
Integrating ForeScout CounterACT with Juniper Networks SDSN

This topic describes how to integrate the third-party device ForeScout CounterACT with the Juniper Networks Software-Defined Secure Networks (SDSN) solution to remediate threats from infected hosts in enterprise networks. ForeScout CounterACT is an agentless security appliance that dynamically identifies and evaluates network endpoints and applications the instant they connect to your network. CounterACT integrates with SDSN to block or quarantine infected hosts on Juniper Networks devices, third-party switches, and wireless access controllers, with or without 802.1X protocol integration.

To integrate ForeScout CounterACT with SDSN, you must create a connector in Policy Enforcer that enables CounterACT to connect to your secure fabric, and create policies for CounterACT. Before you configure the ForeScout CounterACT connector, ensure that ForeScout CounterACT is installed and running with the Open Integration Module (OIM). The ForeScout OIM consists of two plug-ins: Data Exchange (DEX) and Web API. Install both plug-ins and ensure that they are running. You must configure these plug-ins before you create a connector in Policy Enforcer.

If you do not have ForeScout CounterACT installed in your network, obtain an evaluation copy from here.

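This topic includes the following sections:

  - Configuring the DEX Plug-in
  - Configuring the Web API Plug-in
  - Creating ForeScout CounterACT Connector in Security Director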

Configuring the DEX Plug-in

The DEX plug-in receives API information about infected hosts from the ForeScout CounterACT connector. Messages from infected hosts are either blocked or quarantined.

When you configure the DEX plug-in, you also configure a new property, Test, for DEX. When configured, this property ensures that Web services are available for Policy Enforcer, monitors the network status, and validates usernames and passwords.

Procedure

To configure the DEX plug-in:

  1. Select Tools > Options > Data Exchange (DEX) in the CounterACT UI.

    The Data Exchange configuration page appears.

  2. On the Data Exchange (DEX) page, select the CounterACT Web Services > Accounts tab, as shown in Figure 98.

    The DEX Accounts page appears.

    Figure 98: DEX Accounts Page

  3. Select Add.

    The Add page appears.

  4. In the Name field, enter the name for the CounterACT Web service account.

    You enter this same name in the DEX User Role field when you configure the ForeScout connector in Security Director (see Step 3 of that procedure).

  5. In the Description field, enter a brief description of the purpose of the Web service account.
  6. In the Username field, enter the username that will be used to authorize CounterACT to access the Web service account.
  7. In the Password field, enter the password that will be used to authorize CounterACT to access this Web service account.
  8. Click OK.
  9. In the Properties tab, click Add.

    The General pane of the Add Property from CounterACT Web Service wizard opens, as shown in Figure 99.

    Figure 99: Add Property-General Pane Page

  10. Add properties such as block, quarantine, and Test, as shown in Figure 100.

    You must include the Test property. Otherwise, you cannot add CounterACT as a third-party connector to Policy Enforcer successfully.

    Figure 100: DEX Properties Page

  11. In the Security Settings tab, click Add and add the IP address range from where communication is expected, as shown in Figure 101.

    Figure 101: Add IP Range Page


    Click OK. The IP address appears in the IP Address Range list, as shown in Figure 102.

    Figure 102: DEX Security Settings Page

  12. On the Data Exchange (DEX) page, click Apply.

    The configuration is saved and the configuration settings are applied.

Configuring the Web API Plug-in

The Web API plug-in enables external entities to communicate with CounterACT by using simple, yet powerful Web service requests based on HTTP interaction. You configure the Web API plug-in to create an account for Policy Enforcer integration.

Procedure

To configure the Web API plug-in:

  1. Select Tools > Options > Web API in the CounterACT UI.

    The Web API page appears.

  2. In the User Settings tab, select Add.

    The Add Credentials page appears.

  3. Enter the same username and password that you created for the DEX configuration (see Step 6 and Step 7 of the DEX plug-in procedure) and click OK, as shown in Figure 103.

    Figure 103: Web API User Settings Page

  4. Select the Client IPs tab and click Add.

    Add the Policy Enforcer IP address into the access list.

  5. Click OK.

    The IP address appears in the IP Address Range list, as shown in Figure 104.

    Figure 104: Web API Client IPs Page

  6. Click Apply to save and apply your configuration.

Creating ForeScout CounterACT Connector in Security Director

After you configure the DEX and Web API plug-ins, you need to create a connector for ForeScout CounterACT in Policy Enforcer.

Procedure

To create a ForeScout CounterACT connector in Junos Space Security Director:

  1. Select Security Director > Administration > Policy Enforcer > Connectors.

    The Connectors page appears.

  2. Click the create icon (+).

    The Create Connector page appears.

  3. In the General tab, select ForeScout CounterACT as the connector type and provide the username, DEX user role, and password, as shown in Figure 105. (The DEX user role is the CounterACT Web service account name that you created in Step 4 of the DEX plug-in procedure.)

    Specify 443 as the port number for communication.

    Figure 105: Edit Connector Page

  4. In the Network Details tab, configure the IP subnets, as shown in Figure 106.

    CounterACT treats the IP subnets as endpoints and takes action.

    Figure 106: Edit Connector - Network Details Page

  5. In the Configuration tab, specify the Web API username and password, as shown in Figure 107.

    Figure 107: ForeScout Connector - Configuration Tab

  6. Click Finish.

    A new ForeScout CounterACT connector is created.

  7. Verify that the communication between Policy Enforcer and CounterACT is working.
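
A pre-flight consistency check for the three procedures above, as an added example that is not part of the Juniper or ForeScout documentation: it confirms that the DEX properties include Test, that the connector's DEX user role matches the DEX account name, that the Web API username matches the DEX username, that the port is 443, and that both IP allowlists cover the Policy Enforcer address without being wider than needed. The plan dictionary layout, the sample names and addresses, and the `max_range` threshold are assumptions made for this example; neither product exports this format.

```python
import ipaddress

# Property names from step 10 of the DEX procedure; the page states Test is mandatory.
DEX_PROPERTIES = {"block", "quarantine", "Test"}

def _bounds(ip_range):
    """Parse an inclusive (start, end) pair as shown in an IP Address Range list."""
    return tuple(ipaddress.ip_address(a) for a in ip_range)

def range_covers(ip_range, ip):
    start, end = _bounds(ip_range)
    return start <= ipaddress.ip_address(ip) <= end

def range_size(ip_range):
    start, end = _bounds(ip_range)
    return int(end) - int(start) + 1

def audit(plan, max_range=256):  # max_range is an assumed review threshold
    """Return findings for a planned configuration; an empty list means consistent."""
    dex, api, conn = plan["dex"], plan["web_api"], plan["connector"]
    pe_ip, findings = plan["policy_enforcer_ip"], []
    missing = DEX_PROPERTIES - set(dex["properties"])
    if missing:
        findings.append(f"DEX properties missing: {sorted(missing)}")
    if conn["dex_user_role"] != dex["account_name"]:
        findings.append("connector DEX user role differs from DEX account name")
    if api["username"] != dex["username"]:
        findings.append("Web API username differs from DEX username")
    if conn["port"] != 443:
        findings.append(f"connector port is {conn['port']}, expected 443")
    for label, ranges in (("DEX", dex["ip_ranges"]), ("Web API", api["client_ips"])):
        if not any(range_covers(r, pe_ip) for r in ranges):
            findings.append(f"{label} allowlist does not cover Policy Enforcer {pe_ip}")
        for r in ranges:
            if range_size(r) > max_range:
                findings.append(f"{label} allowlist range {r[0]}-{r[1]} exceeds {max_range} addresses")
    return findings

# Constructed sample plan (hypothetical names and private addresses, not from the page).
SAMPLE_PLAN = {
    "policy_enforcer_ip": "10.20.30.10",
    "dex": {"account_name": "sdsn", "username": "pe-svc",
            "properties": ["block", "quarantine"],
            "ip_ranges": [("10.20.30.10", "10.20.30.10")]},
    "web_api": {"username": "pe-svc",
                "client_ips": [("10.0.0.0", "10.255.255.255")]},
    "connector": {"dex_user_role": "sdsn", "port": 443},
}
```

Calling `audit(SAMPLE_PLAN)` reports the missing Test property and the overly broad Web API client range; passwords are deliberately kept out of the plan, so only usernames are compared.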

After installing ForeScout CounterACT and configuring a connector, in the CounterACT UI, create policies for CounterACT to take the necessary action on the infected hosts. The Hosts page lists compromised hosts and their associated threat levels, as shown in Figure 108.

Figure 108: Host Information


Table 300 shows the recommended actions performed by CounterACT on the infected hosts that are blocked or quarantined.

Table 300: Recommended Action to Be Performed on the Infected Hosts

| Infected Host Policy Enforcer Action | Connection State | Action Performed by CounterACT |
|---|---|---|
| Blocked | Wired | Apply access control list (ACL) to block inbound and outbound traffic for a specific MAC address. |
| Blocked | Wireless | Apply WLAN block on the endpoint, which will block the traffic based on the wireless MAC address. |
| Blocked | Dot1x | Apply CoA. |
| Quarantined | Wired | Apply VLAN. This action is specified by Policy Enforcer. |
| Quarantined | Wireless | Apply VLAN. This action is specified by Policy Enforcer. |
