Juniper Advanced Threat Prevention Cloud Policy Overview

The connection to Juniper ATP Cloud is established on demand: only when a policy condition is met and a file or URL must be sent to the cloud for inspection. The cloud inspects the file and returns a verdict number from 1 through 10. The verdict number is a score or threat level; the higher the number, the greater the malware threat. The SRX Series device compares this verdict number with the Juniper ATP Cloud policy settings and either permits or denies the session. If the session is denied, a reset packet is sent to the client and the packets from the server are dropped.

Juniper ATP Cloud policies are an extension of the Junos OS security policies. Table 64 shows the additions.

Note: Starting in Junos OS Release 15.1X49-D80, the match-then condition has been deprecated from the Juniper ATP Cloud policy configuration. For more information, see Juniper Sky Advanced Threat Prevention Release Notes for Junos 15.1X49-D80. The examples below are for Junos OS Release 15.1X49-D80 and later.

Table 64: Juniper ATP Cloud Security Policy Additions

Addition: Action and notification based on the verdict number and threshold

Description: Defines the threshold value and what to do when the verdict number is greater than or equal to the threshold. For example, if the threshold is 7 (the recommended value) and Juniper ATP Cloud returns a verdict number of 8 for a file, then that file is blocked from being downloaded and a log entry is created.

set services advanced-anti-malware policy aamwpolicy1 verdict-threshold recommended
set services advanced-anti-malware policy aamwpolicy1 http action block notification log

Addition: Default action and notification

Description: Defines what to do when the verdict number is less than the threshold. For example, if the threshold is 7 and Juniper ATP Cloud returns a verdict number of 3 for a file, then that file is downloaded and a log entry is created.

set services advanced-anti-malware policy aamwpolicy1 default-notification log

Addition: Name of the inspection profile

Description: Name of the Juniper ATP Cloud profile that defines the types of file to scan.

set services advanced-anti-malware policy aamwpolicy1 http inspection-profile default_profile

Addition: Fallback options

Description: Defines what to do when error conditions occur or when there is a lack of resources. The following fallback options are available:

  • action—Permit or block the file regardless of its threat level.

  • notification—Add or do not add this event to the log file.

set services advanced-anti-malware policy aamwpolicy1 fallback-options action permit
set services advanced-anti-malware policy aamwpolicy1 fallback-options notification log

Note: The above actions assume a valid session is present. If no valid session is present, Juniper ATP Cloud permits the file, regardless of whether you set the fallback option to block. Setting the fallback action to permit is a fail-open choice: a file is delivered whenever the cloud cannot return a verdict, so pair it with fallback notification log so that those events at least leave a record.

Addition: Blocklist notification

Description: Defines whether to create a log entry when attempting to download a file from a site listed in the blocklist. The CLI keyword is blacklist-notification.

set services advanced-anti-malware policy aamwpolicy1 blacklist-notification log

Addition: Allowlist notification

Description: Defines whether to create a log entry when attempting to download a file from a site listed in the allowlist. The CLI keyword is whitelist-notification.

set services advanced-anti-malware policy aamwpolicy1 whitelist-notification log

Addition: Name of the SMTP inspection profile

Description: Name of the inspection profile for SMTP email attachments. The actions to take for SMTP are defined in the Web UI and not through CLI commands.

set services advanced-anti-malware policy aamwpolicy1 smtp inspection-profile my_smtp_profile

Use the show services advanced-anti-malware policy CLI command to view your Juniper ATP Cloud policy settings.

user@host> show services advanced-anti-malware policy aamwpolicy1
Advanced-anti-malware configuration:
Policy Name: aamwpolicy1
  Default-notification  : No Log
  Whitelist-notification: Log
  Blacklist-notification: Log
  Fallback options:
    Action: permit
    Notification: Log
  Protocol: HTTP
  Verdict-threshold: recommended (7)
    Action: block
    Notification: Log
    Inspection-profile: default_profile
  Protocol: SMTP
  Verdict-threshold: recommended (7)
    Action: User-Defined-in-Cloud (permit)
    Notification: No Log
    Inspection-profile: my_smtp_profile
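
To make the fallback and notification settings concrete, here is an added example (not Juniper code and not part of the original page) that parses the show services advanced-anti-malware policy output shown above and flags the settings a reviewer would question: a permit fallback (fail-open), unlogged sub-threshold verdicts, a verdict threshold above the recommended 7, and a protocol action that does not block. The sample input is the page's own output; the function names, severity labels and rule set are the example's own assumptions, and the remediation strings reuse the set command syntax from Table 64. Run against the page's output, it reports the permit fallback and the unlogged default as the two findings that have a CLI fix, and notes that the SMTP action is governed by the Web UI.

```python
"""Audit a Juniper ATP Cloud policy from 'show services advanced-anti-malware policy' output.

Added example (not Juniper code): parses the indented key/value layout
shown on this page and flags fail-open or unlogged settings.
"""
import re

# Constructed sample input: the policy output shown earlier on this page.
SAMPLE_OUTPUT = """\
Advanced-anti-malware configuration:
Policy Name: aamwpolicy1
  Default-notification  : No Log
  Whitelist-notification: Log
  Blacklist-notification: Log
  Fallback options:
    Action: permit
    Notification: Log
  Protocol: HTTP
  Verdict-threshold: recommended (7)
    Action: block
    Notification: Log
    Inspection-profile: default_profile
  Protocol: SMTP
  Verdict-threshold: recommended (7)
    Action: User-Defined-in-Cloud (permit)
    Notification: No Log
    Inspection-profile: my_smtp_profile
"""

RECOMMENDED_THRESHOLD = 7  # the value the page recommends


def parse_policy(text):
    """Split the show output into global, fallback and per-protocol key/value dicts."""
    policy = {"name": None, "global": {}, "fallback": {}, "protocols": {}}
    target = policy["global"]  # dict that receives the next key/value lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Advanced-anti-malware configuration"):
            continue
        if line.startswith("Policy Name:"):
            policy["name"] = line.split(":", 1)[1].strip()
        elif line == "Fallback options:":
            target = policy["fallback"]
        elif line.startswith("Protocol:"):
            proto = line.split(":", 1)[1].strip()
            target = policy["protocols"].setdefault(proto, {})
        else:
            key, _, value = line.partition(":")
            target[key.strip().lower()] = value.strip()
    return policy


def threshold_value(text):
    """'recommended (7)' -> 7, '5' -> 5, None when no number is present."""
    match = re.search(r"\d+", text)
    return int(match.group()) if match else None


def audit_policy(policy):
    """Return (severity, finding, remediation) tuples; remediation is None when
    the setting is only adjustable in the Web UI."""
    base = f"set services advanced-anti-malware policy {policy['name']}"
    findings = []
    fallback = policy["fallback"]
    if fallback.get("action", "").lower() == "permit":
        findings.append(("HIGH", "fallback action is permit: files are delivered whenever the cloud "
                         "cannot return a verdict (fail-open)", f"{base} fallback-options action block"))
    if fallback.get("notification", "").lower() != "log":
        findings.append(("MEDIUM", "fallback events are not logged",
                         f"{base} fallback-options notification log"))
    if policy["global"].get("default-notification", "").lower() != "log":
        findings.append(("LOW", "verdicts below the threshold are not logged, so files the cloud "
                         "scored but let through leave no record", f"{base} default-notification log"))
    for proto, settings in policy["protocols"].items():
        threshold = threshold_value(settings.get("verdict-threshold", ""))
        if threshold is None or threshold > RECOMMENDED_THRESHOLD:
            findings.append(("MEDIUM", f"{proto}: verdict threshold {threshold} is above the recommended "
                             f"{RECOMMENDED_THRESHOLD}", f"{base} verdict-threshold recommended"))
        action = settings.get("action", "")
        if action.startswith("User-Defined-in-Cloud"):
            effective = re.search(r"\((\w+)\)", action)
            findings.append(("INFO", f"{proto}: action is set in the Web UI (currently "
                             f"{effective.group(1) if effective else 'unknown'}); verify it there", None))
        elif action.lower() != "block":
            findings.append(("HIGH", f"{proto}: action '{action}' does not block files at or above the "
                             "threshold", f"{base} {proto.lower()} action block notification log"))
        elif settings.get("notification", "").lower() != "log":
            findings.append(("MEDIUM", f"{proto}: blocked files are not logged",
                             f"{base} {proto.lower()} action block notification log"))
    return findings


def remediation_commands(findings):
    """CLI set commands for every finding that has one, in report order."""
    return [fix for _, _, fix in findings if fix]


if __name__ == "__main__":
    report = audit_policy(parse_policy(SAMPLE_OUTPUT))
    for severity, message, fix in report:
        print(f"[{severity}] {message}")
        if fix:
            print(f"    fix: {fix}")
```

The parser keys on the labels as printed, so a different Junos release that renames a field would simply leave that check unreported rather than pass it silently; compare the parsed dict against the raw output before trusting a clean result.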

Use the show security policies CLI command to view your firewall policy settings. Juniper ATP Cloud inspection takes effect only where the advanced-anti-malware policy (here aamwpolicy1) is attached as an application service of a security policy, and inspecting HTTPS traffic also requires the ssl-proxy service on that same policy, as shown for firewall-policy1. Security policies are evaluated in order and the first match wins, so two policies with identical match conditions, like policy 1 and firewall-policy1 in this output, leave the second one unreached; in a live configuration, attach the services to the policy that actually matches the traffic.

user@host# show security policies
from-zone trust to-zone untrust {
    policy 1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    security-intelligence-policy SecIntel;
                }
            }
        }
    }
    policy firewall-policy1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    ssl-proxy {
                        profile-name ssl-inspect-profile;
                    }
                    advanced-anti-malware-policy aamwpolicy1;
                }
            }
        }
    }
}

For more examples, see Example: Configuring a Juniper Advanced Threat Prevention Cloud Policy Using the CLI.
