Contents

ContentsHide

Security Director User Guide
- About the Documentation
- Junos Space Security Director
  - Overview
    - Junos Space Security Director Overview
    - Juniper Networks Software-Defined Secure Network Overview
- Dashboard
  - Overview
    - Dashboard Overview
- Monitor
  - Events and Logs-All Events
    - Events and Logs Overview
    - Creating Alerts
    - Creating Reports
    - Creating Filters
    - Grouping Events
    - Using Events and Logs Settings
    - Selecting Events and Logs Table Columns
    - Viewing Threats
    - Viewing Data for Selected Devices
    - Using the Detailed Log View
    - Using the Raw Log View
    - Showing Exact Match
    - Using Filter on Cell Data
    - Using Exclude Cell Data
    - Showing Firewall Policy
    - Showing Source NAT Policy
    - Showing Destination NAT Policy
    - Downloading Packets Captured
    - Showing Attack Details
    - Using Filters
  - Events and Logs-Firewall
    - Firewall Events and Logs Overview
  - Events and Logs-Web Filtering
    - Web Filtering Events and Log Overview
  - Events and Logs-VPN
    - VPN Events and Logs Overview
  - Events and Logs-Content Filtering
    - Content Filtering Events and Logs Overview
  - Events and Logs-Antispam
    - Antispam Events and Logs Overview
  - Events and Logs-Antivirus
    - Antivirus Events and Logs Overview
  - Events and Logs-IPS
    - IPS Events and Logs Overview
  - Events and Logs-Screen
    - Screen Events and Logs Overview
  - Events and Logs-Sky ATP
    - Sky ATP Events and Logs Overview
  - Events and Logs-Apptrack
    - Apptrack Events and Logs Overview
  - Threat Prevention-Hosts
    - Infected Hosts Overview
    - Infected Host Details
  - Threat Prevention-C&C Servers
    - Command and Control Servers Overview
    - Command and Control Server Details
  - Threat Prevention-HTTP File Download
    - HTTP File Download Overview
    - HTTP File Download Details
  - Threat Prevention-Email Quarantine and Scanning
    - SMTP Quarantine Overview
    - Email Attachments Scanning Overview
    - Email Attachments Scanning Details
  - Threat Prevention-IMAP Block
    - IMAP Block Overview
  - Threat Prevention-Manual Upload
    - File Scanning Limits
  - Threat Prevention-Feed Status
    - Device Feed Status Details
  - Threat Prevention-All Hosts Status
    - All Hosts Status Details
  - Threat Prevention-DDoS Feeds Status
    - DDoS Feeds Status Details
  - Applications
    - Application Visibility Overview
    - Blocking Applications and Users
  - Users
    - User Visibility Overview
    - Blocking Users and Applications
  - Source IP
    - Source IP Visibility Overview
    - Blocking Source IP Addresses
  - Live Threat Map
    - Threat Map Overview
    - Blocking Threat Events
  - Alerts and Alarms - Overview
    - Alerts and Alarms Overview
  - Alerts and Alarms-Alerts
    - Deleting an Alert
    - Searching Alerts
    - Using Generated Alerts
  - Alerts and Alarms-Alert Definitions
    - Creating Alert Definitions
    - Editing Alert Definitions
    - Cloning Alert Definition
    - Deleting Alert Definitions
    - Searching Alert Definitions
    - Alert Definitions Main Page Fields
  - Alerts and Alarms-Alarms
    - Using Device Alarms
    - Device Alarms Main Page Fields
  - VPN
    - IPsec VPN Monitoring Overview
    - About the Overview Page
    - Managing Monitored and Unmonitored VPNs
    - About the Monitored Tunnels Page
    - About the Devices Page
  - Job Management
    - Using Job Management in Security Director
    - Overview of Jobs in Security Director
    - Archiving and Purging Jobs in Security Director
    - Viewing the Details of a Job in Security Director
    - Canceling Jobs in Security Director
    - Reassigning Jobs in Security Director
    - Rescheduling and Modifying the Recurrence of Jobs in Security Director
    - Retrying a Failed Job on Devices in Security Director
    - Exporting the Details of a Job in Security Director
    - Job Management Main Page Fields
  - Audit Logs
    - Using Audit Logs in Security Director
    - Understanding Audit Logs in Security Director
    - Purging or Archiving and Purging Audit Logs in Security Director
    - Exporting Audit Logs in Security Director
    - Viewing the Details of an Audit Log in Security Director
    - Audit Logs Main Page Fields
  - Packet Capture
    - Packet Capture Overview
    - About the Packets Captured Page
    - Setting the Purge Policy
  - NSX Inventory-Security Groups
    - About the Security Groups Page
    - Viewing Members of a Security Group
  - vCenter Server Inventory-Virtual Machines
    - About the Virtual Machines Page
    - Viewing Network Details of a Virtual Machine
    - Viewing Security Groups of a Virtual Machine
- Devices
- Configure
  - Firewall Policy-Standard Policies
    - Firewall Policies Overview
    - Policy Ordering Overview
    - Creating Firewall Policies
    - Firewall Policies Best Practices
    - Creating Firewall Policy Rules
    - Rule Base Overview
    - Firewall Policy Locking Modes
    - Rule Operations on Filtered Rules Overview
    - Creating and Managing Policy Versions
    - Assigning Devices to Policies
    - Comparing Policies
    - Exporting Policies
    - Creating Custom Columns
    - Promoting to Group Policy
    - Converting Standard Policy to Unified Policy
    - Importing Policies
    - Deleting and Replacing Policies and Objects
    - Unassigning Devices from Policies
    - Editing and Cloning Policies and Objects
    - Publishing Policies
    - Showing Duplicate Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Updating Policies on Devices
    - Firewall Policies Main Page Fields
    - Firewall Policy Rules Main Page Fields
  - Firewall Policy-Unified Policies
    - About the Unified Policies Page
    - Unified Policy Overview
    - Creating Unified Firewall Policies
    - Creating Unified Firewall Policy Rules
    - Configuring a Default SSL Proxy Profile
  - Firewall Policy-Devices
    - Devices with Firewall Policies Main Page Fields
  - Firewall Policy-Schedules
    - Schedules Overview
    - Creating Schedules
    - Schedules Main Page Fields
  - Firewall Policy-Profiles
    - Understanding Firewall Policy Profiles
    - Understanding Captive Portal Support for Unauthenticated Browser Users
    - Creating Firewall Policy Profiles
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Assigning Policies and Profiles to Domains
    - Viewing Policy and Shared Object Details
    - Firewall Policy Profiles Main Page Fields
  - Firewall Policy-Templates
    - Understanding Firewall Policy Templates
    - Creating Firewall Policy Templates
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Firewall Policy Templates Main Page Fields
  - Environment
    - Environment Variables and Conditions Overview
    - About the Environment Page
    - Creating a New Environment Variable
    - Editing and Deleting Environment Variables
    - Creating a New Environment Condition
    - Editing and Deleting Environment Conditions
  - Application Firewall Policy-Policies
    - Understanding Application Firewall Policies
    - Creating Application Firewall Policies
    - Deleting and Replacing Policies and Objects
    - Editing and Cloning Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Finding Usages for Policies and Objects
    - Application Firewall Policies Main Page Fields
  - Application Firewall Policy-Signatures
    - Understanding Custom Application Signatures
    - Creating Application Signatures
    - Editing, Cloning, and Deleting Custom Application Signatures
    - Creating Application Signature Groups
    - Application Signatures Main Page Fields
  - Application Firewall Policy-Redirect Profiles
    - About the Redirect Profiles Page
    - Adding a Redirect Profile
    - Cloning, Editing, and Deleting Redirect Profiles
  - SSL Profiles
    - SSL Forward Proxy Overview
    - Creating SSL Forward Proxy Profiles
    - SSL Forward Proxy Profile Main Page Fields
    - Creating SSL Reverse Proxy Profiles
  - User Firewall Management-Active Directory
    - About the Active Directory Profile Page
    - Creating Active Directory Profiles
    - Deploying the Active Directory Profile to SRX Series Devices
    - Editing and Deleting Active Directory Profiles
  - User Firewall Management-Access Profile
    - LDAP Functionality in Integrated User Firewall Overview
    - About the Access Profile Page
    - Creating Access Profiles
    - Deploying the Access Profile to SRX Series Devices
    - Editing and Deleting Access Profiles
  - User Firewall Management-Identity Management
    - Juniper Identity Management Service Overview
    - About the Identity Management Profile Page
    - Creating Identity Management Profiles
    - Editing, Cloning, and Deleting Identity Management Profiles
    - Updating the Identity Management Profile to SRX Series Devices
  - User Firewall Management-End User Profile
    - End User Profile Overview
    - About the End User Profile Page
    - Creating an End User Profile
    - Editing and Deleting End User Profile
    - End User Profile Operations
  - IPS Policy-Policies
    - Understanding IPS Policies
    - Creating IPS Policies
    - Creating IPS Policy Rules
    - Publishing Policies
    - Updating Policies on Devices
    - Assigning Devices to Policies
    - Creating and Managing Policy Versions
    - Creating Rule Name Template
    - Exporting Policies
    - Unassigning Devices to Policies
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Assigning Policies and Profiles to Domains
    - Viewing Policy and Shared Object Details
    - IPS Policies Main Page Fields
  - IPS Policy-Devices
    - Understanding IPS Policies
    - Devices with IPS Policies Main Page Fields
  - IPS Policy-Signatures
    - Understanding IPS Signatures
    - Creating IPS Signatures
    - Creating IPS Signature Static Groups
    - Creating IPS Signature Dynamic Groups
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Viewing Policy and Shared Object Details
    - IPS Policy Signatures Main Page Fields
  - IPS Policy-Templates
    - Understanding IPS Policy Templates
    - Creating IPS Policy Templates
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - IPS Policy Templates Main Page Fields
  - NAT Policy-Policies
    - NAT Overview
    - NAT Global Address Book Overview
    - Creating NAT Policies
    - Publishing Policies
    - NAT Policy Rules Main Page Field
    - Creating NAT Rules
    - Updating Policies on Devices
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Comparing Policies
    - Creating and Managing Policy Versions
    - Assigning Devices to Policies
    - Unassigning Devices to Policies
    - Creating Rule Name Template
    - Configuring NAT Rule Sets
    - Auto Grouping
    - NAT Policies Main Page Fields
  - NAT Policy-Devices
    - Devices with NAT Policies Main Page Fields
  - NAT Policy-Pools
    - Creating NAT Pools
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - NAT Pools Main Page Fields
  - NAT Policy-Port Sets
    - Creating Port Sets
    - Deleting and Replacing Policies and Objects
    - Editing and Cloning Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Port Sets Main Page Fields
  - UTM Policy-Policies
    - UTM Overview
    - Creating UTM Policies
    - Comparing Policies
    - Deleting and Replacing Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Showing Duplicate Policies and Objects
    - Editing and Cloning Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - UTM Policies Main Page Fields
  - UTM Policy-Web Filtering Profiles
    - Creating Web Filtering Profiles
    - Selecting a Web Filtering Solution
    - Web Filtering Profile Main Page Fields
  - UTM Policy-Category Update
    - About the Category Update Page
    - Configuring the Download URL Settings
    - Downloading and Installing URL Categories
    - Uploading and Installing URL Categories
    - Installing URL Categories on SRX Series Devices
  - UTM Policy-Antivirus Profiles
    - Creating Antivirus Profiles
    - Antivirus Profile Main Page Fields
  - UTM Policy-Antispam Profiles
    - Creating Antispam Profiles
    - Antispam Profile Main Page Fields
  - UTM Policy-Content Filtering Profiles
    - Creating Content Filtering Profiles
    - Content Filtering Profile Main Page Fields
  - UTM Policy-Global Device Profiles
    - Creating Device Profiles
    - Device Profiles Main Page Fields
  - UTM Policy-URL Patterns
    - Creating URL Patterns
  - UTM Policy-Custom URL Categories
    - Creating Custom URL Category Lists
  - Application Routing Policies
    - Understanding Application-Based Routing
    - About the Application Routing Policies Page
    - Configuring Advanced Policy-Based Routing Policy
    - About the Rules Page (Advanced Policy-Based Routing)
    - Creating Advanced Policy-Based Routing Rules
    - About the App Based Routing Page
    - Editing and Cloning Policies and Objects
    - Assigning Devices to Policies
    - Customizing Profile Names
    - Publishing Policies
    - Updating Policies on Devices
  - Threat Prevention - Policies
    - Creating Threat Prevention Policies
    - Threat Prevention Policy Overview
    - Threat Policy Analysis Overview
    - Implementing Threat Policy on VMWare NSX
  - Threat Prevention - Feed Sources
    - About the Feed Sources Page
    - Sky ATP Realm Overview
    - Sky ATP Malware Management Overview
    - Sky ATP Email Management Overview
    - File Inspection Profiles Overview
    - Sky ATP Email Management: SMTP Settings
    - Configure IMAP Settings
    - Creating Sky ATP Realms and Enrolling Devices or Associating Sites
    - Modifying Sky ATP Realm
    - Creating File Inspection Profiles
    - Creating Allowlist for Sky ATP Email and Malware Management
    - Creating Blocklists for Sky ATP Email and Malware Management
    - Custom Feed Sources Overview
    - Creating Custom Feeds
    - Example: Creating a Dynamic Address Custom Feed and Firewall Policy
    - Configuring Settings for Custom Feeds
  - IPsec VPN-VPNs
    - IPsec VPN Overview
    - Creating IPsec VPNs
    - Understanding IPsec VPN Modes
    - Comparison of Policy-Based VPNs and Route-Based VPNs
    - Understanding IPsec VPN Routing
    - Understanding IKE Authentication
    - Publishing IPsec VPNs
    - Updating IPSec VPN
    - Modifying VPN Settings
    - Viewing Tunnels
    - Importing IPsec VPNs
    - Deleting IPSec VPN
    - IPsec VPN Main Page Fields
  - IPsec VPN-Extranet Devices
    - Creating Extranet Devices
    - Extranet Devices Main Page Fields
  - IPsec VPN-Profiles
    - VPN Profiles Overview
    - Creating VPN Profiles
    - Editing and Cloning Policies and Objects
    - Assigning Policies and Profiles to Domains
    - VPN Profiles Main Page Fields
  - Shared Objects-Geo IP
    - Creating Geo IP Policies
    - Geo IP Overview
    - Deleting and Replacing Policies and Objects
  - Shared Objects-Policy Enforcement Groups
    - Creating Policy Enforcement Groups
    - Policy Enforcement Groups Overview
    - Deleting and Replacing Policies and Objects
  - Shared Objects-Addresses
    - Addresses and Address Groups Overview
    - Creating Addresses and Address Groups
    - Importing and Exporting CSV Files
    - Assigning Addresses and Address Groups to Domains
    - Showing Duplicate Policies and Objects
    - Addresses Main Page Fields
  - Shared Objects-Services
    - Services and Service Groups Overview
    - Creating Services and Service Groups
    - Showing Duplicate Policies and Objects
  - Shared Objects-Variables
    - Variables Overview
    - Creating Variables
    - Editing Variables
    - Importing and Exporting CSV Files
    - Showing Duplicate Policies and Objects
  - Shared Objects-Zone Sets
    - Understanding Zone Sets
    - Creating Zone Sets
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Finding Usages for Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Zone Sets Main Page Fields
  - Shared Objects-Metadata
    - Metadata-Based Policy Enforcement Overview
    - About the Metadata Page
    - Creating a Metadata
  - Change Management-Change Requests
    - Change Control Workflow Overview
    - Creating a Firewall or NAT Policy Change Request
    - About the Changes Submitted Page
    - Approving and Updating Changes Submitted
    - Creating and Updating a Firewall Policy Using Change Control Workflow
    - Editing, Denying, and Deleting Change Requests
    - About the Changes Not Submitted Page
    - Discarding Policy Changes
    - Viewing Submitted and Unsubmitted Policy Changes
  - Change Management-Change Request History
    - About the Change Request History Page
  - Overview of Policy Enforcer and Sky ATP
    - Juniper Networks Software-Defined Secure Network Overview
    - Policy Enforcer Overview
    - Benefits of Policy Enforcer
    - Sky ATP Overview
  - Concepts and Configuration Types to Understand Before You Begin (Policy Enforcer and Sky ATP)
    - Policy Enforcer Components and Dependencies
    - Policy Enforcer Configuration Concepts
    - Sky ATP Configuration Type Overview
    - Features By Sky ATP Configuration Type
    - Available UI Pages by Sky ATP Configuration Type
    - Comparing the SDSN and non-SDSN Configuration Steps
  - Installing Policy Enforcer
    - Policy Enforcer Installation Overview
    - Deploying and Configuring the Policy Enforcer with OVA files
    - Installing Policy Enforcer with KVM
    - Policy Enforcer Ports
    - Identifying the Policy Enforcer Virtual Machine In Security Director
    - Obtaining a Sky ATP License
    - Creating a Sky ATP Cloud Web Portal Login Account
    - Loading a Root CA
    - Upgrading Your Policy Enforcer Software
  - Configuring Policy Enforcer Settings and Connectors
    - Policy Enforcer Settings
    - Policy Enforcer Connector Overview
    - Creating a Policy Enforcer Connector for Public and Private Clouds
    - Creating a Policy Enforcer Connector for Third-Party Switches
    - Editing and Deleting a Connector
    - Viewing VPC or Projects Details
    - Integrating ForeScout CounterACT with Juniper Networks SDSN
    - ClearPass Configuration for Third-Party Plug-in
    - Cisco ISE Configuration for Third-Party Plug-in
    - Integrating Pulse Policy Secure with Juniper Networks SDSN
  - Guided Setup-Sky ATP with SDSN
    - Using Guided Setup for Sky ATP with SDSN
  - Guided Setup-Sky ATP
    - Using Guided Setup for Sky ATP
  - Guided Setup for No Sky ATP (No Selection)
    - Using Guided Setup for No Sky ATP (No Selection)
  - Manual Configuration-Sky ATP with SDSN
    - Configuring Sky ATP with SDSN (Without Guided Setup) Overview
    - Creating Sky ATP Realms and Enrolling Devices or Associating Sites
    - Secure Fabric Overview
    - Creating Secure Fabric and Sites
    - Editing or Deleting a Secure Fabric
    - Policy Enforcement Groups Overview
    - Creating Policy Enforcement Groups
    - Threat Prevention Policy Overview
    - Creating Threat Prevention Policies
    - Threat Policy Analysis Overview
    - Geo IP Overview
    - Creating Geo IP Policies
  - Manual Configuration-Sky ATP
    - Configuring Sky ATP (No SDSN and No Guided Setup) Overview
    - Sky ATP Realm Overview
    - Creating Sky ATP Realms and Enrolling Devices or Associating Sites
    - Threat Prevention Policy Overview
    - Creating Threat Prevention Policies
  - Configuring Cloud Feeds Only
    - Configuring Cloud Feeds Only
  - Configuring No Sky ATP (No Selection) (without Guided Setup)
    - Secure Fabric Overview
    - Creating Secure Fabric and Sites
    - Creating Policy Enforcement Groups
    - Creating Custom Feeds
    - Threat Prevention Policy Overview
    - Creating Threat Prevention Policies
  - Migration Instructions for Spotlight Secure Customers
    - Moving From Spotlight Secure to Policy Enforcer
- Reports
  - Reports
- Administration
  - My Profile
    - Modifying Your User Profile in Security Director
  - Users and Roles-Users
  - Users and Roles-Roles
  - Users and Roles-Domains
  - Users and Roles-Remote Profiles
  - Logging Management
    - Logging and Reporting Overview
  - Logging Management-Logging Nodes
  - Logging Management-Statistics & Troubleshooting
    - Using the Log Statistics and Troubleshooting
  - Logging Management-Logging Devices
    - Logging Devices Main Page Fields
    - Creating Security Logs
  - Monitor Settings
    - About the Monitor Settings Page
    - Monitor Settings Overview
  - Signature Database
  - Migrating Content from NSM to Security Director
    - NSM Migration

ContentsHide

Security Director User Guide
- About the Documentation
- Junos Space Security Director
  - Overview
    - Junos Space Security Director Overview
    - Juniper Networks Software-Defined Secure Network Overview
- Dashboard
  - Overview
    - Dashboard Overview
- Monitor
  - Events and Logs-All Events
    - Events and Logs Overview
    - Creating Alerts
    - Creating Reports
    - Creating Filters
    - Grouping Events
    - Using Events and Logs Settings
    - Selecting Events and Logs Table Columns
    - Viewing Threats
    - Viewing Data for Selected Devices
    - Using the Detailed Log View
    - Using the Raw Log View
    - Showing Exact Match
    - Using Filter on Cell Data
    - Using Exclude Cell Data
    - Showing Firewall Policy
    - Showing Source NAT Policy
    - Showing Destination NAT Policy
    - Downloading Packets Captured
    - Showing Attack Details
    - Using Filters
  - Events and Logs-Firewall
    - Firewall Events and Logs Overview
  - Events and Logs-Web Filtering
    - Web Filtering Events and Log Overview
  - Events and Logs-VPN
    - VPN Events and Logs Overview
  - Events and Logs-Content Filtering
    - Content Filtering Events and Logs Overview
  - Events and Logs-Antispam
    - Antispam Events and Logs Overview
  - Events and Logs-Antivirus
    - Antivirus Events and Logs Overview
  - Events and Logs-IPS
    - IPS Events and Logs Overview
  - Events and Logs-Screen
    - Screen Events and Logs Overview
  - Events and Logs-Sky ATP
    - Sky ATP Events and Logs Overview
  - Events and Logs-Apptrack
    - Apptrack Events and Logs Overview
  - Threat Prevention-Hosts
    - Infected Hosts Overview
    - Infected Host Details
  - Threat Prevention-C&C Servers
    - Command and Control Servers Overview
    - Command and Control Server Details
  - Threat Prevention-HTTP File Download
    - HTTP File Download Overview
    - HTTP File Download Details
  - Threat Prevention-Email Quarantine and Scanning
    - SMTP Quarantine Overview
    - Email Attachments Scanning Overview
    - Email Attachments Scanning Details
  - Threat Prevention-IMAP Block
    - IMAP Block Overview
  - Threat Prevention-Manual Upload
    - File Scanning Limits
  - Threat Prevention-Feed Status
    - Device Feed Status Details
  - Threat Prevention-All Hosts Status
    - All Hosts Status Details
  - Threat Prevention-DDoS Feeds Status
    - DDoS Feeds Status Details
  - Applications
    - Application Visibility Overview
    - Blocking Applications and Users
  - Users
    - User Visibility Overview
    - Blocking Users and Applications
  - Source IP
    - Source IP Visibility Overview
    - Blocking Source IP Addresses
  - Live Threat Map
    - Threat Map Overview
    - Blocking Threat Events
  - Alerts and Alarms - Overview
    - Alerts and Alarms Overview
  - Alerts and Alarms-Alerts
    - Deleting an Alert
    - Searching Alerts
    - Using Generated Alerts
  - Alerts and Alarms-Alert Definitions
    - Creating Alert Definitions
    - Editing Alert Definitions
    - Cloning Alert Definition
    - Deleting Alert Definitions
    - Searching Alert Definitions
    - Alert Definitions Main Page Fields
  - Alerts and Alarms-Alarms
    - Using Device Alarms
    - Device Alarms Main Page Fields
  - VPN
    - IPsec VPN Monitoring Overview
    - About the Overview Page
    - Managing Monitored and Unmonitored VPNs
    - About the Monitored Tunnels Page
    - About the Devices Page
  - Job Management
    - Using Job Management in Security Director
    - Overview of Jobs in Security Director
    - Archiving and Purging Jobs in Security Director
    - Viewing the Details of a Job in Security Director
    - Canceling Jobs in Security Director
    - Reassigning Jobs in Security Director
    - Rescheduling and Modifying the Recurrence of Jobs in Security Director
    - Retrying a Failed Job on Devices in Security Director
    - Exporting the Details of a Job in Security Director
    - Job Management Main Page Fields
  - Audit Logs
    - Using Audit Logs in Security Director
    - Understanding Audit Logs in Security Director
    - Purging or Archiving and Purging Audit Logs in Security Director
    - Exporting Audit Logs in Security Director
    - Viewing the Details of an Audit Log in Security Director
    - Audit Logs Main Page Fields
  - Packet Capture
    - Packet Capture Overview
    - About the Packets Captured Page
    - Setting the Purge Policy
  - NSX Inventory-Security Groups
    - About the Security Groups Page
    - Viewing Members of a Security Group
  - vCenter Server Inventory-Virtual Machines
    - About the Virtual Machines Page
    - Viewing Network Details of a Virtual Machine
    - Viewing Security Groups of a Virtual Machine
- Devices
- Configure
  - Firewall Policy-Standard Policies
    - Firewall Policies Overview
    - Policy Ordering Overview
    - Creating Firewall Policies
    - Firewall Policies Best Practices
    - Creating Firewall Policy Rules
    - Rule Base Overview
    - Firewall Policy Locking Modes
    - Rule Operations on Filtered Rules Overview
    - Creating and Managing Policy Versions
    - Assigning Devices to Policies
    - Comparing Policies
    - Exporting Policies
    - Creating Custom Columns
    - Promoting to Group Policy
    - Converting Standard Policy to Unified Policy
    - Importing Policies
    - Deleting and Replacing Policies and Objects
    - Unassigning Devices from Policies
    - Editing and Cloning Policies and Objects
    - Publishing Policies
    - Showing Duplicate Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Updating Policies on Devices
    - Firewall Policies Main Page Fields
    - Firewall Policy Rules Main Page Fields
  - Firewall Policy-Unified Policies
    - About the Unified Policies Page
    - Unified Policy Overview
    - Creating Unified Firewall Policies
    - Creating Unified Firewall Policy Rules
    - Configuring a Default SSL Proxy Profile
  - Firewall Policy-Devices
    - Devices with Firewall Policies Main Page Fields
  - Firewall Policy-Schedules
    - Schedules Overview
    - Creating Schedules
    - Schedules Main Page Fields
  - Firewall Policy-Profiles
    - Understanding Firewall Policy Profiles
    - Understanding Captive Portal Support for Unauthenticated Browser Users
    - Creating Firewall Policy Profiles
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Assigning Policies and Profiles to Domains
    - Viewing Policy and Shared Object Details
    - Firewall Policy Profiles Main Page Fields
  - Firewall Policy-Templates
    - Understanding Firewall Policy Templates
    - Creating Firewall Policy Templates
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Firewall Policy Templates Main Page Fields
  - Environment
    - Environment Variables and Conditions Overview
    - About the Environment Page
    - Creating a New Environment Variable
    - Editing and Deleting Environment Variables
    - Creating a New Environment Condition
    - Editing and Deleting Environment Conditions
  - Application Firewall Policy-Policies
    - Understanding Application Firewall Policies
    - Creating Application Firewall Policies
    - Deleting and Replacing Policies and Objects
    - Editing and Cloning Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Finding Usages for Policies and Objects
    - Application Firewall Policies Main Page Fields
  - Application Firewall Policy-Signatures
    - Understanding Custom Application Signatures
    - Creating Application Signatures
    - Editing, Cloning, and Deleting Custom Application Signatures
    - Creating Application Signature Groups
    - Application Signatures Main Page Fields
  - Application Firewall Policy-Redirect Profiles
    - About the Redirect Profiles Page
    - Adding a Redirect Profile
    - Cloning, Editing, and Deleting Redirect Profiles
  - SSL Profiles
    - SSL Forward Proxy Overview
    - Creating SSL Forward Proxy Profiles
    - SSL Forward Proxy Profile Main Page Fields
    - Creating SSL Reverse Proxy Profiles
  - User Firewall Management-Active Directory
    - About the Active Directory Profile Page
    - Creating Active Directory Profiles
    - Deploying the Active Directory Profile to SRX Series Devices
    - Editing and Deleting Active Directory Profiles
  - User Firewall Management-Access Profile
    - LDAP Functionality in Integrated User Firewall Overview
    - About the Access Profile Page
    - Creating Access Profiles
    - Deploying the Access Profile to SRX Series Devices
    - Editing and Deleting Access Profiles
  - User Firewall Management-Identity Management
    - Juniper Identity Management Service Overview
    - About the Identity Management Profile Page
    - Creating Identity Management Profiles
    - Editing, Cloning, and Deleting Identity Management Profiles
    - Updating the Identity Management Profile to SRX Series Devices
  - User Firewall Management-End User Profile
    - End User Profile Overview
    - About the End User Profile Page
    - Creating an End User Profile
    - Editing and Deleting End User Profile
    - End User Profile Operations
  - IPS Policy-Policies
    - Understanding IPS Policies
    - Creating IPS Policies
    - Creating IPS Policy Rules
    - Publishing Policies
    - Updating Policies on Devices
    - Assigning Devices to Policies
    - Creating and Managing Policy Versions
    - Creating Rule Name Template
    - Exporting Policies
    - Unassigning Devices to Policies
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Assigning Policies and Profiles to Domains
    - Viewing Policy and Shared Object Details
    - IPS Policies Main Page Fields
  - IPS Policy-Devices
    - Understanding IPS Policies
    - Devices with IPS Policies Main Page Fields
  - IPS Policy-Signatures
    - Understanding IPS Signatures
    - Creating IPS Signatures
    - Creating IPS Signature Static Groups
    - Creating IPS Signature Dynamic Groups
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Viewing Policy and Shared Object Details
    - IPS Policy Signatures Main Page Fields
  - IPS Policy-Templates
    - Understanding IPS Policy Templates
    - Creating IPS Policy Templates
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - IPS Policy Templates Main Page Fields
  - NAT Policy-Policies
    - NAT Overview
    - NAT Global Address Book Overview
    - Creating NAT Policies
    - Publishing Policies
    - NAT Policy Rules Main Page Field
    - Creating NAT Rules
    - Updating Policies on Devices
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Comparing Policies
    - Creating and Managing Policy Versions
    - Assigning Devices to Policies
    - Unassigning Devices to Policies
    - Creating Rule Name Template
    - Configuring NAT Rule Sets
    - Auto Grouping
    - NAT Policies Main Page Fields
  - NAT Policy-Devices
    - Devices with NAT Policies Main Page Fields
  - NAT Policy-Pools
    - Creating NAT Pools
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - NAT Pools Main Page Fields
  - NAT Policy-Port Sets
    - Creating Port Sets
    - Deleting and Replacing Policies and Objects
    - Editing and Cloning Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Port Sets Main Page Fields
  - UTM Policy-Policies
    - UTM Overview
    - Creating UTM Policies
    - Comparing Policies
    - Deleting and Replacing Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Showing Duplicate Policies and Objects
    - Editing and Cloning Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - UTM Policies Main Page Fields
  - UTM Policy-Web Filtering Profiles
    - Creating Web Filtering Profiles
    - Selecting a Web Filtering Solution
    - Web Filtering Profile Main Page Fields
  - UTM Policy-Category Update
    - About the Category Update Page
    - Configuring the Download URL Settings
    - Downloading and Installing URL Categories
    - Uploading and Installing URL Categories
    - Installing URL Categories on SRX Series Devices
  - UTM Policy-Antivirus Profiles
    - Creating Antivirus Profiles
    - Antivirus Profile Main Page Fields
  - UTM Policy-Antispam Profiles
    - Creating Antispam Profiles
    - Antispam Profile Main Page Fields
  - UTM Policy-Content Filtering Profiles
    - Creating Content Filtering Profiles
    - Content Filtering Profile Main Page Fields
  - UTM Policy-Global Device Profiles
    - Creating Device Profiles
    - Device Profiles Main Page Fields
  - UTM Policy-URL Patterns
    - Creating URL Patterns
  - UTM Policy-Custom URL Categories
    - Creating Custom URL Category Lists
  - Application Routing Policies
    - Understanding Application-Based Routing
    - About the Application Routing Policies Page
    - Configuring Advanced Policy-Based Routing Policy
    - About the Rules Page (Advanced Policy-Based Routing)
    - Creating Advanced Policy-Based Routing Rules
    - About the App Based Routing Page
    - Editing and Cloning Policies and Objects
    - Assigning Devices to Policies
    - Customizing Profile Names
    - Publishing Policies
    - Updating Policies on Devices
  - Threat Prevention - Policies
    - Creating Threat Prevention Policies
    - Threat Prevention Policy Overview
    - Threat Policy Analysis Overview
    - Implementing Threat Policy on VMWare NSX
  - Threat Prevention - Feed Sources
    - About the Feed Sources Page
    - Sky ATP Realm Overview
    - Sky ATP Malware Management Overview
    - Sky ATP Email Management Overview
    - File Inspection Profiles Overview
    - Sky ATP Email Management: SMTP Settings
    - Configure IMAP Settings
    - Creating Sky ATP Realms and Enrolling Devices or Associating Sites
    - Modifying Sky ATP Realm
    - Creating File Inspection Profiles
    - Creating Allowlist for Sky ATP Email and Malware Management
    - Creating Blocklists for Sky ATP Email and Malware Management
    - Custom Feed Sources Overview
    - Creating Custom Feeds
    - Example: Creating a Dynamic Address Custom Feed and Firewall Policy
    - Configuring Settings for Custom Feeds
  - IPsec VPN-VPNs
    - IPsec VPN Overview
    - Creating IPsec VPNs
    - Understanding IPsec VPN Modes
    - Comparison of Policy-Based VPNs and Route-Based VPNs
    - Understanding IPsec VPN Routing
    - Understanding IKE Authentication
    - Publishing IPsec VPNs
    - Updating IPSec VPN
    - Modifying VPN Settings
    - Viewing Tunnels
    - Importing IPsec VPNs
    - Deleting IPSec VPN
    - IPsec VPN Main Page Fields
  - IPsec VPN-Extranet Devices
    - Creating Extranet Devices
    - Extranet Devices Main Page Fields
  - IPsec VPN-Profiles
    - VPN Profiles Overview
    - Creating VPN Profiles
    - Editing and Cloning Policies and Objects
    - Assigning Policies and Profiles to Domains
    - VPN Profiles Main Page Fields
  - Shared Objects-Geo IP
    - Creating Geo IP Policies
    - Geo IP Overview
    - Deleting and Replacing Policies and Objects
  - Shared Objects-Policy Enforcement Groups
    - Creating Policy Enforcement Groups
    - Policy Enforcement Groups Overview
    - Deleting and Replacing Policies and Objects
  - Shared Objects-Addresses
    - Addresses and Address Groups Overview
    - Creating Addresses and Address Groups
    - Importing and Exporting CSV Files
    - Assigning Addresses and Address Groups to Domains
    - Showing Duplicate Policies and Objects
    - Addresses Main Page Fields
  - Shared Objects-Services
    - Services and Service Groups Overview
    - Creating Services and Service Groups
    - Showing Duplicate Policies and Objects
  - Shared Objects-Variables
    - Variables Overview
    - Creating Variables
    - Editing Variables
    - Importing and Exporting CSV Files
    - Showing Duplicate Policies and Objects
  - Shared Objects-Zone Sets
    - Understanding Zone Sets
    - Creating Zone Sets
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Finding Usages for Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Zone Sets Main Page Fields
  - Shared Objects-Metadata
    - Metadata-Based Policy Enforcement Overview
    - About the Metadata Page
    - Creating a Metadata
  - Change Management-Change Requests
    - Change Control Workflow Overview
    - Creating a Firewall or NAT Policy Change Request
    - About the Changes Submitted Page
    - Approving and Updating Changes Submitted
    - Creating and Updating a Firewall Policy Using Change Control Workflow
    - Editing, Denying, and Deleting Change Requests
    - About the Changes Not Submitted Page
    - Discarding Policy Changes
    - Viewing Submitted and Unsubmitted Policy Changes
  - Change Management-Change Request History
    - About the Change Request History Page
  - Overview of Policy Enforcer and Sky ATP
    - Juniper Networks Software-Defined Secure Network Overview
    - Policy Enforcer Overview
    - Benefits of Policy Enforcer
    - Sky ATP Overview
  - Concepts and Configuration Types to Understand Before You Begin (Policy Enforcer and Sky ATP)
    - Policy Enforcer Components and Dependencies
    - Policy Enforcer Configuration Concepts
    - Sky ATP Configuration Type Overview
    - Features By Sky ATP Configuration Type
    - Available UI Pages by Sky ATP Configuration Type
    - Comparing the SDSN and non-SDSN Configuration Steps
  - Installing Policy Enforcer
    - Policy Enforcer Installation Overview
    - Deploying and Configuring the Policy Enforcer with OVA files
    - Installing Policy Enforcer with KVM
    - Policy Enforcer Ports
    - Identifying the Policy Enforcer Virtual Machine In Security Director
    - Obtaining a Sky ATP License
    - Creating a Sky ATP Cloud Web Portal Login Account
    - Loading a Root CA
    - Upgrading Your Policy Enforcer Software
  - Configuring Policy Enforcer Settings and Connectors
    - Policy Enforcer Settings
    - Policy Enforcer Connector Overview
    - Creating a Policy Enforcer Connector for Public and Private Clouds
    - Creating a Policy Enforcer Connector for Third-Party Switches
    - Editing and Deleting a Connector
    - Viewing VPC or Projects Details
    - Integrating ForeScout CounterACT with Juniper Networks SDSN
    - ClearPass Configuration for Third-Party Plug-in
    - Cisco ISE Configuration for Third-Party Plug-in
    - Integrating Pulse Policy Secure with Juniper Networks SDSN
  - Guided Setup-Sky ATP with SDSN
    - Using Guided Setup for Sky ATP with SDSN
  - Guided Setup-Sky ATP
    - Using Guided Setup for Sky ATP
  - Guided Setup for No Sky ATP (No Selection)
    - Using Guided Setup for No Sky ATP (No Selection)
  - Manual Configuration-Sky ATP with SDSN
    - Configuring Sky ATP with SDSN (Without Guided Setup) Overview
    - Creating Sky ATP Realms and Enrolling Devices or Associating Sites
    - Secure Fabric Overview
    - Creating Secure Fabric and Sites
    - Editing or Deleting a Secure Fabric
    - Policy Enforcement Groups Overview
    - Creating Policy Enforcement Groups
    - Threat Prevention Policy Overview
    - Creating Threat Prevention Policies
    - Threat Policy Analysis Overview
    - Geo IP Overview
    - Creating Geo IP Policies
  - Manual Configuration-Sky ATP
    - Configuring Sky ATP (No SDSN and No Guided Setup) Overview
    - Sky ATP Realm Overview
    - Creating Sky ATP Realms and Enrolling Devices or Associating Sites
    - Threat Prevention Policy Overview
    - Creating Threat Prevention Policies
  - Configuring Cloud Feeds Only
    - Configuring Cloud Feeds Only
  - Configuring No Sky ATP (No Selection) (without Guided Setup)
    - Secure Fabric Overview
    - Creating Secure Fabric and Sites
    - Creating Policy Enforcement Groups
    - Creating Custom Feeds
    - Threat Prevention Policy Overview
    - Creating Threat Prevention Policies
  - Migration Instructions for Spotlight Secure Customers
    - Moving From Spotlight Secure to Policy Enforcer
- Reports
  - Reports
- Administration
  - My Profile
    - Modifying Your User Profile in Security Director
  - Users and Roles-Users
  - Users and Roles-Roles
  - Users and Roles-Domains
  - Users and Roles-Remote Profiles
  - Logging Management
    - Logging and Reporting Overview
  - Logging Management-Logging Nodes
  - Logging Management-Statistics & Troubleshooting
    - Using the Log Statistics and Troubleshooting
  - Logging Management-Logging Devices
    - Logging Devices Main Page Fields
    - Creating Security Logs
  - Monitor Settings
    - About the Monitor Settings Page
    - Monitor Settings Overview
  - Signature Database
  - Migrating Content from NSM to Security Director
    - NSM Migration

Implementing Threat Policy on VMWare NSX

VMWare NSX Integration with Policy Enforcer and Sky ATP Overview

Juniper Networks Sky Advanced Threat Prevention (Sky ATP) identifies the infected virtual machines(VMs) running on VMWare NSX and tags these VMs as infected. This is based on a malware file exchange from the infected VMs and/or based on the Command and Control communication with known botnet sites on the internet.

Based on this identification of infected or compromised hosts, you can take one of the following actions:

Enable additional security features such as Layer-7 Application Firewall and Intrusion Prevention (IPS) leveraging vSRX
Enforce Layer-2 to Layer-4 controls using NSX Distributed Firewall
Leverage NSX integration with Host-Based security vendors (https://www.vmware.com/products/nsx/technology-partners.html) to take host-based security actions such as running antivirus or anti malware features on the infected VMs.

Policy Enforcer provides a set of Connector APIs for the third-party adaptors. The NSX Connector integrates with the Policy Enforcer using these APIs to enable enforcement of the infected hosts policy on Secure Fabric. For NSX connectors, the NSX Manager , its associated vCenter, and an edge firewall form the Secure Fabric.

The following topology shows how NSX Manager and the edge firewall create a Secure Fabric to use with Policy Enforcer.

Figure 55: Topology of NSX Integration with Policy Enforcer

Within the NSX Manager, the virtual machines (VM) connect to logical networks, shown as green and yellow colour logical networks, as shown in Figure 55. The logical switches connect to each other using a Distributed Logical Router(DLR). To form the Secure Fabric, configure the edge service gateway (ESG) to point to SRX Series devices or vSRX as the gateway for the networks hosted on NSX. This is implemented by establishing IBGP session between ESG and vSRX or SRX Series device. This ensures that all the north-south traffic passes through the vSRX edge firewall. The vSRX edge gateway is enrolled with Sky ATP for the traffic inspection.

If NAT services are required, it must be configured on the vSRX and not on the ESG. Configure NAT services using the following CLI commands.

set security nat source rule-set trust-to-untrust from zone trust

set security nat source rule-set trust-to-untrust to zone untrust

set security nat source rule-set trust-to-untrust rule snat-rule match source-address 0.0.0.0/0

set security nat source rule-set trust-to-untrust rule snat-rule then source-nat interface

To establish a BGP session, use the following configuration commands:

set routing-options autonomous-system 10

set protocols bgp group nsx neighbor 5.0.0.2 peer-as 10

You can view the BGP configuration in VMWare vCenter Server, as shown in Figure 56.

Figure 56: VMWare vCenter BGP Configuration

Note You can register the NSX Manager with Security Director only when the Policy Enforcer is configured. The NSX micro service is bundled with the Policy Enforcer VM. However, the NSX micro service is packaged as a standalone rpm, so that the NSX micro service upgrade and patches can be performed independent of the Policy Enforcer VM.

Implementation of Infected Hosts Policy Overview

The vSRX or SRX Series devices running as an edge firewall is enrolled to send all the suspected traffic to Sky ATP.

The following steps explain the high-level workflow:

If an infection is detected, Sky ATP notifies the Policy Enforcer about the infected IP addresses
If the infected IP address belongs to Secure Fabric associated with the NSX domain, Policy Enforcer calls the NSX plugin APIs to notify the NSX Connector about the list of infected IP addresses
NSX service will then retrieve the VM corresponding to the IP addresses sent and then calls the NSX API to tag to an appropriate VM with a security tag, SDSN_BLOCK.

You can then create a policy to block the infected hosts using the SDSN_BLOCK tag by creating VMWare Distributed Firewall (DFW) rules. The block policy consists of two rules for ingress block and egress block. The ingress block rule applies to any traffic originating from a security group composed of VMs tagged with a block tag to any destination. Similarly, the egress block rule applies to any traffic destined to security group composed of VMs tagged with block tag from any source.

The creation of security groups associated with the SDSN_BLOCK tag, creation of ingress and egress block rules, and the action to take on the matching packets must be configured by the VMWare administrators. The NSX Connector will simply apply the SDSN_BLOCK tag on the infected VM.

Registering NSX Micro Service as Policy Enforcer Connector Instance Overview

The integration of each NSX manager discovered in Security Director with Policy Enforcer is triggered automatically.

Procedure

The automatic registration of a connector instance involves the following steps:

Discovering the NSX Manager in Security Director. This triggers an auto creation of the Policy Enforcer connector instance.
Secure Fabric is created to manage the discovered NSX Manager.
Creation of threat prevention policy requires the knowledge of Sky ATP realm and the edge firewall device. These are taken as inputs from the user.

Before You Begin

Before you begin to configure NSX with Policy Enforcer, configure the infected hosts workflow in VMWare vCenter Server.

Infected Hosts Workflow in VMware vCenter Server

Infected Hosts Workflow in VMware vCenter Server

Procedure

To block the infected hosts:

Log in to the vSphere Web Client through the VMware vCenter Server.
From the vSphere Web Client, click Networking & Security and then click NSX Managers.
Under the Manage section, click Security Tags column head and create SDSN_BLOCK security tag for NSX, as shown in Figure 57.
Figure 57: SDSN_BLOCK Security Tag
The feed for the infected hosts will be triggered by Sky ATP down to Policy Enforcer. When there is a trigger, the SDSN_BLOCK tag is attached to the VM. Click on the VM Count column to see the VM details attached to the tag.
Select Networking & Security and then click Service Composer.
The Service Composer page appears. From the Service Composer, click the Security Groups tab. The security administrator can create the security group based on the security tag.
Click the New Security Group icon to create a new security group.
Enter a name and description for the security group and then click Next.
On the Define dynamic membership page, define the criteria that an object must meet for it to be added to the security group you are creating.
In the Criteria Details row, select Security Tag from the list and provide the SDSN_BLOCK tag name, as shown in Figure 58.
Figure 58: Define Dynamic Membership Page
Click Next.
In the Ready to Complete page, verify the parameters and click Finish.
In the Service Composer page, under the Security Groups tab, you can see that the security group has been created and the VM with the security tag is assigned to the security group.

Configuring VMware NSX with Policy Enforcer

Procedure

The following steps explain configuring VMWare NSX with Policy Enforcer:

Add the NSX Manager to the Security Director database, as shown in Figure 59. To know more about adding a NSX Manager, see Adding the NSX Manager.
Figure 59: Adding NSX Manager Page
After discovering the NSX Manager in Security Director, use the Guided Setup workflow to configure the following parameters:
- Secure Fabric
- Policy Enforcement Group (PEG)
- Sky ATP Realm
- Threat policies for the following threat types:
  - Command and Control (C&C) Server
  - Infected Hosts
  - Malware
Select Configuration > Guided Setup > Threat Prevention.
The Threat Prevention Policy Setup page appears.
Click Stat Setup.
The Threat Prevention Policy Setup page appears, as shown in Figure 60. Some of the resources are already configured as you discover the NSX Manager.
Figure 60: Guided Setup Page
In the Secure Fabric page, the site is already created. For that site, one enforcement point is also added.
To create a secure fabric site in Policy Enforcer for NSX based environment, you require two parts : NSX Manager and edge firewall. In the Add Enforcement Points page, add vSRX, as shown in the topology, as a edge firewall. Select the vSRX device listed under the Available column and move it to the Selected column. You now have two enforcement points within the Secure Fabric.
Click Next.
In the Policy Enforcement Groups page, the policy enforcement group is already created based on the Location Group Type. The location points to the Secure Fabric site created for NSX.
Click. Next.
In the Sky ATP Realm page, associate the Secure Fabric with a Sky ATP realm.
If the Sky ATP realm is already created, click Assign Sites in the Sites Assigned column and chose the Secure Fabric site. The Sky ATP realm and Secure Fabric are now associated.
Click. Next.
In the Policies page, create a threat prevention policy by choosing the profile types depending on the type of threat prevention this policy provides (C&C Server, Infected Host, Malware) and an action for the profile. The DDoS profile is not supported by the NSX Connector. Once configured, you apply policies to PEGs.
Click Assign groups in the Policy Enforcement Group column to associate the policy enforcement group with the policy.
Security Director takes the snapshot of the firewall by performing the rule analysis and threat remediation rules are pushed into the edge firewall.
Click Finish.
Note The GeoIP feeds are not used with the NSX Connectors.
The last page is a summary of the items you have configured using quick setup. Click OK to be taken to the Policies page under Configure > Threat Prevention > Policies and your policy is listed there.

Example: Creating a Firewall Rule in VMWare vCenter Server Using SDSN_BLOCK Tag

Procedure

The following example shows the firewall rule creation using the SDSN_BLOCK security tag:

Log in to the vSphere Web Client through the VMware vCenter Server.
Select Networking & Security and then click Service Composer.
The Service Composer page appears.
Select Security Policies tab in the Service Composer page.
Create a security policy to block the traffic coming from the infected hosts.
Select the Create Security Policy icon.
The New Security Policy page appears.
Enter a name and description for the security policy, and click Next.
Select the Firewall Rules option from the left pane.
The Firewall Rules page appears.
Select the New Firewall Rule icon (+) to create a new firewall rule.
The New Firewall Rule page appears.
Enter the name of the firewall rule.
In the Action field, select the Block option.
In the Source field, click Change and select the security group.
In the Destination field, click Change and select the security group to add as Any.
Click Ok. Figure 61 shows a sample firewall rule configuration.
Figure 61: New Firewall Rule Page
Click Finish.
A new policy is created. You can apply this policy to the security group.
In the Security Policies page, right-click on the policy name and select Apply Policy.
The Apply Policy to Security Groups page appears, as shown in Figure 62.
Figure 62: Apply Policy to SG Page
Select the security group that you have created and assign to a policy.
Security administrator is now able to block the traffic coming from the infected hosts.

Help us to improve. Rate this article.

Feedback Received. Thank You!

Threat Policy Analysis Overview

About the Feed Sources Page