Guided Setup is the most efficient way to complete your initial configuration. Locate Guided Setup from the Configuration > Guided Setup > Threat Prevention menu.
To configure Juniper Connected Security using only custom feeds, make no Sky ATP selection. Custom feeds are the only threat prevention type available if you make no selection for Sky ATP Configuration Type on the Policy Enforcer Settings page.
Before you begin the guided setup process, you must enter the IP address and login credentials for the policy enforcer virtual machine on the Policy Enforcer Settings page. If you haven’t yet done that, go to Administration > Policy Enforcer > Settings and enter the necessary information. See Policy Enforcer Settings for more information.
There are some concepts you should understand before you begin the configuration. It is recommended that you read about them in advance; see Policy Enforcer Configuration Concepts.
The Guided Setup process offers the following steps for configuring threat prevention with custom feeds (No Sky ATP selection). Click Start Setup to begin.
Note: In Policy Enforcer Release 20.1R1, only MX Series devices support LSYS and VRF, and only the root logical system is supported. Within a realm, either all sites have tenants or none do.
Sites—A site is a collection of network devices participating in threat prevention. Using quick setup, you can create your own site, but note that a device can belong to only one site; to use a device elsewhere, you must first remove it from any other site where it is used.
Click Add Devices in the Device Name column or in the IP address column to add devices to a site. Use the check boxes in the device list to indicate which devices are firewalls and which are switches.
Once configured, policy enforcement groups are located under Configure > Shared Objects. A policy enforcement group has the following fields:
Name and Description.
Group Type—IP Address, Subnet, or Location
Endpoint—IP addresses included in the group
The following types of custom threat feeds are available:
Dynamic Address—A dynamic address is a group of IP addresses that can be imported from external sources. These IP addresses are for specific domains or for entities that have a common attribute, such as a particular undesired location that poses a threat. You can then configure security policies to use the dynamic addresses.
Whitelist—An allowlist contains known trusted IP addresses, URLs, and domains. Content downloaded from locations on the allowlist does not have to be inspected for malware.
Blacklist—A blocklist contains known untrusted IP addresses, URLs, and domains. Access to locations on the blocklist is blocked, and therefore no content can be downloaded from those sites.
Infected Host—Infected hosts are hosts known to be compromised.
Note: The Juniper Sky ATP advanced anti-malware detection of infected hosts is not supported on SRX Series 300 and SRX Series 320 devices if those devices are running a Junos OS release prior to 18.3R1.
Once configured, threat prevention policies are located under Configure > Threat Prevention > Policies. A policy has the following fields:
Name and Description.
Profiles—The type of threat this policy manages:
Infected Hosts—An infected host profile provides information on compromised hosts and their associated threat levels. Host information includes IP address, threat level, blocked status, when the threat was seen, command and control hits, and malware detections.
Logging—All traffic is logged by default. Use the pulldown to narrow the types of traffic to be logged.
Group—Once your policy is created, it is applied to the policy enforcement group.
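The site, group and policy constraints described above can be checked before you walk through the wizard. The following is an added example, not Juniper code: it models a planned configuration with assumed dataclasses (one list of sites is treated as one realm, a simplification) and flags a device assigned to two sites, a realm that mixes sites with and without tenants, an invalid group type, an empty endpoint list, and a policy that references a nonexistent group. The sample plan it builds is constructed data.

```python
from dataclasses import dataclass

GROUP_TYPES = {"IP Address", "Subnet", "Location"}   # Group Type field values

@dataclass
class Site:
    name: str
    devices: list          # device names marked as firewall or switch
    has_tenants: bool = False

@dataclass
class EnforcementGroup:
    name: str
    group_type: str
    endpoints: list        # Endpoint field: addresses included in the group

@dataclass
class Policy:
    name: str
    profiles: list         # e.g. ["Infected Hosts"]
    group: str             # policy enforcement group the policy applies to

def check_plan(sites, groups, policies):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, owner = [], {}
    for site in sites:                       # a device belongs to exactly one site
        for dev in site.devices:
            if dev in owner:
                problems.append(f"device {dev} is in sites {owner[dev]} and {site.name}")
            owner[dev] = site.name
    if len({s.has_tenants for s in sites}) > 1:   # all sites with tenants, or none
        problems.append("realm mixes sites with tenants and sites without tenants")
    for g in groups:
        if g.group_type not in GROUP_TYPES:
            problems.append(f"group {g.name}: unknown group type {g.group_type!r}")
        if not g.endpoints:
            problems.append(f"group {g.name}: no endpoints")
    known_groups = {g.name for g in groups}
    for p in policies:                       # a policy is applied to an existing group
        if p.group not in known_groups:
            problems.append(f"policy {p.name}: group {p.group!r} does not exist")
    return problems

def sample_plan():
    # Constructed sample: srx-1 is placed in two sites, and the policy names a
    # group that was never created, so two problems are expected.
    sites = [Site("hq", ["srx-1", "ex-1"]), Site("branch", ["srx-1"])]
    groups = [EnforcementGroup("servers", "Subnet", ["10.0.0.0/24"])]
    policies = [Policy("block-infected", ["Infected Hosts"], "desktops")]
    return check_plan(sites, groups, policies)
```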
© 2020 Juniper Networks, Inc. All rights reserved