Configure Logical System in SRX Series Firewall Security-Intelligence and Anti-Malware Policies
Tenant systems allow you to allocate virtual system resources, such as memory and CPU, into logical groupings to create multiple virtual firewalls. Each virtual firewall can then identify itself as a stand-alone system within one computing system. Starting in Junos OS 18.4, SRX Series Firewalls support tenant systems for anti-malware and security-intelligence policies. When you associate a tenant system with ATP Appliance, that tenant system receives the threat management features configured for the realm. The SRX Series Firewall will then perform policy enforcement based on the tenant system and the ATP Appliance.
For information on using tenant systems with SRX Series Firewalls, please refer to the Logical Systems and Tenant Systems User Guide for Security Devices. To enroll the SRX Series Firewall with the ATP Appliance, see Juniper Advanced Threat Prevention Appliance Integration with the SRX Series Firewall.
Tenant System Support for SecIntel Feeds
Starting in Junos OS 18.4, you can configure security-intelligence profiles for tenant systems.
Tenant systems enroll to ATP Appliance when the associated SRX Series Firewall is enrolled. All tenant systems with enabled anti-malware or security-intelligence policies appear in the ATP Appliance “Enrolled Devices” page with other SRX Series Firewalls.
root-logical-system is automatically associated with the realm to which
the SRX Series Firewall is enrolled. Only root-logical-system can make
submissions by default. Therefore you do not need to make an association for
root-logical-system.
Here is an example of the CLI commands for a tenant system security-intelligence policy configuration. The tenant system used in this example (LSYS1) must be associated with the ATP Appliance for the policy to get applied to the intended device:
set logical-systems LSYS1 services security-intelligence profile secintel_profile category CC set logical-systems LSYS1 services security-intelligence profile secintel_profile rule secintel_rule match threat-level 10 set logical-systems LSYS1 services security-intelligence profile secintel_profile rule secintel_rule match threat-level 9 set logical-systems LSYS1 services security-intelligence profile secintel_profile rule secintel_rule then action block close set logical-systems LSYS1 services security-intelligence profile secintel_profile rule secintel_rule then log set logical-systems LSYS1 services security-intelligence profile secintel_profile default-rule then action permit set logical-systems LSYS1 services security-intelligence profile secintel_profile default-rule then log set logical-systems LSYS1 services security-intelligence policy p1 CC secintel_profile set logical-systems LSYS1 services security-intelligence profile pf1 category Infected-Hosts set logical-systems LSYS1 services security-intelligence profile pf1 default-rule then action block drop set logical-systems LSYS1 services security-intelligence profile pf1 default-rule then log set logical-systems LSYS1 services security-intelligence policy p1 Infected-Hosts pf1
Use the following commands to create a security policy on the SRX Series Firewall for the inspection profiles.
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy 1 match source-address any set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy 1 match destination-address any set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy 1 match application any set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy 1 then permit application-services ssl-proxy profile-name ssl-inspect-profile-dut set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy p1
Use the following example commands to view the infected hosts feed for a tenant system:
root@SRX> show security dynamic-address category-name Infected-Hosts logical-system LSYS1 No. IP-start IP-end Feed Address 1 10.1.32.131 10.1.32.131 Infected-Hosts/1 ID-2150001a 2 10.1.32.148 10.1.32.148 Infected-Hosts/1 ID-2150001a 3 10.1.32.183 10.1.32.183 Infected-Hosts/1 ID-2150001a 4 10.1.32.201 10.1.32.201 Infected-Hosts/1 ID-2150001a
Or use the following:
User1@SRX:TSYS1> show security dynamic-address category-name Infected-Hosts No. IP-start IP-end Feed Address 1 10.1.32.131 10.1.32.131 Infected-Hosts/1 ID-2150001a 2 10.1.32.148 10.1.32.148 Infected-Hosts/1 ID-2150001a 3 10.1.32.183 10.1.32.183 Infected-Hosts/1 ID-2150001a 4 10.1.32.201 10.1.32.201 Infected-Hosts/1 ID-2150001a
Tenant System Support for AAMW
Starting in Junos OS 18.4, you can also configure anti-malware policies on a per tenant system basis. Here is an example of a tenant system anti-malware policy configuration:
As stated previously, the tenant system used in this example (LSYS1) must be associated with the ATP Appliance for the policy to get applied to the intended device.
set logical-systems LSYS1 services advanced-anti-malware policy LP1 http inspection-profile ldom_profile set logical-systems LSYS1 services advanced-anti-malware policy LP1 http action block set logical-systems LSYS1 services advanced-anti-malware policy LP1 http notification log set logical-systems LSYS1 services advanced-anti-malware policy LP1 smtp inspection-profile default_profile set logical-systems LSYS1 services advanced-anti-malware policy LP1 smtp notification log set logical-systems LSYS1 services advanced-anti-malware policy LP1 imap inspection-profile default_profile set logical-systems LSYS1 services advanced-anti-malware policy LP1 imap notification log set logical-systems LSYS1 services advanced-anti-malware policy LP1 verdict-threshold 3
Use the following command to view anti-malware policies for a tenant system.
root@SRX> show services advanced-anti-malware policy logical-systems
LSYS1
Advanced-anti-malware configuration:
Policy Name: LP11
Default-notification : Log
Whitelist-notification: Log
Blacklist-notification: Log
Fallback options:
Action: block
Notification: No Log
Inspection-profile: ldom_profile
Applications: HTTP
Verdict-threshold: 3
Action: block
Notification: Log
Or use the following:
User1@SRX:LSYS1> show services advanced-anti-malware policy
Advanced-anti-malware configuration:
Policy Name: LP1
Default-notification : Log
Whitelist-notification: Log
Blacklist-notification: Log
Fallback options:
Action: block
Notification: No Log
Inspection-profile: ldom_profile
Applications: HTTP
Verdict-threshold: 3
Action: block
Notification: Log
Security Profile CLI
Administrators can configure a single security profile to assign resources to a specific tenant system, use the same security profile for more than one tenant system, or use a mix of both methods. You can configure up to 32 security profiles on an SRX Series Firewall running logical systems.
Security profiles allow you to dedicate various amounts of a resource to the tenant systems and allow them to compete for use of the free resources. They also protect against one logical system exhausting a resource that is required at the same time by other tenant systems.
The following commands are added to the security-profile CLI.
-
aamw-policy
For example:
set system security-profile <name> aamw-policy maximum 32 -
secintel-policy
For example:
set system security-profile <name> secintel-policy maximum 32
Use the following command to view the security profiles:
show system security-profile all-resource
Refer to the Junos documentation for more information on the set
system security-profile command for logical systems.