Example: Configure Flow-Based Antivirus Policy and Machine Learning-Based Threat Detection
Overview
AI-Predictive Threat Prevention combines a flow-based antivirus policy with machine learning-based zero-day threat detection. In this example, you learn how to configure both on your SRX Series Firewall using the CLI. It assumes you already know how to configure security zones and security policies. See Example: Creating Security Zones.
Starting in Junos OS Release 24.2R1, you can configure and use machine learning-based threat detection for zero-day threats at line rate. The detection scans files inline on the firewall and blocks infected files before the download completes. Scanning does not require internet access, and only a small portion of the file data is needed for the detector to return a verdict. Machine learning-based threat detection becomes available on the firewall when the latest antivirus signature pack is downloaded automatically from the Juniper Networks content delivery network (CDN) server.
The IMAPS, SMTPS, HTTPS, and SMB protocols are supported for machine learning-based zero-day threat detection.
Requirements
Before you begin
-
Verify that you have a Juniper antivirus license. For more information about how to verify licenses on your device, see Understanding Licenses for SRX Series Devices. Sample license information looks like this:
License identifier: JUNOSXXXXXXXX
License version: 4
Valid for device: XXXXXXXXXXXX
Features:
  Juniper AV - Juniper Anti-virus Scan Engine
    date-based, 2022-10-23 17:00:00 PDT - 2022-11-23 16:00:00 PST
-
The Juniper content delivery network (CDN) server, https://signatures.juniper.net, must be reachable from the SRX Series Firewall.
-
SRX Series Firewall with Junos OS Release 24.2R1 or later.
Topology
![Flow-based antivirus and machine learning-based threat detection](../../images/jn-000478.png)
Consider a typical enterprise network. An end user unknowingly visits a compromised website and downloads malicious content, compromising the endpoint. The harmful content on that endpoint then becomes a threat to the other hosts in the network, so the download itself is what must be prevented.
You can use an SRX Series Firewall with flow-based antivirus and machine learning-based threat detection to protect users from virus attacks and to prevent viruses from spreading inside your network. The flow-based antivirus scans network traffic for viruses, trojans, rootkits, and other malicious code and blocks the content as soon as it is detected.
This example creates a flow-based antivirus policy that has the following properties:
-
Policy name is av-policy
-
Block any file if its returned verdict is greater than or equal to 7 and create a log entry.
-
When there is an error condition, allow files to be downloaded and create a log entry.
Configuration
Step-by-step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
-
Create the antivirus policy. It blocks any file whose returned verdict is 7 or higher, logs every action, logs fallback (error) events, shows a notification message to HTTP clients, and has the machine learning scan block as well.
[edit]
set services anti-virus policy av-policy action block
set services anti-virus policy av-policy default-notification log
set services anti-virus policy av-policy fallback-options notification log
set services anti-virus policy av-policy http-client-notify message "test message for anti-virus flow"
set services anti-virus policy av-policy notification log
set services anti-virus policy av-policy verdict-threshold 7
set services anti-virus policy av-policy machine-learning-scan action block
set services anti-virus policy av-policy machine-learning-scan notification log
-
By default, your firewall downloads the signatures from the CDN server every five minutes.
You can specify the URL of the signature database server explicitly:
[edit]
set services anti-virus update url https://signatures.juniper.net
-
Configure the firewall policy and apply the antivirus policy to the permitted traffic. The policy matches sessions by their initiating direction (trust to untrust); files returned to the client within those sessions are scanned.
[edit]
set security policies from-zone trust to-zone untrust policy av-policy match source-address any
set security policies from-zone trust to-zone untrust policy av-policy match destination-address any
set security policies from-zone trust to-zone untrust policy av-policy match application any
set security policies from-zone trust to-zone untrust policy av-policy then permit application-services anti-virus-policy av-policy
-
Commit the configuration.
commit
These are the possible completions for the machine-learning-scan statement, first at the policy level and then at the services anti-virus level:
[edit]
user@host# set services anti-virus policy av-policy machine-learning-scan ?
Possible completions:
  action               Action when malware is found by machine learning scan
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> default-notification Notification action taken for action
> notification         Notification when malware is found by machine learning scan
[edit]
user@host# set services anti-virus machine-learning-scan ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  max-concurrent       Max files concurrent scanned by machine learning scan (10..1000)
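As an added check (Python; not part of the Juniper documentation and not Junos code), the following lints a configuration in `display set` form for the mistakes this procedure is most likely to hit: a machine-learning-scan action that does not match the flow-based action, a missing verdict-threshold or fallback-options notification, and a firewall policy that names an anti-virus policy which was never defined. The first set of commands is copied from this example; the weakened variant is constructed for illustration, and the checks encode the intent stated in this example rather than any rule enforced by Junos itself.

```python
"""Lint Junos 'set ...' configuration lines for the flow-based antivirus
policy described above.  Added example, not Junos code.  Only the
'set <path...> [value]' form is handled; quoted message strings are fine."""

import shlex
from typing import Dict, List

# Copied from the example above, in 'display set' form.
GOOD_CONFIG = """
set services anti-virus policy av-policy action block
set services anti-virus policy av-policy default-notification log
set services anti-virus policy av-policy fallback-options notification log
set services anti-virus policy av-policy http-client-notify message "test message for anti-virus flow"
set services anti-virus policy av-policy notification log
set services anti-virus policy av-policy verdict-threshold 7
set services anti-virus policy av-policy machine-learning-scan action block
set services anti-virus policy av-policy machine-learning-scan notification log
set services anti-virus update url https://signatures.juniper.net
set security policies from-zone trust to-zone untrust policy av-policy match source-address any
set security policies from-zone trust to-zone untrust policy av-policy match destination-address any
set security policies from-zone trust to-zone untrust policy av-policy match application any
set security policies from-zone trust to-zone untrust policy av-policy then permit application-services anti-virus-policy av-policy
"""

# Constructed weakened variant: machine learning verdicts are only logged and
# permitted, scan errors are not logged, and the firewall policy names an
# anti-virus policy that does not exist (a typo), so nothing is scanned.
WEAK_CONFIG = """
set services anti-virus policy av-policy action block
set services anti-virus policy av-policy verdict-threshold 7
set services anti-virus policy av-policy machine-learning-scan action permit
set services anti-virus policy av-policy machine-learning-scan notification log
set security policies from-zone trust to-zone untrust policy av-policy match source-address any
set security policies from-zone trust to-zone untrust policy av-policy then permit application-services anti-virus-policy av-polcy
"""

Tree = Dict[str, dict]


def parse_set_commands(text: str) -> Tree:
    """Turn 'set a b c' lines into nested dicts: tree['a']['b']['c'] == {}."""
    tree: Tree = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue
        node = tree
        for token in shlex.split(line)[1:]:
            node = node.setdefault(token, {})
    return tree


def subtree(tree: Tree, *path: str) -> Tree:
    """Return the node at path, or an empty dict if any step is missing."""
    node = tree
    for key in path:
        node = node.get(key)
        if node is None:
            return {}
    return node


def lint_antivirus_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the config is consistent."""
    tree = parse_set_commands(text)
    findings: List[str] = []
    av_policies = subtree(tree, "services", "anti-virus", "policy")
    for name, pol in av_policies.items():
        flow_action = set(subtree(pol, "action"))
        ml_action = set(subtree(pol, "machine-learning-scan", "action"))
        if ml_action and ml_action != flow_action:
            findings.append(f"{name}: machine-learning-scan action {'/'.join(sorted(ml_action))} "
                            f"differs from flow action {'/'.join(sorted(flow_action)) or 'unset'}")
        if "verdict-threshold" not in pol:
            findings.append(f"{name}: no explicit verdict-threshold configured")
        if not subtree(pol, "fallback-options", "notification"):
            findings.append(f"{name}: no fallback-options notification; files passed "
                            "because of a scan error will not be logged")
    # Every firewall policy that invokes an anti-virus policy must name one that exists.
    for from_zone, fz in subtree(tree, "security", "policies", "from-zone").items():
        for to_zone, tz in subtree(fz, "to-zone").items():
            for pname, fw in subtree(tz, "policy").items():
                refs = subtree(fw, "then", "permit", "application-services", "anti-virus-policy")
                for ref in refs:
                    if ref not in av_policies:
                        findings.append(f"{from_zone}->{to_zone} policy {pname}: "
                                        f"references unknown anti-virus policy {ref}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, lint_antivirus_config(cfg) or "OK")
```

Run it before committing a change, with the output of `show configuration | display set` saved to a file and read into `lint_antivirus_config`; a non-empty result is a reason to recheck the policy before the commit.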
Results
From configuration mode, confirm your configuration by entering the show services anti-virus policy av-policy and show configuration | display set commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
Check the results of the configuration:
user@host# show services anti-virus
update {
    url https://signatures.juniper.net/phase;
    automatic {
        interval 5;
    }
}
policy av-policy {
    action block;
    default-notification {
        log;
    }
    fallback-options {
        notification {
            log;
        }
    }
    http-client-notify {
        message "test message for anti-virus flow";
    }
    notification {
        log;
    }
    verdict-threshold 7;
    machine-learning-scan {
        action block;
        notification {
            log;
        }
    }
    traceoptions {
        file av.log;
        level all;
        flag all;
    }
}
Verification
To verify the configuration is working properly, use the following steps:
Obtaining Information About the Current Antivirus Statistics
Purpose
After some traffic has passed through your SRX Series Firewall, check the statistics to see how many sessions were permitted, blocked, and so on according to your profile and policy settings.
Action
From operational mode, enter the show services anti-virus statistics command.
Sample Output
show services anti-virus statistics
user@host> show services anti-virus statistics
Anti-virus scan statistics:
  Virus DB type: anti-virus
  Total signatures: 11
  Anti-virus DB version: 1654594666
  Anti-virus DB update time: 2022-08-25 13:03:58 PDT
                    Total    HTTP   HTTPS    SMTP   SMTPS    IMAP   IMAPS     SMB
  File scanned:    419382   81947  177549   16067   31591   15994   31925   64309
  Virus found:     290713    1613  161485   15940   31591   15994   31925   32165
  Virus blocked:   290713    1613  161485   15940   31591   15994   31925   32165
  Virus permitted:      0       0       0       0       0       0       0       0
From operational mode, enter the show services anti-virus machine-learning-scan-statistics command.
Sample Output
show services anti-virus machine-learning-scan-statistics
user@host> show services anti-virus machine-learning-scan-statistics
Anti-virus machine learning scan statistics:
  Machine learning scan engine version: 1696526121
  Machine learning scan engine update time: 2023-10-05 22:48:50 UTC
                    Total    HTTP   HTTPS    SMTP   SMTPS    IMAP   IMAPS     SMB
  File scanned:    359382   68947  154549   14367   24591   12494   20025   52309
  Virus found:     187713    1417  146795   13840   24591   12494   20025   25165
  Virus blocked:   187713    1417  146795   13840   24591   12494   20025   25165
  Virus permitted:      0       0       0       0       0       0       0       0
Meaning
In both tables the Virus found and Virus blocked counters match and Virus permitted is zero on every protocol, so every infected file was identified and blocked. A non-zero Virus permitted count means files passed through the fallback path, for example after a scan error, and should be investigated.
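Checking these counters by eye does not scale, so as an added example (Python; not Junos code and not part of the Juniper documentation) the following parses the output of both statistics commands, which share the same table layout, and produces alert findings for the two conditions an operator most wants to know about: a signature or engine database that has not been refreshed from the CDN, and any protocol on which infected files were permitted rather than blocked. The sample output is constructed from the flow-based table above with the SMB counters edited so that 12 infected files were permitted; the 24-hour staleness limit and the zero-permitted threshold are assumptions chosen for illustration.

```python
"""Parse 'show services anti-virus statistics' and
'show services anti-virus machine-learning-scan-statistics' output and
turn the counters into alert findings.  Added example, not Junos code."""

from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample based on the flow-based table on the page, with the SMB
# counters edited so that 12 infected files were permitted instead of blocked.
SAMPLE = """\
Anti-virus scan statistics:
  Virus DB type: anti-virus
  Total signatures: 11
  Anti-virus DB version: 1654594666
  Anti-virus DB update time: 2022-08-25 13:03:58 PDT
                    Total    HTTP   HTTPS    SMTP   SMTPS    IMAP   IMAPS     SMB
  File scanned:    419382   81947  177549   16067   31591   15994   31925   64309
  Virus found:     290713    1613  161485   15940   31591   15994   31925   32165
  Virus blocked:   290701    1613  161485   15940   31591   15994   31925   32153
  Virus permitted:     12       0       0       0       0       0       0      12
"""

Counters = Dict[str, Dict[str, int]]


def parse_av_statistics(text: str) -> Tuple[Dict[str, str], Counters]:
    """Split the output into header fields ('key: value') and counter rows,
    e.g. table['File scanned'] == {'Total': 419382, 'HTTP': 81947, ...}."""
    meta: Dict[str, str] = {}
    table: Counters = {}
    columns: List[str] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if ":" not in line:
            if parts[0] == "Total":      # the column header row of the table
                columns = parts
            continue
        key, _, rest = line.partition(":")
        values = rest.split()
        if columns and len(values) == len(columns) and all(v.isdigit() for v in values):
            table[key.strip()] = dict(zip(columns, map(int, values)))
        else:
            meta[key.strip()] = rest.strip()
    return meta, table


def _parse_time(value: str) -> datetime:
    # Junos prints a zone abbreviation (PDT, UTC). strptime's %Z only accepts the
    # local zone, so only the date and time fields are parsed and compared naively;
    # pass 'now' in the same zone as the device clock.
    return datetime.strptime(" ".join(value.split()[:2]), "%Y-%m-%d %H:%M:%S")


def check_av_statistics(text: str, now: str, max_db_age_hours: int = 24,
                        max_permitted: int = 0) -> List[str]:
    """Return alert strings.  'now' is 'YYYY-MM-DD HH:MM:SS' in the device's zone.
    A stale database means the five-minute CDN refresh is not succeeding; a
    non-zero permitted count is what the fallback path produces on scan errors."""
    meta, table = parse_av_statistics(text)
    findings: List[str] = []
    for key, value in meta.items():
        if key.endswith("update time"):
            age = _parse_time(now) - _parse_time(value)
            if age > timedelta(hours=max_db_age_hours):
                findings.append(f"{key} is {age.total_seconds() / 3600:.1f} hours old "
                                f"({value}); check reachability of the signature CDN")
    for proto, count in table.get("Virus permitted", {}).items():
        if proto != "Total" and count > max_permitted:
            findings.append(f"{proto}: {count} infected files permitted; review the "
                            "antivirus log for fallback (scan error) events")
    return findings


if __name__ == "__main__":
    for finding in check_av_statistics(SAMPLE, "2022-08-27 09:00:00"):
        print(finding)
```

In production, feed it the text captured from the device (for example over NETCONF or a scheduled `show ... | no-more` over SSH) and the device's current time, and page on any finding; the machine-learning table is handled by the same functions because its update-time header also ends in "update time".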