
set services security-intelligence

 

Syntax

Release Information

Command introduced in Junos OS 12.1X46. Starting with Junos OS 15.1X49-D110, this command adds the feed-name option which can be used in security intelligence rules. Prior to Junos OS 15.1X49-D100 you could perform HTTP URL redirect based on threat levels. With feed-name, you can now perform HTTP URL redirection based on a feed name.

User notification of infected hosts—As of Junos OS 18.1R1, there is support for HTTP URL redirection based on infected hosts with the block action. This allows for administrator notification of infected hosts. During the processing of a session IP address, if the IP address is on the infected hosts list and HTTP traffic is using port 80 or 8080, infected hosts HTTP redirection can be done. If HTTP traffic is using dynamic ports, HTTP traffic redirection cannot be done. See the command at the bottom of this page.

The disable-global-feed option is introduced in Junos OS Release 20.1R1.

Description

Using this command, you can configure security intelligence profiles and policies to work with security intelligence feeds, such as infected hosts and C&C. You then configure a firewall policy to include the security intelligence policy, for example, block outgoing requests to a C&C host.

A security intelligence rule can have multiple feed names (feed-name) with multiple threat levels. Specifying the threat level is required, but feed-name is optional. Juniper Sky ATP makes sure there is no duplicate feed-name associated with threat levels configured in the same profile. Juniper Sky ATP uses the following approach:

  • If feed-name is configured, it looks up the feed-name first.

  • If no feed-name is configured or the feed-name does not match, it uses the threat level rules.

  • If no rules are present or match, the profile’s default rule is used.
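The rule-selection order above (feed-name lookup first, then threat-level rules, then the profile default) and the port condition for infected-host HTTP redirection (ports 80 and 8080 only, no redirection on dynamic ports) can be modelled in a few lines. The following Python is an added illustration, not Juniper code: Junos OS exposes no such API, and the Rule, Profile and Session structures, the sample profile and the session values are all constructed here.

```python
"""Model of the security-intelligence rule evaluation order described above.

Added illustration, not Juniper code. The data structures below are
assumptions made for the example; Junos OS does not expose this logic.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Page: infected-host HTTP redirection is only possible on these ports.
HTTP_REDIRECT_PORTS = {80, 8080}


@dataclass
class Rule:
    name: str
    threat_levels: Set[int]            # required on the page
    action: str                        # e.g. "block close" or "permit"
    feed_name: Optional[str] = None    # optional on the page
    redirect_url: Optional[str] = None # only meaningful with a block action


@dataclass
class Profile:
    name: str
    category: str
    rules: List[Rule]
    default_action: str = "permit"     # hypothetical default for the example


@dataclass
class Session:
    feed_name: Optional[str]   # feed that listed the session's IP, if any
    threat_level: int
    dst_port: int


def validate_profile(profile: Profile) -> None:
    """Reject duplicate feed-name/threat-level pairs within one profile
    (the page says Sky ATP enforces this)."""
    seen = set()
    for rule in profile.rules:
        for level in rule.threat_levels:
            key = (rule.feed_name, level)
            if key in seen:
                raise ValueError(f"duplicate feed-name/threat-level {key} in {profile.name}")
            seen.add(key)


def select_rule(profile: Profile, session: Session) -> Optional[Rule]:
    """Apply the three-step lookup order from the page."""
    # 1. If a feed-name is configured, look it up first.
    if session.feed_name is not None:
        for rule in profile.rules:
            if rule.feed_name == session.feed_name and session.threat_level in rule.threat_levels:
                return rule
    # 2. Otherwise fall back to threat-level-only rules.
    for rule in profile.rules:
        if rule.feed_name is None and session.threat_level in rule.threat_levels:
            return rule
    # 3. No rule matched: caller applies the profile default.
    return None


def evaluate(profile: Profile, session: Session) -> Tuple[str, str, Optional[str]]:
    """Return (rule name, action, redirect URL or None) for a session."""
    rule = select_rule(profile, session)
    if rule is None:
        return ("default", profile.default_action, None)
    # Redirection rides on the block action and only on ports 80/8080;
    # on dynamic ports the session is still blocked, just not redirected.
    if rule.action.startswith("block") and rule.redirect_url and session.dst_port in HTTP_REDIRECT_PORTS:
        return (rule.name, rule.action, rule.redirect_url)
    return (rule.name, rule.action, None)


def build_sample_profile() -> Profile:
    """Constructed sample mirroring the page's secintel_rule1 and CC_rule examples."""
    profile = Profile(
        name="secintel_profile",
        category="CC",
        rules=[
            Rule("secintel_rule1", {7, 8, 9, 10}, "block close",
                 feed_name="custom_feed1", redirect_url="http://www.test.com/url1.html"),
            Rule("CC_rule", {8, 9, 10}, "block close"),
        ],
    )
    validate_profile(profile)
    return profile


if __name__ == "__main__":
    prof = build_sample_profile()
    print(evaluate(prof, Session("custom_feed1", 9, 80)))   # redirected
    print(evaluate(prof, Session("custom_feed1", 9, 4444))) # blocked, no redirect
    print(evaluate(prof, Session("other_feed", 9, 80)))     # threat-level rule
    print(evaluate(prof, Session(None, 5, 80)))             # profile default
```

The evaluation order is what matters operationally: a feed-name rule only wins when both the feed and the threat level match, and a missed feed-name lookup silently falls through to the threat-level rules, so a rule that exists only under a feed name will not catch the same IP when it arrives via a different feed.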

Options

authentication

Configure authentication, such as an auth token or TLS profile, to communicate with the feed server. This operation is performed by the ops script used to enroll your devices and is typically not required afterwards. If you have problems establishing a connection with the Juniper Sky ATP cloud server, it is recommended that you rerun the ops script instead of manually entering all the CLI commands.

category (all | category-name)

Category to be disabled. You can disable a specific category or all. This option is used for temporarily disabling a category during debugging phases.

disable-global-feed (all | feed-name (CC_IP | CC_URL))

Disable the Juniper C&C IP and URL feeds to free resources on SRX Series devices. The resources are then available for loading custom feeds. The available options are all, CC_IP or CC_URL.

  • all—Applies to all feeds.

  • CC_IP—Applies to the global CC IP feed.

  • CC_URL—Applies to the global CC URL feed.

policy policy-name category profile-name

Configure the security intelligence policy. You specify the category (such as CC) and the security intelligence profile to associate with this policy.

profile profile-name category rule rule-name (match | then)

Configure a security intelligence profile. You specify the profile name, the category (such as CC), and any rules and actions (such as threat level scores, or whether to permit or drop the session).

traceoptions

Set security intelligence trace options.

url url-address

Configure the URL of the feed server. This operation is performed by the ops script used to enroll your devices and is typically not required afterwards. If you have problems establishing a connection with the Juniper Sky ATP cloud server, it is recommended that you rerun the ops script instead of manually entering all the CLI commands.

url-parameter url-parameter

This is an internal option. Do not use this option unless instructed to by Juniper Networks Technical Support.

block close infected host file message|redirect-URL

Provides HTTP URL redirection based on infected hosts with the block action. This allows for administrator notification of infected hosts. During the processing of a session IP address, if the IP address is on the infected hosts list and HTTP traffic is using port 80 or 8080, infected hosts HTTP redirection can be done. If HTTP traffic is using dynamic ports, HTTP traffic redirection cannot be done.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

List of Sample Output

set services security-intelligence profile secintel_profile rule

set services security-intelligence profile

set services security-intelligence profile

set services advanced-anti-malware connection authentication

set services security-intelligence url

set services security-intelligence profile secintel_profile rule secintel_rule2 then action block close infected host|http redirect-url http://www.test.com/url2.html

set services security-intelligence disable-global-feed all

set services security-intelligence disable-global-feed feed-name CC_IP

set services security-intelligence disable-global-feed feed-name CC_URL

Output Fields

There are no output fields for this command.

Sample Output

set services security-intelligence profile secintel_profile rule

This example performs feed name-based URL redirection.

user@host# set services security-intelligence profile secintel_profile rule secintel_rule1 match feed-name custom_feed1

user@host# set services security-intelligence profile secintel_profile rule secintel_rule1 match threat-level 7

user@host# set services security-intelligence profile secintel_profile rule secintel_rule1 match threat-level 8

user@host# set services security-intelligence profile secintel_profile rule secintel_rule1 match threat-level 9

user@host# set services security-intelligence profile secintel_profile rule secintel_rule1 match threat-level 10

user@host# set services security-intelligence profile secintel_profile rule secintel_rule1 then action block close http redirect-url http://www.test.com/url1.html



user@host# set services security-intelligence profile secintel_profile rule secintel_rule2 match feed-name custom_feed2

user@host# set services security-intelligence profile secintel_profile rule secintel_rule2 match threat-level 7

user@host# set services security-intelligence profile secintel_profile rule secintel_rule2 match threat-level 8

user@host# set services security-intelligence profile secintel_profile rule secintel_rule2 match threat-level 9

user@host# set services security-intelligence profile secintel_profile rule secintel_rule2 match threat-level 10

user@host# set services security-intelligence profile secintel_profile rule secintel_rule2 then action block close http redirect-url http://www.test.com/url2.html

 

set services security-intelligence profile

user@host# set services security-intelligence profile cc_profile category CC

 

set services security-intelligence profile

This example configures a profile name, a profile rule and the threat level scores. Anything that matches these scores is considered malware or an infected host.

user@host# set services security-intelligence profile cc_profile rule CC_rule match threat-level [8 9 10]

 

set services advanced-anti-malware connection authentication

This example defines the TLS profile, typically done by the ops script when enrolling devices.

user@host# set services advanced-anti-malware connection authentication tls-profile aamw-ssl

 

set services security-intelligence url

This example defines the feed server URL, typically done by the ops script when enrolling devices.

user@host# set services security-intelligence url https://cloudfeeds.argon.junipersecurity.net/api/manifest.xml

set services security-intelligence profile secintel_profile rule secintel_rule2 then action block close infected host|http redirect-url http://www.test.com/url2.html

User notification of infected hosts—(Starting in Junos 18.1R1) This command allows you to configure HTTP URL redirection based on infected hosts with the block action. During the processing of a session IP address, if the IP address is on the infected hosts list and HTTP traffic is using port 80 or 8080, infected hosts HTTP redirection to a specified URL can be used in conjunction with the block action. This allows administrators to receive a notification of the block action. Note that if HTTP traffic is using dynamic ports, HTTP traffic redirection cannot be done.

The syntax for the command is as follows:

Syntax: set services security-intelligence profile <name> then action block close <file message|redirect-URL>

For example:

user@host# set services security-intelligence profile secintel_profile rule secintel_rule2 then action block close infected host|http redirect-url http://www.test.com/url2.html

To view the HTTP URL redirection counter, type show services security-intelligence statistics.

set services security-intelligence disable-global-feed all

This example disables the global feed in all SecIntel configurations.

user@host# set services security-intelligence disable-global-feed all

set services security-intelligence disable-global-feed feed-name CC_IP

This example disables the global CC IP feeds in SecIntel configurations.

user@host# set services security-intelligence disable-global-feed feed-name CC_IP

set services security-intelligence disable-global-feed feed-name CC_URL

This example disables the global CC URL feeds in SecIntel configurations.

user@host# set services security-intelligence disable-global-feed feed-name CC_URL