    Creating Sky Advanced Threat Prevention Whitelists and Blacklists

    To create Sky Advanced Threat Prevention whitelists and blacklists:

    1. Select Configuration.

      The landing page appears.

      Figure 1: Whitelist and Blacklist Window

    2. Click Whitelists to create a whitelist or click Blacklists to create a blacklist, and click Create.

      You can create whitelists or blacklists using one type or multiple types. You can change types using the Type list in the Create window. See Figure 2.

      Figure 2: Selecting the Whitelist or Blacklist Type From the Create Window


      Note: If you select a type, such as whitelist URL, from the left navigation pane before clicking Create, you can create only that type. See Figure 3.

      Figure 3: Preselecting the Whitelist or Blacklist Type Limits You to That Type

    3. Create your entry using the following guidelines (for more examples, see the Web UI infotips):

      Type: URLs

      Description:

      Wildcard (*) is not supported. Every URL entry is treated as if it began with a wildcard, so “juniper.net” is the same as *.juniper.net and includes a.juniper.net, a.b.juniper.net, and a.juniper.net/asd. If a.juniper.net is entered, then b.a.juniper.net is included, but not c.juniper.net.

      Do not include protocols, such as HTTP or HTTPS, in your entry. Protocols are automatically handled by Sky Advanced Threat Prevention.

      Paths are supported. If juniper.net/asd is entered, then x.juniper.net/asd/good is included but not juniper.net/qwe.

      Examples:

      juniper.net (matches webdownload.juniper.net, juniper.net/about, and so forth)

      juniper.net/techpubs

      Type: IPs

      Description:

      IP Address: Only IPv4 addresses are supported with this release.

      IP Range: IP addresses can also be shown as a range.

      CIDR: Classless Interdomain Routing (CIDR) notation specifies an IP address and its associated routing prefix.

      Examples:

      172.16.254.1

      172.16.0.0 – 172.31.255.255 or 122.140.201-205.*

      192.168.0.1.0/24.

      Type: Domains

      Description:

      The name must have fewer than 63 characters. Wildcard characters are not supported.

      Examples:

      juniper.net

    4. Click OK.
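
    The URL guidelines in step 3 (implicit leading wildcard, no protocol, path prefix) can be checked offline before an entry goes into a whitelist, so you can see how much an entry really covers. The following is an added example, not Juniper code: the function names are hypothetical, and matching on whole host labels and whole path segments is an assumption of this sketch.

```python
import re

# Added example: models the URL-entry rules documented above. Matching on
# whole host labels and whole path segments is an assumption of this sketch.

def _split(value):
    """Return (host_labels, path_segments) for an entry or URL, ignoring the protocol."""
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value.strip(), flags=re.I)
    value = re.split(r"[?#]", value, maxsplit=1)[0]
    host, _, path = value.partition("/")
    host = host.rsplit("@", 1)[-1].split(":", 1)[0].lower().rstrip(".")
    return host.split("."), [seg for seg in path.split("/") if seg]


def validate_entry(entry):
    """Reject entries the guidelines disallow: wildcards and protocols."""
    if "*" in entry:
        raise ValueError("wildcard (*) is not supported in URL entries")
    if "://" in entry:
        raise ValueError("do not include a protocol such as http:// or https://")
    return entry


def entry_covers(entry, url):
    """True if `url` falls under `entry` (implicit leading wildcard, path prefix)."""
    e_host, e_path = _split(validate_entry(entry))
    u_host, u_path = _split(url)
    host_ok = u_host[-len(e_host):] == e_host      # a.juniper.net under juniper.net
    path_ok = u_path[:len(e_path)] == e_path       # /asd/good under /asd
    return host_ok and path_ok


if __name__ == "__main__":
    # Constructed audit list built from the hostnames used on this page.
    candidates = ["https://a.b.juniper.net/", "x.juniper.net/asd/good",
                  "juniper.net/qwe", "c.juniper.net", "notjuniper.net"]
    for entry in ("juniper.net", "a.juniper.net", "juniper.net/asd"):
        covered = [u for u in candidates if entry_covers(entry, u)]
        print(f"{entry:18} covers {covered}")
```

    Running an entry against a list of URLs seen in your own proxy logs shows whether a short whitelist entry exempts more hosts or paths than intended.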

    To edit an existing whitelist or blacklist entry, select the check box next to the entry you want to edit and click the pencil icon.

    Sky Advanced Threat Prevention periodically polls for new and updated content and automatically downloads it to your SRX Series device. There is no need to manually push your whitelist or blacklist files.

    Use the show security dynamic-address instance advanced-anti-malware CLI command to view the IP-based whitelists and blacklists on your SRX Series device. There is no CLI command to show the domain-based or URL-based whitelists and blacklists at this time.

    Example show security dynamic-address instance advanced-anti-malware Output

    user@host> show security dynamic-address instance advanced-anti-malware 
    No.      IP-start        IP-end          Feed             Address           
    1        5.5.0.0         5.5.0.10        global_whitelist ID-00000003      
    2        11.11.0.0       11.11.0.10      global_blacklist ID-00000004      
    

    If you do not see your updates, wait a few minutes and try the command again. You might be outside the Sky Advanced Threat Prevention polling period.

    Next, create an advanced anti-malware policy that controls whether an attempt to download a file from a site listed in the blacklist or whitelist files is logged. For example, the following commands create a policy named aamwpolicy1 that creates log entries.

    set services advanced-anti-malware policy aamwpolicy1 blacklist-notification log
    set services advanced-anti-malware policy aamwpolicy1 whitelist-notification log

    For more information on Sky Advanced Threat Prevention policies, see Sky Advanced Threat Prevention Policy Overview.

    Modified: 2016-02-01