Security Director Getting Started

Ready. Set. Let’s go!

Set up your Security Director with these high-level steps and start managing your SRX Series devices.

Discover Devices

Create Device Discovery Profiles

Procedure

Use a device discovery profile to find a device and synchronize it with the Junos Space Network Management Platform database.

To configure a device discovery profile:

  1. Select Devices > Device Discovery.

    The Device Discovery page appears.

  2. Click the add icon (+).

    The Create Discovery Profile page appears.

  3. Provide relevant data for all fields. Hover over the '?' to know more about a field.
  4. A new device discovery profile is created and you are returned to the Device Discovery page.

Run a Device Discovery Profile

Discover devices with the device discovery profile you just created.

Procedure

To run a device discovery profile:

  1. Select Devices > Device Discovery.

    The Device Discovery page appears.

  2. Select the device discovery profile and click Run Now.
  3. Click OK to return to the Device Discovery page.

Configure Logging and Reporting

Procedure

To enable the Logging and Reporting module for log collection across multiple SRX Series devices:

  1. Set up Security Director Log Collector.

    You can set up Log Collectors in both the VM and JA2500 appliance. You can configure Log Collector as an All in One node or integrated node for small-scale deployments. For easy scaling, begin with a single Log Receiver node and Log Storage node, and incrementally add Log Storage nodes as your needs expand. You can add a maximum of one Log Receiver node and three Log Storage nodes.

    For VM environment and JA2500 deployments, a single OVA image is used to deploy the All in One, Log Receiver, and Log Storage nodes. The image presents a configuration script after you log in. Select the appropriate memory and CPU configuration values for the role of the VM.

  2. Add the Log Collector to Security Director.

    Procedure

    1. Select Administration > Logging Management > Logging Nodes, and click the + icon.
    2. Choose the Log Collector type as Security Director Log Collector or Juniper Secure Analytics.

      Note: Starting in Junos Space Security Director Release 17.2, for distributed deployment, you can add only a Log Receiver node in Security Director and cannot add a Log Storage node.

    3. For Security Director Log Collector, provide the default credentials: the username is admin and the password is juniper123. You must change the default password using the Log Collector CLI configureNode.sh command. For JSA, provide the admin credentials that are used to log in to the JSA console.
    4. The Log Collector node is displayed in the Logging Nodes page with an active status.

    Note: For details on deploying and configuring JSA, see Juniper Secure Analytics documentation.

  3. To configure Security Director and SRX Series devices to receive logs, select Network Management Platform > Devices > Device Management.

Create Addresses

Create addresses to use in Firewall, NAT, IPS, and VPN services and apply them to the corresponding SRX Series devices.

Procedure

To create an address:

  1. Select Configure > Shared Objects > Addresses.
  2. Click Create.
  3. Provide relevant data for all fields. Hover over the '?' to know more about a field.
  4. A new address is created.

Configure Firewall or NAT Policies

Procedure

To configure, publish, and update a firewall or a NAT policy:

  1. Select Configure > Policy-Name > Policies.
  2. Click the add icon (+).

    The Create Policy page appears.

  3. Provide relevant data for all fields. Hover over the '?' to know more about a field.
  4. A new policy is created. To activate the policy, add rules in one or more rulebases. You can click the policy to assign rules inline or select the policy and click the + icon to configure policy rules.
  5. To enable a policy, you must assign it to a domain. See Assign Policies to Domains.
  6. Publish and update the policy to a device. See Publish and Update Policies on Devices.

Configure IPsec VPNs

Procedure

Create IPsec VPNs to securely communicate among remote computers across a public WAN such as the Internet. To configure, publish, and update an IPsec VPN:

  1. Select Configure > IPsec VPN > IPsec VPNs.
  2. Click the add icon (+) to create a new IPsec VPN.
  3. Provide relevant data for all fields. Hover over the '?' to know more about a field.
  4. Publish and update the IPsec VPN to a device. See Publish and Update Policies on Devices.

Manage IPS or App Firewall Policies

To manage intrusion prevention system (IPS) or application firewall policies, you must download the signature database, install it to a device, create an IPS or application firewall policy, and then publish and update them to a device.

Download the Signature Database Configuration

Use the Signature Database page to download and install the signature database to security devices.

Procedure

To download the signature database configuration:

  1. Select Administration > Signature Database.
  2. Click Signature Download Settings.

    The Signature Download Settings page appears.

  3. In the Download URL field, enter the destination URL to download the IPS signature database. By default, https://signatures.juniper.net is specified in this field.
  4. Click Browse to browse for the server certificate.
  5. Enable the Proxy Server field to send the download configuration traffic.
  6. Do one of the following to configure the schedule to download the configuration:
    • Select Run now to download the signature database immediately.

    • Select Schedule at a later time to set the signature database to automatically download at a specified time.

  7. Select Recurrence to enable the schedule to recur in a given time interval.
  8. Click OK.

    The downloaded signatures and configuration details are saved in the System domain.

Install the Signature Database Configuration

Procedure

To install the signature database:

  1. Select Administration > Signature Database.
  2. Click Install Signatures.

    The Install Signatures page appears. You can view the summary of the active signature database version, which will be installed on your device.

  3. Right-click the device on which you want to install the signature database or from the Probe Devices list, select Full Probe or Delta Probe.
  4. Enable Incremental Update to perform an incremental update or a full update of the signature database for the selected device.
  5. Do one of the following to configure the schedule for installing the configuration:
    • Select Run now to install the signature database immediately.

    • Select Schedule at a later time to set the signature database to automatically install at a specified time.

  6. Select Recurrence to enable the schedule to recur in a given time interval.
  7. Click OK.

    If there is no Internet connection to download the package, perform an offline update of the signature database files by downloading the latest signature version from the following location and store it on your local system: https://services.netscreen.com/space/2/latest/latest-space-update.zip.

Create Application Firewall Policies

Procedure

To configure an application firewall policy, you must create a policy and then add rules to it. To create an application firewall policy:

  1. Select Configure > Application Firewall Policy > Policies.
  2. Click the add icon (+).

    The Create Application Firewall Policy page appears.

  3. Provide relevant data for all fields. Hover over the '?' to know more about a field.
  4. Click OK.

    A new application firewall policy is created.

  5. Click Add Rules to add rules to this policy to provide additional security.

Create IPS Policy Templates

Use IPS policy templates to create IPS policies. Juniper Networks provides predefined policy templates that you can use as a starting point to create your own policies. To customize these templates to work on your network, select your own source and destination addresses and choose the IPS actions that reflect your security needs. You can modify the template either by using the Advance option in the IPS Policy page or cloning the template.

Procedure

To create an IPS policy template:

  1. Select Configure > IPS Policy > Templates.
  2. Click the add icon (+).

    The Create IPS Policy Template page appears.

  3. Provide relevant data for all fields. Hover over the '?' to know more about a field.
  4. Click OK.

    A new IPS policy template with your configurations is created.

  5. To select the policy template as an active policy template, click the template name and add rules.

    You can now use this policy template in IPS policies.

Create IPS Policies

Create IPS policies to enforce various attack detection and prevention techniques on traffic traversing your network.

Procedure

To configure an IPS policy:

  1. Select Configure > IPS Policy > Policies.
  2. Click the add icon (+).

    The Create IPS Policy page appears.

  3. Provide relevant data for all fields. Hover over the '?' to know more about a field.
  4. A new IPS policy is created. Click the policy to assign rules inline or select the policy and click the + icon to configure policy rules.
  5. To enable the IPS policy, apply it to a domain. See Assign Policies to Domains.
  6. Publish and update the IPS policy to a device. See Publish and Update Policies on Devices.

Apply IPS or Application Firewall Policy to a Firewall Group

You can enable an IPS or application firewall policy for a firewall group policy to scrutinize all of the bits contained within packets to look for both known and unknown attacks.

Procedure

To apply an IPS or application firewall policy on a firewall group policy:

  1. Select Configure > Firewall Policy > Policies.

    The Firewall Policies page appears.

  2. Click Add Rule to create a rule for the new firewall policy.

    The Create Rule page appears.

  3. Provide relevant data for all fields. Hover over the '?' to know more about a field.
  4. Configure the following fields to enable IPS and application firewall policy:
    • Action—Set this field to Permit to permit the traffic using the type of firewall authentication you applied to the policy.

    • IPS—Set this field to On.

    • App Firewall—Select the application firewall policy from the list.

  5. To enable a policy, you must assign it to a domain. See Assign Policies to Domains.
  6. Publish and update the firewall policy to a device. See Publish and Update Policies on Devices.

Create SSL Forward Proxy Profiles

SSL proxy is enabled as an application service within a security policy. You can specify the traffic that you want the SSL proxy enabled on as match criteria and then specify the SSL proxy profile to be applied to the traffic.

Procedure

To create an SSL forward proxy profile:

  1. Select Configure > SSL Profiles > SSL Forward Proxy Profiles.
  2. Click the add icon (+).

    The Create SSL Forward Proxy Profiles page appears.

  3. Provide relevant data for all fields. Hover over the '?' to know more about a field.
  4. An SSL forward proxy profile is created that can be assigned to a firewall policy for advanced security options.

Note: If none of the services (AppFW, IDP, or AppTrack) are configured, then SSL proxy services are bypassed even if an SSL proxy profile is attached to a firewall policy.
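The bypass condition in the note above can be checked against the CLI version of a configuration before it is updated to a device. The following is an added example, not Juniper code or part of the original guide: it scans Junos set-format lines for policies that attach an SSL proxy profile without IDP or AppFW on the policy and without AppTrack on a zone. The sample configuration is constructed, and treating AppTrack as present when either zone of the policy has application-tracking enabled is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" format (not taken from the guide).
SAMPLE_CONFIG = """\
set security zones security-zone trust application-tracking
set security policies from-zone trust to-zone untrust policy web-inspect then permit application-services ssl-proxy profile-name fwd-proxy
set security policies from-zone trust to-zone untrust policy web-inspect then permit application-services idp
set security policies from-zone trust to-zone untrust policy mail-inspect then permit application-services ssl-proxy profile-name fwd-proxy
set security policies from-zone dmz to-zone untrust policy dmz-out then permit application-services ssl-proxy profile-name fwd-proxy
set security policies from-zone guest to-zone untrust policy guest-out then permit
"""

# Captures the zone pair, the policy name and the application service it enables.
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"then permit application-services (\S+)"
)
# AppTrack is enabled per security zone rather than per policy.
ZONE_TRACK_RE = re.compile(
    r"^set security zones security-zone (\S+) application-tracking\s*$"
)
# Per-policy services that keep SSL proxy active: IDP and AppFW.
DEPENDENT = {"idp", "idp-policy", "application-firewall"}


def find_bypassed_ssl_proxy(config_text):
    """Return (from_zone, to_zone, policy) for policies whose SSL proxy
    profile would be bypassed because no AppFW, IDP or AppTrack is set."""
    services = defaultdict(set)   # (src, dst, policy) -> service keywords
    tracked_zones = set()         # zones with application-tracking enabled
    for raw in config_text.splitlines():
        line = raw.strip()
        policy = POLICY_RE.match(line)
        if policy:
            src, dst, name, service = policy.groups()
            services[(src, dst, name)].add(service)
            continue
        zone = ZONE_TRACK_RE.match(line)
        if zone:
            tracked_zones.add(zone.group(1))

    findings = []
    for (src, dst, name), svcs in sorted(services.items()):
        if "ssl-proxy" not in svcs:
            continue  # no SSL proxy profile attached, nothing to bypass
        # Assumption: AppTrack on either zone of the policy counts.
        has_service = bool(svcs & DEPENDENT) or src in tracked_zones or dst in tracked_zones
        if not has_service:
            findings.append((src, dst, name))
    return findings


if __name__ == "__main__":
    for src, dst, name in find_bypassed_ssl_proxy(SAMPLE_CONFIG):
        print(f"SSL proxy bypassed: policy {name} ({src} -> {dst})")
```

In the sample, web-inspect is covered by IDP and mail-inspect by AppTrack on the trust zone, so only dmz-out is reported.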

Create UTM Policies

Use the Unified Threat Management (UTM) policy page to configure UTM policies. UTM consolidates several security features into one device to protect against multiple threat types.

Procedure

To configure, publish, and update the UTM policy:

  1. Select Configure > UTM Policy > Policies.
  2. Click the add icon (+) to create a new UTM policy.

    The Create UTM Policies wizard appears.

  3. Configure a filtering profile for your UTM policy:
    • Antispam—Examine transmitted e-mail messages to identify e-mail spam over SMTP.

    • Antivirus—Inspect files transmitted over several protocols (HTTP, FTP upload and download, IMAP, SMTP, and POP3) to determine if the files exchanged are known malicious files, similar to how desktop antivirus software scans files for the same purpose.

    • Content filtering—Block or permit certain types of traffic over several protocols (HTTP, FTP upload and download, IMAP, SMTP, and POP3) based on the MIME type, file extension, protocol command, and embedded object type.

    • Web Filtering—Manage Internet usage by preventing access to inappropriate Web content over HTTP.

    • Device—Configure UTM global options for a device. The device profile refers to the antispam, antivirus, and Web filtering profiles.

  4. Provide relevant data for all fields. Hover over the '?' to know more about a field.
  5. Click Finish. A new UTM policy is created.
  6. Publish and update the UTM policy to a device. See Publish and Update Policies on Devices.

Configure Sky ATP with Policy Enforcer (SDSN)

Policy Enforcer provides centralized, integrated management of all your security devices (both physical and virtual), allowing you to combine threat intelligence from different solutions and act on that intelligence from one management point. Using Policy Enforcer and the intelligence feeds it offers through Sky ATP, you can create threat prevention policies that provide monitoring and actionable intelligence for threat types such as known malware, command and control servers, infected hosts, and Geo IP-based server data.

Procedure

To use Policy Enforcer, you must do the following:

  1. Download, deploy, and configure the policy enforcer virtual machine.

    Policy Enforcer is delivered as an OVA package to be deployed inside your VMware ESX network. As with other Juniper Networks virtual appliances, Policy Enforcer requires either a VMware ESX server version 4.0 or later or a VMware ESXi server version 4.0 or later.

    Note: Detailed instructions for downloading Policy Enforcer and creating your policy enforcer virtual machine are provided in the Policy Enforcer Administration Guide and in the Security Director Help Center.

  2. Once installed, you must enter the IP address and login credentials for the policy enforcer virtual machine. You must also select a threat prevention type. In the Security Director UI, go to Administration > Policy Enforcer > Settings. Once this information is entered, you can begin the setup process.

    Note: If you are using Sky ATP without Policy Enforcer (SDSN) or Cloud Feeds only, you must still download Policy Enforcer and create a policy enforcer virtual machine. A Sky ATP license and a Sky ATP account are also needed for all threat prevention types (Sky ATP with SDSN, Sky ATP, and Cloud feeds only). If you do not have a Sky ATP license, contact your local sales office or Juniper Networks partner to place an order for a Sky ATP premium or basic license.

  3. Guided Setup is the most efficient way to complete your initial configuration of Policy Enforcer and Sky ATP. In the Security Director UI, navigate to Configure > Guided Setup > Sky ATP with SDSN. Click Start Setup to begin. The following information is for configuring Sky ATP with SDSN.
  4. Configure Secure Fabric—Secure Fabric is a collection of network devices (switches, routers, firewalls, and other security devices), used by users or user groups, to which policies for aggregated threat prevention are applied. Once created, your secure fabric is located under Devices.
  5. Configure Policy Enforcement Group—A policy enforcement group is a grouping of endpoints ready to receive threat prevention policies. Create a policy enforcement group by adding endpoints (firewalls and switches) under one common group name and later applying a security policy to that group.
  6. Configure Sky ATP Realm—If you have not created a realm from within your Sky ATP account, you can create and register it here by clicking the + sign. Once you register a realm, you can enroll SRX Series devices into the realm. A security realm is a group identifier for an organization used to restrict access to Web applications. You can create one or multiple realms.
  7. Configure Threat Prevention Policy—A threat prevention policy requires you to create a name for the policy, choose one or more profile types depending on the type of threat prevention this policy provides (C&C Server, Infected Host, Malware), and select a log setting. Once configured, you assign policies to policy enforcement groups and click Finish.

Assign Policies to Domains

You must assign or reassign policies to different domains when they are first configured and whenever you want to implement a change. You can assign only one policy at a time to a domain. Security Director validates the domain assignment. If the assignment is not acceptable, a warning message is displayed.

Procedure

To assign a policy to a domain:

  1. Select Configure and select the landing page for the type of policy that you are assigning to a domain.
  2. From the landing page, right-click the policy or select Assign <Policy-Name> to Domain from the More list.

    The Assign <Policy-Name> to Domain page appears.

    Note: <Policy-Name> is the name of the policy that you are assigning to a domain.

  3. Select the required items to assign to a domain.
  4. Enable the ignore option to ignore warning messages, if any.
  5. Click OK.

    A policy is assigned to a domain and you can now use the policy.

Publish and Update Policies on Devices

After you create and verify security policies, you can publish these policies to make them ready to be updated to the security devices. The Publish workflow provides the ability to save and publish different services to be updated at a later time to the appropriate firewalls (during the downtime).

Procedure

To publish and update a policy:

  1. Select Configure > Policy-Name Policy > Policies.
  2. Select the policy that you want to publish and update and click Update. The Update Policy page appears.
  3. Select the check boxes next to the devices to which the policy changes must be published or updated.

    Note: You can search for a specific device by entering the search criteria in the search field. You can search the devices by their name and IP address.

  4. Do one of the following:

    • Select Run now to publish or update the policy immediately.

    • Select Schedule at a later time to schedule and publish the policy later.

  5. Click Publish and Update. The Affected Devices page displays the devices on which the policies will be published and updated.

Note: Use the Publish workflow to save and publish different services to be updated at a later time. Administrators can review their firewall, VPN, and NAT policies before updating the device. Verify and tweak your security configurations before updating them to the device by viewing the CLI and XML version of the configuration in the Publish workflow.

Import Policies from a Device (Optional)

Security Director allows you to import firewall, NAT, and IPS policies from a device. All objects supported by Security Director are imported during the policy import process.

Procedure

To import a device configuration to Security Director:

  1. Select Devices > Security Devices.
  2. Right-click a device or from the More list, select Import.

    The Import Configuration page appears.

  3. Select the policy to be imported to Security Director.
  4. Click Next.
  5. Resolve any conflicts after you verify the information, if needed.

    Note: Every time you import a policy, Security Director creates a new policy. You will see conflicts when policies have the same names but different definitions.

  6. Click Finish.

    Security Director displays a summary of the configuration changes.

  7. Click the Summary Report link.

    The summary report will be downloaded as a PDF file.

  8. Click OK to complete the import process.

    Note: Click Download Summary to download the summary report. The summary report is downloaded as a PDF file.

  9. Click OK.