
Example: Configuring Integrated ClearPass to Filter and Rate-limit Threat and Attack Logs

The SRX Series device can dynamically send to the ClearPass Policy Manager (CPPM) information about threats and attacks identified by the security modules that protect your network resources. It detects attacks and attack threats that pertain to the activity of specific devices and their users, and it generates corresponding logs. To control this transmission, you configure the type of logs to be sent and the rate at which they are sent. You can then use this information when setting policy rules on the CPPM to harden your network security.

This example shows how to configure the SRX Series integrated ClearPass authentication and enforcement feature to filter and transmit only threat and attack logs to the CPPM and to control the volume and rate at which the SRX Series device transmits them.

Requirements

The topology for this example uses the following hardware and software components:

  • Aruba CPPM implemented in a virtual machine (VM) on a server. The CPPM is configured to use its local authentication source to authenticate users.
  • SRX Series device running Junos OS that includes the integrated ClearPass feature. The SRX Series device is connected to the Juniper Networks EX4300 switch and to the Internet. The SRX Series device communicates with ClearPass over a secure connection.
  • Juniper Networks EX4300 switch used as the wired 802.1 access device. The EX4300 Layer 2 switch connects the endpoint users to the network. The SRX Series device is connected to the switch.
  • Wired, network-connected PC running Microsoft OS. The system is directly connected to the EX4300 switch.

    Threat and attack logs are written for activity from these devices when events that the security features detect and protect against are triggered.

Overview

The SRX Series integrated ClearPass authentication and enforcement feature participates with Aruba ClearPass in protecting your company’s resources against actual and potential attacks. The SRX Series device informs the CPPM about threats to your network resources and attacks against them through logs that it sends. You can then use this information to assess configuration of your security policy on the CPPM. Based on this information, you can harden your security in regard to individual users or devices.

To control the behavior of this feature, you must configure the SRX Series device to filter for attack and threat log entries and set rate-limiting conditions.

You can tune the behavior of this function in the following ways:

  • Set a filter to direct the SRX Series device to send only threat and attack logs to the CPPM. This filter ensures that neither the SRX Series device nor the log server has to handle irrelevant logs.
  • Establish rate-limit conditions to control the volume of logs that are sent.

    You set the rate-limit parameter to control the volume and rate at which logs are sent. For example, setting the rate-limit parameter to 1000 specifies that a maximum of 1000 logs are sent to ClearPass in 1 second. In this case, if there is an attempt to send 1015 logs, the logs over the limit (15 logs here) are dropped. The logs are not queued or buffered.

You can configure a maximum of three log streams with each individual log defined by its destination, log format, filter, and rate limit. Log messages are sent to all configured log streams. Each stream is individually rate-limited.

Note: To support rate-limiting on high-end platforms, log messages are sent out from the device’s local SPU at a divided rate. In the configuration process, the Routing Engine assigns a divided rate to each SPU. The divided rate is equal to the configured rate divided by the number of SPUs on the device:

divided-rate = configured-rate/number-of-SPUs
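The drop-not-queue semantics, the per-stream limiting and the per-SPU divided rate described above, as an added Python model. This is illustration code, not Junos OS code: the stream names, the constructed "category" field on each record, the second stream at 192.0.2.10 and the is_threat_or_attack predicate are assumptions made only to show the behaviour.

```python
"""Model of per-stream log filtering and per-second rate limiting.

Added illustration, not Junos OS code. Assumptions: each record carries a
constructed 'category' string; the threat-attack filter is modelled as a
predicate on that field; a one-second window counter reproduces the
"drop, never queue" behaviour the page describes.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class LogRecord:
    ts: float        # seconds (constructed timestamps)
    category: str    # constructed: "threat", "attack", "session", ...
    text: str


def is_threat_or_attack(rec: LogRecord) -> bool:
    """Constructed stand-in for the predefined threat-attack filter."""
    return rec.category in ("threat", "attack")


def divided_rate(configured_rate: int, number_of_spus: int) -> float:
    """Per-SPU rate on high-end platforms: configured-rate / number-of-SPUs."""
    if not 1 <= configured_rate <= 65535:
        raise ValueError("rate-limit must be in the range 1 through 65535")
    return configured_rate / number_of_spus


@dataclass
class LogStream:
    """One configured log stream: destination, filter predicate, rate limit."""
    name: str
    host: str
    rate_limit: int                                   # logs per second
    keep: Callable[[LogRecord], bool] = lambda r: True  # no filter by default
    sent: List[LogRecord] = field(default_factory=list)
    dropped: int = 0
    _bucket: int = field(default=-1, init=False)       # current whole second
    _count: int = field(default=0, init=False)         # logs sent this second

    def offer(self, rec: LogRecord) -> bool:
        """Return True if the record is transmitted on this stream."""
        if not self.keep(rec):
            return False                 # filtered out; not counted against the limit
        bucket = int(rec.ts)
        if bucket != self._bucket:       # new second: the counter starts over
            self._bucket, self._count = bucket, 0
        if self._count >= self.rate_limit:
            self.dropped += 1            # over the limit: dropped, never queued
            return False
        self._count += 1
        self.sent.append(rec)
        return True


def run_scenario() -> Dict[str, Dict[str, int]]:
    """Replay the page's 1015-log burst against two independently limited streams."""
    # Constructed burst in second 0: 1015 attack logs plus 10 ordinary session logs.
    records = [LogRecord(i / 2000, "attack", f"attack-{i}") for i in range(1015)]
    records += [LogRecord(0.9, "session", f"session-{i}") for i in range(10)]
    # Second 1: a small burst shows the per-second counter resetting.
    records += [LogRecord(1.0 + i / 2000, "threat", f"threat-{i}") for i in range(20)]

    streams = [
        LogStream("to_clearpass", "12.1.4.5", 1000, keep=is_threat_or_attack),
        LogStream("all_logs", "192.0.2.10", 2000),   # constructed unfiltered stream
    ]
    for rec in sorted(records, key=lambda r: r.ts):
        for stream in streams:           # every message is offered to every stream
            stream.offer(rec)
    return {s.name: {"sent": len(s.sent), "dropped": s.dropped} for s in streams}


if __name__ == "__main__":
    print(run_scenario())                # to_clearpass: 1000 + 20 sent, 15 dropped
    print(divided_rate(1000, 4))         # 250.0 per SPU on a 4-SPU platform
```

The filtered stream drops exactly the 15 logs over its limit while the unfiltered stream, limited separately, passes the whole burst; session logs never count against the threat-attack stream because the filter rejects them before the counter is consulted.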

Topology

Figure 9 shows the topology for this example.

Figure 9: Integrated ClearPass Authentication and Enforcement Deployment Topology


Configuration

This example covers how to configure a filter that selects threat and attack logs to be sent to ClearPass, and how to set a rate limiter that controls the volume of logs sent during a given period. It consists of a CLI quick configuration and a step-by-step procedure.

CLI Quick Configuration

To quickly configure this example, copy the following statements, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the statements into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security log stream threat-attack-logs host 12.1.4.5
set security log mode stream
set security log source-interface ge-0/0/1.0
set security log stream to_clearpass format sd-syslog
set security log stream to_clearpass filter threat-attack
set security log stream to_clearpass rate-limit 1000

Configuring Integrated ClearPass Authentication and Enforcement to Filter for Threat and Attack Logs Sent to the CPPM

Step-by-Step Procedure

  1. Specify CPPM as the destination for the log stream by setting the host IP address of the ClearPass device. Specify the predefined filter threat-attack to control the type of logs that are sent to it.
    [edit security]
    user@host# set log stream threat-attack-logs host 12.1.4.5
  2. Set the log mode to stream.
    [edit security]
    user@host# set log mode stream
  3. Set the host source interface.
    [edit security]
    user@host# set log source-interface ge-0/0/1.0
  4. Set the log stream to use the structured syslog format for sending logs to ClearPass through syslog.
    [edit security]
    user@host# set log stream to_clearpass format sd-syslog
  5. Specify the type of events to be logged.
    [edit security]
    user@host# set log stream to_clearpass filter threat-attack

    Note: The threat-attack filter is mutually exclusive with the category currently set for the filter; configuring one replaces the other.

  6. Set rate limiting for this stream. The range is from 1 through 65,535.

    This example specifies that up to 1000 logs per second can be sent to ClearPass. When the maximum is reached, any additional logs are dropped.

    [edit security]
    user@host# set log stream to_clearpass rate-limit 1000

Results

From configuration mode, confirm your configuration by entering the show security log command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

mode stream;
source-interface ge-0/0/1.0;
stream threat-attack-logs {
    host {
        12.1.4.5;
    }
}
stream to_clearpass {
    format sd-syslog;
    filter threat-attack;
    rate-limit {
        1000;
    }
}


Modified: 2016-05-01