
Configure Policy Enforcer for Security Director Insights Mitigation


Security Director Insights performs mitigation using Juniper® Advanced Threat Prevention Cloud (Juniper ATP Cloud) or Policy Enforcer. This topic explains how to configure Policy Enforcer for mitigation. Policy Enforcer is integrated within the Security Director Insights virtual machine (VM). You can mitigate the IP addresses with either the Security Director Insights integrated Policy Enforcer or the legacy standalone Policy Enforcer. If you are using the integrated Policy Enforcer for mitigation, use the IP address of the Security Director Insights VM wherever Policy Enforcer details need to be entered.

Add Security Director Insights Nodes

To add the Security Director Insights node:

  1. Log in to the Security Director GUI and navigate to Administration > Insights Management > Insights Nodes.
  2. Enter the Security Director Insights IP address and the admin password.
  3. Click Save.

    The Security Director Insights VM is added to Security Director. To know more about adding Security Director Insights nodes, see Add Insights Nodes.

Configure Security Director Insights as Integrated Policy Enforcer

To configure the integrated Policy Enforcer:

  1. Select Security Director > Administration > Policy enforcer > Settings.

    The Settings page appears.

  2. In the IP Address field, enter the IP address of the Security Director Insights VM.

    The IP address used in the Deploy OVF Template page must be used in the Settings page, as shown in Figure 1 and Figure 2.

    Figure 1: Deploy OVF Template Page

    Figure 2: Policy Enforcer Settings Page

  3. In the Username field, enter “admin” as the username for the integrated Policy Enforcer.
  4. In the Password field, enter the admin password that you used to bring up the Security Director Insights VM.
  5. In the SkyATP Configuration Type field, select Sky ATP/JATP with Juniper Connected Security from the list and click OK.

    A confirmation page appears, displaying the Policy Enforcer configuration success message and asking you to confirm that you want to set up the threat prevention policy.

  6. Click OK.

    The Threat Prevention Policy Guided Setup page appears.

  7. Click Start Setup.
  8. In the Tenants page, do not create any tenants. Skip this step and click Next.

    The Security Fabric page appears.

  9. In the Security Fabric page, perform the following configuration:
    • Select an existing site or click + to create a new site.

    • In the Enforcement Point column, click Add Enforcement Point to add the SRX Series device as an enforcement point. This enables the SRX Series device to receive feeds from Security Director Insights.

    • Click Next.

      The Policy Enforcement Group page appears.

  10. In the Policy Enforcement Group page, perform the following configuration:
    • Click + to create a new policy enforcement group or use an existing group.

    • Click Next.

      The SkyATP Realm page appears.

  11. In the SkyATP Realm page, perform the following configuration:
    • Click + and enter the existing ATP Cloud realm credentials. If you do not have the credentials, you will get an option to create the ATP Cloud realm credentials.

    • Click OK.

      If the ATP Cloud realm is added successfully, assign a site in the Sites Assigned column.

    • Click Next.

      The Policies page appears.

  12. In the Policies page, perform the following configuration:
    • Click + to create a threat prevention policy.

    • In the Name field, enter a name for the policy, and enter a description in the Description field.

    • In the Profiles section, select the following profiles: Include C&C profile in policy, Include infected host profile in policy, and Include malware profile in policy.

    • Click OK.

      You are taken back to the Policies page.

    • Click Next.

      The Geo IP page appears.

  13. In the Geo IP page, skip the configuration and click Finish.

    The Summary page appears.

  14. Review the configuration summary and click OK.

    A new threat prevention policy is created.

Create Custom Feeds for Mitigation

To mitigate incidents through Policy Enforcer, you must create two custom feeds: one for the blocklist and one for infected hosts.

To create the Policy Enforcer custom feeds:

  1. Select Security Director > Configure > Threat Prevention > Feed Sources > Custom Feeds.
  2. Click Create and select Feeds with local files from the drop-down list.

    The Create local custom feed page appears.

  3. In the Name field, enter a name for the custom feed, and enter a description in the Description field.
  4. From the Feed Type drop-down list, select Blacklist.
  5. From the Zones/Realms drop-down list, select the Juniper ATP Cloud realm you created using the Guided Setup.
  6. From the User Input Type drop-down list, select IP, Subnet and Range.
  7. Click OK.

    A new custom feed for blocklist is created and you are taken back to the Custom Feeds page.

  8. Repeat Steps 1 to 7 to create another custom feed for the infected host. In the Feed Type field, select Infected-Hosts from the list.

You will see two new custom feeds listed on the Custom Feeds page: one for blocklist and one for infected host.
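
The custom feeds above accept entries of type IP, Subnet and Range. As an added example (not part of the Juniper documentation and not Security Director's or Policy Enforcer's own code), the following Python script parses entries in those three forms and flags any that would block addresses inside administrator-defined management networks, a sanity check worth running before mitigated addresses are pushed into the blocklist or infected-host feed. The entry syntax (single IP, CIDR subnet, dash-separated range), the sample entries and the protected networks are all constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: addresses Security Director Insights flagged for mitigation.
# The entry syntax (single IP, CIDR subnet, or dash-separated range) is an assumption,
# not the product's documented feed format.
MITIGATED_ENTRIES = [
    "203.0.113.7",
    "198.51.100.0/24",
    "192.0.2.10-192.0.2.20",
    "10.0.5.9",          # falls inside a protected management range below
    "not-an-address",    # malformed entry, must be rejected
]

# Constructed sample: hypothetical management networks that must never be blocked.
PROTECTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]


def parse_entry(entry: str) -> Tuple[str, List]:
    """Classify one feed entry as 'ip', 'subnet' or 'range' and return the
    equivalent list of ip_network objects. Raises ValueError/TypeError for
    anything that is not a valid entry."""
    entry = entry.strip()
    if "-" in entry:
        start_s, end_s = entry.split("-", 1)
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        if start > end:
            raise ValueError(f"range start after end: {entry}")
        # summarize_address_range yields the minimal set of networks covering the range
        return "range", list(ipaddress.summarize_address_range(start, end))
    if "/" in entry:
        # strict=False tolerates host bits set in the subnet entry
        return "subnet", [ipaddress.ip_network(entry, strict=False)]
    # A bare address becomes a /32 (or /128) network; invalid text raises ValueError
    return "ip", [ipaddress.ip_network(entry)]


def check_entries(entries: List[str], protected: List) -> Tuple[List[Tuple[str, str]], Dict[str, str]]:
    """Return (accepted, rejected). accepted holds (kind, entry) pairs that are
    safe to add to a feed; rejected maps an entry to the reason it was refused."""
    accepted: List[Tuple[str, str]] = []
    rejected: Dict[str, str] = {}
    for entry in entries:
        try:
            kind, nets = parse_entry(entry)
        except (ValueError, TypeError) as exc:
            rejected[entry] = f"invalid: {exc}"
            continue
        # overlaps() is version-aware: an IPv4 network never overlaps an IPv6 one
        hits = [str(p) for p in protected if any(n.overlaps(p) for n in nets)]
        if hits:
            rejected[entry] = f"{kind} overlaps protected {', '.join(hits)}"
        else:
            accepted.append((kind, entry))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_entries(MITIGATED_ENTRIES, PROTECTED_NETWORKS)
    for kind, entry in ok:
        print(f"accept {kind:6} {entry}")
    for entry, reason in bad.items():
        print(f"reject        {entry}: {reason}")
```

Run it before bulk-loading a local-file feed, or adapt the two sample lists to read from the Mitigation page export and from your own management address plan; anything reported as rejected should be reviewed by hand rather than pushed to the SRX Series enforcement points.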

Configure Security Director Insights Mitigation Using Policy Enforcer

To configure mitigation settings using Policy Enforcer:

  1. Select Security Director > Administration > Insights Management > Mitigation Settings.

    The Mitigation Settings page appears.

  2. Select the Policy Enforcer tab.
  3. Complete the configuration by using the guidelines in Table 1.
  4. Click Save.

    If all the parameters are correct, mitigation is enabled.

Table 1: Policy Enforcer Mitigation Guidelines

  • Policy Enforcer Hostname: The Policy Enforcer virtual machine IP address automatically appears. This is the IP address that you configure in the Policy Enforcer > Settings page.

  • Policy Enforcer SSH User Name: The SSH username automatically appears. This is the same username that you configure in the Policy Enforcer > Settings page.

  • Policy Enforcer SSH Password: Enter the Policy Enforcer SSH password. This is the same password that you enter in the Policy Enforcer > Settings page.

  • API User Name: If you have the credentials for the Policy Enforcer Controller APIs, enter the existing API username. Otherwise, enter a name and Security Director Insights will create a new username.

  • API Password: If you have the credentials for the Policy Enforcer Controller APIs, enter the existing API password. Otherwise, enter a password and Security Director Insights will create a new password.

  • Blocklist Feed Name: Enter the blocklist custom feed name that you created in the Configure > Threat Prevention > Feed Sources > Custom Feeds page.

  • Infected-Host Feed Name: Enter the infected host custom feed name that you created in the Configure > Threat Prevention > Feed Sources > Custom Feeds page.

Note

Security Director Insights supports mitigation using Juniper ATP Cloud and Policy Enforcer. Only one plugin can be active at a given time. Before you enable the Policy Enforcer mitigation settings, make sure that the Juniper ATP Cloud plugin is disabled if it is currently enabled.

Monitor Mitigation Through Policy Enforcer

The following example shows how to mitigate incidents through Policy Enforcer.

To monitor the mitigation:

  1. Select Security Director > Monitor > Insights > Mitigation.

    The Mitigation page appears.

  2. Select one or more IP addresses and click Enable Mitigation.

    If the mitigation is successful, the Status column displays Successful, as shown in Figure 3.

    Figure 3: Mitigation Successful

    The mitigated IP addresses listed under the Source IP Filtering tab are added to the custom blocklist feed.

    The mitigated IP addresses listed under the Endpoint IP Filtering tab are added to the infected host custom feed.

  3. Verify the blocklisted IP addresses in the SRX Series device that was added as an endpoint in Policy Enforcer. The device receives one blocklist feed with the IP address that you mitigated in Step 2, as shown in Figure 4.
    Figure 4: Blocklisted IP Address