Configuring the SRX Series Devices to Block Infected Hosts

An Infected-Host feed lists the hosts that have been compromised and need to be quarantined from communicating with other devices. The feed is a list of IP addresses, each with a threat level of 10 (for example, xxx.xxx.xxx.133 with threat level 10). You can configure security policies to take enforcement actions on the inbound and outbound traffic to and from a host whose IP address is listed in the feed. The Infected-Host feed is downloaded to the SRX Series device only when the infected host profile is configured and enabled in a firewall policy.

Note: Once the Juniper ATP Cloud global threshold is met for an infected host (see Global Configuration for Infected Hosts), that host is added to the infected hosts feed and assigned a threat level of 10 by the cloud. Therefore, all IP addresses in the infected hosts feed are threat level 10.

Procedure

To create the infected host profile, the security intelligence policy, and the firewall policy:

  1. Define a profile for both the infected host and CC categories. In this example, the infected host profile is named ih-profile and its action is to block (drop) anything with a threat level higher than 5. The CC profile is named cc-profile and is based on outbound requests to a C&C host, so add C&C rules to the profile (threat levels 8 and above are blocked).
    root@host# set services security-intelligence profile ih-profile category Infected-Hosts rule if-rule match threat-level [5 6 7 8 9 10]
    root@host# set services security-intelligence profile ih-profile category Infected-Hosts rule if-rule then action block drop
    root@host# set services security-intelligence profile ih-profile category Infected-Hosts rule if-rule then log
    
    root@host# set services security-intelligence profile cc-profile category CC
    root@host# set services security-intelligence profile cc-profile rule CC_rule match threat-level [8 9 10]
    root@host# set services security-intelligence profile cc-profile rule CC_rule then action block drop
    root@host# set services security-intelligence profile cc-profile rule CC_rule then log
    root@host# set services security-intelligence profile cc-profile default-rule then action permit

    As of Junos OS Release 18.1R1, the block action for Infected Hosts also supports HTTP URL redirection. While a session is being processed, if the session's IP address is on the infected hosts list and the HTTP traffic uses port 80 or 8080, the infected host's HTTP traffic can be redirected. If the HTTP traffic uses dynamic ports, HTTP redirection cannot be done. See command below.

  2. Verify your command using the show services security-intelligence CLI command. It should look similar to this:
    root@host# show services security-intelligence profile ih-profile
    category Infected-Hosts;
    rule if-rule {
        match {
            threat-level [ 5 6 7 8 9 10 ];
        }
        then {
            action {
                block {
                    drop;
                }
            }
            log;
        }
    }
    
    root@host# show services security-intelligence profile cc-profile
    category CC;
    rule CC_rule {
        match {
            threat-level [ 8 9 10 ];
        }
        then {
            action {
                block {
                    drop;
                }
            }
            log;
        }
    }
    
  3. Configure the security intelligence policy to include both profiles created in Step 1. In this example, the policy is named infected-host-cc-policy.
    root@host# set services security-intelligence policy infected-host-cc-policy Infected-Hosts ih-profile
    root@host# set services security-intelligence policy infected-host-cc-policy CC cc-profile
  4. Configure the firewall policy to include the security intelligence policy. This example sets the trust-to-untrust zone.
    root@host# set security policies from-zone trust to-zone untrust policy p2 match source-address any destination-address any application any
    root@host# set security policies from-zone trust to-zone untrust policy p2 then permit application-services security-intelligence-policy infected-host-cc-policy
    
  5. Verify your command using the show security policies CLI command. It should look similar to this:
    root@host# show security policies
    ...
    from-zone trust to-zone untrust {
        policy p2 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        security-intelligence-policy infected-host-cc-policy;
                    }
                }
            }
        }
    }
    ...
    [edit]
  6. Commit your changes.
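As an added example that is not part of this Juniper document, the Python below parses the curly-brace output from step 2 and checks the one thing a commit will not catch: because every infected-host feed entry carries threat level 10 (see the note above), an Infected-Hosts profile whose threat-level list omits 10 commits cleanly yet never blocks anything. The parser is an assumption of this example, handling only the statement shapes shown on this page, and the sample output is the ih-profile output copied from step 2.

```python
import re
# Constructed sample: the ih-profile output exactly as shown in step 2 above.
IH_PROFILE_OUTPUT = """\
category Infected-Hosts;
rule if-rule {
    match {
        threat-level [ 5 6 7 8 9 10 ];
    }
    then {
        action {
            block {
                drop;
            }
        }
        log;
    }
}
"""

def parse_junos(text):
    """Junos curly-brace output -> nested dicts ('x y;' -> {'x': 'y'}, 'x;' -> {'x': True})."""
    root = node = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):            # open a new hierarchy level
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        elif line == "}":                 # close the current level
            node = stack.pop()
        elif line.endswith(";"):          # leaf statement
            parts = line[:-1].split(None, 1)
            node[parts[0]] = parts[1].strip() if len(parts) == 2 else True
    return root

def rule_threat_levels(rule):
    """Integer threat levels listed in a rule's 'match threat-level [...]' statement."""
    return {int(n) for n in re.findall(r"\d+", rule.get("match", {}).get("threat-level", ""))}

def blocks_infected_hosts(profile):
    """True if an Infected-Hosts profile has a rule that matches level 10 and has a block action."""
    if profile.get("category") != "Infected-Hosts":
        return False
    for key, rule in profile.items():
        if key.startswith("rule ") and isinstance(rule, dict):
            if 10 in rule_threat_levels(rule) and "block" in rule.get("then", {}).get("action", {}):
                return True
    return False
```

Feed the parser the text of your own show output (for example, captured over SSH) to run the same check against a live device.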