Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Tenant Systems: Security-Intelligence and Anti-Malware Policies

 

Tenant systems allow you to allocate virtual system resources, such as memory and CPU, into logical groupings to create multiple virtual firewalls. Each virtual firewall can then identify itself as a stand-alone system within one computing system. Starting in Junos OS 18.4, SRX Series devices support tenant systems for anti-malware and security-intelligence policies. When you associate a tenant system with a realm in Juniper ATP Cloud, that tenant system receives the threat management features configured for the realm. The SRX Series device will then perform policy enforcement based on tenant system and the associated Juniper ATP Cloud realm.

Note

For information on using tenant systems with SRX Series devices, please refer to the Junos documentation.

Tenant System Support for SecIntel Feeds

Starting in Junos OS 18.4, you can configure security-intelligence profiles for tenant systems .

Tenant systems enroll to ATP Cloud when the associated SRX Series device is enrolled. All tenant systems with enabled anti-malware or security-intelligence policies appear in the ATP Cloud “Enrolled Devices” page with other SRX Series devices.

Warning

Unlike physical devices, which automatically make submissions to the realm they are enrolled in, tenant system submissions are ignored until they are associated with a realm using the Realm Management page in the Juniper ATP Cloud Web UI. See Realm Management for those instructions.

Note that root-logical-system is automatically associated with the realm to which the SRX Series device is enrolled. Only root-logical-system can make submissions by default. Therefore you do not need to make an association for root-logical-system.

Here is an example of the CLI commands for a tenant system security-intelligence policy configuration. The tenant system used in this example (TSYS1) must be associated with the correct realm in Juniper ATP Cloud for the policy to get applied to the intended device:

Use the following example commands to view the infected hosts feed for a tenant system:

Or use the following:

Tenant System Support for AAMW

Starting in Junos OS 18.4, you can also configure anti-malware policies on a per tenant system basis. Here is an example of a tenant system anti-malware policy configuration:

As stated previously, the tenant system used in this example (TSYS1) must be associated with the correct realm in ATP Cloud for the policy to get applied to the intended device. See Realm Management for ATP Cloud Web UI configuration details.

Use the following command to view anti-malware policies for a tenant system.

root@SRX> show services advanced-anti-malware policy logical-systems TSYS1

Or use the following:

User1@SRX:TSYS1> show services advanced-anti-malware policy

Security Profile CLI

Administrators can configure a single security profile to assign resources to a specific tenant system, use the same security profile for more than one tenant system, or use a mix of both methods. You can configure up to 32 security profiles on an SRX Series device running logical systems.

Security profiles allow you to dedicate various amounts of a resource to the tenant systems and allow them to compete for use of the free resources. They also protect against one logical system exhausting a resource that is required at the same time by other tenant systems.

The following commands are added to the security-profile CLI.

  • aamw-policy

    For example: set system security-profile <name> aamw-policy maximum 32

  • secintel-policy

    For example: set system security-profile <name> secintel-policy maximum 32

Use the following command to view the security profiles:

show system security-profile all-resource

Note

Refer to the Junos documentation for more information on the set system security-profile command for logical systems.

Related Documentation