Example: Configuring a Juniper Sky Advanced Threat Prevention Policy Using the CLI


This example shows how to create a Juniper Sky ATP policy using the CLI. It assumes you already know how to configure security zones and security policies. See Example: Creating Security Zones.

Requirements

This example uses the following hardware and software components:

  • An SRX1500 device with traffic through packet forwarding.

  • Junos OS Release 15.1X49-D80 or later.

    Note

    Starting in Junos OS Release 15.1X49-D80, the match-then condition has been deprecated from the Juniper Sky ATP policy configuration. For more information, see Juniper Sky Advanced Threat Prevention Release Notes for Junos 15.1X49-D80. This example includes those updates.

    Note

    Junos OS Release 18.2R1 or later adds explicit web proxy support for anti-malware and security-intelligence policies using the following statements: set services advanced-anti-malware connection proxy-profile proxy_name and set services security-intelligence proxy-profile proxy_name. First use the set services command to configure the web proxy profile, including the proxy host IP address and port number. See Explicit Web Proxy Support for details.

Overview

This example creates a Juniper Sky ATP policy that has the following properties:

  • Policy name is aamwpolicy1.

  • Profile name is default_profile.

  • Block any file if its returned verdict is greater than or equal to 7 and create a log entry.

  • Do not create a log entry if a file has a verdict less than 7.

  • When there is an error condition, allow files to be downloaded and create a log entry.

  • Create a log entry when attempting to download a file from a site listed in the blacklist or whitelist files.

Configuration

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

Note

Starting in Junos OS Release 15.1X49-D80, the match-then condition has been deprecated from the Juniper Sky ATP policy configuration. Configurations made prior to 15.1X49-D80 will continue to work, but it is recommended that you do not use these statements going forward. For more information, see Juniper Sky ATP Release Notes (for Junos 15.1X49-D80).

  1. Create the Juniper Sky ATP policy.
    • Set the policy name to aamwpolicy1 and block any file if its returned verdict is greater than or equal to 7.

      user@host# set services advanced-anti-malware policy aamwpolicy1 verdict-threshold 7

    • Associate the policy with the default_profile profile.

      user@host# set services advanced-anti-malware policy aamwpolicy1 http inspection-profile default_profile

    • Block any file if its returned verdict is greater than or equal to 7 and create a log entry.

      user@host# set services advanced-anti-malware policy aamwpolicy1 http action block notification log

    • When there is an error condition, allow files to be downloaded and create a log entry.

      user@host# set services advanced-anti-malware policy aamwpolicy1 fallback-options action permit

      user@host# set services advanced-anti-malware policy aamwpolicy1 fallback-options notification log

    • Create a log entry when attempting to download a file from a site listed in the blacklist or whitelist files.

      user@host# set services advanced-anti-malware policy aamwpolicy1 blacklist-notification log

      user@host# set services advanced-anti-malware policy aamwpolicy1 whitelist-notification log

    • For SMTP, you only need to specify the inspection profile name; the action to take is defined in the Juniper Sky ATP cloud portal rather than in the policy.

      user@host# set services advanced-anti-malware policy aamwpolicy1 smtp inspection-profile my_smtp_profile

  2. Configure the firewall policy to enable the advanced anti-malware application service.
  3. Configure the SSL proxy profile to inspect HTTPS traffic.
  4. Configure the SSL forward proxy to inspect HTTPS traffic.

    Note that this command assumes you have already configured ssl-inspect-ca, the CA used by the SSL forward proxy. If you have not already done so, an error occurs when you commit this configuration. See Enabling Juniper Sky ATP for Encrypted HTTPS Connections for more information on configuring ssl-inspect-ca.

  5. Review your policy. It should look similar to this.
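Once the policy is committed, the properties listed in the Overview are the baseline you want every SRX in the fleet to keep; in practice they drift (a threshold relaxed during troubleshooting, a fallback-options notification dropped). The following Python script is an added example, not part of the Juniper documentation or Junos itself. It parses the set statements from step 1 as they would appear in set-format configuration output (assumed here to be `show configuration services advanced-anti-malware | display set`), and audits each advanced-anti-malware policy against that baseline: threshold no weaker than 7, HTTP inspection with a block action that is logged, a fail-open fallback (action permit) only if it is logged, and blacklist/whitelist hits logged. The second configuration (`DRIFTED_SET_LINES`) is constructed for illustration and is not from the page.

```python
"""Audit Juniper Sky ATP (advanced-anti-malware) policies from set-format config.

Added example, not Juniper's code. Input format assumed: one `set ...`
statement per line, as produced by `| display set` on a Junos device.
"""
from typing import Dict, List, Optional

Statement = List[str]  # tokens after the policy name

# Constructed sample: the step 1 statements of this example in set format.
SAMPLE_SET_LINES = """\
set services advanced-anti-malware policy aamwpolicy1 verdict-threshold 7
set services advanced-anti-malware policy aamwpolicy1 http inspection-profile default_profile
set services advanced-anti-malware policy aamwpolicy1 http action block notification log
set services advanced-anti-malware policy aamwpolicy1 fallback-options action permit
set services advanced-anti-malware policy aamwpolicy1 fallback-options notification log
set services advanced-anti-malware policy aamwpolicy1 blacklist-notification log
set services advanced-anti-malware policy aamwpolicy1 whitelist-notification log
set services advanced-anti-malware policy aamwpolicy1 smtp inspection-profile my_smtp_profile
"""

# Constructed drifted configuration (not from the documentation): the
# threshold was relaxed to 9 and the fallback fail-open is no longer logged.
DRIFTED_SET_LINES = """\
set services advanced-anti-malware policy aamwpolicy1 verdict-threshold 9
set services advanced-anti-malware policy aamwpolicy1 http inspection-profile default_profile
set services advanced-anti-malware policy aamwpolicy1 http action block notification log
set services advanced-anti-malware policy aamwpolicy1 fallback-options action permit
set services advanced-anti-malware policy aamwpolicy1 blacklist-notification log
set services advanced-anti-malware policy aamwpolicy1 whitelist-notification log
"""

POLICY_PREFIX = ("set", "services", "advanced-anti-malware", "policy")


def parse_set_lines(text: str) -> Dict[str, List[Statement]]:
    """Group advanced-anti-malware policy statements by policy name."""
    policies: Dict[str, List[Statement]] = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if tuple(tokens[:4]) != POLICY_PREFIX or len(tokens) < 6:
            continue  # not a policy statement we audit
        policies.setdefault(tokens[4], []).append(tokens[5:])
    return policies


def value_after(stmts: List[Statement], *path: str) -> Optional[str]:
    """Token following `path` in the first statement that starts with it."""
    for s in stmts:
        if tuple(s[:len(path)]) == path and len(s) > len(path):
            return s[len(path)]
    return None


def logs_under(stmts: List[Statement], section: str) -> bool:
    """True if a statement under `section` carries `notification log`."""
    for s in stmts:
        if s and s[0] == section and "notification" in s:
            i = s.index("notification")
            if i + 1 < len(s) and s[i + 1] == "log":
                return True
    return False


def audit_policy(stmts: List[Statement], expected_threshold: int = 7) -> List[str]:
    """Return findings (empty list means the policy matches the baseline)."""
    findings: List[str] = []
    threshold = value_after(stmts, "verdict-threshold")
    if threshold is None:
        findings.append("verdict-threshold missing: no verdict triggers a block")
    elif int(threshold) > expected_threshold:
        findings.append(f"verdict-threshold {threshold} is weaker than baseline {expected_threshold}")
    if value_after(stmts, "http", "inspection-profile") is None:
        findings.append("http inspection-profile missing: HTTP downloads are not inspected")
    if value_after(stmts, "http", "action") != "block":
        findings.append("http action is not block")
    elif not logs_under(stmts, "http"):
        findings.append("http block verdicts are not logged")
    # Fail-open on error is acceptable only when it leaves a log trail.
    if value_after(stmts, "fallback-options", "action") == "permit" and not logs_under(stmts, "fallback-options"):
        findings.append("fallback-options permit (fail-open) without notification log")
    for section in ("blacklist-notification", "whitelist-notification"):
        if value_after(stmts, section) != "log":
            findings.append(f"{section} log missing")
    return findings


def audit_config(text: str, expected_threshold: int = 7) -> Dict[str, List[str]]:
    """Audit every advanced-anti-malware policy found in set-format text."""
    return {name: audit_policy(stmts, expected_threshold)
            for name, stmts in parse_set_lines(text).items()}


if __name__ == "__main__":
    for label, cfg in (("baseline", SAMPLE_SET_LINES), ("drifted", DRIFTED_SET_LINES)):
        for name, findings in audit_config(cfg).items():
            print(f"{label}/{name}: {findings or 'OK'}")
```

Run it against the set-format output captured from each device; the baseline configuration above yields no findings, while the drifted copy reports the relaxed threshold and the unlogged fail-open. The checks deliberately treat a lower threshold as acceptable (it blocks more, not less) and only flag thresholds above the baseline.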

Verification

Verifying That the Policy Is Working

Purpose

Action

First, verify that your SRX Series device is connected to the cloud.

Next, clear the statistics to make it easier to read your results.

After some traffic has passed through your SRX Series device, check the statistics to see how many sessions were permitted, blocked, and so forth according to your profile and policy settings.