Integrate AWS GuardDuty with vSRX Firewalls

Solution Overview

Amazon Web Services (AWS) GuardDuty is a continuous security monitoring service that identifies unexpected, potentially unauthorized, and malicious activity within your AWS environment. The threats detected by GuardDuty are sent as a security feed to the vSRX firewalls in your AWS environment. A vSRX firewall can obtain the feed in one of two ways: by downloading it directly from an AWS S3 bucket, or, if the firewall is enrolled with Juniper ATP Cloud, by receiving it from ATP Cloud together with the ATP Cloud security intelligence (SecIntel) feeds. The vSRX firewall then lets you act on the feed and block or log connections to the threat sources it lists. For more information about the AWS components, see the AWS Documentation.

The deployment scenarios that are supported in this solution are:

  • Direct ingestion: the vSRX firewall downloads the GuardDuty feed directly from the S3 bucket that the Lambda function writes to.

  • Ingestion through ATP Cloud: the Lambda function uploads the GuardDuty feed to ATP Cloud, which pushes it to the enrolled vSRX firewall along with the other SecIntel feeds.

Workflow to Integrate AWS GuardDuty with vSRX Firewalls

Set up AWS Environment

Procedure

  1. (Optional) Configure S3 bucket.

    This step is required only if the vSRX firewalls ingest the threat feeds directly from S3. You need not configure an S3 bucket if the threat feeds are ingested through ATP Cloud.

    Note 

    • Make a note of the S3 bucket name; you need it for the S3_BUCKET Lambda parameter and for the security-intelligence URL configured on the vSRX firewall.

    • Configure the S3 bucket so that downloading (reading) the manifest and feed files does not require any API keys. The vSRX firewall fetches them with unauthenticated HTTPS GET requests, so anonymous access must cover read of the feed objects and nothing more.

    • Write access to the S3 bucket is only available to the Lambda function, through its IAM role. Nothing else should be able to modify the feed, because whatever the feed contains is what the firewall blocks or logs.

  2. Configure GuardDuty.

    GuardDuty findings can be exported either to an S3 bucket or to CloudWatch Events. In this solution the findings are exported to CloudWatch Events. A CloudWatch Events rule then triggers the Lambda function, which converts the findings into a format the vSRX firewalls understand and pushes the result to the AWS S3 bucket.

    Procedure

    1. Log in to your AWS account.
    2. Click Services tab and search for GuardDuty.
    3. Select GuardDuty service.

      The GuardDuty Findings page appears, displaying the list of findings that GuardDuty has generated.

    4. Click Settings in the left pane.

      The About GuardDuty page appears.

    5. In Finding export options section, select the frequency for updated findings. The available options are:
      • Update CWE and S3 every 6 hours (default)

      • Update CWE and S3 every 1 hour

      • Update CWE and S3 every 15 minutes

      Based on the frequency that you select, the GuardDuty service generates events at regular intervals and shares them with the CloudWatch Events (CWE) service.

  3. Create and configure Lambda function.

    The AWS Lambda function uploads GuardDuty findings to ATP Cloud through the ATP Cloud OpenAPI, or updates the AWS S3 bucket with the feed information in the standard SRX manifest file format. For the ATP Cloud path, Lambda must be configured with the application token generated per realm in the ATP Cloud Web Portal. The threat feed is available under the C&C category.

    Procedure

    To create Lambda function.

    1. Navigate to Services > Lambda > Create.
    2. Select Runtime python 3.6.
    3. Provide an appropriate Identity and Access Management (IAM) role. Create a new IAM role and assign it to the Lambda function. The role enables the Lambda function to read and write objects in the S3 bucket; it does not need permissions beyond that bucket. For more information, see Create an IAM user.

    Procedure

    To upload a Lambda file:

    1. Go to the GitHub repository https://github.com/Juniper/vSRX-AWS, navigate to the SRX-GD-ThreatFeed folder, and download the SRX-GD-ThreatFeed.zip Lambda file.
    2. Navigate to Lambda > Functions > your_lambda_function_name.
    3. Click Actions > Upload a .zip file. Upload SRX-GD-ThreatFeed.zip file from Function code section.
    4. Click OK.

      The Lambda configurations are displayed in the Environment variables section. Follow the guidelines in Table 65 to configure Lambda.

    Procedure

    To configure Lambda function:

    1. Navigate to Lambda > Functions > your_lambda_function_name > Edit Environment variables.
    2. Complete the configurations according to guidelines provided in Table 65.
    3. Click Save.

    To configure the time-out setting, navigate to Lambda > Functions > your_lambda_function_name > Basic settings and update Timeout to 10 seconds.

    Table 65: AWS Lambda Configurations

    MAX_ENTRIES
      Maximum number of entries retained in the corresponding data file. When the limit is reached, the oldest entries expire first.
      Default value: 10000
      Range: 1000-100000
      Example: 1000

    IP_FEED_NAME
      Name of the C&C IP feed, which is also the key name of the S3 data file. If a false-positive entry has to be removed, delete it manually from the S3 object whose key is derived from IP_FEED_NAME.
      Example: custom_cc_(content_type)_data

    DNS_FEED
      Name of the C&C DNS feed, which is also the key name of the S3 data file. If a false-positive entry has to be removed, delete it manually from the S3 object whose key is derived from DNS_FEED.
      Example: custom_cc_dns_(content_type)_data

    S3_BUCKET
      Name of the S3 bucket. The bucket name also forms part of the S3 URL from which the vSRX firewall downloads the manifest.
      Example: guardduty-integration-test

    SEVERITY_LEVEL
      Severity level beyond which the IP addresses and domain names from AWS GuardDuty findings are added to the feed files.
      Note: The GuardDuty severity level maps one-to-one to the ATP Cloud threat level, so the threat levels matched by the security-intelligence rules on the vSRX firewall must agree with this value.
      Default value: 8
      Range: 1-10
      Example: 4

    SKY_APPLICATION_TOKEN
      Application token used to upload entries through the ATP Cloud OpenAPI. Log in to the Juniper ATP Cloud Web Portal and generate the token; at least one device with a premium license must be configured before the token can be generated. Treat the token as a credential: anyone who holds it can upload feed entries to your realm.
      Example: TOKEN_VALUE

    SKY_OPENAPI_BASE_PATH
      Base path of the ATP Cloud (Sky) OpenAPI, used to upload feeds from the Lambda function to ATP Cloud.
      Example: https://threat-api.sky.junipersecurity.net/v1/cloudfeeds

    FEED_TTL
      Time to live (TTL) of the feed, in seconds (the range runs from one day to one year). Feed entries expire on the SRX Series device if they are not updated within the TTL.
      Default value: 3456000
      Range: 86400-31556952

    FEED_UPDATE_INTERVAL
      Interval, in seconds, at which the feeds are updated.
      Default value: 300
      Range: 300-86400

    Note 

    • For direct ingestion of threat feeds by vSRX firewalls, do not define the SKY_APPLICATION_TOKEN and SKY_OPENAPI_BASE_PATH parameters. When these parameters are absent, the feeds are uploaded directly to the AWS S3 bucket.

    • For ingestion of threat feeds through ATP Cloud, you must define the SKY_APPLICATION_TOKEN and SKY_OPENAPI_BASE_PATH parameters; the Lambda function uses them to upload the feeds to ATP Cloud. The S3_BUCKET parameter is not needed in this case.

  4. Configure CloudWatch.

    Create rules and specify the event source (GuardDuty) and event target (Lambda function).

    Procedure

    To create rules:

    1. Select Events > Rules.

      The Rules page appears.

    2. Click Create Rule.
    3. Under the Event Source section, select GuardDuty as the service name and GuardDuty Finding as the event type.
    4. Under Targets section, select the Lambda function.
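The S3 bucket from step 1 must be readable without credentials, because the vSRX fetches manifest.xml and the data files with plain HTTPS GET requests, but only the Lambda function's role should be able to write to it: whatever is written into the feed is what the firewall blocks. The following added example, which is not code from the Juniper vSRX-AWS repository, audits a bucket policy against that rule: an anonymous principal may be granted only s3:GetObject on the bucket's objects, and anything broader is reported. The two policies are constructed for illustration; the bucket name is the page's example and the Lambda role ARN (account ID and role name) is assumed.

```python
"""Audit the GuardDuty feed bucket's S3 bucket policy.

Added example, not code from the Juniper vSRX-AWS repository. Rule checked:
an anonymous principal may hold only s3:GetObject on the bucket's objects
(the vSRX downloads manifest.xml and the data files unauthenticated); every
other grant, including writes, must go to a named principal such as the
Lambda execution role. Policies and the role ARN below are constructed.
"""
import json

BUCKET = "guardduty-integration-test"   # example bucket name from the page
PUBLIC_ALLOWED_ACTIONS = {"s3:getobject"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """Both "*" and {"AWS": "*"} spell an anonymous principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def audit_bucket_policy(policy_doc, bucket=BUCKET):
    """Return a list of problems; an empty list means the policy passes.

    Conservative: looks at Allow statements only (a Deny can only tighten),
    and treats NotAction/NotResource/NotPrincipal in an Allow as too broad
    rather than trying to reproduce full IAM evaluation semantics.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    object_arn = f"arn:aws:s3:::{bucket}/*"
    problems = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue
        if any(k in stmt for k in ("NotAction", "NotResource", "NotPrincipal")):
            problems.append(f"{sid}: Allow with Not* element is too broad to review")
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue                        # named principal: not a public grant
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        extra = actions - PUBLIC_ALLOWED_ACTIONS   # catches s3:*, *, s3:Put*, ...
        if extra:
            problems.append(f"{sid}: public principal granted {sorted(extra)}")
        for res in _as_list(stmt.get("Resource")):
            if res != object_arn:
                problems.append(f"{sid}: public grant on {res}, expected only {object_arn}")
    return problems


# Constructed weak setting: anonymous full control, so anyone can rewrite the feed.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicFullAccess", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:*",
                   "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}],
}

# Constructed corrected setting: anonymous read of feed objects only; writes
# restricted to the Lambda execution role (account ID and role name assumed).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VsrxAnonymousFeedRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "LambdaFeedWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/srx-gd-threatfeed-lambda"},
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_bucket_policy(policy) or "OK")
```

Note that S3 Block Public Access, when enabled at the account or bucket level, overrides a public bucket policy; the bucket-level setting that blocks public bucket policies has to be off for this one bucket for the anonymous read to work, and should stay on everywhere else.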

Configure vSRX Firewall

The following section lists the CLI configurations that are required on vSRX firewalls.

Procedure

This example configures a profile name, a profile rule, and the threat level scores. Anything that matches these threat level scores is considered malware or an infected host. The ATP Cloud threat level maps one-to-one to the severity level in AWS GuardDuty.

Note You can change the severity level in AWS GuardDuty anytime, but the severity level must always match the threat level that you configure on your vSRX firewalls.
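The Lambda description in step 3 of the AWS setup and the note above describe the same logic in prose: only GuardDuty findings reach the function, only findings at the configured severity become feed entries, and the feed's threat level is the GuardDuty severity. The following added Python example (not the SRX-GD-ThreatFeed Lambda itself) shows that logic in code: the CloudWatch Events rule filter, extraction of the remote IP or domain from a finding, the SEVERITY_LEVEL threshold (read here as inclusive), the one-to-one severity to threat level mapping (truncating any fractional part is this example's choice), and MAX_ENTRIES expiry of the oldest entries. The finding events are constructed, and an in-memory store stands in for the two S3 data files, since the manifest and data file format is not reproduced here.

```python
"""Convert CloudWatch-delivered GuardDuty findings into C&C IP and DNS feed entries.
Added example, not the SRX-GD-ThreatFeed Lambda from the Juniper repository.
Assumptions: SEVERITY_LEVEL is inclusive, threat level = integer part of the
GuardDuty severity, and an in-memory store stands in for the S3 data files."""
import math
import os
from collections import OrderedDict

SEVERITY_LEVEL = float(os.environ.get("SEVERITY_LEVEL", "8"))
MAX_ENTRIES = int(os.environ.get("MAX_ENTRIES", "10000"))


def is_guardduty_finding(event):
    """Same test the CloudWatch Events rule makes with the pattern
    {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}."""
    return (event.get("source") == "aws.guardduty"
            and event.get("detail-type") == "GuardDuty Finding")


def extract_indicators(finding):
    """Yield ("ip", addr) or ("dns", domain) for the remote side of a finding."""
    action = finding.get("service", {}).get("action", {})
    kind = action.get("actionType")
    if kind in ("NETWORK_CONNECTION", "AWS_API_CALL"):
        key = "networkConnectionAction" if kind == "NETWORK_CONNECTION" else "awsApiCallAction"
        ip = action[key].get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            yield "ip", ip
    elif kind == "PORT_PROBE":
        for probe in action["portProbeAction"].get("portProbeDetails", []):
            ip = probe.get("remoteIpDetails", {}).get("ipAddressV4")
            if ip:
                yield "ip", ip
    elif kind == "DNS_REQUEST":
        domain = action["dnsRequestAction"].get("domain")
        if domain:
            yield "dns", domain.rstrip(".").lower()


def threat_level(severity):
    """GuardDuty severity (0.1-8.9) to SRX threat level (1-10): integer part, clamped."""
    return max(1, min(10, math.floor(severity)))


class FeedStore:
    """Stand-in for the two S3 data files (IP_FEED_NAME and DNS_FEED keys)."""

    def __init__(self, max_entries=MAX_ENTRIES):
        self.max_entries = max_entries
        self.feeds = {"ip": OrderedDict(), "dns": OrderedDict()}

    def add(self, kind, value, level):
        feed = self.feeds[kind]
        if value in feed:
            feed.move_to_end(value)          # re-seen: refresh age, keep max level
            level = max(level, feed[value])
        feed[value] = level
        while len(feed) > self.max_entries:  # MAX_ENTRIES reached: oldest expires
            feed.popitem(last=False)

    def process_event(self, event, severity_level=SEVERITY_LEVEL):
        """Handle one CloudWatch event; return the number of indicators added."""
        if not is_guardduty_finding(event):
            return 0
        finding = event["detail"]
        severity = float(finding.get("severity", 0))
        if severity < severity_level:
            return 0                         # below threshold: not added to the feed
        added = 0
        for kind, value in extract_indicators(finding):
            self.add(kind, value, threat_level(severity))
            added += 1
        return added


def _event(finding_type, severity, action):  # constructed CloudWatch envelope
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"type": finding_type, "severity": severity,
                       "service": {"action": action}}}


SAMPLE_EVENTS = [  # constructed sample input, not real findings
    _event("Backdoor:EC2/C&CActivity.B", 8.0, {
        "actionType": "NETWORK_CONNECTION",
        "networkConnectionAction": {"connectionDirection": "OUTBOUND",
                                    "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}),
    _event("Backdoor:EC2/C&CActivity.B!DNS", 8.0, {
        "actionType": "DNS_REQUEST",
        "dnsRequestAction": {"domain": "c2.example.net.", "protocol": "UDP"}}),
    _event("Recon:EC2/PortProbeUnprotectedPort", 2.0, {
        "actionType": "PORT_PROBE",
        "portProbeAction": {"portProbeDetails": [{"remoteIpDetails": {"ipAddressV4": "203.0.113.9"}}]}}),
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {}},  # not a finding; the rule would never forward it
]


def run_samples(severity_level=8.0):
    store = FeedStore()
    for event in SAMPLE_EVENTS:
        store.process_event(event, severity_level)
    return store


if __name__ == "__main__":
    s = run_samples()
    print("ip feed:", dict(s.feeds["ip"]), "dns feed:", dict(s.feeds["dns"]))
```

With the default threshold of 8 only the two C&C findings produce entries (the IP 198.51.100.23 and the domain c2.example.net, both at threat level 8), which is exactly what the profile rules matching threat levels 8 to 10 below act on; lowering SEVERITY_LEVEL to 2 also admits the port-probe source, and the vSRX rules would then have to match threat level 2 as well, which is the point of the note above about keeping the two values aligned.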

To configure vSRX firewall with AWS GuardDuty:

  1. Enroll vSRX to ATP Cloud. See Enrolling an SRX Series Device With Juniper Advanced Threat Prevention Cloud.
  2. Configure security intelligence URL.

    set services security-intelligence url https://guardduty-integration-test.s3-us-west-2.amazonaws.com/manifest.xml

  3. Configure security intelligence profile and policy. In this example the profile name is secintel_profile and threat levels 8 and above are blocked.

    set services security-intelligence profile secintel_profile category CC

    set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 8

    set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 9

    set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 10

    set services security-intelligence profile secintel_profile rule secintel_rule then action block drop

    set services security-intelligence profile secintel_profile rule secintel_rule then log

    set services security-intelligence policy secintel_policy CC secintel_profile

  4. Configure a security policy and assign the security intelligence policy to the security policy.

    set security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy secintel_policy

    commit

Procedure

To configure vSRX firewall with AWS GuardDuty using ATP Cloud:

  1. Install ATP Cloud license.
  2. Enroll vSRX to ATP Cloud. See Enrolling an SRX Series Device With Juniper Advanced Threat Prevention Cloud.

    The enrollment script generates the aamw-ssl TLS profile, which is used in Step 3.

  3. Configure security intelligence URL.

    set services security-intelligence url https://cloudfeeds.argonqa.junipersecurity.net/api/manifest.xml

    set services security-intelligence authentication tls-profile aamw-ssl

  4. Configure security intelligence profiles and policies. In this example the profile name is secintel_profile and threat level 8 and above are blocked.

    set services security-intelligence profile secintel_profile category CC

    set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 8

    set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 9

    set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 10

    set services security-intelligence profile secintel_profile rule secintel_rule then action block drop

    set services security-intelligence profile secintel_profile rule secintel_rule then log

    set services security-intelligence profile ih_profile category Infected-Hosts

    set services security-intelligence profile ih_profile rule ih_rule match threat-level 8

    set services security-intelligence profile ih_profile rule ih_rule match threat-level 9

    set services security-intelligence profile ih_profile rule ih_rule match threat-level 10

    set services security-intelligence profile ih_profile rule ih_rule then action block drop

    set services security-intelligence profile ih_profile rule ih_rule then log

    set services security-intelligence policy secintel_policy Infected-Hosts ih_profile

    set services security-intelligence policy secintel_policy CC secintel_profile

  5. Configure a security policy and assign the security intelligence policy to the security policy.

    set security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy secintel_policy

    commit

To check the security-intelligence status, use the show services security-intelligence update status command.

show services security-intelligence update status  
  
Current action        :Downloading feed cc_ip_data (20200330.35) in category CC.
Last update status    :Feed cc_ip_data (20200330.4) of category CC not changed
Last connection status:succeeded
Last update time      :2020-03-30 14:42:05 PDT

To check the security intelligence statistics, use the show services security-intelligence statistics command.

Sample output of SecIntel Statistics on vSRX firewalls with AWS GuardDuty is as follows:

> show services security-intelligence statistics 
Logical system: root-logical-system
Category CC:
  Profile secintel_profile:
    Total processed sessions: 0
    Permit sessions:          0
    Block drop sessions:      0
    Block close sessions:     0
    Close redirect sessions:  0

Sample output of SecIntel Statistics on vSRX firewalls with ATP Cloud and AWS GuardDuty is as follows:

> show services security-intelligence statistics 

Logical system: root-logical-system
Category Whitelist:
  Profile Whitelist:
    Total processed sessions: 0
    Permit sessions:          0
Category Blacklist:
  Profile Blacklist:
    Total processed sessions: 0
    Block drop sessions:      0
Category CC:
  Profile secintel_profile:
    Total processed sessions: 0
    Permit sessions:          0
    Block drop sessions:      0
    Block close sessions:     0
    Close redirect sessions:  0
Category Infected-Hosts:
  Profile ih_profile:
    Total processed sessions: 0
    Permit sessions:          0
    Block drop sessions:      0
    Block close sessions:     0
    Close redirect sessions:  0

No additional configuration is required in the ATP Cloud Web Portal when the vSRX firewall is integrated with ATP Cloud. All settings, including the SecIntel configuration, are created automatically when the vSRX firewall is enrolled with ATP Cloud.
