Getting Started Guide

The following high-level steps will get you started with Security Director. For detailed instructions, refer to the Security Director Help center.


1 Discover Devices

Device discovery is the process of finding a device and then synchronizing the device inventory and configuration with the Junos Space Network Management Platform database. You discover devices in Junos Space Security Director by creating and using a device discovery profile. A device discovery profile contains information about discovery targets, probes used to discover devices, credentials for authentication, and device SSH fingerprints, and it is used to discover, authenticate, and connect to the device.

To configure a device discovery profile:

  1. Select Devices > Device Discovery.

    The Device Discovery page appears.

  2. Click the + icon.

    The Create Discovery Profile page appears.

  3. Complete the configuration.

    Note: Fields marked with * are mandatory.

  4. Click OK.

    A new device discovery profile is created and you are returned to the Device Discovery page. A Job Details page pops up after a few seconds and displays the details of the scheduled job.

  5. Click OK to close the Job Details page.

2 Configure Logging and Reporting

To enable the Logging and Reporting module for log collection across multiple SRX Series devices:

  1. Deploy the log collector.

    You can deploy Log Collectors on both a VM and the JA2500 appliance. You can deploy the Log Collector as an All in One node for small-scale deployments. For easy scaling, begin with a single Log Receiver node and a single Log Storage node, and incrementally add Log Storage nodes as your needs expand. You can add a maximum of one Log Receiver node and three Log Storage nodes.

    For a VM environment, a single OVA image is used to deploy the All in One, Log Receiver, and Log Storage nodes. The image presents a configuration script after you log in. At deployment, you must select the appropriate memory and CPU configuration values for the role of the VM.

    For JA2500 deployments, a single ISO image is used to install the All in One, Log Receiver, and Log Storage nodes. The image presents a configuration script after you log in.

    For more details, see the Security Director Release Notes.

  2. Add the log collector to Security Director.
    1. Select Administration > Logging Management > Logging Nodes, and click the + icon.
    2. Provide the root credentials of the Log Collector node.
    3. Verify the corresponding job status.

      The Log Collector node appears on the Logging Nodes page with the status UP.

  3. Configure Security Director and SRX Series devices to receive logs by selecting Network Management Platform > Devices > Device Management.

3 Create Addresses

You can use the Addresses page to create source or destination addresses that can be used across all devices managed by Security Director. Addresses are used in firewall, NAT, IPS, and VPN services and apply to corresponding SRX Series devices.

To create an address:

  1. Select Configure > Shared Objects > Addresses.
  2. Click Create.
  3. Complete the configuration.
  4. Click OK.

    A new address with your configuration is created. You can use this object in policies. You can also assign it to a domain.

4 Configure Firewall Policies

To configure, publish, and update a firewall policy:

  1. Select Configure > Firewall Policy.
  2. Click the + icon.
  3. Complete the configuration.
  4. Click OK.

    A firewall policy is created. You can click the policy to assign rules inline or select the policy and click the + icon to configure policy rules.

  5. Publish the firewall policy to a device. See Publish Policies on Devices.
  6. Update the policy to a device. See Update Policies on Devices.

5 Configure NAT Policies

To configure, publish, and update a NAT policy:

  1. Select Configure > NAT Policy > Policies.
  2. Click the plus sign (+) to create a new NAT policy.
  3. Complete the configuration.

    A new NAT policy is created. After you create a NAT policy, add rules in one or more rulebases and select that policy to be the active policy on your device. You can also assign a NAT policy to a domain.

  4. Publish the NAT policy to a device. See Publish Policies on Devices.
  5. Update the policy to a device. See Update Policies on Devices.

6 Configure IPsec VPNs

To configure, publish, and update an IPsec VPN:

  1. Select Configure > IPsec VPN > IPsec VPNs.
  2. Click the plus sign (+) to create a new IPsec VPN.
  3. Complete the configuration.

    A new IPsec VPN is created.

  4. On the IPsec VPNs page, select the VPN policy that you want to publish or update, and click Publish or Update. The Publish Policy page appears.
  5. Select the check boxes next to the devices to which the policy changes will be published.

    Note:

    • You can search for a specific device on which the VPN is published by entering the search criteria in the search field in the top-right corner of the IPsec VPNs page. You can search the devices by their name, IP address, or the device OS version.
    • If the VPN is to be published on a large number of devices, the devices are displayed across multiple pages. You can use the pagination and display options available on the lower banner, just below the list of devices, to view all devices on which the VPN is published.
  6. Do one of the following:

    • Select Run now if you want to apply the VPN immediately.
    • Select Schedule at a later time if you want to schedule and publish the VPN later.
  7. Click Publish and Update. The Affected Devices page displays the devices on which the VPN will be published.

7 Manage IPS Policies

Security Director enables you to manage IPS policies. You must download the IPS package and signature database, push them to the device, create an IPS policy, and then publish and update the policy to the device.

To manage an IPS policy:

  1. Select Administration > Signature Database.
  2. Click Download Configuration.

    The Download Configuration page appears.

  3. In the Download URL field, enter the URL from which the IPS and AppFw signature database is downloaded. For example, enter https://services.netscreen.com.
  4. Enable the Proxy Server field to send the download traffic through a proxy server.
  5. Do one of the following:

    • Select Run now to download the signature database immediately.
    • Select Schedule at a later time to set the signature database to automatically download at the specified time.

      Select the Recurrence check box to enable the schedule to recur in a given time interval.

  6. Click OK.

    The IPS signature is downloaded. After downloading the IPS package and signature database, you must push these packages to a device. You do this by installing the signature database on a device.

    If you do not have an Internet connection to download the package, you can perform an offline update of the signature database files by downloading the latest signature version from the following location and storing it locally: https://services.netscreen.com/space/2/latest/latest-space-update.zip.

  7. Click Install Configuration.

    The Install Configuration page appears.

  8. You can view the summary of the active signature database version, which will be installed on your device.
  9. Click the check box next to the devices on which you want to install the signature database.

    You can select Full Probe or Delta Probe from Probe Devices or you can right-click the selected device to validate the intrusion prevention system (IPS) and application firewall licenses.

  10. Enable Incremental Update to perform an incremental update of the signature database on the selected device; leave it disabled to perform a full update.
  11. Do one of the following:

    • Select Run now to set the signature database to install immediately.
    • Select Schedule at a later time to set the signature database to automatically install at the specified time.

      Select the Recurrence check box to enable the schedule to recur in a given time interval.

  12. Click OK.

    After installing the IPS package and signature database, create an IPS policy.

  13. Select Configure > IPS Policy > Policies.
  14. Click the + icon.
  15. Complete the configuration.
  16. Click OK.

    A new IPS policy with your configuration is created. After you create an IPS policy, add rules in one or more rulebases and publish the policy. To enable the IPS policy, apply it to a domain.

  17. Publish the policy. See Publish Policies on Devices.
  18. Update the policy to a device. See Update Policies on Devices.

8 Manage Application Firewall Policies

Security Director enables you to manage application firewall policies. You must download the application signature, install it to a device, create an application firewall policy, and then publish and update the application firewall policy to a device.

To manage an application firewall:

  1. Select Administration > Signature Database.
  2. Click Download Configuration.

    The Download Configuration page appears.

  3. In the Download URL field, enter the URL from which the IPS and AppFw signature database is downloaded. For example, enter: https://services.netscreen.com.
  4. Enable the Proxy Server field to send the download traffic through a proxy server.
  5. Do one of the following:

    • Select Run now to download the signature database immediately.
    • Select Schedule at a later time to set the signature database to automatically download at the specified time.

      Select the Recurrence check box to enable the schedule to recur in a given time interval.

  6. Click OK.

    After downloading the signature database, install it to the device. If you do not have an Internet connection to download the package, you can perform an offline update of the signature database files by downloading the latest signature version from the following location and storing it locally: https://services.netscreen.com/space/2/latest/latest-space-update.zip.

  7. Select Administration > Signature Database.
  8. Click Install Configuration.

    The Install Configuration page appears.

    You see a summary of the active signature database version, which will be installed on your device.

  9. Click the check box next to the devices on which you want to install the signature database.

    You can select Full Probe or Delta Probe from Probe Devices or you can right-click the selected device to validate the intrusion prevention system (IPS) and application firewall licenses.

  10. Enable Incremental Update to perform an incremental update of the signature database on the selected device; leave it disabled to perform a full update.
  11. Do one of the following:

    • Select Run now to set the signature database to install immediately.
    • Select Schedule at a later time to set the signature database to automatically install at the specified time.

      Select the Recurrence check box to enable the schedule to recur in a given time interval.

  12. Click OK.

    After installing the signature database, create an application firewall policy, publish it, and then update it to the device.

  13. Select Configure > Application Firewall Policy > Policies.
  14. Click the + icon.
  15. Complete the configuration.
  16. Click OK.

    After creating an application firewall policy, add rules to it.

  17. Click Add Rules for the policy you created.
  18. Click +.
  19. Complete the configuration.
  20. Click OK.
  21. Publish the application firewall policy. See Publish Policies on Devices.
  22. Update the application firewall policy to a device. See Update Policies on Devices.

9 Configure SSL Forward Proxy Profiles

SSL proxy is enabled as an application service within a security policy. You specify the traffic on which you want SSL proxy enabled as the policy's match criteria, and then specify the SSL proxy profile to be applied to that traffic.

To create an SSL forward proxy profile:

  1. Select Configure > Application Firewall Policy > SSL Forward Proxy Profiles.
  2. Click Create.
  3. Complete the configuration.
  4. Click OK.

An SSL forward proxy profile is created that can be assigned to a firewall policy for advanced security options.
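As an added illustration (not configuration from this guide or from Security Director itself), the Junos configuration that a firewall policy carrying an SSL forward proxy profile resolves to, which is what you see in the CLI view of the Publish workflow. Zone, policy, profile and CA certificate names are assumed.

```junos
/* Added example; zone, policy, profile and CA names are assumed. */
services {
    ssl {
        proxy {
            profile fwd-proxy-profile {
                /* CA certificate (assumed id) used to re-sign server certificates */
                root-ca ssl-proxy-ca;
                /* Validate the real server certificate against the trusted CA list */
                trusted-ca all;
            }
        }
    }
}
security {
    policies {
        from-zone trust to-zone untrust {
            policy inspect-https {
                /* Match criteria: only HTTPS leaving the trust zone is proxied */
                match {
                    source-address any;
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit {
                        /* The profile is attached as an application service of the permit action */
                        application-services {
                            ssl-proxy {
                                profile-name fwd-proxy-profile;
                            }
                        }
                    }
                }
            }
        }
    }
}
```

The profile keeps server certificate validation enabled; a profile configured to ignore server authentication failures would let the proxy accept forged upstream certificates on behalf of every client behind it.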

10 Configure UTM

To configure, publish, and update the UTM policy:

  1. Select Configure > UTM Policy.
  2. Click the + icon to create a new UTM policy.
  3. Complete the configuration.
  4. Configure a filtering profile for your UTM policy:
    • Antispam—Examine transmitted e-mail messages to identify e-mail spam over SMTP.
    • Antivirus—Inspect files transmitted over several protocols (HTTP, FTP upload and download, IMAP, SMTP, and POP3) to determine if the files exchanged are known malicious files, similar to how desktop antivirus software scans files for the same purpose.
    • Content filtering—Block or permit certain types of traffic over several protocols (HTTP, FTP upload and download, IMAP, SMTP, and POP3) based on the MIME type, file extension, protocol command, and embedded object type.
    • Web Filtering—Manage Internet usage by preventing access to inappropriate Web content over HTTP.
    • Device—Configure UTM global options for a device. The device profile refers to the antispam, antivirus, and Web filtering profiles.
  5. Click Finish. A new UTM policy is created.
  6. Publish the policy to devices. See Publish Policies on Devices.
  7. Update the policy to a device. See Update Policies on Devices.

11 Import Policies from a Device

Security Director enables you to import firewall, NAT, and IPS policies from a device. All objects supported by Security Director are imported during the policy import process.

To import a device configuration to Security Director:

  1. Select Devices > Security Devices.
  2. Select a device and then click More.
  3. Click Import.

    The Import Configuration page appears.

    You can also right-click the selected device and select Import.

  4. Select the policy to be imported to Security Director.
  5. Click Next.
  6. Resolve any conflicts after you verify the information, if needed.

    Note: Security Director creates a new policy each time you import one. If a policy with the same name but a different definition exists, then conflicts arise.

  7. Click Finish.

    Security Director displays a summary of the configuration changes.

  8. Click the Summary Report link.

    The summary report will be downloaded as a PDF file.

  9. Click OK to complete the import process.

    The Job Details page appears with the import success details.

    Note: You can download the summary report from Job Details page. Click Download Summary. The summary report is downloaded as a PDF file.

  10. Click OK.

12 Publish Policies on Devices

After you create and verify security policies, you can publish these policies and keep them ready to be updated to the security devices. The Publish workflow lets you save and publish different services to be updated at a later time to the appropriate firewalls (during the downtime). This permits administrators to review their firewall, VPN, and NAT policies before updating the device, which saves troubleshooting time, avoids errors, and saves the costs associated with errors. Verify and tweak your security configurations before updating them to the device by viewing the CLI and XML version of the configuration in the Publish workflow. This approach helps you keep the configurations ready and update them to the devices during the maintenance window.

To publish a policy:

  1. Select Configure > Policy-Name Policy > Policies.
  2. Select the policy that you want to publish and click Publish. The Publish Policy page appears.
  3. Select the check boxes next to the devices to which the policy changes must be published.

    Note: You can search for a specific device on which the policy is published by entering the search criteria in the search field. You can search the devices by their name and IP address.

  4. Do one of the following:

    • Select Run now if you want to publish the policy immediately.
    • Select Schedule at a later time if you want to schedule and publish the policy later.
  5. Click Publish. The Affected Devices page displays the devices on which the policies will be published.

13 Update Policies on Devices

Security Director helps you update all the security policies to devices at once through a single, intuitive interface. After you publish your policies, you can update them to devices during the maintenance window.

To update a policy:

  1. Select Configure > Policy-Name Policy > Policies.
  2. Select the policy that you want to update and click Update. The Update Policy page appears.
  3. Select the check boxes next to the devices to which the policy changes must be updated.

    Note: You can search for a specific device on which the policy is published by entering the search criteria in the search field. You can search the devices by their name and IP address.

  4. Do one of the following:

    • Select Run now if you want to update the policy immediately.
    • Select Schedule at a later time if you want to schedule and update the policy later.
  5. Click Update. The Affected Devices page displays the devices on which the policies will be updated.

14 Sky ATP with Policy Enforcer

Policy Enforcer provides centralized, integrated management of all your security devices (both physical and virtual), allowing you to combine threat intelligence from different solutions and act on that intelligence from one management point. Using Policy Enforcer and the intelligence feeds it offers through Sky ATP, you can create threat prevention policies that provide monitoring and actionable intelligence for threat types such as known malware, command and control servers, infected hosts, and Geo IP-based server data.

To use Policy Enforcer, you must do the following:

  1. Download, deploy, and configure the policy enforcer virtual machine.

    Policy Enforcer is delivered as an OVA package to be deployed inside your VMware ESX network. As with other Juniper Networks virtual appliances, Policy Enforcer requires either a VMware ESX server version 4.0 or later or a VMware ESXi server version 4.0 or later.

    Note: Detailed instructions for downloading Policy Enforcer and creating your policy enforcer virtual machine are provided in the Policy Enforcer Administration Guide and in the Security Director Help Center.

  2. After the policy enforcer virtual machine is installed, enter its IP address and login credentials. You must also select a threat prevention mode. In the Security Director UI, go to Administration > PE Settings. Once this information is entered, you can begin the setup process.

    Note: If you are using Sky ATP without Policy Enforcer or Cloud Feeds only, you must still download Policy Enforcer and create a policy enforcer virtual machine. A Sky ATP license and a Sky ATP account are also needed for all threat prevention types (Sky ATP with PE, Sky ATP, and Cloud feeds only). If you do not have a Sky ATP license, contact your local sales office or Juniper Networks partner to place an order for a Sky ATP premium license.

  3. The setup wizard is the most efficient way to complete your initial configuration of Policy Enforcer and Sky ATP. In the Security Director UI, navigate to Configure > Setup Wizards > Sky ATP with PE. Click Start Setup to begin. The following information is for configuring Sky ATP with PE.
  4. Configure Secure Fabric—Secure Fabric is a collection of network devices (switches, routers, firewalls, and other security devices), used by users or user groups, to which policies for aggregated threat prevention are applied. Once created, your secure fabric is located under Devices.
  5. Configure Policy Enforcement Group—A policy enforcement group is a grouping of endpoints ready to receive threat prevention policies. Create a policy enforcement group by adding endpoints (firewalls and switches) under one common group name and later applying a security policy to that group.
  6. Configure Sky ATP Realm—If you have not created a realm from within your Sky ATP account, you can create and register it here by clicking the + sign. Once you register a realm, you can enroll SRX Series devices into the realm. A security realm is a group identifier for an organization used to restrict access to Web applications. You can create one or multiple realms.
  7. Configure Threat Prevention Policy—A threat prevention policy requires you to create a name for the policy, choose one or more profile types depending on the type of threat prevention this policy provides (C&C Server, Infected Host, Malware), and select a log setting. Once configured, you assign policies to policy enforcement groups and click Finish.