Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Use Case Implementation: Juniper Connected Security Automated Threat Remediation with ForeScout CounterACT and Juniper Networks Devices

 

This use case shows how to integrate and configure a ForeScout CounterACT security appliance, a Windows 7 supplicant, a Juniper Networks vSRX virtual firewall, a Juniper Networks EX4300 switch, and a Juniper Networks QFX series switch into a Juniper Connected Security.

To implement this use case for threat remediation (block or quarantine) of infected hosts with ForeScout CounterACT, perform the following required set of installation, configuration, and verification steps:

Requirements

This use case uses the following hardware and software components:

  • vSRX virtual firewall running Junos OS Release 15.1X49-D110.4 or later

  • a QFX series switch running Junos OS Release 15.1X53-D60.4 or later

  • an EX4300 switch running Junos OS Release 15.1R5.5 or later

  • Advanced Threat Prevention Cloud (ATP Cloud)

  • Junos Space Network Management Platform, Release 17.2R1 or later

  • Junos Space Security Director, Release 17.2R2 or later

  • Log Collector, Release 17.2R2 or later

  • Policy Enforcer, Release 17.2R2 or later

  • ForeScout CounterACT version 7.0.0-513-2.3.0-1605

  • A virtual machine (VM) running Windows 7 with 2x dual NIC hosts

For a list of supported devices, please refer to the Policy Enforcer Release Notes  .

Use Case Topology

The use case topology is illustrated in Figure 1

Figure 1: Juniper Connected Security Automated Threat Remediation with ForeScout CounterACT and Juniper Networks Devices Use Case Topology
Juniper
Connected Security Automated Threat Remediation with ForeScout
CounterACT and Juniper Networks Devices Use Case Topology

The Forescout CounterACT security appliance applies an agentless approach to network security and integrates with Juniper Connected Security to block or quarantine infected hosts on Juniper Networks’ devices, third-party switches, and wireless access controllers that support and do not support 802.1X protocol integration.

In this use case, the infected end user is quarantined into the user vlan VLAN31 on the EX4300 switch. The EX4300 switch has enabled ForeScout CounterACT and has 802.1X authentication enabled on ge-0/0/19. The end user authenticates to the network using 802.1X.

The following events occur in this use case:

  1. The infected endpoint is detected by ATP Cloud.
  2. Policy Enforcer downloads the infected host feed, and then enforces the infected host policy through CounterACT.
  3. CounterACT queries the server for endpoint details for the infected host’s IP address.
  4. CounterACT sends a message to the EX4300 switch, telling it to terminate the session by blocking or quarantining vlan31.
  5. Enforcement occurs on the EX4300 switch on which the endpoint is authenticated.
  6. CounterACT inventories the applications, services, and processes running on the device, checks the OS version and registry settings, and verifies the presence of security agents. As a result, a complete profile of the device and its security status is obtained.

Install and Configure Junos Space, Security Director, and Log Collector

This section shows how to install and configure Junos Space, Security Directory, and Log Collector for this use cases. These applications are used in this use case to provide the centralized policy and management application for consistent network security policies.

This section covers the following procedures:

Install Junos Space, Security Director, and Log Collector

  1. Download the Junos Space Network Management Platform image from https://www.juniper.net/support/downloads/?p=space#sw.
  2. Install Junos Space using the instructions at https://www.juniper.net/documentation/en_US/junos-space17.2/information-products/pathway-pages/junos-space-virtual-appliance-pwp.html.
  3. Install Junos Security Director using the instructions at https://www.juniper.net/documentation/en_US/junos-space17.2/topics/task/multi-task/junos-space-sd-log-collector-installing.html.
  4. Install Log Collector using the instructions at https://www.juniper.net/documentation/en_US/junos-space17.2/topics/task/multi-task/junos-space-sd-log-collector-installing.html.

Configure Basic Junos Space Networking

To configure basic Junos Space Networking in this use case:

  1. Configure relevant routes, netmask, gateway, DNS, and NTP so that all components except Log Collector can connect to the Internet.
  2. Ensure all components are in same time zone.
  3. Ensure that SSH is enabled.
  4. Ensure that Security Director can connect to the ATP Cloud server, Policy Enforcer, and all devices.

For additional information on configuring Junos Space, see Junos Space Network Management Platform Documentation.

Install the required DMI Schemas on Security Director

Download and install the correct matching Junos OS schemas to manage the Juniper Networks’ devices:

  1. Add the DMI schemas for the Juniper Networks’ devices using the instructions at https://www.juniper.net/documentation/en_US/junos-space17.2/platform/topics/task/operational/dmi-schemas-adding-updating.html.
  2. Ensure that device software version and schema version match for all managed devices (SRX Series and EX Series devices).

Install and Configure SRX Series, EX Series, and QFX Series Devices

To install and configure vSRX virtual firewalls, EX Series switches, and QFX Series switches for this use case:

  1. Configure the vSRX device as the enforcement point per your requirements. Click CLI Configuration for SRX Series Device to review the detailed Junos OS CLI code for this use case.
  2. Configure the EX4300 switch per your requirements. Click CLI Configuration for EX4300 Switch to review the detailed Junos OS CLI code for this use case. You configure the EX4300 as an 802.1X authenticator and forward the Windows 7 Supplicant’s credentials to ForeScout CounterACT through the RADIUS protocol. The EX4300 switch also mirrors traffic entering from the port where the Windows 7 Supplicant is connected to a destination port that is connected to the “Monitor” interface of the ForeScout CounterACT virtual appliance.Note

    For detailed instructions on how to deploy both the EX4300 switch and the QFX switch , click the following links:

  3. Configure the QFX switch per your requirements. Click CLI Configuration for QFX Switch to review the detailed Junos OS CLI code for this use case. You configure the QFX switch as standard access switch. The QFX switch’s uplink port on the EX4300 switch also mirrors traffic to a destination port that is connected to the Monitor interface of the ForeScout CounterACT virtual appliance.
  4. Configure basic networking on Junos devices:
    1. On all Junos devices, configure the necessary routing and DNS settings to enable Internet access, as well as connectivity to Junos Space, Policy Enforcer, and the ATP Cloud server.

    2. For the SRX device, ensure that Internet access is enabled both in-band and out-of-band.

  5. Add devices to the Junos Space Network Management platform:
    1. In Junos Space, discover and import the SRX device in your environment.

    2. In Security Director, assign, publish, and update any existing firewall policies to ensure Security Director and the SRX device are in sync.

Install and Configure Microsoft Windows Server and Active Directory

Because ForeScout CounterACT does not have a local user database to use for 802.1X authentication, you must install and configure a Windows Server 2008R2 with Active Directory.

  1. To set up and configure Windows Server 2008R2, click https://docs.microsoft.com/en-us/iis/install/installing-iis-7/install-windows-server-2008-and-windows-server-2008-r2.
  2. To set up and configure Active Directory, click https://www.petri.com/installing-active-directory-windows-server-2008.
  3. Create a user domain account to use later during 802.1X authentication.

Download, Deploy, and Configure Policy Enforcer Virtual Machine

To download, deploy, and configure the Policy Enforcer Virtual Machine:

  1. Download the Policy Enforcer virtual machine image from http://www.juniper.net/support/downloads/?p=sdpe to the management station where the vSphere client is installed.
  2. On the vSphere client, select File > Deploy OVF Template from the menu bar.
  3. Click Browse to locate the OVA file that was downloaded.
  4. Click Next and follow the instructions in the installation wizard.
  5. Once the installation is complete, log in to the virtual machine using root and abc123 as the username and password, respectively.
  6. Configure the network settings, NTP information, and customer information, and complete the wizard.

For more detailed instructions, see https://www.juniper.net/documentation/en_US/release-independent/policy-enforcer/topics/task/installation/policy-enforcer-vm-config.html.

Identify and Connect Policy Enforcer to Security Director

To identify and connect Policy Enforcer to Security Director:

  1. In Security Director, identify the Policy Enforcer virtual machine.
  2. Log in to Security Director and select Administration > PE Settings.
  3. Enter the IP address of the Policy Enforcer virtual machine and the root password, and click OK.
  4. Select Threat Prevention Type as Sky ATP with PE.Note

    At this point, do not run the wizard/guided setup.

Obtain an ATP Cloud license and Create an ATP Cloud Web Portal Account

To obtain an ATP Cloud license and create an ATP Cloud Web Portal account:

  1. ATP Cloud has three service levels: free, basic, and premium. The free license provides limited functionality and is included with the base software. To obtain and install an ATP Cloud basic or premium license, click Managing the Advanced Threat Prevention Cloud License.

    For more details on ATP Cloud service levels and license types, click Advanced Threat Prevention Cloud License Types.

  2. Create an ATP Cloud Web portal account by clicking https://sky.junipersecurity.net and filling in the required information.

Install Root CA on the ATP Cloud Supported SRX Series Devices

Note

This section is required only if you are enabling HTTPS inspection as part of a malware profile or threat prevention policy.

This section covers the following topics:

Generate Root CA Certificate using Junos OS CLI or OpenSSL on a UNIX Device

Note

Use only one of these options.

To generate a root CA certificate using the Junos OS CLI on the SRX device:

  1. Generate a PKI public key or private key pair for a local digital certificate.
  2. Using the key pair, define a self-signed certificate by providing FQDN and other details.

Or

To generate a root CA certificate using OpenSSL on a UNIX device:

  1. Generate a PKI public key or private key pair for a local digital certificate.
  2. Copy the key pair onto the SRX device or devices.
  3. On the SRX device(s), import the key pair.
  4. Apply the loaded certificate as root-ca in the SSL proxy profile.

Configure a Certificate Authority Profile Group

To configure a Certificate Authority (CA) profile group.

  1. Create the CA profile.
  2. Junos OS provides a default list of trusted CA certificates that you can load on your system using the default command option.
  3. Verify that the ssl-inspect-ca certificates are loaded.

Export and Import Root CA Certificate into a Web Browser

To export and import the Root CA Certificate into a web browser:

  1. On the SRX device, first export the root CA certificate to a .pem file.
  2. Transfer the .pem file to your Windows client.Note

    If you are using the UNIX device with OpenSSL, the certificate is already on the device and no action is required.

  3. Import the certificate into a browser.

    If you are using a Windows client, instruct the browser to trust the CA root certificate.

    • Internet Explorer (version 8.0):

      1. From the Tools menu, select Internet Options.

      2. On the Content tab, click Certificates.

      3. Select the Trusted Root Certification Authorities tab and click Import.

      4. In the Certificate Import Wizard, navigate to the required root CA certificate and select it.

    • Firefox (version 39.0):

      1. From the Tools menu, select Options.

      2. From the Advanced menu, select the Certificates tab and click View Certificate.

      3. In the Certificate Manager window, select the Authorities tab and click Import.

      4. Navigate to the required root CA certificate and select it.

    • Google Chrome (version 45.0):

      1. From the Settings menu, select Show Advanced Settings.

      2. From the Advanced menu, select the Certificates tab and click View Certificate.

      3. Under HTTPS/SSL, click Manage Certificates.

      4. In the Certificate window, select Trusted Root Certification Authorities and click Import.

      5. In the Certificate Import Wizard, navigate to the required root CA certificate and select it.

    For more details, click: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ssl-proxy-workflow-configuring.html

Or

If you are using a UNIX device, import the certificate into the browser:

Download, Deploy, and Configure the ForeScout CounterACT Virtual Machine

This section covers the following topics:

Prerequisite Tasks

Before you begin this procedure, complete the following tasks:

  1. Obtain an evaluation copy of CounterACT (version: 7.0.0-513-2.3.0-1605) to use with Policy Enforcer.
  2. Obtain a license key and the following plugin packages from the ForeScout representative:
    • ForeScout-dot1x-4.2.0.1010-42001010.fpi

    • ForeScout-eds-3.2.0-32000032.fpi

    • ForeScout-webapi-1.2.2-12020005.fpi

  3. Download and deploy the CounterACT (CA) OVF or the ISO file on an ESXi host.
    • If you download and deploy the ISO file, then:

      1. Create a new virtual machine (VM) and select other 2.6.x Linux (32bit) as the Guest OS.

      2. Upload your ISO file to Datastore.

      3. Configure your CD or DVD drive to boot from Datastore ISO file.

      Note

      Before you power on the VM, you must enable the Connected at power on option.

    For vSwitch and Network Adaptor configuration settings on the VM required for the Management, Monitor, and Response interfaces, click:

    For this use case, standard deployment mode was used with separate Management, Monitor, and Response interfaces. To gain greater network visibility, the EX4300 switch was configured to mirror traffic from ports where the Windows and Linux hosts were connected, to a destination port that was connected to the Monitor interface of the ForeScout CounterACT virtual appliance. This is also required for IP Address/MAC-ID binding in non-802.1X access switch deployments when no Layer 3 gateway (switch) exists to collect IP information.

    Only the Management interface is used for Auto Threat Remediation actions.

  4. Edit your VM settings based on your performance requirements.

    For more details, click https://www.forescout.com/products/specifications/.

Install and Configure CounterACT Software

To install and configure ForeScout CounterACT software:

  1. Power on the VM and follow the instructions on the console:
    1. Select Install CounterACT to begin the installation. Once the installation completes, the VM reboots.

    2. From the console, select Configure CounterACT to configure the network and system settings.

    3. Select CounterACT Appliance as the installation type.

  2. Ensure that the CounterACT Management interface can connect to the Internet to access your switches.
  3. Use a browser and enter https://pact.ly/S1lnt3 to access and install Juniper CounterACT product trial software. Enter your credentials to confirm and install the product trial software.
    Figure 2: Juniper CounterACT Trial Software Page
    Juniper CounterACT Trial Software Page

    Download and install either Windows or Linux for your operating system.

  4. From the Start menu, select ForeScout CounterACT > CounterACT Console. The CounterACT Login page appears:
    Figure 3: CounterACT Login Page
    CounterACT Login Page
    1. In the IP/Name field, enter the CounterACT device IP name.

    2. From the Login Method list, select Password to perform a standard user authentication.

    3. In the User Name and Password fields, enter your ForeScout username and password.

    4. Click Login.

  5. Download and install the CounterACT cumulative update.
    Figure 4: CounterACT Cumulative Update
    CounterACT Cumulative Update
    CounterACT Cumulative Update
  6. Log in to the console again and follow the initial setup wizard. The Welcome page displays the CounterACT component to which you logged in, and information you previously defined during the data center installation.
  7. From the License page, click Install License to install the CounterACT virtual system license.

    Click Next.

    Figure 5: License Installation Page
    License Installation Page
  8. From the Time page, define the time settings for your appliance.
    Figure 6: Time Settings Page
    Time Settings Page

    CounterACT devices require NTP connectivity (port 123 UDP) to an NTP server. Enter an NTP server for your organization’s connection, or use the default ForeScout NTP server (ntp.foreScout.net). Click Test to verify that NTP Server returns a successful connection.

    Click Next.

  9. CounterACT generates e-mail messages regarding policy and threat protection alert, scheduled reports, critical system operation alerts, and license alerts from the Mail page.Note

    For this use case, do not use the Email Notifications and Alerts option. However, you cannot skip this step, and must enter a dummy e-mail address. Click Next.

    Figure 7: Mail Settings Page
    Mail Settings Page
  10. To continue the Initial Setup Wizard, skip setting up the User Directory, Domains, and Authentication Servers plug-ins for now. You will define them later in the procedure. Click Skip >> from the wizard until the Internal Network page appears.
  11. From the Internal Network page, add the IP address range (10.10.10.0 to 10.10.30.255) for the internal network that you want CounterACT to manage. Click Next.
    Figure 8: Internal Network Settings
    Internal Network Settings
  12. From the Enforcement Mode page, enable NAT Detection, and accept the other default enforcement mode settings and click Next.
    Figure 9: Enforcement Mode Settings
    Enforcement Mode Settings
  13. From the Channels page:
    1. Define a new channel by selecting Add from the Channels list. This channel is used to match the appliance interface connections that detect and respond to traffic on the network interfaces.

    2. From the Monitor list, select eth1 as an interface.

    3. From the Response list, select eth2 as an interface.

    4. Assign both interfaces at the Data Center.

    5. Enable the All VLANs option and verify that the Monitor interface receives the mirrored traffic from the configured EX4300 switch.

    Figure 10: Channels Settings
    Channels Settings
  14. To continue the Initial Setup Wizard, skip setting up the Switch plug-in for now. You will define them later in the procedure. Click Skip >> from the wizard until the Policy page appears.
  15. From the Policy page, accept the default setting for Classify hosts (enabled) for Asset Classification. Click Next.
    Figure 11: Policy Settings
    Policy Settings
  16. From the Inventory page, accept the default setting for Enable Inventory Discovery (enabled). Click Next.
    Figure 12: Inventory Settings
    Inventory Settings
  17. From the Finish page, review the wizard configuration summary. Click Finish to complete the initial setup. Click Save to save the configuration file to the external file.
    Figure 13: Finish Initial Setup Page
    Finish Initial Setup Page
    Note

    (Optional) To disable the map functionality, select Tools > Options > Map.

  18. To download and install the updated packages, click Check for updates (or select Tools > Check for Updates).
    Figure 14: Check for Updates Screen
    Check for Updates Screen
  19. From the Software Updates page:
    1. Install the Infrastructure Update Pack.

    2. Install the second Service Pack. After the service package installation is complete, CounterACT will automatically restart. Click OK to restart the console.

      Figure 15: Service Package Installation Complete Screen
      Service Package Installation Complete Screen
    3. Log in with your credentials.

    4. Click Check for updates (or select Tools > Check for Updates) and install the other remaining software update packages.

    Note

    For this use case, de-select both HPS Inspection Engine and Macintosh/Linux Property Scanner packages. These are not required for this use case example.

Install and Configure CounterACT Plugins

CounterACT is delivered with several bundled plugins:

  • ForeScout-dot1x-4.2.0.1010-42001010.fpi

  • ForeScout-eds-3.2.0-32000032.fpi

  • ForeScout-webapi-1.2.2-12020005.fpi

These plugins link CounterACT to the network infrastructure (switches, domain servers, and user directories), and provide core endpoint detection and management functionality, including a comprehensive set of host properties and actions.

  1. Log in to the CounterACT console and select Tools > Options > Plugins to install the packages.
    Figure 16: CounterACT Plugins Screen
    CounterACT Plugins Screen
  2. Select each plugin and click Install. After the installation completes, click Close.
  3. Select Tools > Options > Plugins to verify that the following services are running:
    • User Directory

    • Switch

    • 802.1X

    • Data Exchange (DEX)

    • WebAPI

Configure User Directory Plugin

The User Directory Plugin resolves endpoint user details and performs endpoint authentication through authentication and directory servers.

To configure the User Directory servers:

  1. Select Tools > Options > User Directory. From the User Directory page, click Add.
  2. From the Edit Server page, on the General pane, define basic server parameters and functionality:
    1. Enter the hostname of the server in the Name field.

    2. From the Type list, select the server type. The server type can be any one of the following:

      Figure 17: Server Type Options
      Server Type Options
    3. Enable these configuration parameters for the server: Use as directory, Use for authentication, and Use for Console Login.

    4. Enter a comment about the server configuration in the Comment field.

    5. Click the Settings tab.

  3. From the Settings pane, define Microsoft Active Directory server parameters:
    1. In the Communication section, enter the IP address of the server in the Address field.

    2. Enter the port number in the Port field.

    3. Enable All for the Accessed By field. This ensures that all of the CounterACT devices can communicate and have access to the configured server.

    4. In the Directory section, enter the domain name in the Domain field.

    5. Enter the credentials to authenticate the directory for querying other user details in the Administrator field.

    6. Enter and verify the Administrator’s password in the Password fields.

    7. Select None for the Additional Domain Aliases field. The systems looks up a user in this directory only if its domain name matches the configured directory domain.

    8. Click the Test tab.

  4. From the Test pane, define parameters for testing the connection between the server and the User Directory Plugin.
    1. In the Directory section, enter the user name to query in the User field.

    2. In the Authentication section, enter Administrator in the User field and enter and verify the administrator’s password in the Password fields.

    3. Click OK, then click Apply to save and apply the configuration settings.

      Figure 18: User Directory Plugin Parameters
      User Directory Plugin Parameters
  5. Click Test to test your configuration.
    Figure 19: Configuration Test Screen
    Configuration Test Screen

Configure Switch Plugin

The Switch Plugin queries each switch for:

  • Switch port attributes and information about connected endpoints.

  • ARP table to discover new endpoints connected to the switch.

The information can be obtained via CLI and/or SNMP.

To configure the Switch Plugin for the EX4300 switch:

  1. Select Tools > Options > Switch. From the Switch page, click Add.
  2. From the Edit Switch page, on the General pane, define basic switch parameters and functionality.
    1. Enter the IP address or FQDN of the switch in the Address field. The Console uses the value you enter to identify the switch entry.

    2. From the Connecting Appliance list, specify the CounterACT device that will manage this switch.

    3. From the Vendor list, specify the vendor of the network device you want the plugin to manage. Since each Vendor CLI and SNMP are different, it is important to pick the right vendor. CounterACT will associate the right format for the switch then.

    4. Enter a comment about the switch configuration in the Comment field.

    5. Click the CLI tab.

  3. From the CLI pane, configure the use of CLI for communication from the Switch Plugin to the switch.
    1. Enable the Use CLI option to activate CLI access.

      Note

      SSH is the permanently selected connection type for Juniper Networks switches.

    2. Enter a user name and password in the User and Password fields. The Switch Plugin uses these credentials to log in to the switch.

      Note

      For plugin management of Juniper’s switches, the user that you configure must have superuser permission on Juniper’s switches.

      Do not use the root login for CLI access to EX Series switches.

    3. In the Privileged Access Parameters section, enable the Enable privileged access option to provide the plugin write privileges on the switch.

    4. Select the No password option to indicate that the switch set up does not require a password.

    5. Click the Permissions tab.

  4. From the Permissions pane, define read, write, and advanced permission settings for the switch.
    1. In the MAC Permissions section, enable the Read: MACs connected to switch port and port properties (MAC address table) option. Enabling MAC read permission allows CounterACT to read a switch’s MAC address table and discover connected endpoints and their network interface.

    2. Enable the Write: Enable Actions (Switch block, Assign to VLAN, ACL) option to enable the Switch Plugin permission to apply the Assign to VLAN action, the Switch Block action, and ACL actions on endpoints detected on the managed switch.

      Note

      ACL configuration is not required for this use case configuration.

    3. Click the 802.1X tab. (This pane shows up only if the 802.1X plugin is installed)

  5. From the 802.1X pane, configure RADIUS-based authentication and authorization for detected endpoints when attempting to connect to a Juniper Networks’ network through an EX4300 Series switch.
    1. In the RADIUS Secret as configured in switches fields, enter the necessary RADIUS secret to allow communication between the CounterACT RADIUS server and the managed switch.

    2. Click OK, then click Apply to save and apply the configuration settings.

      Figure 20: 802.1X RADIUS-based Authentication Secret Confirmation
      802.1X RADIUS-based Authentication Secret Confirmation
  6. Click Test to test your configuration.
    Figure 21: Switch Configuration Test Screen
     Switch Configuration Test Screen
    Note

    To configure the QFX switch, repeat the same configuration steps as for the EX4300 switch. However, you must configure ACL functionality for the QFX switch because QFX is deployed as a standard access switch (without 802.1X), and auto-threat remediation is performed by applying ACLs.

    From the User Directory page, enable and/or select the following fields from the ACL pane:

    • Enable ACL

    • Add ACL firewall filter to physical ports

    • Add CounterACT authentication servers permit rules

    • Use system-defined name (forescout_acl)

Configure 802.1X Plugin

The 802.1X Plugin enables CounterACT to authenticate 802.1X switch or wireless connections to the network. The plugin is compatible with the IEEE 802.1X specification and the RADIUS authentication protocol.

To configure the 802.1X Plugin:

  1. Select Tools > Options > 802.1x.
    Figure 22: 802.1X Options
    802.1X Options
  2. From the 802.1X page, on the Authentication Sources pane, select the user directory that validates the credentials provided during the endpoint authentication. You configure all of the authentication sources in the User Directory Plugin.
  3. Click the Pre-Admission Authorization tab and define a set of prioritized rules. The CounterACT RADIUS server uses these rules to evaluate the endpoints for authorization after they have been authenticated by the applicable RADIUS server (an Authentication Source selection).
    Figure 23: Pre-Admission Authorization Tab
    Pre-Admission Authorization Tab
  4. Click Add to add multiple conditions for the rule.
    Figure 24: Pre-Admission Authorization Conditions
    Pre-Admission Authorization Conditions
  5. Add your Authorization Attributes. Enter VLAN as the Tunnel-Type, and 31 as the Tunnel-Private-Group. Click OK.
    Figure 25: Adding Authorization Attributes
    Adding Authorization Attributes
  6. Click the Server Certificate tab. Enable the Use self-signed certificate option.
    Figure 26: Server Certificate Options
    Server Certificate Options
  7. Click the RADIUS Settings tab. Enable the CounterACT RADIUS Logging option, and accept all of the other default settings.
    Figure 27: RADIUS Settings
    RADIUS Settings
  8. Click Apply to save and apply the configuration settings.
    Figure 28: Applying 802.1X Configuration Settings
    Applying 802.1X Configuration Settings

Configure Windows 7 Supplicant

You should have already installed the Microsoft Windows Server and Active Directory. Click Install and Configure Microsoft Windows Server and Active Directory to review the instructions.

To configure the Windows 7 Supplicant:

  1. Ensure that the Windows 7 Supplicant is configured with the Active Directory domain that you previously created.
    Figure 29: Windows Supplicant Configuration Verification
    Windows Supplicant Configuration Verification
  2. Ensure that the Wired AutoConfig service is running.
    Figure 30: Wired AutoConfig Service Configuration Confirmation
    Wired AutoConfig Service Configuration Confirmation
  3. Enable 802.1X PEAP authentication for the Local Area Connection.
    Figure 31: 802.1X PEAP Authentication Confirmation
    802.1X PEAP Authentication Confirmation
  4. Click Settings and ensure that the Validate server certificate option is not selected.
    Figure 32: Protected EAP Properties
    Protected EAP Properties
  5. Configure the user credential settings. Select the Automatically use my Windows login name and password option to use the user credentials you previously configured in Active Directory.
    Figure 33: Windows Login and Password Confirmation
    Windows Login and Password Confirmation
  6. Click Authentication > Additional Settings > Replace credentials and enter the credentials of the user you created in Active Directory.
    Figure 34: Replacing Credentials
    Replacing Credentials
  7. To confirm that the 802.1X authentication works on Windows 7 Supplicant and verify that the user is placed correctly in the User VLAN (vlan31), enter the show dot1x interface and show vlans vlan31 commands.
    Figure 35: show dot1X interface and show vlans Output
    show dot1X interface and show vlans Output
  8. To review the session information (username, IP address, and MAC-ID) on the CounterACT Console, right-click on your host, and select Information > Details.
    Figure 36: Session Information Verification
    Session Information Verification

Test and Troubleshoot 802.1X Authentication

To test the 802.1X authentication against ForeScout CounterACT:

  1. Log in using the credentials of the domain account (user) you created in the User Directory.
    Figure 37: Troubleshoot Rejected Authentications
    Troubleshoot Rejected Authentications
  2. Ensure that the EX4300 switch is configured properly for 802.1X authentication. Click CLI Configuration for EX4300 Switch to review the configuration file.

To troubleshoot 802.1X authentication issues:

  1. From the ForeScout CounterACT Console, click the Policy tab and create a policy using the Troubleshoot Rejected Authentications template (listed under 802.1X Enforcement).
  2. Start your policy to troubleshoot the issue.

To view logs from the ForeScout CounterACT Console:

  1. Select Log > Policy Log. From the Policy Log page, enter your Windows 7 supplicant’s MAC or IP address.
    Figure 38: Policy Log Settings
    Policy Log Settings
  2. Click OK. The policy log files appear.
    Figure 39: Policy Log Files
    Policy Log Files
  3. If 802.1X authentication works and your Windows 7 supplicant obtains an IP address from the DHCP server running on SRX, you can then generate some traffic to verify that your Windows 7 supplicant (for example, 10.10.30.69) appears on the Host list under the Home tab.
    Figure 40: Policy Log 802.1X Authentication Confirmation
    Policy Log 802.1X Authentication Confirmation
    Note

    Additionally, if you already configured the other host (Windows or Linux system) that is connected to the QFX switch and obtained an IP address from the DHCP server running on SRX, you can then generate some traffic for it, and the host address (for example, 10.10.30.99) will also appear on the Host list.

Configure Data Exchange Plugin

The Data Exchange (DEX) Plugin enables CounterACT to use web services to communicate with external entities. CounterACT queries external services and receives updates through the CounterACT web service hosted by the plugin. In this case DEX in conjunction with the ForeScout Connector will monitor PE for any communication.

To configure the Data Exchange (DEX) Plugin:

  1. Select Tools > Options > Data Exchange (DEX).
  2. From the Data Exchange (DEX) page, select CounterACT Web Service > Accounts tab.
    Figure 41: Data Exchange Accounts
    Data Exchange Accounts
  3. Click Add and enter the following information:
    1. In the Name field, enter the name of the CounterACT web service account.

    2. In the Description field, enter a brief description of the purpose of the web service account.

    3. In the Username field, enter the username used to authorize CounterACT to access the web service account.

    4. In the Password field, enter the password used to authorize CounterACT to access the web service account.

    5. Click OK and the account appears in the Account tab.

  4. Click the Properties tab. From the Properties page, click Add to add the following properties:
    • block

    • quarantine

    • Test

    Note

    You must include the Test property; otherwise, you cannot add CounterACT as a third-party connector to Policy Enforcer successfully.

    Figure 42: Data Exchange Properties
    Data Exchange Properties
  5. Click the Security Settings tab. A white list of IP addresses is used to permit access to the CounterACT web service. From the Security Settings page, click Add and add the IP address range for the Policy Enforcer. Click OK. The IP address appears in the IP Address Range list.
    Figure 43: Data Exchange Security Settings
    Data Exchange Security Settings
  6. From the Data Exchange (DEX) page, click Apply to save and apply the configuration settings.
    Figure 44: Data Exchange Applying Configuration Settings
    Data Exchange Applying Configuration Settings

Configure Web API Plugin

The Web API Plugin enables external entities to communicate with CounterACT using simple, yet powerful web service requests based on HTTP interaction. Configure the Web API Plugin to create an account for Policy Enforcer integration.

To configure the Web API Plugin:

  1. Select Tools > Options > Web API.
  2. From the Web API page, in the User Credentials section, click Add.
    Figure 45: Web API User Credentials
    Web API User Credentials
  3. Enter the same username and password that you previously created for the Data Exchange (DEX) configuration and click OK.
  4. Click the Client IPs tab and click Add. Add the Policy Enforcer IP address into the access list.

    Click OK.

    Figure 46: Web API Client IP Tab
    Web API Client IP Tab
  5. From the Web API page, click Apply to save and apply the configuration settings.
    Figure 47: Web API Applying Configuration Settings
    Web API Applying Configuration Settings

Verify Plugins

To verify that all of the required plugins are running, select Tools > Options > Plugins. The Plugins page appears showing the status of each plugin.

Figure 48: Verifying Plugins
Verifying Plugins

Configure Automated Threat Remediation Policies

Using Policy Manager, create these automated threat remediation policies:

  • NETCONF policies–used to connect hosts to the QFX switch.

  • 802.1X policies–used to connect hosts to the EX4300 switch and used for 802.1X authentication.

To create an automated threat remediation NETCONF policy or 802.1X policy:

  1. Select Policy > Policy Manager.
  2. From the Policy Manager page, click Add.
    Figure 49: Policy Manager Page
    Policy Manager Page
  3. Click Custom and click Next.
    1. a. Based on your requirements, create the following sets of SDSN block and quarantine policies to secure host-to-switch and switch-to-802.1X server traffic. In the Name field, enter these policy names:

      • SDSN BLOCK—dot1x

      • SDSN QUARANTINE—dot1x

      • SDSN BLOCK—NETCONF

      • SDSN QUARANTINE—NETCONF

      Figure 50: Block and Quarantine Policies
      Block and Quarantine Policies
    2. In the Description field, enter a description for each policy. Click Next.

  4. From the Scope page, select the IP Range option. Enter the IP address range for the LAN segment as endpoints to be inspected for this policy. Click OK.
    Figure 51: IP Address Range in Block and Quarantine Policies
    IP Address Range in Block and Quarantine Policies
  5. Click Next to skip the Advanced section and open the Main Rule page. A rule contains a set of conditions and actions:
    • A condition is a set of properties that is queried when evaluating endpoints.

    • An action is the measure that CounterACT takes at endpoints.

  6. From the Main Rule page, click Add from the Condition section of the page to add a condition.
    Figure 52: Adding Conditions to Block and Quarantine Policies
    Adding Conditions to Block and Quarantine Policies
  7. Define the condition for block or quarantine.
    Figure 53: Defining Conditions for Block and Quarantine Policies
    Defining Conditions for Block and Quarantine Policies
  8. From the Main Rule page, click Add from the Actions section of the page. From the Action page, define these actions:
    1. SDSN BLOCK - dot1x─select 802.1x Authorize in the left pane and enable the Deny Access option as an action.

      Figure 54: 802.1X Blocking Access
      802.1X Blocking Access
    2. SDSN QUARANTINE - dot1x─select 802.1x Authorize in the left pane and enter vlan32 in the VLAN field as an action.

      Figure 55: 802.1X Quarantine Traffic to a VLAN
      802.1X Quarantine Traffic to a VLAN
    3. SDSN BLOCK - NETCONF─select Endpoint Address ACL in the left pane and enter an ACL as an action in the Parameters tab.

      Figure 56: Endpoint Access ACL
      Endpoint Access ACL
    4. SDSN QUARANTINE - NETCONF─select Assign to VLAN in the left pane and enter vlan32 in the VLAN name field under the Parameters tab to add as an action.

      Figure 57: SDSN Quarantine Assign to VLAN
      SDSN Quarantine Assign to VLAN
  9. Click OK and then click Next. Skip configuring sub-rules on the Sub-Rules page.
  10. From the Policy Manager page, click Apply to save and apply the configuration settings. Review the Status of your policy and verify that it is active indicated with an arrow and green box:

Configure the Policy Enforcer Connector for Third-Party Switches

  1. Log in to Security Director and navigate to Administration > Policy Enforcer > Connectors and create a new connector. A blue loading/wait circle indicates that creation of the connector is in progress.
    Figure 58: Connectors
    Connectors
  2. Enter the following General page details:
    • Name─Enter a unique string.

    • Description─Enter a description.

    • ConnectorType─Select the required third-party network of devices to connect to your secure fabric and create policies for this network. Select ForeScout CounterACT. Click Next.

  3. Enter the following General page details:
    • IP Address─Enter the IP (IPv4 or IPv6) address of the product management server.

    • Port─Select the port to use from the list. If you leave this blank, port 443 is the default.

    • Username─Enter the username of the server for the selected ForeScout CounterACT connector type. For example, Admin.

    • Password─Enter the password of the server for the selected ForeScout CounterACT connector type.

    • DEX User Role─Enter the password of the server for the selected ForeScout CounterACT connector type. For example, Administrator. This has to match the Name field configured on page 58 under the DEX plugin. Click Next.

  4. On the Network Details page, add subnet information to the connector configuration so you can include those subnets in groups and then apply policies to those groups. Click Next.
  5. On the Configuration page, enter the values for the Web API username and password. Click Finish.

Configure ATP Cloud with Threat Prevention Policies

To configure ATP Cloud and set up threat prevention policies:

  • Configure a secure fabric. A secure fabric is a collection of sites which contain network devices (switches, routers, firewalls, and other security devices) used in policy enforcement groups.

  • Define a site and add endpoints to it (switches and firewalls).

  • Configure policy enforcement groups. A policy enforcement group is a grouping of endpoints to which threat prevention policies are applied.

  • Create a threat prevention policy.

  • Apply threat prevention policies to policy enforcement groups

Note

If you are using Policy Enforcer for threat prevention with ATP Cloud, Guided Setup is the most efficient way to complete the initial configuration.

To perform the configuration using Guided Setup:

  1. In Security Director, navigate to Configure > Guided Setup > Threat Prevention.
    Figure 59: Threat Prevention Policy Setup
    Threat Prevention Policy Setup
  2. Click Start Setup and follow the wizard.
    Figure 60: Sky ATP with SDSN Setup
    Sky ATP with SDSN Setup
  3. Create a secure fabric site that includes enforcement points for only the SRX Series device and the ForeScout CounterACT connector. Click Next.
    Figure 61: Secure Fabric Threat Prevention Policy Setup
    Secure Fabric Threat Prevention Policy Setup
  4. Create a policy enforcement group and select the site. As per your requirements, determine the type of endpoints you are including in your policy enforcement group: IP address, subnet, or location. Endpoints cannot belong to multiple policy enforcement groups. Click Next.
    Figure 62: Policy Enforcement Groups
    Policy Enforcement Groups
  5. Add the ATP Cloud realm by providing the relevant details from your ATP Cloud account.

    Before you configure the ATP Cloud realm, ensure that you:

    • Have an ATP Cloud account with an associated license.

    • Understand which type of ATP Cloud license you have: free, basic, or premium. The license controls which ATP Cloud features are available. Click Obtain an ATP Cloud license and Create an ATP Cloud Web Portal Account for more details.

    • Know which region is covered by the realm you are creating. You must a select a region when you configure a realm.

      Figure 63: Sky ATP Realm
      Sky ATP Realm

    Enter Location, Username (Your username for ATP Cloud is your e-mail address), Password, and a name for the Realm. Click OK.

  6. Verify that the ATP Cloud realm has been added.
    Figure 64: ATP Cloud Realm Creation Verification
    ATP Cloud Realm Creation Verification

    The value 1 should appear in the Perimeter Firewall in Sites column, indicating that ATP Cloud has detected the SRX Series device.

    Note

    If the realm addition is not successful, it indicates that there is a network issue and Security Director or Policy Enforcer cannot connect to the Internet. Ensure all devices/components can connect to the Internet and each other.

  7. Create a threat prevention policy, as per your requirements. Threat prevention policies provide protection and monitoring for selected threat profiles, including command & control (C&C) servers, infected hosts, and malware.
    • Determine the type of profile to use for this policy: C&C server, infected hosts, or malware. You can select one or more threat profiles in a policy.

    • Determine which action to take if a threat is found.

    • Know which policy enforcement group to add to this policy.

    Figure 65: Create Threat Prevention Policy
    Create Threat Prevention Policy

    Click OK.

  8. Threat Prevention Policy needs a profile for HTTP downloads; this profile indicates what type of files need to be scanned for threats. To add a profile for HTTP file downloads, in the Device Profile area, expand the Realm and select the required profile. Click OK.
    Figure 66: Threat Prevention Device Profile
    Threat Prevention Device Profile
  9. Assign the threat prevention policy to the desired policy enforcement group by clicking Assign to Groups.
    Figure 67: Assigning a Threat Prevention Policy to a Policy Enforcement Group
    Assigning a Threat Prevention Policy to a Policy Enforcement
Group
  10. Select the policy enforcement group and click OK.
    Figure 68: Policy Enforcement Group Selection
    Policy Enforcement Group Selection
  11. The system performs a rule analysis, and prepares device configurations that include the threat prevention policies.
    Figure 69: Rule Analysis
    Rule Analysis
  12. Once the analysis is complete, instruct the system to push the updated policy and configuration changes to the SRX Series device by clicking Update.
    Figure 70: Updating Policy and Configuration Changes
    Updating Policy and Configuration Changes
  13. When the push is complete, the system returns to the Policies page. Click OK.
    Figure 71: Policy Update Confirmation
    Policy Update Confirmation
    Note

    If the update fails, complete the Threat Prevention Policy Guided Setup. Navigate to Devices > Security Devices and resynchronize your SRX with the network. Then, navigate to Configure > Threat Prevention -> Policies, click Update Required and push the update once again If additional troubleshooting is required, you can view the configuration changes pushed onto an SRX Series device by selecting Monitor > Job Management.

    Configuration changes pushed to the SRX device:

    Figure 72: SRX Configuration
    SRX Configuration
  14. Click Finish to finalize the Threat Prevention Policy Guided Setup.
    Figure 73: Threat Prevent Policy Setup
    Threat Prevent Policy Setup

    The system displays the summary of the configuration. Click OK.

    Figure 74: Threat Prevention Policy Configuration Summary
    Threat Prevention Policy Configuration Summary

Use Case Verification

To verify the use case configuration, perform the following actions:

Verify the Enrollment of Devices in ATP Cloud on an SRX Series Device

Purpose

Verify that the SRX Series device is connected to the ATP Cloud server.

Action

On the SRX device, use the show services advanced-anti-malware status CLI command.

Meaning

The CLI output displays the Connection status as Connected. The Server hostname field displays the ATP Cloud server hostname.

Verify the Enrollment of Policy Enforcer and SRX Series Devices in ATP Cloud

Purpose

Verify that Policy Enforcer and the SRX Series device are enrolled with ATP Cloud.

Action

In ATP Cloud, navigate to the Enrolled Devices page and review the connection information for enrolled devices, including the serial number, model number, tier level (free, basic, premium) enrollment status in ATP Cloud, last telemetry activity, and last activity seen.

Figure 75: Verifying Enrolled Devices in ATP Cloud
 Verifying Enrolled Devices in ATP Cloud

Meaning

The Host field displays details for the enrolled firewall (vSRX_L3_QFX) and for the Policy Enforcer device. You can click the serial numbers for more details.

Verify the Enrollment of Devices with ATP Cloud in Security Director

Purpose

Verify that the SRX Series device enrolled with ATP Cloud in Security Director.

Action

In Security Directory, navigate to Devices > Secure Fabric.

Figure 76: Verifying Device Enrollment in Security Director
Verifying Device Enrollment in Security Director

Meaning

A green dot with checkmark displays in the SkyATP Enroll Status field and confirms the enrollment of the SRX Series device with the ATP Cloud realm.

Verify ForeScout CounterACT Functionality to Block Infected Endpoint (with 802.1X Authentication)

Purpose

Test the ForeScout CounterACT integration and functionality when an endpoint is infected. In this example, you verify when the enforcement policy is configured to block the infected host with 802.1X authentication.

Action

Note

A client VM or physical PC is required to trigger an attack.

Before the attack, confirm the following:

  • Confirm that Windows Supplicant is authenticated and in User VLAN (vlan31).

  • Confirm that the endpoint 10.10.30.69 can ping to Internet (IP address 8.8.8.8) and Layer 2 connected default gateway (10.10.30.254). Before the attack, the endpoint starts continuous pings to other endpoints on the LAN and Internet.

    The endpoint pings the C&C server on the Internet from Windows Supplicant (in this example from the IP address 184.75.221.43).

    Figure 77: Confirming Ping from Windows Supplicant
    Confirming Ping from Windows Supplicant

After the attack, the 802.1X session is terminated with RADIUS CoA on the EX4300 switch initiated by ForeScout CounterACT.

Confirm the following:

  • Confirm that Windows Supplicant cannot connect to the Internet or the LAN anymore.

    Figure 78: Confirming Ping from Windows Supplicant is Blocked After the Attack
    Confirming Ping from Windows Supplicant is Blocked
After the Attack
  • After the RADIUS CoA disconnect message, confirm that the Windows Supplicant is not in User VLAN (vlan31) anymore but in the default VLAN.

  • Confirm that further authentication requests are rejected by ForeScout CounterACT.

  • Confirm the SDSN BLOCK (dot1x) policy match and automated threat remediation action details by navigating to ForeScout CounterACT > Home.

    Figure 79: 802.1X SDSN Block Policy Match Verification
    802.1X SDSN Block Policy Match Verification
  • Navigate to Log > Host Log. Review the details for the SDSN BLOCK (dot1x) policy.

    Figure 80: 802.1X Host Log
    802.1X Host Log
  • Confirm that the Windows Supplicant’s IP address was also added to the Infected-Hosts Feed on the SRX Series device to block Internet access.

  • In the ATP Cloud portal, navigate to Monitor > Hosts. Confirm the host IP address (10.10.30.69), MAC-ID, and switch port of the Windows Supplicant.

    Figure 81: ATP Cloud Host Monitoring
    ATP Cloud Host Monitoring

Meaning

All ping sessions show that the traffic is blocked after the threat was detected, confirming that the automated threat remediation use case is working properly.

The Hosts page lists compromised hosts and their associated threat levels. The output confirms that ATP Cloud and Security Director have detected the infected host. You can monitor and mitigate malware detections on a per host basis.

Verify ForeScout CounterACT Functionality to Quarantine Infected Endpoint (with 802.1X Authentication)

Purpose

Test the ForeScout CounterACT integration and functionality when an endpoint is infected. In this example, you verify when the enforcement policy is configured to quarantine the infected host with 802.1X authentication.

Action

Note

A client VM or physical PC is required to trigger an attack.

Before the attack, confirm the following:

  • Release the infected host on the ATP Cloud portal or in Security Director (Monitor > Threat Prevention > Hosts).

  • Ensure that Internet or LAN access is restored for the Windows Supplicant.

  • On the Policy Enforcer > Threat Prevention Policy page, change infected host profile actions to Quarantine and add the VLAN ID as vlan32. Click OK.

    Figure 82: Threat Prevention Policy Pre-Attack Configuration
    Threat Prevention Policy Pre-Attack Configuration
  • Confirm that Windows Supplicant is authenticated and in User VLAN (vlan31).

  • Confirm that the endpoint 10.10.30.69 can ping to Internet (IP address 8.8.8.8) and Layer 2 connected default gateway (10.10.30.254). Before the attack, the endpoint starts continuous pings to other endpoints on the LAN and Internet.

    Figure 83: Confirming Ping from Windows Supplication Before the Attack
    Confirming Ping from Windows Supplication Before the
Attack

    The endpoint pings the C&C server on the Internet from Windows Supplicant (in this example from the IP address 184.75.221.43).

After the attack, the 802.1X session is terminated with RADIUS CoA on the EX4300 switch initiated by ForeScout CounterACT.

Confirm the following:

  • Confirm that Windows Supplicant re-authenticates and is automatically moved into Quarantine VLAN (vlan32). As a result, the Windows Supplicant cannot connect to the Internet or the LAN anymore.

    Figure 84: Confirm Traffic is Moved to Quarantine VLAN After Attack
    Confirm Traffic is Moved to Quarantine VLAN After Attack
  • After the RADIUS CoA disconnect message and re-authentication, confirm that the Windows Supplicant is now in Quarantine VLAN (vlan32).

  • Confirm that further authentication requests are rejected by ForeScout CounterACT.

  • Confirm the SDSN QUARANTINE (dot1x) policy match and automated threat remediation action details by navigating to ForeScout CounterACT > Home.

    Figure 85: 802.1X SDSN Quarantine Policy Match
    802.1X SDSN Quarantine Policy Match
  • Navigate to Log > Host Log. Review the details for the SDSN QUARANTINE (dot1x) policy.

    Figure 86: 802.1X SDSN Quarantine Host Log
    802.1X SDSN Quarantine Host Log
  • Confirm that the Windows Supplicant’s IP address was also added to the Infected-Hosts Feed on the SRX Series device to block Internet access.

  • In the ATP Cloud portal, navigate to Monitor > Hosts. Confirm the host IP address (10.10.30.69), MAC-ID, and switch port of the Windows Supplicant.

    Figure 87: Confirming Host Details in ATP Cloud
    Confirming Host Details in ATP Cloud

Meaning

The output shows that the ATP Cloud infected host feed containing the Windows Supplicant’s IP address 10.10.30.69 has been successfully downloaded, resulting in the SRX device taking an action to quarantine the IP address.

The Hosts page lists compromised hosts and their associated threat levels. The output confirms that ATP Cloud and Security Director have detected and quarantined the infected host. You can monitor and mitigate malware detections on a per host basis. You can also drill down and verify why the host is marked as infected (for this use case, the C&C server IP address). For malware, details of the downloaded file display.

Verify ForeScout CounterACT Functionality to Block Infected Endpoint (with NETCONF)

Purpose

Test the ForeScout CounterACT integration and functionality when an endpoint is infected. In this example, you verify when the enforcement policy is NETCONF, and it is configured block the infected host.

Action

Note

A client VM or physical PC is required to trigger an attack.

Before the attack, confirm the following:

  • On the Policy Enforcer > Threat Prevention Policy page, change infected host profile actions to Drop connection silently. Click OK.

    Figure 88: Drop Connection Silently Option
    Drop Connection Silently Option
  • Navigate to the Policies tab. From the Console, stop both SDSN BLOCK–dot1x and SDSN QUARANTINE–dot1x polices, and start both SDSN BLOCK–NETCONF and SDSN QUARANTINE–NETCONF policies.

    Figure 89: Policies Tab in Policy Manager
    Policies Tab in Policy Manager
  • Confirm that the Linux host is in User VLAN (vlan31) with IP address 10.10.30.99.

    Figure 90: Linux Host Confirmation
    Linux Host Confirmation
  • Confirm that the endpoint 10.10.30.99 can ping to Internet (IP address 8.8.8.8) and Layer 2 connected default gateway (10.10.30.254). Before the attack, the endpoint starts continuous pings to other endpoints on the LAN and Internet.

    Figure 91: Internet Ping
    Internet Ping

    The endpoint pings the C&C server on the Internet from the Linux host (in this example from the IP address 184.75.221.43).

    Figure 92: C&C Server Ping
    C&C Server Ping

After the attack, ForeScout CounterACT applies ACL on the QFX switch using NETCONF. Confirm the following:

  • Confirm that the Linux host cannot connect to the Internet or the LAN anymore.

    Figure 93: Confirming Disconnected Linux Host
    Confirming Disconnected Linux Host
  • Confirm the SDSN BLOCK (NETCONF) policy match and automated threat remediation action details by navigating to ForeScout CounterACT > Home.

    Figure 94: Confirming Policy Match and Automated Threat Remediation Details
    Confirming Policy Match and Automated Threat Remediation
Details
  • Navigate to Log > Host Log. Review the details for the SDSN BLOCK (NETCONF) policy.

    Figure 95: SDSN Block Host Log
    SDSN Block Host Log
  • Confirm that the Linux host’s IP address was also added to the Infected-Hosts Feed on the SRX Series device to block Internet access.

  • In the ATP Cloud portal, navigate to Monitor > Hosts. Confirm the host IP address (10.10.30.99), MAC-ID, and switch port of the Linux host.

    Figure 96: Confirming Host Information in ATP Cloud Portal
    Confirming Host Information in ATP Cloud Portal

Meaning

All ping sessions show that the traffic is blocked after the threat was detected, confirming that the automated threat remediation use case is working properly.

The Hosts page lists compromised hosts and their associated threat levels. The output confirms that ATP Cloud and Security Director have detected the infected host. You can monitor and mitigate malware detections on a per host basis.

Verify ForeScout CounterACT Functionality to Quarantine Infected Endpoint (with NETCONF)

Purpose

Test the ForeScout CounterACT integration and functionality when an endpoint is infected. In this example, you verify when the enforcement policy NETCONF, and it is configured to quarantine the infected host.

Action

Note

A client VM or physical PC is required to trigger an attack.

Before the attack, confirm the following:

  • Release the infected host on the ATP Cloud portal or in Security Director (Monitor > Threat Prevention > Hosts).

  • Ensure that Internet or LAN access is restored for the Linux host.

  • On the Policy Enforcer > Threat Prevention Policy page, change infected host profile actions to Quarantine and add the VLAN ID as vlan32. Click OK.

    Figure 97: Changing Threat Prevention Policy to Quarantine
    Changing Threat Prevention Policy to Quarantine
  • Confirm that the Linux host is in User VLAN (vlan31) with IP address 10.10.30.99.

    Figure 98: Confirming Linux Host Details
    Confirming Linux Host Details
    Confirming Linux Host Details
  • Confirm that the endpoint 10.10.30.99 can ping to Internet (IP address 8.8.8.8) and Layer 2 connected default gateway (10.10.30.254). Before the attack, the endpoint starts continuous pings to other endpoints on the LAN and Internet.

    Figure 99: Confirming Internet Connectivity
    Confirming Internet Connectivity

    The endpoint pings the C&C server on the Internet from the Linux host (in this example from the IP address 184.75.221.43).

    Figure 100: Confirming Connection to C&C Server
    Confirming Connection to C&C Server

After the attack, ForeScout CounterACT changes the VLAN configuration of the interface connecting the Linux host from User VLAN (vlan31) to Quarantine VLAN (vlan32) on the QFX switch using NETCONF.

Confirm the following:

  • Confirm that the Linux host cannot connect to the Internet or the LAN anymore.

    Figure 101: Confirming Linux Host Cannot Connect to Internet or LAN
    Confirming Linux Host Cannot Connect to Internet or
LAN
  • Confirm the SDSN QUARANTINE (NETCONF) policy match and automated threat remediation action details by navigating to ForeScout CounterACT > Home.

    Figure 102: Confirming Policy Match and Automated Threat Remediation Details
    Confirming Policy Match and Automated Threat Remediation
Details
  • Navigate to Log > Host Log. Review the details for the SDSN BLOCK (NETCONF) policy.

    Figure 103: SDSN Block Policy Host Log
    SDSN Block Policy Host Log
  • Confirm that the Linux host’s IP address was also added to the Infected-Hosts Feed on the SRX Series device to block Internet access.

  • In the ATP Cloud portal, navigate to Monitor > Hosts. Confirm the host IP address (10.10.30.99), MAC-ID, and switch port of the Linux host.

    Figure 104: Confirming Host Details in ATP Cloud Portal
    Confirming Host Details in ATP Cloud Portal

Meaning

The output shows that the ATP Cloud infected host feed containing the Linux host’s IP address 10.10.30.99 has been successfully downloaded, resulting in the SRX device taking an action to quarantine the IP address.

The Hosts page lists compromised hosts and their associated threat levels. The output confirms that ATP Cloud and Security Director have detected and quarantined the infected host. You can monitor and mitigate malware detections on a per host basis.

Appendix A: Device Configurations

This section provides the following device configurations:

CLI Configuration for SRX Series Device

CLI Configuration for EX4300 Switch

CLI Configuration for QFX Switch

Appendix B: Troubleshooting Adding Third-Party Connector

If you encounter problems while adding the third-party connector, review the following log files for troubleshooting information.

This section covers the following third-party connector issues:

Troubleshooting Policy Enforcer

To troubleshoot Policy Enforcer, review these logs:

  • /srv/feeder/connectors/forescout/logs/forescout_connector.log

  • /srv/feeder/log/controller.log

  • If the following log message displays in the forescout_connector.log file:

    Then navigate to the ForeScout CounterACT CLI and enter this command:

Troubleshooting ForeScout CounterACT

To enable debugging on the CLI for the DEX (eds) and Web API plugins, enter the following commands:

  • fstool eds debug 10

  • fstool webapi debug 10

Review the following log files:

  • /usr/local/forescout/log/plugin/eds

  • /usr/local/forescout/log/plugin/webapi