Integrating Pulse Policy Secure with Juniper Networks Connected Security

Overview

This topic describes how to integrate the third-party device Pulse Policy Secure (PPS) with the Juniper Networks Connected Security solution so that enterprises can remediate threats from infected hosts. The Juniper Connected Security solution provides end-to-end network visibility that enables enterprises to secure their entire physical and virtual networks. PPS provides visibility into the network by detecting and continuously monitoring the network. Using threat detection and policy enforcement, PPS and the Juniper Connected Security solution automate network security and support centralized management in a multi-vendor environment.

PPS integrates with Juniper Networks Connected Security solution through RESTful APIs and takes appropriate action based on the admission control policies. The PPS integration with Juniper Connected Security solution detects and enforces threat prevention policies and provides a collaborative and comprehensive approach towards complete network security. It enables users to leverage the existing trusted threat feed sources to provide a consistent and automated defense across diverse environments.

Benefits of the Pulse Policy Secure Integration with Juniper Connected Security

Deployment of Pulse Policy Secure with Juniper Connected Security

The following high-level workflow describes the deployment of PPS with Juniper Connected Security. PPS receives threat alert information from the Juniper Connected Security solution and takes action on the endpoint based on the admission control policies.

  1. User successfully authenticates with the PPS server.

  2. User downloads a file from the Internet. The perimeter firewall (SRX Series device) scans the file and based on the user-defined policies, sends the scanned file to Sky ATP for analysis.

  3. Sky ATP detects that the file contains malware, identifies the endpoint as an infected host, and notifies the SRX Series device and Policy Enforcer.

  4. Policy Enforcer downloads the infected host feed and sends a threat action to PPS.

  5. The PPS server quarantines or blocks the endpoint.

    PPS tracks the infected host and does not allow the infected host to acquire full access until the endpoint is disinfected. When the host is disinfected and cleared from Sky ATP or Policy Enforcer, PPS receives a clear event from the Policy Enforcer connector. After receiving the clear event, PPS removes the infected host. The host is now authenticated and an appropriate role is assigned to it.

Configuring Pulse Policy Secure with Juniper Connected Security

The network security devices are configured with PPS for admission access control.

Procedure

A high-level overview of the configuration steps required to set up and run the integration is described below:

  1. The administrator completes the basic PPS configuration, such as creating an authentication server, an authentication realm, user roles, and role mapping rules. To know more about configuring PPS, see the Pulse Policy Secure Administration Guide.
  2. Configure Policy Enforcer as a client in PPS. PPS acts as a RESTful API server for Policy Enforcer.

    The RESTful API access for the admin user must be enabled by accessing the serial console or alternatively from the PPS admin user interface (UI). Select Authentication>Auth Server>Administrators>Users. Click Admin and enable the Allow access to REST APIs option.

  3. Configure PPS to block or quarantine the endpoint based on the threat prevention policy.

    You must configure the admission control client with the IP address of the Policy Enforcer that sends events to PPS, and the admission control policy with the PPS event types it acts on, such as block-endpoint, quarantine-endpoint, clear-blocked-endpoint, and clear-quarantine-endpoint.

  4. Configure the Switches or WLC as RADIUS Client in PPS by selecting Endpoint Policy>Network Access>Radius Clients>New Radius Client. The switch is configured with PPS as a RADIUS server.

  5. Configure RADIUS return attribute policies to define the action taken upon receiving the quarantine event.
    • Quarantine using VLANs:

      PPS determines which quarantine VLAN to send to the RADIUS client when a quarantine-endpoint event is received, as shown in Figure 126.

      Figure 126: RADIUS Return Attributes for Quarantine-Host

    • Quarantine using ACLs:

      For environments that have a flat VLAN, PPS can quarantine users by applying a preconfigured firewall filter. This is also the preferred method in environments that use static IP address assignment for end devices.

      The following example shows the firewall filter configuration on the switch. The firewall filter name is then passed as a RADIUS return attribute, as shown in Figure 127.

      Configure the PERMIT-PULSE-ONLY and PERMIT-ALL firewall filters on the switch using the following commands:

      set firewall family ethernet-switching filter PERMIT-PULSE-ONLY term pps from destination-address 10.92.81.113/32
      set firewall family ethernet-switching filter PERMIT-PULSE-ONLY term pps then accept
      set firewall family ethernet-switching filter PERMIT-PULSE-ONLY term dhcp_allow from destination-port 67
      set firewall family ethernet-switching filter PERMIT-PULSE-ONLY term dhcp_allow then accept
      set firewall family ethernet-switching filter PERMIT-PULSE-ONLY term pps-discard then discard
      deactivate firewall family ethernet-switching filter PERMIT-PULSE-ONLY
      set firewall family ethernet-switching filter PERMIT-ALL term ALLOW-ALL from destination-address 0.0.0.0/0
      set firewall family ethernet-switching filter PERMIT-ALL term ALLOW-ALL then accept
      deactivate firewall family ethernet-switching filter PERMIT-ALL

    To assign these filters in PPS, select Endpoint Policy>Network Access>Radius Attributes>Return Attributes.

    Figure 127: RADIUS Return Attributes for Clear-Quarantine

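A quarantine filter that is handed out by RADIUS return attribute is only as restrictive as its terms, so it is worth checking mechanically before it is referenced from PPS. The script below is an added check and not part of the PPS or Junos documentation: it parses the `set` commands shown above (embedded as a constructed copy) into ordered terms and reports any filter that accepts traffic other than to the PPS address or DHCP, or that lacks an explicit terminating discard. The function names and the finding texts are this example's own; the PPS address is the one used in the filter above.

```python
"""Lint Junos ethernet-switching firewall filters used as quarantine ACLs.

Added example, not part of the Pulse Policy Secure or Junos documentation.
It parses the `set` statements shown on this page and checks that a
quarantine filter admits only PPS and DHCP traffic and ends in a discard.
"""
import re

# Constructed sample: the two filters from the switch configuration above.
JUNOS_CONFIG = """
set firewall family ethernet-switching filter PERMIT-PULSE-ONLY term pps from destination-address 10.92.81.113/32
set firewall family ethernet-switching filter PERMIT-PULSE-ONLY term pps then accept
set firewall family ethernet-switching filter PERMIT-PULSE-ONLY term dhcp_allow from destination-port 67
set firewall family ethernet-switching filter PERMIT-PULSE-ONLY term dhcp_allow then accept
set firewall family ethernet-switching filter PERMIT-PULSE-ONLY term pps-discard then discard
deactivate firewall family ethernet-switching filter PERMIT-PULSE-ONLY
set firewall family ethernet-switching filter PERMIT-ALL term ALLOW-ALL from destination-address 0.0.0.0/0
set firewall family ethernet-switching filter PERMIT-ALL term ALLOW-ALL then accept
deactivate firewall family ethernet-switching filter PERMIT-ALL
"""

PPS_ADDRESS = "10.92.81.113/32"  # PPS server address used in the filter above
DHCP_SERVER_PORT = "67"

# One `set ... filter <name> term <name> from|then <clause>` statement per line.
TERM_RE = re.compile(
    r"^set firewall family ethernet-switching filter (?P<filter>\S+) "
    r"term (?P<term>\S+) (?P<kind>from|then) (?P<body>.+)$"
)


def parse_filters(config: str) -> dict:
    """Return {filter_name: [term, ...]} preserving term order.

    Each term is {"name", "from": {match: value}, "then": action}.
    Statements other than `set ... term` (e.g. `deactivate`) are skipped.
    """
    filters: dict = {}
    for raw in config.splitlines():
        m = TERM_RE.match(raw.strip())
        if not m:
            continue
        terms = filters.setdefault(m["filter"], [])
        term = next((t for t in terms if t["name"] == m["term"]), None)
        if term is None:
            term = {"name": m["term"], "from": {}, "then": None}
            terms.append(term)
        if m["kind"] == "from":
            match_key, _, value = m["body"].partition(" ")
            term["from"][match_key] = value
        else:
            term["then"] = m["body"]
    return filters


def lint_quarantine_filter(terms: list, pps_address: str) -> list:
    """Findings for a filter meant to admit only PPS and DHCP traffic."""
    findings = []
    if not terms:
        return ["filter has no terms"]
    if terms[-1]["then"] != "discard":
        findings.append("no explicit terminating discard term")
    for term in terms:
        if term["then"] != "accept":
            continue
        conds = term["from"]
        to_pps = conds.get("destination-address") == pps_address
        to_dhcp = conds.get("destination-port") == DHCP_SERVER_PORT
        if not (to_pps or to_dhcp):
            findings.append(
                f"term {term['name']!r} accepts traffic beyond PPS/DHCP: {conds or 'any'}"
            )
    return findings


def check_config(config: str, pps_address: str) -> dict:
    """Lint every filter in the config; an empty list means quarantine-safe."""
    return {name: lint_quarantine_filter(terms, pps_address)
            for name, terms in parse_filters(config).items()}


if __name__ == "__main__":
    for name, findings in check_config(JUNOS_CONFIG, PPS_ADDRESS).items():
        print(name, "OK" if not findings else findings)
```

Run against the sample, PERMIT-PULSE-ONLY passes and PERMIT-ALL is reported on both counts, which is expected: PERMIT-ALL is the filter returned on clear-quarantine, not a quarantine filter, and the lint is meant only for the filter named in the quarantine return attribute.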

Note 

  • Ensure that PPS has the endpoint IP address for the enforcement to work correctly.

  • Since the endpoint IP address is mandatory, deployments where the user is behind a NAT might not work as expected. This is because PPS might have the actual IP address, and Juniper Connected Security might send the NATed IP address.

  • For PPS to receive the endpoint IP address (from accounting information), you must use the Pulse Secure client on endpoints when they are connected to EX4300 Series switches.

Admission Control Template

The admission control template provides a list of possible events that can be received from the network security device along with the regular expression to parse the message. The template also provides possible actions that can be taken for an event.

PPS is loaded with default templates for Policy Enforcer. The administrators can create templates for other security devices and upload those templates.

To view the admission control templates, select Endpoint Policy>Admission Control>Templates, as shown in Figure 128. You can view the list of configured integration templates with the list of network security devices and the supported protocol types.

Figure 128: Pulse Secure Templates Page


Admission Control Policies

The admission control policies define the list of actions to be performed on PPS for the user sessions. The actions are based on the event and the severity of the information received from the network security device.

Procedure

To view and add the new integration policy:

  1. Select Endpoint Policy>Admission Control>Policies.
  2. Click New Policy.

    The New Policy page appears, as shown in Figure 129.

    Figure 129: Pulse Secure - New Policy Page

  3. Enter the policy name.
  4. Select Juniper Networks Policy Enforcer as a template.
  5. In the Rule on receiving section, select one of the following event types and the severity level. The event types and the severity level are based on the selected template.

    The following event types are supported on sessions:

    • Block-endpoint—Blocks the host MAC address on PPS permanently. If the administrator chooses to clear the blocked endpoint, it can be cleared either by using the Junos Space Security Director application or by using the PPS Administration UI.

    • Quarantine-endpoint (Change user roles)—Changes the roles assigned to the user on PPS so that the user's restrictions or privileges change. The administrator can apply these roles permanently or temporarily. If permanent, the endpoint is quarantined regardless of which network it connects to.

    • Clear Blocked Endpoint—Clears a previously blocked MAC address.

    • Clear Quarantined Endpoint—Clears a previously quarantined MAC address.

  6. In the then perform this action section, select the desired action:
    • Select a role and assign it to the endpoint to put that endpoint into a quarantine network.

    • In the Make this role assignment option, specify the following actions:

      • Permanent—To apply the role assignment permanently. This is the recommended option. Choose this option for the action to persist.

      • For this session only—To apply the role assignment only for the current session.

  7. In the Roles section, specify the following options:
    • Policy applies to ALL roles—To apply the policy to all users.

    • Policy applies to SELECTED roles—To apply this policy only to users who are mapped to roles in the Selected roles list. You must add roles to this list from the Available roles list.

    • Policy applies to all roles OTHER THAN those selected below—To apply this policy to all users except for those who are mapped to the roles in the Selected roles list. You must add roles to this list from the Available roles list.

    Note: These options are applicable to both quarantine and block actions.

  8. Click Save changes.

Once the policy is created, you can see the summary page. Figure 130 shows the different policies created for different events with different user roles.

Figure 130: Pulse Secure - Policies Configure Page

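The following model is an added illustration and not Pulse Secure code. It shows how the pieces of the procedure above combine when an event arrives: the event type and severity select a policy, the Roles section decides whether the policy applies to the session's user, and the action is either a MAC block or a role change that is Permanent or For this session only. It also shows why an event carrying an address PPS never saw (the NAT caveat in the Note earlier on this page) results in no enforcement at all. The event fields, the session table, the policy names and the severity ordering are assumptions made for the example; the four event types and the role-scope options come from the procedure.

```python
"""Model of how PPS admission control policies act on Policy Enforcer events.

Added illustration, not Pulse Secure code. Event fields, session table and
severity ordering are assumptions; event types and role scopes come from the page.
"""
from dataclasses import dataclass, field
from enum import Enum

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed; a policy fires at its level or above

class RoleScope(Enum):
    ALL = "all roles"
    SELECTED = "selected roles"
    OTHER_THAN = "all roles other than selected"

@dataclass
class Session:
    mac: str
    ip: str       # PPS must hold the endpoint's real address (see the Note above)
    roles: set

@dataclass
class Policy:
    name: str
    event_type: str   # block-endpoint | quarantine-endpoint | clear-blocked-endpoint | clear-quarantine-endpoint
    min_severity: str
    scope: RoleScope
    scope_roles: set = field(default_factory=set)
    quarantine_role: str = ""   # role assigned by a quarantine-endpoint policy
    permanent: bool = True      # Permanent (True) or For this session only (False)

    def applies_to(self, session: Session) -> bool:
        if self.scope is RoleScope.ALL:
            return True
        in_selected = bool(session.roles & self.scope_roles)
        return in_selected if self.scope is RoleScope.SELECTED else not in_selected

@dataclass
class PpsState:
    sessions: list
    blocked_macs: set = field(default_factory=set)
    quarantined: dict = field(default_factory=dict)   # mac -> (role, permanent)

    def handle_event(self, policies: list, event: dict) -> dict:
        """Apply the first policy matching the event; report what was done and why."""
        session = next((s for s in self.sessions if s.ip == event["ip"]), None)
        if session is None:
            # NAT caveat: the feed may carry an address PPS never saw, so nothing is enforced.
            return {"action": "ignored", "reason": f"no PPS session for {event['ip']}"}
        for policy in policies:
            if (policy.event_type == event["event"]
                    and SEVERITY[event["severity"]] >= SEVERITY[policy.min_severity]
                    and policy.applies_to(session)):
                return self._apply(policy, session)
        return {"action": "ignored", "reason": "no matching policy"}

    def _apply(self, policy: Policy, session: Session) -> dict:
        mac, result = session.mac, {"mac": session.mac, "policy": policy.name}
        if policy.event_type == "block-endpoint":
            self.blocked_macs.add(mac)          # stays blocked until explicitly cleared
            result["action"] = "blocked"
        elif policy.event_type == "quarantine-endpoint":
            self.quarantined[mac] = (policy.quarantine_role, policy.permanent)
            result.update(action="quarantined", role=policy.quarantine_role,
                          permanent=policy.permanent)
        elif policy.event_type == "clear-blocked-endpoint":
            self.blocked_macs.discard(mac)
            result["action"] = "unblocked"
        elif policy.event_type == "clear-quarantine-endpoint":
            self.quarantined.pop(mac, None)
            result["action"] = "quarantine-cleared"
        else:
            raise ValueError(f"unknown event type {policy.event_type!r}")
        return result

def demo():
    """Constructed sessions, policies and events; returns (state, results)."""
    state = PpsState(sessions=[
        Session("00:11:22:33:44:55", "10.92.81.50", {"Employees"}),
        Session("66:77:88:99:aa:bb", "10.92.81.51", {"Guests"}),
    ])
    policies = [
        Policy("quarantine-employees", "quarantine-endpoint", "medium",
               RoleScope.SELECTED, {"Employees"}, quarantine_role="Quarantine"),
        Policy("block-non-employees", "block-endpoint", "high",
               RoleScope.OTHER_THAN, {"Employees"}),
        Policy("clear-quarantine", "clear-quarantine-endpoint", "low", RoleScope.ALL),
        Policy("clear-block", "clear-blocked-endpoint", "low", RoleScope.ALL),
    ]
    events = [  # constructed Policy Enforcer threat actions, keyed by endpoint IP
        {"event": "quarantine-endpoint", "severity": "high", "ip": "10.92.81.50"},
        {"event": "block-endpoint", "severity": "high", "ip": "10.92.81.51"},
        {"event": "quarantine-endpoint", "severity": "low", "ip": "10.92.81.50"},
        {"event": "block-endpoint", "severity": "high", "ip": "203.0.113.7"},  # NATed address
        {"event": "clear-quarantine-endpoint", "severity": "low", "ip": "10.92.81.50"},
    ]
    return state, [state.handle_event(policies, e) for e in events]
```

Calling `demo()` walks five events through the model: the employee is quarantined into the Quarantine role, the guest MAC is blocked, the low-severity event falls below the policy threshold, the event with the NATed address finds no session and is ignored, and the clear event removes the quarantine. A policy is looked up by the session's roles, which is what the Policy applies to SELECTED / OTHER THAN options do in the PPS UI.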

Admission Control Client

The admission control clients are the network security devices on which the syslog forwarding is enabled. The messages are received by the syslog server module running on PPS.

Procedure

To add a client:

  1. Select Endpoint Policy>Admission Control>Clients.
  2. Click New Client.

    The New Client page appears, as shown in Figure 131.

    Figure 131: Pulse Secure - New Client Page

  3. Enter the name of the Juniper Networks Policy Enforcer. This is added as a client in the PPS.
  4. Enter the description.
  5. Enter the IP address of the client.
  6. Select the template used by the client: JuniperNetworks-Policy Enforcer-HTTP-JSON.
  7. Click Save Changes.

    Policy Enforcer is added as a new client in PPS.

Creating Pulse Policy Secure Connector in Security Director

Once you have added Policy Enforcer as a client in PPS, create a connector for PPS so that Juniper Connected Security can send event information to it.

Procedure

To create a connector for PPS and configure Juniper Connected Security using Security Director:

  1. Select Security Director>Administration>Policy Enforcer>Connectors.

    The Connectors page appears.

  2. Click the create icon (+).

    The Create Connector page appears, as shown in Figure 132.

    Figure 132: Create Connector Page

  3. In the General tab, select Pulse Policy Secure in the Connector Type list.
  4. In the IP Address/URL field, enter the IP address of PPS.
  5. Retain the default port number as 443.
  6. Enter the username and password of PPS.

    Note that you must have enabled the REST API access on PPS (Authentication > Auth Server > Administrators > Users > click “admin”, enable Allow access to REST APIs).

  7. Click Next.
  8. In the Network Details section, configure the IP subnets, as shown in Figure 133.

    Figure 133: Create Connector Network Details Page

  9. In the Configuration tab, provide any additional information required for this specific connector connection.
  10. Click Finish.

    Once the configuration is successful, the Connectors page is displayed, as shown in Figure 134.

    Figure 134: Connectors Page

  11. Verify that the communication between Policy Enforcer and PPS is working.

    After installing PPS and configuring a connector, in the PPS UI, create policies for PPS to take the necessary action on the infected hosts.

Troubleshooting

The following troubleshooting logs are available:
