

Procedure

1. Secure Fabric—Secure Fabric is a collection of network devices (switches, routers, firewalls, and other security devices), used by users or user groups, to which policies for aggregated threat prevention are applied. Once created, secure fabric is located under Devices. For secure fabric, the following is configured:

   • Sites—A site is a collection of network devices participating in threat prevention. Using quick setup, you can create your own site, but note that a device can only belong to one site and you must remove it from the any other site where it is used to use it elsewhere.

     Click Add Devices in the Device Name column or in the IP address column to add devices to a site. Using the check boxes in the device list, you should indicate which devices are firewalls or switches. Policy Enforcer needs to know which devices are firewalls so they can be enrolled in Sky ATP realms and receive feed downloads.

     Note: Firewall devices are automatically enrolled with Sky ATP as part of this step. No manual enrollment is required.

2. Policy Enforcement Group—A policy enforcement group is a grouping of endpoints ready to receive advance threat prevention policies. Create a policy enforcement group by adding endpoints (firewalls and switches) under one common group name and later applying a security policy to that group. For policy enforcement group, the following is configured:

   • Once configured, policy enforcement groups are located under Configure > Shared Objects. A policy enforcement groups has the following fields:

     • Name and Description.

     • Group Type—IP Address, Subnet, or Location

     • Endpoint—IP addresses included in the group

3. Sky ATP Realm— If you have not created a realm from within your Sky ATP account, you can create and register it here by clicking the + sign. Once you register a realm, you can enroll SRX Series devices into the realm. A security realm is a group identifier for an organization used to restrict access to Web applications. You can create one or multiple realms. A realm has the following configuration fields

   • Username and Password—These are credentials you must provide, obtained through your Sky ATP account.

   • Realm—This is the name of the realm you are creating.

   If a realm is already created with a site assigned, all devices in a site are listed under the Devices in Site(s) column that includes EX Series, SRX Series, all enforcement points and devices that are originally from a realm . Devices that are marked as perimeter firewall devices are listed under the Perimeter Firewall column.

4. Threat Prevention Policy—A threat prevention policy requires you to create a name for the policy, choose one or more profile types depending on the type of threat prevention this policy provides (C&C Server, Infected Host, Malware), and select a log setting. Once configured, you apply policies to policy enforcement groups.

   • Once configured, threat prevention policies are located under Configure > Threat Prevention > Policies. A policy has the following fields:

     • Name and Description.

     • Profiles—The type of threat this policy manages:

       • C&C Server (Command and Control Server)—A C&C server is a centralized computer that issues commands to botnets (compromised networks of computers) and receives reports back from them. A C&C profile would provide information on C&C servers that have attempted to contact and compromise hosts on your network. Information such as IP address, threat level, and country of origin are gathered.

       • Infected Host—An infected host profile would provide information on compromised hosts and their associated threat levels. Host information includes IP address, threat level, blocked status, when the threat was seen, command and control hits, and malware detections.

       • Malware—A malware profile would provide information on files downloaded by hosts and found to be suspicious based on known signatures or URLs. The filename, file type, signature, date and time of download, download host, URL, and file verdict are gathered.

     • Logging—All traffic is logged by default. Use the pulldown to narrow the types of traffic to be logged.

   • Group—Once your policy is created, it is applied to the policy enforcement group.

5. Geo IP—Geo IP refers to the method of locating a computer terminal's geographic location by identifying that terminal's IP address. A Geo IP feed is an up-to-date mapping of IP addresses to geographical regions. By mapping IP address to the sources of attack traffic, geographic regions of origin can be determined, giving you the ability to filter traffic to and from specific locations in the world. For Geo IP, you configure the following:

   • Name and Description

   • Countries—Select the check box beside the countries in the Available list and click the > icon to move them to the Selected list. The countries in the Selected list will be included in the policy and action will be taken according to their threat level.

   • Block Traffic—Choose what traffic to block from the selected countries. Incoming traffic, Outgoing traffic, or Incoming and Outgoing traffic.

6. The last page is a summary of the items you have configured using quick setup. Click OK to be taken to the Policies page under Configure > Threat Prevention > Policies and your policy is listed there.
7. You must update to apply your new or edited policy configuration. Clicking the Ready to Update link takes you the Threat Policy Analysis page. See Threat Policy Analysis Overview. From there you can view your changes and choose to Update now, Update later, or Save them in draft form without updating.

Related Documentation

• Policy Enforcer Configuration Concepts

• Policy Enforcer Settings

• Configuring Sky ATP with SDSN (Without Guided Setup) Overview

• Using Guided Setup for Sky ATP