advanced-anti-malware policy
Syntax
Release Information
Command introduced in Junos OS Release 15.1X49-D33.
Description
The connection to the Juniper Advanced Threat Prevention Cloud is launched on demand. It is established only when a condition is met and a file or URL must be sent to the cloud. The cloud inspects the file and returns a verdict number (1 through 10). The verdict number is a score, or threat level: the higher the number, the more likely the file is malware. The SRX Series device compares this verdict number to the Juniper Advanced Threat Prevention Cloud policy settings and either permits or denies the session. If the session is denied, a reset packet is sent to the client and the packets from the server are dropped.
Juniper Advanced Threat Prevention Cloud policies extend the Junos OS security policies by defining the actions to take when a file is considered malware, or when an attempt is made to download a file from a location that is on a custom blocklist or allowlist.
Use this command to configure the Juniper Advanced Threat Prevention Cloud policy.
Options
Starting in Junos OS Release 18.2R1, for unified policies, a default policy can be used for anti-malware and security-intelligence policies. The commands are set services security-intelligence default-policy and set services advanced-anti-malware default-policy. During the initial policy lookup phase, which occurs before a dynamic application has been identified, the list of potentially matching security policies may reference different security-intelligence or anti-malware policies; in that case the SRX Series device applies the default policy until a more explicit match occurs. See the Juniper ATP Cloud Administration Guide and your SRX Series documentation for more details on unified policies.
Table 1 shows examples of using the Juniper Advanced Threat Prevention Cloud policy options.
Table 1: Juniper Advanced Threat Prevention Cloud Security Policy Additions
Addition | Description |
---|---|
Action and notification based on the verdict number and threshold | Defines the threshold value and what to do when the verdict number is greater than or equal to the threshold. For example, if the threshold is 7 and Juniper Advanced Threat Prevention Cloud returns a verdict number of 9 for a file, then that file is blocked from being downloaded and a log entry is created. set services advanced-anti-malware policy aamwpol1 match verdict-threshold 7 |
Default action and notification | Defines what to do when the verdict number is less than the threshold. For example, if the threshold is 7 and Juniper Advanced Threat Prevention Cloud returns a verdict number of 3 for a file, then that file is allowed to be downloaded and a log entry is created. set services advanced-anti-malware policy aamwpol1 default-notification log |
Name of the inspection profile | Name of the Juniper Advanced Threat Prevention Cloud profile that defines the types of file to scan. set services advanced-anti-malware policy aamwpol1 inspection-profile profile1 |
Fallback options | Defines what to do when error conditions occur or when there is a lack of resources. The following fallback options are available: set services advanced-anti-malware policy aamwpol1 fallback-options action block set services advanced-anti-malware policy aamwpol1 fallback-options notification log |
Blocklist notification | Defines whether to create a log entry when attempting to download a file from a site listed in the blocklist file. set services advanced-anti-malware policy aamwpol1 blacklist-notification log |
Whitelist notification | Defines whether to create a log entry when attempting to download a file from a site listed in the allowlist file. set services advanced-anti-malware policy aamwpol1 whitelist-notification log |
User notification of malware on block action | (Starting in Junos 19.3R1) This command allows you to configure HTTP and HTTPS URL redirection for a customized client notification based on detected malware with the block action. A block message can only be sent when a block action is configured. Note: See request services advanced-anti-malware redirect-file for details on adding a custom file. set services advanced-anti-malware policy p1 http client-notify message set services advanced-anti-malware policy p1 http client-notify file set services advanced-anti-malware policy p1 http client-notify redirect-url <enter URL> |
Block or permit malware when file verdict is “unknown” | (Starting in Junos 19.3R1) This command allows you to permit or block malware based on the detected file having a verdict of “unknown.” By default, an “unknown” file verdict is permitted. (Note this only applies to HTTP and HTTPS traffic.) set services advanced-anti-malware policy p1 http file-verdict-unknown <block|permit> |
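The description above and Table 1 spread the decision the SRX makes across several knobs: the verdict threshold, the default action below it, the fallback action when the cloud cannot answer, the "unknown" verdict, and the custom blocklist and allowlist. The following Python model is an added illustration, not Juniper code and not the Junos CLI: it folds those knobs into one evaluation function and runs it over constructed download events. The field names, the hostnames and scores in the sample events, and the evaluation order (custom lists before the cloud verdict, fallback before the unknown check) are assumptions made for the model; the page does not state that order.

```python
"""Model of how an SRX applies an advanced-anti-malware policy to a verdict.

Added illustration only: the fields mirror the policy options on this page,
but the evaluation order and all sample data are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AamwPolicy:
    """The knobs from Table 1 as Python fields (names are my own)."""
    name: str
    verdict_threshold: int = 7              # verdict >= threshold -> action
    action: str = "block"                   # what to do at or above the threshold
    notification_log: bool = True           # log when the threshold action fires
    default_notification_log: bool = True   # log when verdict < threshold (file permitted)
    fallback_action: str = "permit"         # fallback-options action (cloud error, no resources)
    fallback_notification_log: bool = True  # fallback-options notification log
    blacklist_notification_log: bool = True
    whitelist_notification_log: bool = True
    file_verdict_unknown: str = "permit"    # http file-verdict-unknown; permit is the default
    blocklist: List[str] = field(default_factory=list)   # custom blocklist hosts (assumed)
    allowlist: List[str] = field(default_factory=list)   # custom allowlist hosts (assumed)


@dataclass
class FileEvent:
    """One download as the SRX sees it. score None means the cloud said 'unknown'."""
    source_host: str
    score: Optional[int]
    cloud_error: bool = False   # constructed flag: cloud unreachable or out of resources


def evaluate(policy: AamwPolicy, ev: FileEvent) -> Tuple[str, Optional[str]]:
    """Return (action, log line or None) for one event.

    Order is an assumption for this model: custom lists first (no cloud
    round trip needed), then fallback, then the unknown verdict, then the
    numeric verdict against the threshold.
    """
    if ev.source_host in policy.allowlist:
        msg = f"{policy.name}: allowlist hit {ev.source_host}, permit"
        return "permit", msg if policy.whitelist_notification_log else None
    if ev.source_host in policy.blocklist:
        msg = f"{policy.name}: blocklist hit {ev.source_host}, block"
        return "block", msg if policy.blacklist_notification_log else None
    if ev.cloud_error:
        msg = f"{policy.name}: cloud unavailable, fallback {policy.fallback_action}"
        return policy.fallback_action, msg if policy.fallback_notification_log else None
    if ev.score is None:
        # The page defines no separate notification knob for "unknown"; always logged here (assumption).
        return policy.file_verdict_unknown, f"{policy.name}: verdict unknown, {policy.file_verdict_unknown}"
    if not 1 <= ev.score <= 10:
        raise ValueError(f"verdict number out of range: {ev.score}")
    if ev.score >= policy.verdict_threshold:   # threshold is inclusive, as the page states
        msg = f"{policy.name}: verdict {ev.score} >= {policy.verdict_threshold}, {policy.action}"
        return policy.action, msg if policy.notification_log else None
    msg = f"{policy.name}: verdict {ev.score} < {policy.verdict_threshold}, permit"
    return "permit", msg if policy.default_notification_log else None


# Constructed policy matching the aamwpol1 examples in Table 1: threshold 7, block, log everything.
POLICY = AamwPolicy(
    name="aamwpol1",
    verdict_threshold=7,
    blocklist=["bad.example.net"],
    allowlist=["updates.example.org"],
)

# Constructed sample events; none of these hosts or scores come from the page.
SAMPLE_EVENTS = [
    FileEvent("cdn.example.com", 9),                        # above threshold -> block
    FileEvent("cdn.example.com", 3),                        # below threshold -> permit, logged
    FileEvent("updates.example.org", 10),                   # allowlist wins even over a score of 10
    FileEvent("bad.example.net", 1),                        # blocklist wins even over a clean score
    FileEvent("cdn.example.com", None),                     # unknown verdict -> permit by default
    FileEvent("cdn.example.com", None, cloud_error=True),   # fallback action applies
]


def run_samples(policy: AamwPolicy = POLICY, events: List[FileEvent] = SAMPLE_EVENTS) -> List[str]:
    """Evaluate every sample event and return the resulting actions in order."""
    actions = []
    for ev in events:
        action, log = evaluate(policy, ev)
        actions.append(action)
        if log:
            print(log)
    return actions


if __name__ == "__main__":
    print(run_samples())
```

The two cases worth checking on a real deployment are the last ones: an "unknown" verdict and a cloud outage are both permitted under the defaults shown on this page, so a policy that must fail closed needs both http file-verdict-unknown block and fallback-options action block, not just a low verdict-threshold.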
Additional Information
The easiest way to verify that the policy is working as expected is to test data traffic. You can also inspect the SRX session table from operational mode (from configuration mode, prefix the command with run):
user@host> show security flow session
Use the show services advanced-anti-malware policy CLI command to view your Juniper Advanced Threat Prevention Cloud policy settings.
```
user@host> show services advanced-anti-malware policy
Advanced anti-malware configuration:
Policy Name: p1
  Inspection-profile: default_profile
  Applications: HTTP
  Verdict-threshold: 9
  Action: Block
  Notification: Log
  Default-Notification: Log
  Whitelist-Notification: Log
  Blacklist-Notification: Log
  Fallback Options:
    Action: Permit
    Notification: Log
```
Required Privilege Level
view
Related Documentation
List of Sample Output
Output Fields
This command has no output.