Contents

ContentsHide

Juniper Advanced Threat Prevention Cloud Administration Guide
- About the Documentation
- Overview and Installation
  - Juniper Advanced Threat Prevention Cloud Overview
  - Install Juniper Advanced Threat Cloud Prevention
- The Web Portal and Enrolling SRX Series Devices
  - The Juniper ATP Cloud Web Portal
  - Enroll SRX Series Devices
- Configure
  - Allowlists and Blocklists
    - Allowlist and Blocklist Overview
    - Creating Allowlists and Blocklists
  - Email Scanning: Juniper ATP Cloud
  - Email Scanning: SRX Series Device
  - File Inspection Profiles
    - File Inspection Profiles Overview
    - Creating File Inspection Profiles
  - Adaptive Threat Profiling
    - Adaptive Threat Profiling Overview
    - Create an Adaptive Threat Profiling Feed
  - SecIntel Feeds
    - SecIntel Feeds Overview
    - Juniper SecIntel Feeds Overview
  - Global Configurations
- Monitor and Take Action
  - Reports
    - Reports Overview
    - Configure Report Definitions
  - Hosts
    - Hosts Overview
    - Host Details
  - Identifying Infected Hosts
    - Compromised Hosts: More Information
    - Configuring the SRX Series Devices to Block Infected Hosts
  - Threat Sources
    - Threat Sources Overview
    - Threat Source Details
  - Identify Hosts Communicating with Command and Control Servers
    - Command and Control Servers: More Information
    - Configuring the SRX Series Device to Block Outbound Requests to a C&C Host
  - File Scanning
  - Email Scanning
  - Telemetry
    - Telemetry Overview
    - Telemetry Details
  - Encrypted Traffic Insights
    - Encrypted Traffic Insights Overview
    - Encrypted Traffic Insights Details
- Policies on the SRX Series Device
  - Configure Juniper ATP Cloud Policies on the SRX Series Device
  - Configure IP-Based Geolocations on the SRX Series Device
    - Geolocation IPs and Juniper Advanced Threat Prevention Cloud
    - Configuring Juniper Advanced Threat Prevention Cloud With Geolocation IP
  - Integrate Amazon Web Services GuardDuty with vSRX Firewalls
    - Integrate AWS GuardDuty with vSRX Firewalls
  - Configure DNS Request Filtering on the SRX Series Device
    - DNS Request Filtering for Disallowed Domains
- Administration
  - Juniper ATP Cloud Administration
- Troubleshoot
  - Troubleshooting Topics
- More Documentation
  - ATP Cloud Tech Library Page Links
    - Links to Documentation on Juniper.net

ContentsHide

Juniper Advanced Threat Prevention Cloud Administration Guide
- About the Documentation
- Overview and Installation
  - Juniper Advanced Threat Prevention Cloud Overview
  - Install Juniper Advanced Threat Cloud Prevention
- The Web Portal and Enrolling SRX Series Devices
  - The Juniper ATP Cloud Web Portal
  - Enroll SRX Series Devices
- Configure
  - Allowlists and Blocklists
    - Allowlist and Blocklist Overview
    - Creating Allowlists and Blocklists
  - Email Scanning: Juniper ATP Cloud
  - Email Scanning: SRX Series Device
  - File Inspection Profiles
    - File Inspection Profiles Overview
    - Creating File Inspection Profiles
  - Adaptive Threat Profiling
    - Adaptive Threat Profiling Overview
    - Create an Adaptive Threat Profiling Feed
  - SecIntel Feeds
    - SecIntel Feeds Overview
    - Juniper SecIntel Feeds Overview
  - Global Configurations
- Monitor and Take Action
  - Reports
    - Reports Overview
    - Configure Report Definitions
  - Hosts
    - Hosts Overview
    - Host Details
  - Identifying Infected Hosts
    - Compromised Hosts: More Information
    - Configuring the SRX Series Devices to Block Infected Hosts
  - Threat Sources
    - Threat Sources Overview
    - Threat Source Details
  - Identify Hosts Communicating with Command and Control Servers
    - Command and Control Servers: More Information
    - Configuring the SRX Series Device to Block Outbound Requests to a C&C Host
  - File Scanning
  - Email Scanning
  - Telemetry
    - Telemetry Overview
    - Telemetry Details
  - Encrypted Traffic Insights
    - Encrypted Traffic Insights Overview
    - Encrypted Traffic Insights Details
- Policies on the SRX Series Device
  - Configure Juniper ATP Cloud Policies on the SRX Series Device
  - Configure IP-Based Geolocations on the SRX Series Device
    - Geolocation IPs and Juniper Advanced Threat Prevention Cloud
    - Configuring Juniper Advanced Threat Prevention Cloud With Geolocation IP
  - Integrate Amazon Web Services GuardDuty with vSRX Firewalls
    - Integrate AWS GuardDuty with vSRX Firewalls
  - Configure DNS Request Filtering on the SRX Series Device
    - DNS Request Filtering for Disallowed Domains
- Administration
  - Juniper ATP Cloud Administration
- Troubleshoot
  - Troubleshooting Topics
- More Documentation
  - ATP Cloud Tech Library Page Links
    - Links to Documentation on Juniper.net

Integrate AWS GuardDuty with vSRX Firewalls

Solution Overview

Amazon Web Services (AWS) GuardDuty is a continuous security monitoring service that identifies unexpected, potentially unauthorized, and malicious activity within your AWS environment. The threats detected by AWS GuardDuty is sent as a security feed to the vSRX firewalls in the your AWS environment. The vSRX firewalls can access the feeds either by directly downloading it from the AWS S3 bucket, or if the firewall device is enrolled with ATP Cloud, the feed is pushed to the firewall device along with the ATP Cloud security intelligence (SecIntel) feeds. In turn, the vSRX firewall enables you to take actions on the feed and block or log connections to the threat sources identified in the feed.

The threats are sent as a security feed to the SRX Series devices in the your AWS environment. The device can access the feeds either by directly downloading it from the AWS S3 bucket or, if the SRX Series device is enrolled with Juniper ATP Cloud, the feed is pushed to the device along with the security intelligence (SecIntel) feeds. For more information about AWS components, see AWS Documentation.

The deployment scenarios that are supported in this solution are:

Integration of AWS GuardDuty with vSRX firewalls
You don’t need a Juniper ATP Cloud license for this deployment. The threat feeds from AWS GuardDuty are processed through the AWS Lambda function and then stored in the AWS S3 bucket. You must configure, and deploy the AWS Lambda function. Once deployed, the Lambda function translates the data from AWS GuardDuty findings into a list of malicious IP addresses and URLs. The resultant list is stored in a configured AWS S3 bucket in the format that can be ingested by the vSRX firewalls. You must configure vSRX firewalls to periodically download the threat feeds from the AWS S3 bucket.
Figure 24: Direct Ingestion of threat feeds by vSRX Firewalls
Integration of AWS GuardDuty with vSRX firewalls using ATP Cloud
You must install a Juniper ATP Cloud premium license on your SRX Series devices and vSRX instances for this deployment. The threat feeds from AWS GuardDuty are processed through the AWS Lambda function. You must configure and deploy the Lambda function and enable ATP Cloud on your vSRX firewalls. The AWS Lambda function sends the threat feed to ATP Cloud (upload feeds to C&C category) using OpenAPIs. The threat feeds are pushed to all enrolled vSRX firewalls along with the ATP Cloud security intelligence (SecIntel) feeds.
Figure 25: Ingestion of threat feeds through ATP Cloud

Workflow to Integrate AWS GuardDuty with vSRX Firewalls

Set up AWS Environment

Procedure

(Optional) Configure S3 bucket.
This step is required only if the threat feeds are directly ingested by vSRX firewalls. You need not configure S3 bucket if the ingestion of threat feeds is through ATP Cloud.
- For S3 configuration details, see Setting up Amazon S3.
- Upload the manifest.xml and cc_schema files from the GitHub repository https://github.com/Juniper/vSRX-AWS to the S3 bucket. The manifest.xml and cc_schema files are available in SRX-GD-ThreatFeed folder.
Note
- Make a note of the S3 bucket name for future references.
- Configure the S3 bucket such that download or read operation does not require any API keys
- Write access on S3 bucket is only available with the Lambda function.
Configure GuardDuty.
GuardDuty findings can be exported to either S3 bucket or CloudWatch events. In this solution we export the findings to CloudWatch events. Eventually CloudWatch events rule will trigger Lambda Function to convert findings into a compatible format with vSRX firewalls and push to AWS S3 bucket.
Procedure
1. Log in to your AWS account.
2. Click Services tab and search for GuardDuty.
3. Select GuardDuty service.
  The GuardDuty Findings page appears displaying the list of events that are generated by GuardDuty.
4. Click Settings in the left pane.
  The About GuardDuty page appears.
5. In Finding export options section, select the frequency for updated findings. The available options are:
  - Update CWE and S3 every 6 hours (default)
  - Update CWE and S3 every 1 hour
  - Update CWE and S3 every 15 minutes
  Based on the frequency that you have selected, the GuardDuty service generates events at regular intervals and share the events with Cloud Watch Events (CWE) Service.

Create and configure Lambda function.

AWS Lambda function uploads GuardDuty findings to ATP Cloud using the ATP Cloud OpenAPI. Lambda function updates the AWS S3 bucket with feed information in the standard SRX manifest file format. Lambda must be configured with the application token generated per realm in the ATP Cloud Web Portal. The threat feed is available under the C&C category.

Procedure

To create Lambda function.

Navigate to Services > Lambda > Create.
Select Runtime python 3.6.
Provide appropriate Identity and Access Management (IAM) role. Create a new IAM role and assign the role to the Lambda function. This enables Lambda function to upload or write/read objects to/from the S3 bucket. For more information, see Create an IAM user.

Procedure

To upload a Lambda file:

Log in to GitHub repository https://github.com/Juniper/vSRX-AWS, navigate to SRX-GD-ThreatFeed folder, and download the SRX-GD-ThreatFeed.zip lambda file.
Navigate to Lambda > Functions > your_lambda_function_name.
Click Actions > Upload a .zip file. Upload SRX-GD-ThreatFeed.zip file from Function code section.
Click OK.
The Lambda configurations are displayed in the Environment variables section. Follow the guidelines in Table 65 to configure Lambda.

Procedure

To configure Lambda function:

Navigate to Lambda > Functions > your_lambda_function_name > Edit Environment variables.
Complete the configurations according to guidelines provided in Table 65.
Click Save.

To configure time-out settings, navigate to Lambda > Functions > your_lambda_function_name > Basic settings and update Timeout to 10sec.

Table 65: AWS Lambda Configurations

Parameters	Description
MAX_ENTRIES	Defines the maximum number of entries that will be retained in the corresponding data file. Older entries will expire once this limit is reached. Default value: 10000 Range:1000-100000 Example: 1000
IP_FEED_NAME	Defines the CC IP feed name, which is also the key name for S3 data file. If there is a False Alarm entry that needs to be removed; you must manually delete it from the corresponding key derived from IP_FEED_NAME parameter. Example: custom_cc_(content_type)_data
DNS_FEED	Defines the CC DNS feed name, which is also the key name for S3 data file. If there is a False Alarm entry that needs to be removed; you must manually delete it from the corresponding key derived from DNS_FEED parameter. Example: custom_cc_dns_(content_type)_data
S3_BUCKET	Name of S3 Bucket. The bucket name is used in S3 URL name as well. Example: guardduty-integration-test
SEVERITY_LEVEL	Level beyond which AWS Guardduty event IPs/URLs are added to the feed file. Note: Severity Level maps one-to-one with ATP Cloud Threat Levels. Default value: 8 Range: 1-10 Example: 4
SKY_APPLICATION_TOKEN	Used to upload entries into the ATP Cloud OpenAPI. You must log in to Juniper ATP Cloud Web Portal and generate the application token. You must have at least one device configured with premium license to generate the application token. Example: TOKEN_VALUE
SKY_OPENAPI_BASE_PATH	Base path for the Sky Open APIs, which are used to upload feeds from Lambda function to ATP Cloud. Example: https://threat-api.sky.junipersecurity.net/v1/cloudfeeds
FEED_TTL	Use the Time to Live (TTL) to specify the number of days for the feed to be active. The feed entries will expire on SRX Series device if it is not updated within the TTL. Default value: 3456000 Range: 86400-31556952
FEED_UPDATE_INTERVAL	Update interval for the feeds. Default value: 300 Range: 300-86400

Note

In case of Direct Ingestion of threat feeds by vSRX firewalls, you need not define SKY_APPLICATION_TOKEN and SKY_OPENAPI_BASE_PATH parameters. If these parameters are not configured, the feeds are directly uploaded to AWS S3 bucket.
In case of Ingestion of threat feeds through ATP Cloud, you must define SKY_APPLICATION_TOKEN and SKY_OPENAPI_BASE_PATH parameters. These parameters must be configured to upload the feeds from AWS Lambda to ATP Cloud. You need not define S3_BUCKET parameter.

Configure CloudWatch.
Create rules and specify the event source (GuardDuty) and event target (Lambda function).
Procedure
To create rules:
1. Select Events > Rules.
  The Rules page appears.
2. Click Create Rule.
3. Under Event Source section, select the service name as GuardDuty and event type as GuardDuty Finding.
4. Under Targets section, select the Lambda function.

Configure vSRX Firewall

The following section lists the CLI configurations that are required on vSRX firewalls.

Procedure

This example configures a profile name, a profile rule and the threat level scores. Anything that matches these threat level scores is considered malware or an infected host. The ATP Cloud threat level maps one-to-one with the Severity Level in AWS GuardDuty.

Note You can change the severity level in AWS GuardDuty anytime, but the severity level must always match the threat level that you configure on your vSRX firewalls.

To configure vSRX firewall with AWS GuardDuty:

Enroll vSRX to ATP Cloud. See Enrolling an SRX Series Device With Juniper Advanced Threat Prevention Cloud.
Configure security intelligence URL.
set services security-intelligence url https://guardduty-integration-test.s3-us-west-2.amazonaws.com/manifest.xml
Configure security intelligence profile and policy. In this example the profile name is secintel_profile and threat levels 8 and above are blocked.
set services security-intelligence profile secintel_profile category CC
set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 8
set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 9
set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 10
set services security-intelligence profile secintel_profile rule secintel_rule then action block drop
set services security-intelligence profile secintel_profile rule secintel_rule then log
set services security-intelligence policy secintel_policy CC secintel_profile
Configure a security policy and assign the security intelligence policy to the security policy.
set security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy secintel_policy
commit

Procedure

To configure vSRX firewall with AWS GuardDuty using ATP Cloud:

Install ATP Cloud license.
Enroll vSRX to ATP Cloud. See Enrolling an SRX Series Device With Juniper Advanced Threat Prevention Cloud.
The enrollment script will generate the aamw-ssl tls profile, which will be used in the Step 3.
Configure security intelligence URL.
set services security-intelligence url https://cloudfeeds.argonqa.junipersecurity.net/api/manifest.xml
set services security-intelligence authentication tls-profile aamw-ssl
Configure security intelligence profiles and policies. In this example the profile name is secintel_profile and threat level 8 and above are blocked.
set services security-intelligence profile secintel_profile category CC
set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 8
set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 9
set services security-intelligence profile secintel_profile rule secintel_rule match threat-level 10
set services security-intelligence profile secintel_profile rule secintel_rule then action block drop
set services security-intelligence profile secintel_profile rule secintel_rule then log
set services security-intelligence profile ih_profile category Infected-Hosts
set services security-intelligence profile ih_profile rule ih_rule match threat-level 8
set services security-intelligence profile ih_profile rule ih_rule match threat-level 9
set services security-intelligence profile ih_profile rule ih_rule match threat-level 10
set services security-intelligence profile ih_profile rule ih_rule then action block drop
set services security-intelligence profile ih_profile rule ih_rule then log
set services security-intelligence policy secintel_policy Infected-Hosts ih_profile
set services security-intelligence policy secintel_policy CC secintel_profile
Configure a security policy and assign the security intelligence policy to the security policy.
set security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy secintel_policy
commit

To check the security-intelligence status, use the show services security-intelligence update status command.

show services security-intelligence update status  
  
Current action        :Downloading feed cc_ip_data (20200330.35) in category CC.
Last update status    :Feed cc_ip_data (20200330.4) of category CC not changed
Last connection status:succeeded
Last update time      :2020-03-30 14:42:05 PDT

To check the security intelligence statistics, use the show services security-intelligence statistics command.

Sample output of SecIntel Statistics on vSRX firewalls with AWS GuardDuty is as follows:

> show services security-intelligence statistics 
Logical system: root-logical-system
Category CC:
  Profile secintel_profile:
    Total processed sessions: 0
    Permit sessions:          0
    Block drop sessions:      0
    Block close sessions:     0
    Close redirect sessions:  0

Sample output of SecIntel Statistics on vSRX firewalls with ATP Cloud and AWS GuardDuty is as follows:

> show services security-intelligence statistics 

Logical system: root-logical-system
Category Whitelist:
  Profile Whitelist:
    Total processed sessions: 0
    Permit sessions:          0
Category Blacklist:
  Profile Blacklist:
    Total processed sessions: 0
    Block drop sessions:      0
Category CC:
  Profile secintel_profile:
    Total processed sessions: 0
    Permit sessions:          0
    Block drop sessions:      0
    Block close sessions:     0
    Close redirect sessions:  0
Category Infected-Hosts:
  Profile ih_profile:
    Total processed sessions: 0
    Permit sessions:          0
    Block drop sessions:      0
    Block close sessions:     0
    Close redirect sessions:  0

No additional configuration is required in ATP Cloud Web portal when the vSRX firewall is integrated with ATP Cloud. All settings, including the SecIntel configuration, is automatically created while enrolling the vSRX firewall with ATP Cloud.

Help us to improve. Rate this article.

Feedback Received. Thank You!

Configuring Juniper Advanced Threat Prevention Cloud With Geolocation IP

DNS Request Filtering for Disallowed Domains