
Tenant Systems: Security-Intelligence and Anti-Malware Policies

Tenant systems allow you to allocate virtual system resources, such as memory and CPU, into logical groupings to create multiple virtual firewalls. Each virtual firewall can then identify itself as a stand-alone system within one computing system. Starting in Junos OS 18.4, SRX Series devices support tenant systems for anti-malware and security-intelligence policies. When you associate a tenant system with a realm in Juniper ATP Cloud, that tenant system receives the threat management features configured for the realm. The SRX Series device then performs policy enforcement based on the tenant system and the associated Juniper ATP Cloud realm.

Note: For information on using tenant systems with SRX Series devices, refer to the Junos documentation.

Tenant System Support for SecIntel Feeds

Starting in Junos OS 18.4, you can configure security-intelligence profiles for tenant systems.

Tenant systems enroll to ATP Cloud when the associated SRX Series device is enrolled. All tenant systems with enabled anti-malware or security-intelligence policies appear in the ATP Cloud “Enrolled Devices” page with other SRX Series devices.

Warning: Unlike physical devices, which automatically make submissions to the realm they are enrolled in, tenant system submissions are ignored until the tenant system is associated with a realm using the Realm Management page in the Juniper ATP Cloud Web UI. See Realm Management for those instructions.

Note that root-logical-system is automatically associated with the realm to which the SRX Series device is enrolled. Only root-logical-system can make submissions by default. Therefore, you do not need to make an association for root-logical-system.

Here is an example of the CLI commands for a tenant system security-intelligence policy configuration. The tenant system used in this example (TSYS1) must be associated with the correct realm in Juniper ATP Cloud for the policy to be applied to the intended device:

set logical-systems TSYS1 services security-intelligence profile pf1 category Infected-Hosts
set logical-systems TSYS1 services security-intelligence profile pf1 default-rule then action block drop
set logical-systems TSYS1 services security-intelligence profile pf1 default-rule then log
set logical-systems TSYS1 services security-intelligence policy p1 Infected-Hosts pf1

Use the following example commands to view the infected hosts feed for a tenant system:

root@SRX> show security dynamic-address category-name Infected-Hosts logical-system TSYS1
No.      IP-start        IP-end          Feed             Address
1        10.1.32.131     10.1.32.131     Infected-Hosts/1 ID-2150001a
2        10.1.32.148     10.1.32.148     Infected-Hosts/1 ID-2150001a
3        10.1.32.183     10.1.32.183     Infected-Hosts/1 ID-2150001a
4        10.1.32.201     10.1.32.201     Infected-Hosts/1 ID-2150001a

Or use the following:

User1@SRX:TSYS1> show security dynamic-address category-name Infected-Hosts
No.      IP-start        IP-end          Feed             Address
1        10.1.32.131     10.1.32.131     Infected-Hosts/1 ID-2150001a
2        10.1.32.148     10.1.32.148     Infected-Hosts/1 ID-2150001a
3        10.1.32.183     10.1.32.183     Infected-Hosts/1 ID-2150001a
4        10.1.32.201     10.1.32.201     Infected-Hosts/1 ID-2150001a

Tenant System Support for AAMW

Starting in Junos OS 18.4, you can also configure anti-malware policies on a per-tenant-system basis. As stated previously, the tenant system used in this example (TSYS1) must be associated with the correct realm in ATP Cloud for the policy to be applied to the intended device. See Realm Management for ATP Cloud Web UI configuration details.

Here is an example of a tenant system anti-malware policy configuration:

set logical-systems TSYS1 services advanced-anti-malware policy LP1 http inspection-profile ldom_profile
set logical-systems TSYS1 services advanced-anti-malware policy LP1 http action block
set logical-systems TSYS1 services advanced-anti-malware policy LP1 http notification log
set logical-systems TSYS1 services advanced-anti-malware policy LP1 smtp inspection-profile default_profile
set logical-systems TSYS1 services advanced-anti-malware policy LP1 smtp notification log
set logical-systems TSYS1 services advanced-anti-malware policy LP1 imap inspection-profile default_profile
set logical-systems TSYS1 services advanced-anti-malware policy LP1 imap notification log
set logical-systems TSYS1 services advanced-anti-malware policy LP1 verdict-threshold 3

Use the following command to view anti-malware policies for a tenant system.

root@SRX> show services advanced-anti-malware policy logical-systems TSYS1

Advanced-anti-malware configuration:
 Policy Name: LP1
  Default-notification  : Log
  Whitelist-notification: Log
  Blacklist-notification: Log
  Fallback options:
    Action: block
    Notification: No Log
  Inspection-profile: ldom_profile
  Applications: HTTP
  Verdict-threshold: 3
  Action: block
  Notification: Log

Or use the following:

User1@SRX:TSYS1> show services advanced-anti-malware policy

Advanced-anti-malware configuration:
 Policy Name: LP1
  Default-notification  : Log
  Whitelist-notification: Log
  Blacklist-notification: Log
  Fallback options:
    Action: block
    Notification: No Log
  Inspection-profile: ldom_profile
  Applications: HTTP
  Verdict-threshold: 3
  Action: block
  Notification: Log
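
The following check is an added example, not part of the Juniper documentation. It reads set-style configuration lines like those above, lists which tenant systems carry security-intelligence or anti-malware policies, and reports tenants missing from an operator-maintained list of realm associations (their submissions would be ignored) as well as security-intelligence policies that reference a profile not defined in the same tenant system. The TSYS2 lines, the function names and the realm_associated set are assumptions made for illustration; the realm list has to be copied by hand from the Realm Management page.

```python
import re
from collections import defaultdict

# Constructed sample: TSYS1 lines from this page plus a hypothetical TSYS2.
SAMPLE_CONFIG = """\
set logical-systems TSYS1 services security-intelligence profile pf1 category Infected-Hosts
set logical-systems TSYS1 services security-intelligence profile pf1 default-rule then action block drop
set logical-systems TSYS1 services security-intelligence policy p1 Infected-Hosts pf1
set logical-systems TSYS1 services advanced-anti-malware policy LP1 http inspection-profile ldom_profile
set logical-systems TSYS1 services advanced-anti-malware policy LP1 http action block
set logical-systems TSYS2 services security-intelligence policy p2 Infected-Hosts pf9
set logical-systems TSYS2 services advanced-anti-malware policy LP2 http action block
"""

LINE = re.compile(r"^set logical-systems (\S+) services "
                  r"(security-intelligence|advanced-anti-malware) (profile|policy) (\S+)(.*)$")

def summarize(config_text):
    """Collect SecIntel profiles, SecIntel policy bindings and AAMW policies per tenant."""
    tenants = defaultdict(lambda: {"profiles": set(), "bindings": set(), "aamw": set()})
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a tenant-scoped SecIntel/AAMW statement
        tenant, service, kind, name, rest = m.groups()
        entry = tenants[tenant]
        if service == "advanced-anti-malware":
            if kind == "policy":
                entry["aamw"].add(name)
        elif kind == "profile":
            entry["profiles"].add(name)
        else:
            parts = rest.split()  # policy <name> <category> <profile>
            if len(parts) == 2:
                entry["bindings"].add((name, parts[0], parts[1]))
    return dict(tenants)

def audit(config_text, realm_associated):
    """realm_associated: tenant names the operator has associated with a realm (assumed input)."""
    findings = []
    for tenant, e in sorted(summarize(config_text).items()):
        if tenant not in realm_associated:
            findings.append(f"{tenant}: policies configured but no realm association recorded")
        for policy, category, profile in sorted(e["bindings"]):
            if profile not in e["profiles"]:
                findings.append(f"{tenant}: policy {policy} binds {category} to undefined profile {profile}")
    return findings
```
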

Security Profile CLI

Administrators can configure a single security profile to assign resources to a specific tenant system, use the same security profile for more than one tenant system, or use a mix of both methods. You can configure up to 32 security profiles on an SRX Series device running logical systems.

Security profiles allow you to dedicate various amounts of a resource to the tenant systems and allow them to compete for use of the free resources. They also protect against one logical system exhausting a resource that is required at the same time by other tenant systems.

The following commands are added to the security-profile CLI.

Use the following command to view the security profiles:

show system security-profile all-resource

Note: Refer to the Junos documentation for more information on the set system security-profile command for logical systems.
