Configuring Distributed Defense

1. Navigate to the Config > Notifications page and select Alert Settings from the left panel menu.

2. Click Create New Notification to set up a new Events or System Audit or System Health alert.

3. Select from the available options (see descriptions further below) and click Add to complete the configuration and add the new alert configuration to the Current Notifications list.

1. To display, delete or edit an existing alert notification configuration, click Display, Delete or Edit in the Current Notification table for a selected alert.

2. Edit, modify or delete the current settings and fields as desired, then click Save.

• A sample of an Alert report Display is provided below:

Descriptions of Events, System Audit and System Health alert settings are provided in the following tables..

• To Test Email Notification Settings, refer to

Configure SIEM Settings in order to have Events or System Audit notifications sent to designated hosts as logs in either CEF, LEEF or Syslog format.

Figure 2: Setting SIEM Notification

Note that if selecting Syslog as the SIEM setting when configuring System Health alerts, you can choose to include the Hostname or Process name in the Syslog messages that are sent from the Juniper ATP Appliance: Show Hostname and Show Process Name:

1. Navigate to the Config>Notifications page and select SIEM Settings from the left panel menu.

2. Click Add New SIEM Connector to set up a new Events, System Audit or System Health log notification in CEF or Syslog format.

3. Select from the available options (see descriptions further below) and click Add to complete the configuration and add the new SIEM connector configuration to the Active SIEMS list.

Given an incident_id or event_id, you can use the following URLs to display relative details in the Juniper ATP Appliance Web UI.

Replace “JUNIPERATPAPPLIANCE_HOSTNAME_HERE” with your Juniper ATP Appliance host name, and replace “0000000” with the event_id or incident_id.

• https://JATPAPPLIANCE_HOSTNAME_HERE/admin/index.html?incident_id=0000000

• https://JATPAPPLIANCE_HOSTNAME_HERE/admin/index.html?event_id=0000000

1. To display a recent report, or delete or edit an existing SIEM configuration, click Display, Delete or Edit, respectively, in the Active SIEM table for a selected configuration row.

2. Edit, modify or delete the current settings and fields as desired, then click Save.

Alert notifications for SIEM events or system audits are available only if Outgoing Mail Settings are configured from the Config>System Settings menu.

Descriptions of Events alert settings are provided in the following tables.

Use the Password Reset configuration window to reset the administrator password used to access the Juniper ATP Appliance Central Manager Web UI.

Figure 3: Password Reset Configuration

To reset the Central Manager password:

1. Navigate to the Config>System Profiles>Password Reset page.

2. Enter the current password in the Old Password field.

3. Enter a new password in the New Password field, and re-enter that password in the Repeat Password field.

4. Click Submit

To recover the administrator password, you must have physical access to the appliance. The password recovery command cannot be executed remotely. A user named “recovery” can login without a password and enter a limited amount of commands.

To recover the administrator password, do the following:

1. When prompted to login, enter the user name recovery directly on the appliance.

2. Enter the reset-admin-password to reset the password.

   The only other commands available to the recovery user are: exit, help, and history.

Under Reports in the Web UI, in addition to viewing UI users in the audit logs, you can now also see Admin and Recovery-admin CLI users in audit logs.

Juniper ATP Appliance provides the option for an enterprise to restrict Juniper ATP Appliance product users to roles and privileges specific to the data they need to perform their jobs. In addition, remote authentication as well as RADIUS / SAML configurations support Juniper ATP Appliance’s role based access control (RBAC) options.

With roles configuration, all new users in a system must be associated with a role, and access to various functions in a Juniper ATP Appliance product are controlled by defined user privileges. Although several default roles are available, more roles can be created as required. Existing users are migrated automatically to the new RBAC system.

Following role configuration, when a user successfully logs in to a Juniper ATP Appliance product, user access to features is controlled according to the mapped privileges assigned to that user (via the role associated with the user during user configuration).

To configure new roles for an established user:

1. Navigate to the Config>System Profiles>Roles page.

   Note:

   Navigate to the Config>System Profiles>Users page to create a new user before defining that user’s access roles.

   Figure 4: Roles Page for Configuring User Role-Based Access Controls

2. Click Add New Roles to define a new role.

3. In the Add New Roles window, enter a “Role” name.

   Note:

   Two default roles are available: Default Admin Role and Default Non-Admin Role

4. Enter a Remote Group Name (optional).

   Note:

   Remote Group Name is specific to the name defined for remote authentication via your SAML or RADIUS configuration.

5. Click “Yes” or “No” to assign Administrator status to the new role.

   Note:

   If Administrator status is “No”, the Privileges options are displayed; an administrator is assigned all privileges by default so this list is not displayed when Administrator status is set to “Yes.”

6. If Administrator status is “No”, click to select the set of Privileges to be assigned to the new role.

7. Click Add to complete the role configuration. The new role is added to the Current Roles Configured table.

   Note:

   Navigate to to add the configured role to a user account.

8. Click the Delete button to remove a role configuration from the Current Roles Configured table.

   Note:

   You cannot delete a role to which users are actively mapped.

9. Click the Edit button to modify the configuration.

The following default roles are available for local and remotely authenticated Juniper ATP Appliance users:

Juniper ATP Appliance’s Remote Authentication features support role-based access controls (RBAC).

• To enable SAML configuration for remote authentication, refer to . The Remote Group Name must be mapped to a valid Role you’ve configured for the Juniper ATP Appliance system.

• To configure RADIUS for remote authentication and RBAC, refer to .

  Note:

  Only one type of remote authentication (SAML or RADIUS) can be used at a time on a Juniper ATP Appliance. Remember also that rhe Remote Group Name must be mapped to valid roles you’ve configured for the Juniper ATP Appliance. Remote Group Name is specific to the name defined for remote authentication via your SAML or RADIUS configuration.

• See also Configuring Active Directory.

To create user accounts for Juniper ATP Appliance access, open the Config>Users page. The role assigned to each account determines whether the user can administer the appliance or simply perform debugging tasks.

The following default roles are defined:

• Default Administrator—Allows full access to all monitoring and administrative functions. The predefined Admin account has this role.

• Debugging—Allows access only to debugging functions. Users with the Debugging role cannot view or access the CLI or the Config options. A user with the Debugging role is included in the system, but is disabled by default.

• Default Non-Administrator—Allows a set of selectable privileges defined by the Config>System Profiles>Roles settings page for user access to all or some of the following:

  • Access to Juniper ATP Appliance’s Web UI Dashboard and Incidents

  • Access to malware analysis File Uploads

  • Access to Mitigation options

Use the Juniper ATP Appliance Users configuration window to add, identify, edit, re-configure and/or view settings and status for Juniper ATP Appliance and software administrators and users.

To add user accounts:

1. Click Users under the Config>System Profiles me nu to open the Users page.

   Figure 6: Configuring New User Accounts and Assigning Configured or Default Roles

2. Click the Add New User button to configure a new user.

To configure a new Juniper ATP Appliance user, enter settings in the fields [described below] and click Add New User to apply or Cancel to terminate the configuration.

Click the Delete button to remove a user configuration.

User accounts are modified by clicking on an existing account on the Config>System Profiles>Users page list. Each username in the Users pager table is a link to that user account’s details. When you click on a username link, the Update User window displays.

On the Update Users page, you can edit a user’s name, password and role, and also create or re-create an API Key (API Authorization Key) for that user.

Generate a new API key to provide authorized programmatic access to the Juniper ATP Appliance REST API. The configured Authorization Key for that user is then applied each time an API request is made by that user.

To edit user settings and generate an API Key for a given user, use this two-step procedure.

1. On the Config>System Profiles>Users page, click on an existing user account.

2. If using SAML or RADIUS authentication for this user, click to check Authenticate using [SAML ID] [RADIUS], if configured.

   When this option is checked, there is no need to define passwords in this dialog. User authentication will take place via the “Authenticate using <IdP Name>” option on the Login screen. Refer to Configuring SAML Settings or Configuring RADIUS Server Settings for information about configuring remote authentication and RBAC.

3. In the Update User window, make any needed modifications to the user role or password, and click to check the “Generate New API Key” option. A new API Key will be displayed the next time you open this Update User window.

   [To disable a user’s API Key, click the Disable API Key option.]

4. Click the Update User button.

5. Open the User Update window one more time to view and copy the new API Key.

6. Access the Juniper ATP Appliance API, and as part of each API call, enter the Authorization Key, as shown in the example below.

Example

Be sure to review the Juniper ATP Appliance HTTP API Guide for more information.

Juniper ATP Appliance supports Security Assertion Markup Language (SAML) authentication for web browser single sign-on (SSO) operations in environments where users are allowed to log in with a username and password.

More information about SAML can be found at https://en.wikipedia.org/wiki/SAML_2.0.

As part of SAML authentication, before delivering an identity assertion to a Service Provider (SP), an SSO Identity Provider (IdP) requests information from a user (principal) – such as a user name and password – in order to authenticate that principal, SAML configuration specifies the assertions between the interacting parties: the message that asserts identity is then passed from the IdP to the SP.

In SAML, one identity provider may provide SAML assertions to many service providers. Similarly, one SP may rely on and trust assertions from many independent SSO identity providers (IdPs). LDAP, RADIUS, or Active Directory allow users to log in with a user name and password; they act as typical sources of authentication tokens for an identity provider.

To configure SAML settings at the Juniper ATP Appliance Central Manager Web UI, enter setting information for the SP and IdP:

1. Navigate to the Config>System Profiles>SAML Settings page.

   

2. For SP settings, enter definitions per field, or click the link to Download SP Metadata.

   SP Entity ID	An entity ID is a globally unique name for a SAML entity; the name of the appliance entity id as registered with the IdP. Typically, an SP entity ID is an absolute URL but as a name, not a location (it need not resolve to an actual Web location). Note: the host part of the URL must be a name rooted in the organization's Primary DNS Domain, and the URL must not contain a port number, a query string, or a fragment identifier. Example: "https://sp_name.JATPappliance.net/sp">
   Download Metadata File	Link from which to download the SP’s XML (Juniper ATP Appliance) that will be uploaded to the IdP.
   Username Attribute	The attribute in the SAML Assertion that contains the Juniper ATP Appliance username. By default, Juniper ATP Appliance uses the NameID field of the SAML response if this field is left undefined.
   Group Attribute	The attribute in the SAML Assertion that contains the group name.
   Admin User Group	The group (as specified by the attribute) that receives admin privileges. Example: jatp_admin
   Sign Authentication Requests	Check if you want Juniper ATP Appliance to sign SAML authentication requests.
   Want IdP to sign messages	Check if you want the IdP to sign messages.

3. Next, define the IdP settings:

   IdP Entity ID	A globally unique name for the IdP (same general naming criteria as SP entity ID) Example: “https://webauthentication.JATP.net/idp”
   Login URL	The SSO URL (this field is required to allow the SP to initiate SSO). Example: “https://app.onelogin.com/trust/saml2/http-post/ sso/local_login/440761”
   IdP Cert	The IdP certificate details. See example in screen shot above.

   Note:

   When SAML-authenticated users log out of the Juniper ATP Appliance using the “log out” link, they are signing out of the Juniper ATP Appliance but not the IdP.

There are three types of Juniper ATP Appliance users and authentication methods:

After the SAML SP and IdP details are configured from the Config>System Profiles>SAML Settings page, users for which SAML authentication is checkmarked (from the Config>System Profiles>Users page) are automatically redirected to the IdP’s login page when they try to access the Juniper ATP Appliance. To perform a local login, ensure the parameter “local_login” is present in the IdP URL; for example: https://10.2.20.100/admin/ ?local_login

Some enterprises configure SML using PingFederate (PF) servers for AD authentication. In addition to Juniper ATP Appliance’s enhanced RBAC for allowing deterministic access to Juniper ATP Appliance devices, administrators can configure precedence-based authorization to control access behavior. A few additional settings, in addition to the SAML configuration provided in the previous section, must be configured for initial deployment.

1. Administrators must add authorization control for non-admin role users in the Juniper ATP Appliance Central manager Config>System Profiles>Users>Add New User window. This control involves using the group name for the SAML assertion (which removes any precedence-specific issues).

   When Authorize using is enabled, Juniper ATP Appliance will use the remote group from the Role configured. If the Role is not set for a Radius or SAML response, the authorization will fail.

   If Authorize using is disabled (unchecked), the Role selected is applied.

2. Navigate to the Central Manager Config>System Profiles>SAML Settings>SP Settings window to allow authorization only for locally configured users; check “Authorize only locally configured users.”

   When “Authorize only locally configured users” is selected, authorization is allowed only if the local user is present.

   When “Authorize only locally configured users” is selected and the user is present, the authorization checkbox in the user account window is used for authorizing privileges.

   Note:

   The default value for “Authorize only locally configured users” is unchecked (or disabled) in SP settings. The default value of “Authorize using SAML/Radius” is True (checked).

Options for “Authorize only locally configured users”

• For Simple Local User (Radius and SAML not configured), “Authorize only locally configured users” is not relevant. Access to the Juniper ATP Appliance device is granted per matching Role Name. If a “remote group” in the Role is configured, it is ignored.

• For a user that is present in Juniper ATP Appliance configured with Authentication to SAML or Radius ON, the “Authorize only locally configured users” option in SAML SP Settings should be set.

• For remote authentication and authorization when “Authorize only locally configured users” is unselected, type 3 users are allowed. A temporary user is created based on the successful authentication of the type-3 user if the SAML group assertion matches with the remote group settings in one of the Roles configured.

• Navigate to the Config>System Profiles>SAML Settings>RADIUS Server Settings window and select “Authorize only locally configured users” for these configured users.

With RADIUS configurations, authentication and authorization are coupled. If the Active Directory username is found and the password is correct, the RADIUS server returns an Access-Accept response, including a list of attribute-value pairs that describe the parameters to be used for the session. Since the Group Name specified by AD is not included as part of the Access-Accept response attributes, Juniper ATP Appliance uses the Filter-Id attribute by default, but the choice of attribute is configurable. This attribute must be configured on the RADIUS server with its string value as Group Name for users configured on the Active Directory. For example, RADIUS could be configured to send the same Filter-Id value string (preferably matching the group name from AD) for multiple users.

For local users authenticated through RADIUS, the authenticated user's AD group name will be checked against the user role for applying privileges. Such users can use a set of allowed Juniper ATP Appliance features (as configured on the Juniper ATP Appliance Central Manager Web UI Config>System Profiles>Roles page).

For users not configured on a Juniper ATP Appliance but authenticated through RADIUS, Juniper ATP Appliance accommodates hidden user specifications similar to SAML configurations (Type 3 user). This user will not have access to admin-level features on a Juniper ATP Appliance product. User role is determined decided based on Group Name received via the Filter-Id value.

For example, if you configure the Filter-Id on the RADIUS server as TestGroup1for a Juniper ATP Appliance Admin Role, and Filter-Id as TestGroup2for a Juniper ATP Appliance Non-Admin Role, then the Remote Group Name for the Admin Role on the Juniper ATP Appliance side is AccessGroup1, and the Group Name for the Non-Admin Role on the Juniper ATP Appliance side is AccessGroup2. Refer also to , and for more information about RBAC.

A sample Windows Server 2012 Network Policy Server integration configuration example is provided below.

Next, configure the Filter-Id and be sure to enable PAP and MS-CHAP authentication methods.

Configure a secondary RADIUS server, as required. A Secondary Server configuration for failover purposes is optional.

For the Juniper ATP Appliance configuration, set the following:

• Hostname/IP:port

• RADIUS secret

• User group attribute

• Time-out value

  Note:

  Refer to the Juniper ATP Appliance HTTP API Guide for information about configuring the Juniper ATP Appliance-side RADIUS settings using the “set_radius_config” API.

Use the following procedure to configure RADIUS server settings from the Juniper ATP Appliance Central Manager Web UI.

1. Navigate to the Central Manager Config>System Profiles> RADIUS Settings page:

   Figure 7: Juniper ATP Appliance Central Manager RADIUS Server Settings Page

2. To enable RADIUS authentication, click the checkbox Enable RADIUS Authentication. Remove the checkbox to disable a RADIUS configuration.

3. Select the RADIUS Authentication Method configured for the server from the dropdown: PAP or MS-CHAP; the default method is PAP.

4. Enter the User Group Attribute; Filter-Id is the default unless a different attribute was configured on the server side. (See for information about mapping the Filter-Id to the Group Name.)

   Note:

   The User Group Attribute is mapped to the Remote Group Name configured on the Juniper ATP Appliance-side for RBAC using the Juniper ATP Appliance Config>System Profiles>Roles page. The Remote Group Name is case sensitive.

5. Enter the Wait Timeout; the default is 3 seconds. Timeout can be configured for 1-30 seconds.

   Note:

   Three login attempts by AD/RADIUS users are allowed by default; the timeout between attempts is configurable, as indicated in the step above. If the timeout value is configured to a high value of 30 seconds, and if the RADIUS server is not reachable, the user’s browser may display a timeout message while waiting for a response from the Juniper ATP Appliance.

6. Enter the Primary Server Settings:

   • Enter the Hostname or IP Address of the primary RADIUS server in the RADIUS Server Host field.

   • Enter the RADIUS Port; 1812 is the default. This is the UDP port used to send the RADIUS access request.

   • Enter the RADIUS Secret as configured on the server side.

7. (Optional) Enter the configured Secondary Server Settings:

   • Enter the Hostname or IP Address of the secondary RADIUS server in the RADIUS Server Host field.

   • Enter the RADIUS Port; 1812 is the default. Again, this is the UDP port used to send the RADIUS access request.

   • Enter the RADIUS Secret as configured on the server side.

   • When RADIUS login is configured, the behavior of local login is unchanged although a separate URL is used to perform the local login:

     https://<JATPDeviceIP>/admin/?local_login

To configure system settings:

1. Navigate to the Config>System Profiles>System Settings page.

2. In the System Settings area at the top of the page, enter the settings in the fields provided (each options is described below), then click Submit to save the configuration settings.

Juniper ATP Appliance’s Infection Verification Pack (IVP) verifies whether malware that was downloaded to any endpoint in the enterprise has been executed at that given endpoint. For each download that Juniper ATP Appliance detects, an IVP can be created that searches for Indicators of Compromise (IOCs) on the endpoint device. By verifying infection at the endpoints, remediation teams are able to focus their efforts on specific machines identified and verified as compromised machines, saving time and money on desktop mitigation.

Administrators configure IVP settings from the Juniper ATP Appliance Central Manager Web UI Config>System Settings>System Settings page, as described on the previous page in this guide. Setting options include:

• Self-Extracting Zip File

  An IVP Self-Extracting zip file is an executable format that includes two files: the IVP program itself and an input file containing the detected indicators of compromise packaged into a single .exe file.

• MSI

  An IVP MSI is a Windows Installer package file format.

When an IVP Self-Extracting Zip .exe file is executed, a command window displays information about whether the malware was installed, and prompts if and where a log file is to be saved locally. Results of the IVP are also sent to the Juniper ATP Appliance Central Manager.

MSI File IVP Process

To use IVP in MSI mode, the administrator must first download and install Juniper ATP Appliance-ivp-setup.msi on the endpoint. The Juniper ATP Appliance-ivp-setup.msi file is downloaded by the administrator from the Juniper ATP Appliance Central Manager using the Download MSI hyperlink next to the IVP format selection buttons in Config>System Setting>System Settings. After installing the Juniper ATP Appliance-ivp-setup.msi, the IVP program is installed under “C:\Program Files\JATP\IVP\JATP-ivp.exe” on the target end system. When IVP mode is set to MSI in the Juniper ATP Appliance Central Manager, a text file with the IOCs are downloaded when an IVP is generated.

The format of the file is *.ivp. When JATP-ivp-setup.msi is properly installed, executing the .ivp file launches the juniprtatp-ivp.exe and the search begins for the IOCs that were detected during malware analysis and delineated in the downloaded .ivp file now executing on the end system. By default, a command prompt displays the results, verifying whether or not an infection has taken place at the endpoint. The user must press any key to exit the command prompt window. Log files in MSI mode are stored in “C:\Program Files\JATP\IVP” and the Juniper ATP Appliance Central Manager is notified of the infection results.

...where <ivp-input.ivp> is the .ivp downloaded from the Juniper ATP Appliance Central Manager. The arguments for IVP are provided below:

Many customers still rely on proxies and gateways to provide rudimentary security for their endpoints. In such environments, the CM/Core management network must be able to function and communicate with external services similarly to an unproxied environment. This communication includes uploads and downloads for GSS, as well as software, security content and signature updates, and all other necessary communications. Configure Juniper ATP Appliance Cores deployed in HTTP and/or HTTPS proxy environments to function and communicate with Juniper ATP Appliance GSS and other Internet services.

Use the Proxy Settings area of the System Settings configuration window to define and configure proxy integration and detailed settings for the Juniper ATP Appliance deployment.

Refer to the Juniper ATP Appliance CLI Command Reference for more information.

1. Select a Proxy type: No Proxy or Manual Proxy.

   Proxy configuration provides integration with Juniper ATP Appliance’s detection of all links in the kill chain, including exploit, download and infection.

2. When you select Manual Proxy as your proxy type, the display area fields on the Proxy Settings page will change to accommodate configuration, as shown below:

   

3. Enter the Proxy FQDN / IP Address in the Proxy FQDN / IP Address field.

   Proxy settings for the management network must utilize embedded host name and URL -- the IP address will always reference the proxy server

4. Enter the Proxy Port number in the Proxy Port field.

5. Enter into the No Proxy for field all IP Addresses for which no proxy is required; separate each address with a comma.

6. Check to indicate whether authentication is required for this proxy by clicking Authentication Required checkbox.

7. Enter a Username and Username if authentication is required.

8. Click Submit.

   Note:

   Refer to the Juniper ATP Appliance CLI Command Reference for information about configuring proxies from the Juniper ATP Appliance CLI server mode. See Setting proxy IP addresses.

Local servers situated inside the proxy must be added to the No Proxy rules. The No Proxy rules ensure that outgoing connections targeted for specified network addresses included in the No Proxy rules do not go through the proxy.

The configuration will include the proxy settings for the CM/Core appliance or All-in-one appliances only. The proxy settings for the connected Collectors and Secondary Core(s) will be displayed in the Juniper ATP Appliance Central Manager Web UI Config pages for Web Collectors and Secondary Cores.

Auto-mitigation enables users to configure whether they want Juniper ATP Appliance’s mitigation intelligence pushed automatically to the enterprise’s integrated security infrastructure without user interaction, or manually push a specified mitigation rule to integrated devices.

When auto-mitigation is enabled, the Juniper ATP Appliance administrator is not required to take any action to mitigate a newly discovered threat.

Figure 9: Auto-mitigation Settings page

To configure auto-mitigation:

1. Navigate to the Config>System Profiles> System Settings page in the Central Manager Web UI and scroll down to the Auto Mitigation Settings area as shown above.

2. Click to Enable Auto-Mitigation to enable auto-mitigation blocking to configured security devices. See also Configuring Firewall Auto-Mitigation.

   Note:

   When auto-mitigation is enabled, Juniper ATP Appliance’s Advanced Threat Analytics (ATA) is also enabled and ATA results can be viewed on the Mitigation tab as “Juniper ATP Appliance ATA” (as opposed to Local security content) under the Threat Source column of the Mitigation table (meaning the threat was detected locally rather than through the Juniper ATP Appliance GSS).

   When not enabled, automatic blocking is disabled and mitigating rule is not sent to integrated firewalls without the Juniper ATP Appliance administrator manually pushing the threat from the Mitigation tab.

3. Select a Mitigation Aggressiveness Level: Moderate or Aggressive.

   Aggressive means all threats reported in the Mitigation tab are automatically pushed. Moderate means only Max and High severity threats listed in the Mitigation tab are automatically pushed.

4. At Max IP Address Threats, enter the maximum number of IP Addresses to send to a firewall. If left unspecified, the Juniper ATP Appliance will not limit the number of threats pushed to devices.

   This number is threat confidence-based, not risk-based. Confidence state is determined by the rule complex state.

5. At Max IP URL Threats, enter the maximum number of URLs to send to a firewall. If left unspecified, an infinite number is allowed.

6. View threats and auto-blocking results from the Mitigation tab.

Use the Display Settings area of the System Settings configuration window to configure and/or revise Central Manager Web UI login and display settings.

Figure 10: Display Settings

To configure display settings:

1. Navigate to the Config>System Profiles page, select System Settings from the left panel menu, and scroll down to locate the Display Settings configuration area in the System Settings page.

2. Enter or select optional display settings [options are described below].

3. Click Submit to apply the configuration.

Use the Outgoing Mail Settings configuration window to configure and/or revise outgoing email notification settings for the Juniper ATP Appliance or software deployment.

To configure Outgoing Mail Settings:

1. Navigate to the Config>System Profiles page, select System Settings from the left panel menu, and scroll down to locate the Outgoing Mail Settings configuration area on the System Settings page.

2. Enter or select email settings [options are described below].then click Submit to apply the configuration.

   Table 11: Outgoing Mail Setting Options

   SMTP Host	Enter the IP of the enterprise mail host
   SMTP Port	Enter the SMTP port number [default is 587].
   Use SSL	Enabled by default; uncheck to disable use of SSL.
   SMTP Login	Enter an SMTP email login for the appliance or service.
   SMTP Password	Enter an SMTP password the login account.
   From Address	Enter a ""From"" field email address; the default is mailto:noreply@JATP.net.

At the bottom of the Config>System Profiles>System Settings page, in the Test Outgoing Mail Settings area, you can perform a test of the current outgoing mail configuration.

To test outgoing mail settings:

1. Navigate to the Config>System Profiles>System Settings page and scroll down to locate the Test Outgoing Mail Settings area.

2. Enter an email address (or series of email addresses, separated by commas) to which the test email will be sent by the Juniper ATP Appliance .

3. Click the Test button to test your email notification configuration. An email will be sent by the Juniper ATP Appliance to the email address(es) entered, based on the configuration settings.

   Note:

   This test verifies the ability to send email, not whether the email addresses are valid.

Users may create certificates using two available options:

• Create a new self-signed certificate

• Create a certificate signing request (CRS)

The first option - Create a new private key and self-signed certificate- creates a new private key, and then generates a new self-signed certificate, as is done today whenever the appliance hostname is changed.

The second option - Create a certificate signing request using an existing private key - prompts the user for the certificate details and uses those details with the current private key to generate a CSR, which the user can then download to be signed by a trusted certificate authority (CA).

Alternatively, it is possible to create a certificate signing request using a new private key - this option invalidates any outstanding CSRs because a new private key is created. This allows the user to change the private key if the previous private key was compromised. If the user chooses to proceed, the system then prompts the user for certificate details and uses those details, and the new private key, to generate a CSR, which the user can then download to be signed by a trusted CA.

To create a self-signed certificate:

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>System Profiles>Certificate Management page.

2. Click Create Self Signed Certificate.

   

3. In the Create Self Signed Certificate window, enter the details for each field prompt

   Note:

   Some fields are optional but used during certificate signing request creation if provided.

   Common Name (Server FQDN)	Fully qualified domain name of the Server.
   Organization (Optional)	Organization for which the certificate is to be created.
   Organization Unit (Optional)	Organization Unit or department, network, etc.
   Email Address (Optional)	Email address of the administrator creating the certificate.
   Locality (Optional)	Locality of the enterprise.
   State or Province (Optional)	State or province in which the Server using the certificate is located.
   Country Code (Optional)	Country in which the Server using the certificate is located.
   Key Length	Choose either 2048-bit keys or 4096-bit keys. Typically, 2048 bits are used for extremely valuable keys like root key pairs used by a certifying authority. Note that a longer key length is harder to brute force, but using a longer key length also requires more computational resources on the server and client.

4. After entering the self signed certificate details, click Create and the certificate will be created and applied to the running configuration.

To create a Certificate Signing Request CSR:

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>System Profiles>Certificate Management page.

2. Click Create CSR.

3. In the Create CSR window, enter the details for each field prompt:

   Note:

   By clicking the Create New Private Key option will invalidate any previously created CSR.

   Common Name (Server FQDN)	Fully qualified domain name of the Server.
   Organization (Optional)	Organization for which the certificate is to be created.
   Organization Unit (Optional)	Organization Unit or department, network, etc.
   Email Address (Optional)	Email address of the administrator creating the certificate.
   Locality (Optional)	Locality of the enterprise.
   State or Province (Optional)	State or province in which the Server using the certificate is located.
   Country Code (Optional)	Country in which the Server using the certificate is located.
   Create New Private Key	Click to create a new private key as part of the certificate signing request. Note that by clicking this option, previously created CSRs will be invalidated. Do not select this option if you prefer to use an existing private key.

4. Download the CSR file and send it to the trusted CA. The trusted CA will send the user a certificate file and CA bundle. Navigate to Config> System Profiles > Certificate Management and click Upload and Install Certificate to upload the certificate and CA bundle PEM files.

   The appliance validates and installs the certificates provided.

To install a user-provided certificate from a trusted Certificate Authority (CA), the following is to be provided by the administrator:

• Private key (optional) - uploaded

• Client certificate - uploaded

• CA bundle (optional) - uploaded

This information may be provided in one of two ways:

• Import the private key, client certificate, and CA bundle as separate PEM files. PEM encoding is a private key format that stores an RSA private key for use with cryptographic systems such as SSL.

• Import the data as a PKCS#12 bundle with an optional passphrase for decrypting the contents. PKCS#12 is a archive file format for storing multiple cryptography objects as a single file; it is used to bundle a private key with its X.509 certificate or to bundle all members of a chain of trust.

  Select the Certificate Format. Let’s start with PEM. Click PEM.

1. Click Choose File to upload a Private Key (this step is optional).

2. Click Choose File to upload a Certificate File.

3. Click Choose File to upload a CA Bundle File (this step is optional).

4. Click Upload and Install Certificate.

Alternatively, you can choose the PKCS#12 format.

1. Click to select PKCS#12 as your preferred Certificate Format.

   Enter a PKCS#12 Passphrase (this is an optional step).

   Note:

   The PKCS#12 passphrase should match the passphrase defined when the user created the PKCS#12 file. Otherwise, the file cannot be decrypted.

2. Or click Choose File to upload a PKCS#12 Bundle File.

3. Click Upload and Install Certificate. This action will replace existing SSL certificates.

Download a PKCS#12 bundle in order to backup a current certificate.

1. Navigate to Config>System Profiles >Certificate Management and scroll down to the Download Certificate area of the page.

2. Enter the certificate PKCS#12 Passphrase (optionally) and click Download Certificate to download and save the PKCS#12 bundle. The download will contain the server's private key. Although the PKCS#12 passphrase is optional when the user downloads the file, it is recommended to set the passphrase so that if the file is lost, the private key is not exposed.

   Note:

   To load certificates from backup, click the Upload & Install Certificate button from the Upload and Install Certificate area of the Config>System Profiles>Certificate Management page. Certificate”, and uploads the PKCS#12 bundle.

   Tip:

   An SSL certificate browser message may display after uploading an SSL certificate and applying an auto refresh of the page. The browser's certificate information states "Connection to the website is not fully secured because it contains unencrypted elements (such has images).....” This is not a Juniper ATP Appliance Web UI issue and the message represents standard cautionary browser behavior.

Note that the Web Collector page displays the status of the Collector and whether it is operational and online. Use this page to check Web Collector status and Proxy status.

To add a new Email Collector Server to the distributed defense system:

1. Navigate to the Config>System Profiles>Email Collectors page.

2. Click the Add New Email Collector button.

   Note:

   Advanced Juniper ATP Appliance-MTA Email Collector features require an enabled Juniper ATP Appliance Advanced license. Refer to Setting the Juniper ATP Appliance License Key for more information.

3. Enter required information and make configuration selections (descriptions are provided below), then click Save to apply new configuration settings.

   Table 14: Email Server Settings

   Capture Method	BCC, Juniper ATP Appliance MTA Receiver or Collect from Juniper ATP Appliance Cloud.
   Email Server	Enter the IP Address or hostname of the Email server from which the Juniper ATP Appliance Core Email Collector will receive journaled or BCC email traffic.
   Protocol	Select an email protocol: Auto | IMAP | POP3 | POP2
   SSL	Select either Enable or Disable.
   MTA Receiver IP	IP address of the Message Transfer Agent (MTA) Receiver Option: “Receive from my Email Servers Only” [Yes | No] If your response is ‘Yes’, provide the email gateways you are using: Gmail | Office365 | Local Email Gateway In each case, enter an additional On-Premise Email Gateway Subnet (Comma Separated); providing the subnet is optional for Gmail or Office 36.’ Note: If you are using both Cloud (i.e Office 365 or Gmail) and on-premise email servers in a hybrid email deployment, then please enter an on-premise email server subnet.
   Collector IP	IP address of the Juniper ATP Appliance Collector that is collecting from the Juniper ATP Appliance Cloud. This IP address can be th Core-CM IP address, or a separate standalone MTA Receiver Server IP address.
   Recipient Email Address	Enter the Recipient Email Address.
   Password	Enter the Email Server mailbox password.
   Poll Interval	Enter the polling interval (in minutes); this is the frequency by which the Email Collector polls for email traffic; the default is 5 minutes.
   Keep Mail on Server	Select an email retention setting: Keep | Delete
   Enabled	Choose setting to Enable or Disable the Email Server.

To edit or delete Email Server settings:

• Navigate to the Config>System Profiles>Email Collectors page.

• Click the Edit or Delete button in the Current Email Collectors list.

• To edit, modify settings and configuration selections (descriptions are provided above), then click Save to apply new configuration settings.

To view, edit disable/enable, or delete Secondary Core configurations:

1. Navigate to the Config>System Profiles>SecondaryCores page.

2. Click the arrow icon for the Mac OSX or Windows (Core+CM) Secondary Core to be modified in order to expand the row and display configuration details.

   Rows must be expanded to edit configuration information.

3. Click the Delete button to remove a Secondary Core configuration from the distributed defense system.

4. Click the Edit button to modify the configuration.

5. In the edit window, modify the settings (descriptions are provided below, then click Save to apply the revised configuration settings.

The editable Secondary Core fields are defined as follows:

Note that the Secondary Core page displays the status of the Collector and whether it is operational and online. Use this page to check Mac OS X or Core+CM (Windows) Secondary Core status.

Figure 14: A Mac OS X Secondary Core Status Display

To configure, create a Windows 7 custom image and then interact with that “golden image” using VNC during configuration. Once configured, Juniper ATP Appliance automatically instruments and deploys the custom image for malware analysis and detection.

The Custom Golden Image VM configuration process steps are as follows:

1. Step 1: Mount the Custom OS ISO location and Boot the VM.

2. Step 2: Connect to the Custom Golden Image VM via VNC and Install Windows OS.

   Note:

   During the Windows 7installation process, Windows performs a required reboot and the VNC connection is dropped. This is expected. Manually restart the VM and reconnect to VNC immediately after losing the VNC during Windows installation.

3. Step 3: Reboot the VM*

4. Step 4: Finalize and Enable the custom Golden Image VM.

5. Step 5: Reconnect to VNC and install Adobe Acrobat, if necessary.

6. Step 6: Install Preferred AV Software to Golden Image

1. Navigate to the Config>System Profiles>Golden Image VM page in the Central Manager Web UI.

2. Click the New VM Image button.

3. Enter the settings for the new Windows 7 custom Golden Image VM.

   The input fields are described below.

   Custom VM Image Configuration Fields	Description
   Image Name	Enter the name of the custom VM image you care creating.
   Descriptions	Enter a description for the new golden image.
   VNC ID	Enter your VNC ID; the ID must be a unique integer.
   Architecture	Select 32-bit or 64-bit Disk Size (GB) Enter the size of the disk to
   Disk Size (GB)	Enter the size of the disk to be used for the custom image.The default is 20 GB.
   Risk Reduction	Select a risk reduction setting: yes or no, where “yes” represents a value of 0.3 and “no” indicates a risk reduction value of 0, respectively. The default is No (0). Risk Reduction is factored into the threat relevance metric. If the Golden Image determines that a potential malware object is benign, then the risk reduction is applied as a reduced relevance value
   Network Segment	Enter the network segment that is running the OS for which this custom VM Image is being created. Relevance is not calculated if the analyzed malware does not match the network segment configured here.’

4. After entering the custom Golden Image VM settings, click Add to create the image.

5. When the image is displayed in the Current Golden Images VM table, click the Controls link to prepare to install and mount the new custom image.

6. [Optional: To edit the original settings for this new VM Image, click Edit and re-enter the custom image settings information.]

7. Mounting

   When mounting the install media for the OS from a file share:

   • Enter the mount path in the ISO NFS/SMB Mount Path field in the Controls window (be sure you are mounting from an open file share):

     SMB Syntax: //<IP Address>/<dir>/<file>

     NFS Syntax: i<IP Address>:<dir>/<file>

     Note:

     Be sure your permission settings allow access to the open file share.

   • Click to checkmark Mount CD ISO at Boot

Click the Boot VM: boot button.

1. Using your VNC client, connect to the Golden Image VM and perform a typical installation of your enterprise’s Windows OS to be used by Juniper ATP Appliance for malware analysis.

   Note:

   During the Windows installation process, Windows performs a required reboot and the VNC connection is dropped. This is expected. Manually restart the VM and reconnect to VNC immediately after losing the VNC during Windows installation.

1. Return to the Central Manager Web UI Config>System Profiles>Golden Image VM page, select the Controls link for the relevant VM from the Current VM Images table, and then click on Boot VM: boot button again.

With this next step, Juniper ATP Appliance adapts the configured custom image to the Juniper ATP Appliance analysis and detection architecture, then automatically adjusts the new OS to established firewall settings and installs required drivers, and so on. As part of this process, Juniper ATP Appliance shuts down the VM, so in order to complete the VM image configuration, you must enable the VM in step 12.

1. From the Controls window, and click Finalize Image: finalize. After you click Finalize, you will be asked to login to the Custom Image VM via VNC and carefully follow the prompts as the Juniper ATP Appliance finalize script runs on the Golden VM Image. The final step of the script will be that the Golden Image VM will be shut down.

2. To complete the configuration of the custom VM image, click Enable Image: enable.

1. Connect once more to the VNC port and install Adobe Acrobat to the custom OS environment, if necessary.

   Note:

   The PDF Reader and Adobe Acrobat exe must be mountable.

A new row in the Incidents tab Summary table displays Custom VM Image results as “Golden Image.”

If three Golden Image VMs have been configured, then three golden image results will show in the Operations Dashboard as well as the Incidents page, as shown below.

Configuring an ESXi Server in order to enable Virtualized HV is only suggested for VMWare ESXi version 5.1 and later.

To configure an ESXi Server to enable Virtualized HV:

1. SSH to the ESXi host.

2. In /etc/vmware, edit the 'config' file and add the following setting

3. Use the vSphere Web Client to configure the guest VM by editing the VM settings via VM settings > Options > CPU/MMU Virtualization.

4. Select the Intel EPT option to complete the configuration.

To backup the current system configuration:

1. Navigate to the Config>System Profiles>Backup/Restore page.

2. Click the Backup button to backup the appliance or software service database.

To restore a saved configuration file as the current running config:

1. Navigate to the Config>System Profiles>Backup/Restore page.

2. Click the Choose File button to select and upload a previously saved configuration file, then click Restore to apply the configuration settings to the appliance or service.

   Note:

   The backup and restore feature cannot be performed on a CM/Core installation for different major releases. For example, do not restore a previously backup file (generated from a Release 3.2.0 appliance) to a appliance running Release 3.2.0.

1. Navigate to Central Manager Web UI Config>Environmental Settings>Email Mitigation Settings page and select the Gmail as the Email Type.

2. Enter the established Quarantine Label name.

3. Enter an Email Address (for testing the configuration).

4. Enter your full Gmail JSON Key.

5. Click Add to complete the configuration.

6. To edit the quarantine settings, click Edit in the Current Email Mitigations Configured table.

7. To delete a quarantine setting, click Delete in the desired row of the Current Email Mitigations Configured table.

Figure 17: Gmail Quarantine Settings Page

1. Navigate to Central Manager Web UI Config>Environmental Settings>Email Mitigation Settings page and select Exchange Online as the Email Type.

2. Enter the established Authority Host URL.

3. Enter the Office Resource URI.

4. Enter the Tenant ID.

5. Enter the Client ID.

6. Enter the name of the Quarantine Folder.

7. To Generate New Azure Key Credentials, click the Check box.

8. Enter Key Bits; default is 4096.

9. Enter Certificate Lifetime number of days.

10. Enter Azure Manifest Key Credentials.

11. Click Add to complete the configuration.

12. To edit the quarantine settings, click Edit in the Current Email Mitigations Configured table.

13. To delete a quarantine setting, click Delete in the desired row of the Current Email Mitigations Configured table.

The Juniper ATP Appliance provides comprehensive automatic mitigation at integrated enterprise blocking devices. In previous releases, mitigation intelligence was manually pushed to integrated partner devices to perform threat blocking (except for those partner devices that polled Juniper ATP Appliance, such as Bluecoat, for example). In this release, users configure whether they want mitigation intelligence pushed automatically to blocking devices without user interaction, or whether they prefer to use the manual push option for each mitigation rule distributed to the blocking infrastructure.

Refer to Configuring Auto-Mitigation for information about setting and enabling auto-mitigation. When enabling Auto-Mitigation, Juniper ATP Appliance ATA is enabled at the same time.

Configuration of Juniper ATP Appliance-PAN Firewall integration for auto-mitigation is a two-step process:

1. Configure the Dynamic Address Group and Juniper ATP Appliance-Tag using the PAN Firewall Web UI.

2. Complete the configuration at this Config>Environmental Settings>Firewall Mitigation Settings page.

1. From the PAN OS 6.0 Web UI, navigate to the Objects tab and select the Tags page from the left panel menu. Enter a Juniper ATP Appliance-Tag and click OK; example: JATP-tag

2. From the Objects tab, select Address Group from the left panel menu, then click Add to create a new Dynamic Address Group. In the fields provided, enter criteria shown below and click OK.

   • Name (example: JATP-dag)

   • Description (example: Juniper ATP Appliance Dynamic Address Group)

   • Type (example: Dynamic)

   • Match (example: ‘JATP-tag’)

3. Navigate to the Policies tab and select the Security from the left panel menu options, then click Add to add a Security Policy Rule.

4. From the Source sub-tab, under Source Address, add the previously created Dynamic Address Group (checkmark JATP-dag, per our example); click OK, then click Commit in the upper right corner of the window.

1. Navigate to the Config>Environmental Settings>Firewall Mitigation Settings page.

2. Click Add New Auto-Mitigation Rule.

   Note:

   Definitions for each FW Mitigation Setting field are provided further below.

3. Enter a Hostname/IP, a Host Protocol and a Port Number for the PAN FW device integration.

4. Select PAN from the Mitigation Type category and PAN-OS Firewall from the Device Type options.

5. Enter a Username and Password.

6. Enter the Mitigation URL Category and TAG.

   Tip:

   If a user wants to change the URL and DAG category, the revised rules does not get triggered into automatic rule pushing. To push into a new category, delete the existing configuration and add a new one.

7. Enter the Expire Days and click Add.

   Table 17: Auto-Mitigation Settings Defined

   Mitigate Type	Select PAN-OS to configure an individual PAN FW.
   Host IP/URL	IP address or the or FQDN/hostname of the PAN Firewall.
   Host Protocol	Select HTTPS or HTTP.
   Port Number	Enter the port number of the PAN OS administrative console.
   User Name	Enter the admin account username.
   Password	The admin account password.
   TAG	The Tag that is associated with the configured DAG (“JATP-tag” in our example above).
   Mitigation URL Category	Enter URL. This option provides blocking based on URLs to Palo Alto Networks firewalls. URL-based blocking allows more precise blocking control.

Apply the configured Auto-Mitigation Rule from the Juniper ATP Appliance Central Manager Mitigation page.

1. Select a threat row (or multiple rows) in the Mitigation table and click Apply.

2. After clicking Apply, all rules are pushed to the PAN Firewall and will be visible in the PAN Firewall CLI within 10-20 seconds. Multiple rules can be pushed at the same time and all will be reflected in the PAN CLI at the same time.

   This is an asynchronous operation so you may continue to push other rules and use other CM Web UI pages as necessary.

   Refresh the page after 60 seconds to see a push SUCCESSFUL message for the rows selected.

3. A Remove button is available per row pushed for auto-mitigation in the event you need to remove the automitigation rule.

To enable or disable an auto-mitigation blocking rule:

1. From the Config>Environmental Settings>Firewall Mitigation Settings page.

2. Click Enable or Disable from the Current Auto Mitigation Rules table to enable or (disable) stop forwarding of auto-blocking.

To delete a PAN FW rule(s) and/or configuration:

1. From the Config>Environmental Settings>Firewall Mitigation Settings page.

2. If there are no rules currently being pushed to the Pan FW, click the Delete option.

3. If rules are currently being pushed, then the Delete option is disabled; click Remove all IP Addresses.

• From the PAN-OS CLI, enter:

The Juniper ATP Appliance platform monitors and detects malicious IP addresses and the URLs that link to malware. In previous releases, Juniper ATP Appliance’s integration with Palo Alto Networks (PAN) firewalls allowed Juniper ATP Appliance to block malicious URLs and IPs by pushing those IP addresses and URLs to individual PAN FW devices. But some enterprises utilize an array of PAN firewalls deployed in various locations. For this reason, Juniper ATP Appliance offers integration with Palo Alto Network’s Panorama, a network security management device that controls the distributed network of PAN firewalls from a central location. The Juniper ATP Appliance provides the flexibility to either configure integration with individual PAN-OS FWs as usual, or configure integration with a centralized Panorama device as part of Juniper ATP Appliance’s Firewall and Secure Gateway auto mitigation options. See for individual FW integrations.

The Juniper ATP Appliance/Panorama integration pushes IP address(es) to a firewall Address Group, and it pushes URL(s) to a custom URL category for each configured firewall Device Group. Multiple Device Groups can also be configured.

1. Navigate to the Config>Environmental Settings>Firewall Mitigation Settings page.

2. Click Add New Auto-Mitigation Rule.

   Note:

   Definitions for each FW Mitigation Setting field are provided further below.

3. Select PAN from the Mitigation Type category and Panorama from the Device Type options.

4. Enter a Hostname/IP.

5. Enter a configured Device Group. If there are multiple Device Groups, enter each device group name separated by a space.

6. Enter a Host Protocol and a Port Number for the centralized PANORAMA FW device.

7. Enter a Username and Password.

8. Enter the Mitigation URL Category.

9. Enter an Address Group.

10. Enter the Expire Days and click Add.

    Table 18: PANORAMA Auto-Mitigation Settings Defined

    Mitigate Type	Select Panorama to configure a centralized Panorama management server device.
    Host IP/URL	IP address or the or FQDN/hostname of the Panorama device. Device Group Enter the Device Group name(s). Multiple device groups can be
    Device Group	Enter the Device Group name(s). Multiple device groups can be specified (separated by a character space). Setup Device Group(s) at the Panorama Console from the Manage Devive Groups page; this is where all firewalls in a Panorama firewall network are grouped.
    Host Protocol	Select HTTPS or HTTP.
    Port Number	Enter the port number of the PAN OS administrative console.
    User Name	Enter the admin account username.
    Password	The admin account password.
    Mitigation URL Category	Enter the URL. This option provides blocking based on URLs to Palo Alto Networks firewalls. URL-based blocking allows more precise blocking control. Juniper ATP Appliance/Panorama pushes URL(s) to a custom URL category for each configured firewall Device Group. Pushes are via the mitigation secure web gateway from Juniper ATP Appliance to the distributed PAN FWs.
    Address Group	The group location to which Juniper ATP Appliance pushes IP addresses for PAN blocking. Enter an existing Address group you’ve created at the Panorama console that is specific to Juniper ATP Appliance. If an Address Group is not specified, PAN will create a new Address Group when the push is executed.
    Expire Days	Enter the number of days before the rule expires. Expiry days default to 0, which means the rule will not expire.

Apply the configured Auto-Mitigation Rule from the Juniper ATP Appliance Central Manager Mitigation page.

1. Select a threat row (or multiple rows) in the Mitigation table and click Apply.

   Note:

   The Apply action pushes the Auto-Mitigation Rule to the Panorama device from which policies are executed on distributed PAN-OS firewalls in a given Device Group.

2. After clicking Apply, all rules are pushed to the PAN Firewalls via Panorama and will be visible in the PAN Firewall CLI within 10-20 seconds. Multiple rules can be pushed at the same time and all will be reflected in the PAN CLI at the same time.

   This is an asynchronous operation so you may continue to push other rules and use other CM Web UI pages as necessary.

   Refresh the page after 60 seconds to see a push SUCCESSFUL message for the rows selected.

3. A Remove button is available per row pushed for auto-mitigation in the event you need to remove the automitigation rule.

To delete a Panorama rule(s) and/or configuration:

1. From the Config>Environmental Settings>Firewall Mitigation Settings page.

2. If there are no rules currently being pushed to the Panorama device, click the Delete option.

3. If rules are currently being pushed, then the Delete option is disabled; click Remove all IP/URL Addresses.

1. From the CLI of each individual PAN-OS firewall in the Panorama Device Group, enter the following command to verify operations:

With integrated Cisco ASA Firewall support, enterprises with deployed ASA Firewalls are able to push IP addresses from Juniper ATP Appliance products to the Cisco ASA Firewall platform for malware blocking. Juniper ATP Appliance uses a REST interface to communicate with the ASA Firewall.

A Cisco ASA administrator must configure a “network object group” on the ASA. Note that multiple network object groups are a “hidden” feature on the ASA Firewall.

Here is a sample ASA configuration:

Navigate to the Config>Environmental Settings>Firewall Mitigation Settings page to configure auto-mitigation of Juniper ATP Appliance-detected malware at a Cisco ASA Firewall.

To configure the ASA Firewall, use the following procedure:

1. Select ASA from the Mitigation Type column.

2. Enter the firewall hostname or IP address in the Hostname/IP field.

3. Enter the firewall Port Number if different than the default 443.

4. Enter the administrator User Name and Password.

5. Enter the Network Object Group as configured on the ASA firewall.

6. Enter the Expiry number of days for the connection; the default is 60 days.

Begin by applying this required configuration on FortiManager before configuring the Juniper ATP Appliance device:

At the FortiManager console, create the following:

• An ADOM (Administrative Domain) that also needs to be enabled. Once an ADOM is created the ADOM name is needed for JSON RPC requests

• An Address Group must be created with at least one IP address (dummy) even before the Juniper ATP Appliance adds any additional IP addresses.

• Webfilter Profile (optional) needs to be created, and URL filtering needs to be enabled as shown in the sections immediately below.

  Note:

  An Address Group name (if specified) is used to push blocking information for IP addresses. The Webfilter Profile name (if specified) is used to push blocking information for URLs. While these two parameters are optional, at least one --an Address Group or Webfilter name-- must be specified. An error message is displayed if neither is specified.

• Create a Policy package (optional). If specified, policies are installed (pushed) to all the FortiGates listed as Installation Targets in the policy package. If the policy package name is not configured on the Juniper ATP Appliance, it will not push or install these policies to FortiGates and such an install would then need to be done manually or via other means (for instance, by running custom scripts according to a schedule).

FortiManager requires that IP addresses be added to a common pool of ‘Addresses’ and these addresses can be added to an address group. When creating an address group at the FortiManager console, be sure you specify at least one IP address in that group. See menu below.

Figure 22: FortiManager Address Group Setup

You also need to create a Web/Filter Profile at the FortiManager console, under which its possible to add URLs for blocking.

Figure 23: FortiManager Web Filter Configuration

In the FortiManager webfilter profile, the URL filter must be enabled. All URLs to be blocked will be pushed to this URL filter from the Juniper ATP Appliance.

Figure 24: Enabling the URL filter at the FortiManager

Also required for Fortinet FW and FortiManager integration is a Policy Package with policies that reference the address group and webfilter name created for integration. Specify the installation targets (fortigate devices) to which this policy package is to be installed.

Figure 25: Setting a FortiManager Policy Package

To configure the Fortinet Firewall and management platform, use the following procedure:

1. Select Fortinet from the Mitigation Type column.

2. Enter the firewall hostname or IP address in the Hostname/IP field.

3. Enter the administrator User Name and Password.

4. Enter the Address Group as configured on the Fortinet firewall.

5. Enter the Web/Filter Profile name as configured on the Fortinet firewall.

   Note:

   An Address Group name (if specified) is used to push blocking information for IP addresses. The Webfilter Profile name (if specified) is used to push blocking information for URLs. While these two parameters are optional, at least one --an Address Group or Webfilter name-- must be specified. An error message is displayed if neither is specified.

6. If configuring the FortiManager platform, click FortiManager and additional fields are displayed.

   Note:

   Juniper ATP Appliance Fortinet integration supports FortiManager version 5.4 or later.

7. Enter the Administrative Domain name (ADOM) configured for the FortiManager.

8. Enter the Policy package name, also configured at the FortiManager.

9. Click Add to finalize the configuration.

FortiManager is the manager of FortiGate devices and offers JSON-RPC API based access for configuration. The Juniper ATP Appliance uses these APIs.

Configured Check Point Firewall integration allows Juniper ATP Appliance products to communicate and perform threat mitigation in concert with Check Point firewalls. A Juniper ATP Appliance administrator can choose to block a particular threat or remove a previously propagated mitigation via Check Point Firewall integration.

Communication takes place via the SSH interface through which Check Point users may also access the CLI of the Check Point device.

Blocking information is submitted using Check Point APIs. By pushing malicious IP addresses to integrated Check Point appliances, similar to Juniper ATP Appliance’s established PAN and Juniper integration support, an administrator identifies threats at the Firewall or Secure Web Gateway, and submits the selected objects to the configured Check Point Firewall from the Central Manager Web UI.

A Juniper ATP Appliance product propagates malicious IP addresses to Check Point appliances using the Check Point Suspicious Activity Monitor (SAM) feature. SAM status and commands are available under the “SmartView Monitor” app in the Check Point “Smart Console” family of Web UI applications.

Deploying Check Point GAiA appliances involves configuration of Security Management Servers and Security Gateways. In standalone configurations, the Security Management Server and the Security Gateway are installed on the same machine. In distributed configurations, a single Security Management Server can manage a number of subordinate Security Gateways.

Juniper ATP Appliance supports both standalone and distributed Check Point deployments. In either case, the Juniper ATP Appliance must be configured with the IP address of the Check Point Security Management Server.

Unlike other integrations, no address group or similar object need be configured. With Check Point, an administrator can choose to drop or reject connections to the mitigated IP, and either close or maintain existing connections. These choices are selected during Juniper ATP Appliance configuration of Check Point integration.

Juniper ATP Appliance firewall blocking corresponds to Check Point CLI SAM commands, as follows:

The Check Point “FW SAM CLI Reference” guide is available online.

To configure Check Point Firewall integration:

Navigate to the Config>Environmental Settings>Firewall Mitigation Settings page to configure auto-mitigation of Juniper ATP Appliance-detected malware at a Check Point Firewall.

1. Select Check Point from the Mitigation Type column.

2. Enter the firewall hostname or IP address in the Hostname/IP field.

3. Enter the administrator User Name and Password.

   Note:

   Check Point login credentials configured on Juniper ATP Appliance must correspond to a Check Point account with /bin/bash as its shell - this corresponds to “expert” mode in the Check Point CLI. Note that this is not the default shell; the default is clish.

4. Enter the Expiry number of days for the connection; the default is 60 days.

5. Select an Inhibit Mode option:

   • Drop and Close - drop the packet and close the connection when blocking request is received at the firewall

   • Reject and Close - reject the packet and close the connection

   • Drop - drop the packet. With drop (block), the packet is dropped and nothing is sent back to the sending program/system. So an attacker cannot know if they ever reached their destination or a firewall. It looks to the attacker as if the IP address has nothing there at all.

   • Reject - reject the packet. With reject, a TCP RST or ICMP port unreachable for UDP is returned to the sender.

6. Enter the Secure Internal Communications SIC Name of the security management server for the Check Point firewall.

7. Select an Enforcement Host option:

   • All - all enforcement hosts and groups or object

   • Gateways - secure gateways as preferred enforcement hosts

   • Group or Object - a configured security policy group or object

Objects represent the hosts, gateways, networks, and hosts managed by the Check Point firewall. A Group might show each Network Object group as a branch. The Security Gateways enforce an enterprise’s security policies and act as a security enforcement point.

Forcepoint NGFW Security Management Center (SMC) offers centralized management of Forcepoint Next Generation Firewalls across distributed network enterprises. With monitoring, logging, alerts, and reports, Forcepoint SMC provides a complete view of network security events to administrators.

The Juniper ATP Appliance platform monitors and detects malicious IP addresses and the URLs that link to malware. Integration with Forcepoint SMC prevents users behind the Forcepoint firewall from accessing these IPs or URLs.

This integration includes configuration tasks on the Forcepoint SMC as follows:

Enable the Forcepoint SMC API to allow other applications to connect using the SMC API.

1. In the Forcepoint SMC, select Home.

2. Navigate to Others > Management Server.

3. Right-click on Management Server and select Properties.

4. Click the SMC API tab and select Enable.

5. Optionally, in the Host Name field, enter the name that the SMC API service uses. If you do not enter a name, API requests are allowed to any host name.

6. Make sure that the listening port is set to the default of 8082 on the Management Server.

7. If the Management Server has several IP addresses and you want to restrict access to one, enter the IP address in the Listen Only on Address field.

8. If you want to use encrypted connections, click Select, then choose the TLS Credentials element. For instructions on creating TLS credentials, refer to the procedure below.

9. Click OK.

Create TLS credentials for SMC API Clients. (Note that you can import the existing private key and certificate if they are available.)

1. In the Management Client, select Configuration.

2. Navigate to Administration > Certificates > TLS Credentials.

3. Right-click TLS Credentials and select New TLS Credentials.

4. Complete the certificate request details:

   • In the Name field, enter the IP address or domain name of SMC.

   • Complete the remaining fields as needed. See the Forcepoint Documentation for details.

   • Click Next.

5. Select Self Sign.

6. Click Finish.

   The TLS Credentials element is added to Administration > Certificates > TLS Credentials. The State column shows that the certificate has been signed.

Create an API Client element. (External applications use API clients to connect to Forcepoint SMC.) Before you begin, the SMC API must be enabled for the Management Server. Those instructions were provided above.

1. Select Configuration and navigate to Administration.

2. Navigate to Access Rights.

3. Right-click Access Rights and select New > API Client.

4. In the Name field, enter a unique name for the API Client.

5. Use the initial authentication key or click Generate Authentication Key to generate a new one. A random authentication key is automatically generated. (Note that this key appears only once, and you should make a note of it because the ATP Appliance auto-mitigation rule will require you to enter it in a later step. The API Client uses the authentication key to log on to SMC API.)

6. Click the Permissions tab.

7. Select the permissions for actions in the SMC API. See the Forcepoint documentation for details.

8. Click OK.

To send IP address and URL lists to Forcepoint SMC, you must create a mitigation rule on ATP Appliance.

1. Navigate to the Config > Environmental Settings > Firewall Mitigation Settings page.

2. Click Add New Auto-Mitigation Rule.

3. Select Forcepoint SMC from the Mitigation Type category.

4. Enter a Hostname/IP, a Host Protocol and a Port Number for the device integration. Details provided in table below.

5. Enter the API Key for the Forcepoint SMC.

6. Enter the IP List Name. This IP List name can refer to an existing or new IP List. If the specified IP List does not exist, it will be created when there is a malicious IP address to be sent to the Forcepoint SMC.

7. Enter the URL List Application Name. As with the IP List, this can refer to an existing or new URL List. If the specified URL List does not exist, it will be created when there is a malicious URL to be sent to the Forcepoint SMC.

   Note:

   Forcepoint SMC does not support wildcards in the URL List. Therefore wildcard URL entries cannot be sent to the Forcepoint SMC. If ATP Appliance URL mitigation has URLs with wildcards, then upon applying the rule, the ATP Appliance UI status reads as “Unsupported.”

8. ClickSave.

   Figure 26: Firewall Mitigation Settings - Forcepoint SMC
   Note:

   When you add or remove configurations in ATP Appliance, the status (success/fail) of the rule is not immediately reflected in ATP Appliance Mitigation > IP Filtering and ATP Appliance Mitigation > URL Filtering Page. You must click Refresh Data to view the status.

Apply the configured mitigation rule from the Juniper ATP Appliance Mitigation page.

1. Select a threat row (or multiple rows) in the Mitigation table and click Apply.

2. After clicking Apply, all rules are pushed to the Forcepoint SMC.

3. After adding or removing rules, Refresh the page to view the status.

4. Once the mitigation rule is configured, it is enabled by default. Using the available buttons, you can Disable and then Enable the rule as needed. A Test button is available for the auto-mitigation rule to test the accuracy of the configuration. A Remove button is also available per row in the event you need to remove the auto-mitigation rule.

   Note:

   Test the Forcepoint SMC configuration using the Test link in the Firewall Mitigation Settings > ForcePoint SMC page. This link tests whether the ForcePoint SMC server is reachable and the API key is working.

   If the test fails, try the following:

   • Check that the Forcepoint SMC server is reachable. The default API port for Forcepoint SMC is 8082.

   • Make sure the API key configured in SMC and ATP Appliance are the same.

   • If it is a HTTPS configuration, make sure the TLS credentials are configured in ForcePoint SMC according to the instructions in this section.

To view and edit IP address and URL lists pushed from ATP Appliance to Forcepoint SMC, on the Forcepoint SMC, do the following:

• For the IP List, navigate to Configuration > Network Elements > IP Address List. You should see the named list you created on ATP Appliance.

  

• For the URL List, under Other Elements, navigate to Network Applications (by type) > URL List. You should see the named list you created on ATP Appliance.

  

Carbon Black Response is providing one source of information in calculating the risk score of a malware - Is the malware run on the end-point? The question is asked to a Carbon Black Response server based on three criteria: the malware md5, the end-point IP address, and the malware download timestamp.

Configuration of Carbon Black Response for endpoint monitoring and mitigation is a two-step process:

1. Obtain the Carbon Black Response Account API key from the Carbon Black Response Web UI. See Also: Obtaining the Carbon Black Response API Key.

2. Enter the Key and other device configuration information to the Juniper ATP Appliance Web UI Carbon Black page shown below.

Figure 29: Central Manager Carbon Black Response Configuration Page

1. From the Carbon Black Response Web UI, click the top right admin user dropdown and select Profile info.

2. From the left panel Profile info menu, select API Token.

3. Copy the API Token from Your API Token box.

4. Obtain the hostname of the Carbon Black Response server (example: https://JATP.cloud.carbonblack.com)

1. Navigate to the Config>Environmental Settings>Endpoint Integration Settings page.

2. Select CarbonBlack as the Endpoint Type.

3. Enter the device Hostname or IP address.

4. Enter the Host Protocol: HTTPS or HTTP.

5. Enter the device Port Number.

6. Enter the Carbon Black Response API Key and click Submit.

Before configuring CrowdStrike Endpoint Integration, obtain the following data:

• CrowdStrike Falcon API server hostname

• CrowdStrike Falcon API user

• CrowdStrike Falcon API key

1. Navigate to the Config>Environmental Settings>Endpoint Integration Settings page.

2. Select Crowdstrike as the Endpoint Type.

3. Enter the device Hostname or IP address.

4. Enter the Crowdstrike API User.

5. Enter the Crowdstrike API Key.

6. Click Add.

7. Click Test in the Current Endpoint Integration table row to verify the Crowdstrike integration. This link tests whether the CrowdStrike server is reachable and the API user and key is working.

At the Central Manager Web UI Incidents, if an endpoint has executed malware, an EX flag is displayed.

On the Incident tab, when an Incident includes the option to Add to Whitelist, as shown below, these same criteria can be again edited and applied as part of the incident allowlisting process.

1. To edit Allowlist Filter criteria while adding the incident to the allowlist, click the Add to Whitelist link.

2. In the Update Whitelist Rule window, you may add additional allowlist rule criteria, deselect (uncheck) currently established criteria, or update the rule set as is.

3. Click Submit and the incident is added to the allowlist according to the criteria defined and checked in the Update Whitelist Rule window.

Figure 32: Update Whitelist Rule Window

Write a text file that contains one or more YARA rules that specify a pattern, condition or string to match. A few examples follow:

Navigate to Config>Environmental Settings>YARA Rule Upload.

1. Select a File Type: exe | dll | pdf | doc | xls | ppt | java | apk

2. Click Choose File to browse and upload the YARA file.

3. Enter a Description.

4. Click the radio button to Enable or Disable.

5. If enabling, the Add button will display; click Add to initiate the YARA rule compiling and syntax validation. If there are no syntax errors, the YARA rule is added to the detection system.

Once a YARA rule is compiled and added to the system, network objects are scanned for any rule matches. Rule matches contribute to threat detection and are recognized as malware on the Web UI Incidents page.

There are several locations on the Incidents page where YARA rule matching is displayed as malware.

Figure 33: Yara Rule Match Reporting also Displays in Incidents Downloads Details

To configure ATP Appliance Splunk Ingestion, perform the following steps.

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>Environmental Settings>Splunk Configuration page; click Add New Identity Source.

   Figure 34: Identity Configuration Page

2. Select Splunk as the Source Type.

3. Select an Identity Source: Audit Logs or LDAP Add-on.

4. Select an Event Log Collection Method: WMI or Universal Forwarder.

5. Enter an Optional Splunk Index.

6. Select Enable or Disable for the Use Reverse DNS setting.

7. Enter Exclude Hostnames, separated by commas. Identity mappings for these hosts are ignored and not included in event handling and displays.

8. Click Submit to complete the configuration.

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>Environmental Settings>Splunk Configuration page; click Add New Identity Source.

2. Select Active Directory as the Source Type.

3. Enter a Hostname/IP Address.

4. Enter a Username and Password.

5. Enter a Search Type: Global Catalog Search or Local Search.

6. Select Enable or Disable for the Use Reverse DNS setting.

7. Enter a Domain Component Name.

8. Select an SSL setting: Enabled or Disabled.

9. Enter an LDAP Port Number.

   Note:

   Typically used port numbers: Global Catalog Search [SSL Enabled - 3289; SSL Disabled - 3268]; Local Search [SSL Enabled - 636; SSL Disabled - 389]

10. Choose to Enable or Disable the Use Reverse DNS setting.

11. Enter Exclude Hostnames, separated by commas. Identity mappings for these hosts are ignored and not included in event handling and displays.

12. Click Submit to complete the configuration.

The Juniper ATP Appliance supports AD log ingestionas via Splunk using either its Universal Forwarder on DC or the VMI method.

• Splunk Universal Forwarder of Active Directory Logs

• Splunk WMI Forwarding of Active Directory Logs

IMPORTANT: A few notices before you begin:

• Active Directory, Splunk and Juniper ATP Appliance all need to be NTP-synced.

• AD log ingestion can only be either Direct or via Splunk at a time.

• In AD logs via Splunk, the “Exclude hostname” configuration in the UI should be set to indeed exclude the hostname.

• If your enterprise environment has not previously employed AD-Splunk integration, and this is a first-time deployment, Juniper ATP Appliance supports both the WMI method and the Universal Forwarder method, and does not recommend one over the other. However, Splunk documentation recommends the Universal Forwarder for Domain Controllers because there have been performance issues reported for the WMI method.

To configure Splunk for AD using the Splunk App on DC, use the following procedure:

1. Install an Add-On for receiving security audit logs;

   Review this link to determine which infrastructure Add-On to install:

   http://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/ HowtodeploytheSplunkAppforWindowsInfrastructure

   Review this link to learn more about Splunk deployment options:

   http://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/ WhataSplunkAppforWindowsInfrastructuredeploymentlookslike

   Deployment Options:

   • Splunk App for Windows Infrastructure (for receiving Security Audit logs) on Search Head

   • Splunk Add On for Active Directory (for ldap search) on Search Head

   • Splunk Add On for Windows on Search Head, Indexer and Universal Forwarder

2. Configure Active Directory Add On from the Splunk Web Console, as shown below:

   Figure 35: Splunk Add-on Configuration for Receiving & Forwarding AD Security Audit Logs

3. Configure the Splunk Indexer to receive Windows Data by navigating to Settings>Forward And Receiving (Data)->Configure Receiving->New

   Figure 36: Splunk Add New Forwarding & Receiving Data Configuration Window

4. Deploy Splunk App for Windows Infrastructure; use the following linked instructions:

   http://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/ WhataSplunkAppforWindowsInfrastructuredeploymentlookslike

   http://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/InstallaSplunkIndexer

   Note:

   Download and install the Universal Forwarder on the Domain Controller with information from the following links.

   The Universal Forwarder is one method for sending event logs to Splunk Indexer; the other method is Agentless forwarding using the WMI method, shown in the next section ).

   • Download the Universal Forwarder: https://www.splunk.com/en_us/download/universal-forwarder.html

   • Download the MSI and start the installation. Configure the Universal Forwarder with instructions from this link:

     http://docs.splunk.com/Documentation/Forwarder/6.5.3/Forwarder/ InstallaWindowsuniversalforwarderfromaninstaller#Install_the_universal_forwarder_for_use_with_onpremises_ Splunk_instances

   • Click on the Customize option after selecting the appropriate checkboxes as shown in the image below:

     

   • Click Next and then choose Local Account unless you want to poll other domain controllers using WMI. Click Next again.

     

   • In the next configuration window, shown below, select the Security Log forwarding option. Click Next.

     

   • Enter the Deployment Server Hostname and Port (default is 8089), then click Next.

     

   • Enter the Receiver Index and Port (default is 9997), as in the example shown below, and then click Next.

     

5. Follow instructions to Get Active Directory Data from this link: http://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/DownloadandconfiguretheSplunkAddonsforActiveDirectory

   • Configure GPO’s for AD and Powershell.

   • Download Splunk Add On For Microsoft Active Directory.

   • Download Splunk Add On for Microsoft Powershell.

   • Un-TAR both downloaded TAR files using 7zip or another archive utility.

   • Copy the resulting SA-ModularInput-PowerShell and Splunk_TA_microsoft_ad to the Universal Forwarder installed path:

   • Restart Universal Forwarder components:

     • services.msc

     • Find SplunkForwarder Service and restart it.

   • Verify Splunk Search Head is receiving data by performing one of the following procedures:

     • Search the UI at App & Reporting > Data Summary to verify that the Domain Controller Host is configured.

     • Or search using “source="wineventlog:security" AND EventCode=4769 AND Service_Name != krbtgt | table _time Account_Name Client_Address Service_Name | rename _time as Logon_Time Account_Name as UserName Client_Address as IPAddress Service_Name as HostName”

6. Configure Splunk App for Windows Infrastructure on the Splunk Web Indexer; note the prerequisites:

   

   • Give winfra-admin role to admin user by modifying the roles for admin user as shown below:

     

Use the following procedure to setup AD Integration with Splunk using the WMI method.

1. Both Splunk Enterprise and your Windows network must be correctly configured for WMI data access. Review the following prerequisites before attempting to use Splunk Enterprise to get WMI data.

   Before Splunk Enterprise can get WMI-based data:

   • Splunk Enterprise must be installed with a user that has permissions to perform remote network connections. While installing Splunk it would ask for local account or domain account. Choose domain account.

   • The user Splunk Enterprise runs as must be a member of an Active Directory (AD) domain or forest and must have appropriate privileges to query WMI providers.

   • The Splunk user must also be a member of the local Administrators group on the computer that runs Splunk Enterprise.

   • The computer that runs Splunk Enterprise must be able to connect to the remote machine(AD) and must have permissions to get the desired data from the remote machine once it has connected.

2. After installing Splunk, logon to Splunk and navigate to Settings -> Data Inputs:

3. Click on the second option - Remote Event Log Collection, then click on New.

   

4. Choose a name for the log collection and enter the AD server IP address.

5. If Splunk can perform a WMI query to the AD server, then the Select Event Logs option is displayed, as shown below; Choose Security and click Next.

   

6. Enter the host details on the next page. If you want to choose an indexer, choose it or leave the default.

   Review configurations and Submit.

7. From the Splunk Server, navigate to C:\Program Files\Splunk\etc\system\local and add the following configuration:

Restart Splunk and verify that all Active Directory Security Logs are available in Splunk.

Adhere to the following requirements before configuring AD integration:

• A configured user for AD must have Administrator privileges because both Windows Management Instrumentation (WMI) and LDAP searches require Admin credentials. The AD user can be a “read only” Admin user, but does need to have following permissions:

  • The user account must belong to the “Distributed COM Users” Active Directory group.

  • The user account must have permission to access WMI namespaces (CIMV2 namespace) on the Domain Controller machine.

  • The user account must have permission to read the security event log on the domain controller machine.

• Active Directory Domain Controller and the Juniper ATP Appliance Core/CM must be synced to an NTP server, because Juniper ATP Appliance queries the AD based within a specified time period (ranging from the current time to 5 minutes).

• If the AD Domain Controller is behind a firewall then be sure to open up the firewall to allow the Juniper ATP Appliance Core/CM device to reach the AD.

  • Open the firewall for the port numbers required for LDAP Search and WMI query.

  • LDAP Search default port number

    • For Local Search:Port 389 (non SSL), Port 636 (SSL).

    • For Global Catalog Search:Port 3268 (non SSL), Port 3269 (SSL).

      Note:

      For SSL mode Customer should install Active Directory Certificate Services and install a certificate. Domain Controller Server should be restarted after this as LDAPS doesn't work without restart.

  • WMI uses TCP port 135 for initial connection. If the core is behind a firewall then customer needs to open up the firewall for port 135 and must also:

    • Either tie WMI to a fixed port and open up the firewall for the fixed port as well. This fixed port will be used for WMI data exchange.

      Note:

      You can find instructions for tying WMI to a fixed port at this URL: https://msdn.microsoft.com/en-us/library/bb219447(VS.85).aspx

      Also check if windows firewall is opened up for fixed port.

    • Or On the firewall, open up the port range 49152 - 65535 because DCOM might use any of the ports within this range.

• Ensure that the Audit policy on AD allows successful logons to generate the necessary events, specifically a Kerberos event type with the event code 4769.

• Be sure to configure the Windows Security Log Property "Overwrite events as needed (oldest event first)" option, for the maximum log file size, because Juniper ATP Appliance scrapes these logs for Identity (security logs must be running logs in order for Juniper ATP Appliance to obtain Identity information).

Also setup a non-Admin user in order to query the Domain Controller Event Log for Windows 2008 and Windows 2012.

The Juniper ATP Appliance Core queries the Domain Controller event log to obtain the host-to-IP mapping. Be sure to configure the Juniper ATP Appliance Core/CM to query the Domain Controller with a user who is part of the Domain Administrator group. This may be restrictive and potentially risky to administrators.

An AD Agent running on the Juniper ATP Appliance Core does not need an Admin user because it uses WMI to query the Active Directory Domain Controllers for the Security Event logs. Juniper ATP Appliance also uses Distributed COM (DCOM) technology to handle its remote calls to the domain controller. For a non-admin user, be sure to set the following permissions in order to allow to querying the DC:

• DCOM permission (this should belong to the Distributed COM Users AD group).

• WMI permission to access WMI namespaces (CIMV2 namespace) on the domain controller device.

• Permission to read the security event log on the domain controller device.

To create a Domain User or Group, add the new user/group to a domain Builtin Group: “Distributed COM Users” and “Event Log Readers” using the Active Directory Users and Computers window options, as shown below.

Figure 37: Active Directory Users and Computers Window “Member Of” Settings

Next, set the User/Group WMI permissions.

1. Run the Windows Management Instrumentation (WMI) console.

2. Select Start, click Run, and then type: wmimgmt.msc

3. Click OK and press Enter.

4. Right-click "WMI Control" and select "Properties".

5. Select the Security tab, and then expand "Root".

6. Select "CIMV2" and then click "Security".

   Figure 38: Windows Management Instrumentation (WMI) Console Settings

7. Add the domain user that you've created to work with the AD Domain Controller. Set the "Enable Account" and "Remote Enable" permissions to the user.

   Figure 39: WMI Console Settings for Security for ROOT\CIMV2

8. Click "Advanced". Select the domain user and check that “Apply to” is set to "this namespace and subnamespaces".

   Figure 40: WMI Console Advanced Security Settings for CIMV2

9. Select OK to save changes.

   Figure 41: Finalizing the WMI Console Advanced Security Settings

Next, obtain the Domain Component Name for the Domain Controller.

1. Navigate to the AD Server.

2. Run “Administrative Tools.”

3. Run "Active Directory Users and Computers"

4. Click on "Active Directory Users and Computers" and on the right side locate the Name (for example:pod001.eng.JATP.com is displayed as the Domain Component Name in the sample screenshot below).

5. You will use this exact same domain component name from Step 4; take note so that you can add it to the Domain Component field on Juniper ATP Appliance’s Active Directory Configuration Page (described in Part 2 below Part 2 - Configuring an Active Directory Domain Controller from the Web UI).

Figure 42: Domain Component Name in the Name Column of the AD Users and Computers Window

Next, test the Local WMI services.

1. Click Start, click Run, type wmimgmt.msc, and then click OK.

2. Right-click WMI Control (Local), and then click Properties.

3. If the WMI service is configured correctly, the WMI Control will connect to WMI and display the Properties dialog box. On the General tab, you should see information about the operating system and the version of WMI.

Figure 43: WMI Control (Local) Properties Page

Now, verify WMI permissions:

1. On the AD computer, click Start, click Run, type wmimgmt.msc, and then click OK.

2. Right-click WMI Control, and then click Properties.

3. On the Security tab, expand Root, and then click WMI.

4. Click Security in the results pane to see the permissions. If the user does not have permission, then set permissions.

Figure 44: WMI Console Security Settings

Next, verify the LDAP SSL connection. After a certificate is installed, follow these steps to verify that LDAP is enabled:

1. Start the Active Directory Administration Tool (Ldp.exe).

   Note:

   The Active Directory Administration Tool program is installed in the Windows 2000 Support Tools area.

2. On the Connection menu, click Connect.

3. Type the name of the domain controller to which you want to connect.

4. Type 636 as the port number.

5. Click OK.

6. Proceed to Part 2 - Configuring an Active Directory Domain Controller from the Web UI.

Juniper ATP Appliance polls the AD Domain Controller every 5 minutes to get the Identity data from AD. Identity data is retrieved from AD’s Security event logs using WMI by querying logs for the event code 4769 and AD Datastore using LDAP search. Identity data includes mapping each authentication event, endpoint host name, endpoint IP address, username used to login into the endpoint and user's email address. Multiple AD domain controllers can be configured and polled in 5 minute intervals.

Review the following list of AD Domain Controller requirements and suggested configuration settings:

• A configured AD user must have administrator privileges. The AD account admin must (1) belong to the Distributed COM Users AD group, (2) the account must have permission to access WMI namespaces (CIMV2 namespace) on the domain controller device, (3) the account must have permission to read the security event log on the domain controller device.

• The Active Directory Domain Controller and the Juniper ATP Appliance Core+CM must both be synced to an NTP server in order to optimize AD polling in 5 minute intervals.

• If the Active Directory Domain Controller is behind a firewall, then the administrator must open up the firewall to allow the Juniper ATP Appliance Core+CM to reach the AD controller. Open the firewall for port numbers that are required for LDAP searches and WMI queries.

  LDAP Search default port numbers:

  • For local search (of a specified domain component), use port numbers 389 for non-SSL and 636 for SSL.

  • For a global search (of a specified domain component), use port numbers 3268 for non-SSL and 3269 for SSL.

    Note:

    For SSL mode, be sure to install “Active Directory Certificate Services” and install a certificate. The AD Domain Controller Server should be restarted after installing the certificate because LDAP will not work without the restart.

• WMI uses TCP port 135 for the initial connection. If the Core+CM is behind a firewall, then the administrator must open up the firewall for port 135 and then also:

  • EITHER, tie the WMI to a fixed port and open up the firewall to the fixed port as well. Port 135 is used for the initial connection handshake. The fixed port is used for WMI data exchange.

    • Instructions to tie WMI to a fixed port are available at: https://msdn.microsoft.com/en-us/library/bb219447(VS.85).aspx

    • Also check to be sure the windows firewall is opened up for the fixed port.

  • OR, On the firewall, open up the port range 49152 - 65535 (because DCOM might use any of the port from this range).

• Ensure that the Audit Policy on the AD domain controller allows successful logons, particularly Kerberos event types with the event code 4769.

• Configure the Windows Security Log Property setting: “Overwrite events as Needed (oldest event first)”; select the maximize file size for full identity polling coverage.

Refer also to Prerequisites for Active Directory Integration for information about setting up a nonadmin user to query the Domain Controller Event Log for Windows 2008 and Windows 2012.

This section provides information about determining whether the Active Directory Domain Controller integration is working.

• Run the “setupcheck all” command from the Juniper ATP Appliance CLI or click Test button option in the Current AD Domain Controller window located in the Config>Environmental Settings>Active Directory Configuration page to check if Active Directory integration is working.

• If the Active Directory Domain Controller integration is not working:

  • The AD Agent will still send a Health Alert every 1 hour.

  • The AD Agent will also send GSS an Alert if the AD is unreachable for some reason.

An AD Agent may not be able to get Identity information for the following reasons:

• Active Directory Domain Controller not reachable (connectivity issue or it’s down)

• A Query on the Active Domain Controller takes a longer time to finish (the controller may be slow due to memory or CPU issues).

• Network Latency may be too high.

To upload a SNORT Rule file:

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>Environmental Settings>Snort Rule Upload page.

   Figure 45: Juniper ATP Appliance Central Manager SNORT Rules Upload Page

2. Click the Add SNORT Rules button.

3. Click Choose File and browse to select your custom SNORT file for upload to the Juniper ATP Appliance system.

4. Enter a description for the SNORT rule in the Description field, then click Add.

5. To edit or delete a custom SNORT Rule, click the Delete or Edit link in the Current SNORT Rules table Actions column:

To configure ATP Appliance Splunk Ingestion, perform the following steps.

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>Environmental Settings>Splunk Configuration page; click Add New Identity Source.

2. Select Splunk as the Source Type.

3. Select an Identity Source: Audit Logs or LDAP Add-on.

4. Select an Event Log Collection Method: WMI or Universal Forwarder.

5. Enter an Optional Splunk Index.

6. Select Enable or Disable for the Use Reverse DNS setting.

7. Enter Exclude Hostnames, separated by commas. Identity mappings for these hosts are ignored and not included in event handling and displays.

8. Click Submit to complete the configuration.

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>Environmental Settings>Splunk Configuration page; click Add New Identity Source.

2. Select Active Directory as the Source Type.

3. Enter a Hostname/IP Address.

4. Enter a Username and Password.

5. Enter a Search Type: Global Catalog Search or Local Search.

6. Select Enable or Disable for the Use Reverse DNS setting.

7. Enter a Domain Component Name.

8. Select an SSL setting: Enabled or Disabled.

9. Enter an LDAP Port Number.

   Note:

   Typically used port numbers: Global Catalog Search [SSL Enabled - 3289; SSL Disabled - 3268]; Local Search [SSL Enabled - 636; SSL Disabled - 389]

10. Choose to Enable or Disable the Use Reverse DNS setting.

11. Enter Exclude Hostnames, separated by commas. Identity mappings for these hosts are ignored and not included in event handling and displays.

12. Click Submit to complete the configuration.

Juniper ATP Appliance’s support of Direct Ingestion of Active Directory (AD) Logs is not a new feature and has been available for many Juniper ATP Appliance product release versions. The Juniper ATP Appliance also supports AD log ingestionas via Splunk using either its Universal Forwarder on DC or the WMI method.

• Splunk Universal Forwarder of Active Directory Logs

• Splunk WMI Forwarding of Active Directory Logs

IMPORTANT: A few notices before you begin:

• Active Directory, Splunk and Juniper ATP Appliance all need to be NTP-synced.

• AD log ingestion can only be either Direct or via Splunk at a time.

• In AD logs via Splunk, the “Exclude hostname” configuration in the UI should be set to exclude the hostname of AD.

• If your enterprise environment has not previously employed AD-Splunk integration, and this is a first-time deployment, Juniper ATP Appliance supports both the WMI method and the Universal Forwarder method, and does not recommend one over the other. However, Splunk documentation recommends the Universal Forwarder for Domain Controllers because there have been performance issues reported for the WMI method.

To configure Splunk for AD using the Splunk App on DC, use the following procedure:

1. Install an Add-On for receiving security audit logs;

   Review this link to determine which infrastructure Add-On to install:

   http://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/ HowtodeploytheSplunkAppforWindowsInfrastructure

   Review this link to learn more about Splunk deployment options:

   http://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/ WhataSplunkAppforWindowsInfrastructuredeploymentlookslike

   Deployment Options:

   • Splunk App for Windows Infrastructure (for receiving Security Audit logs) on Search Head

   • Splunk Add On for Active Directory (for ldap search) on Search Head

   • Splunk Add On for Windows on Search Head, Indexer and Universal Forwarder

2. Configure Active Directory Add On from the Splunk Web Console, as shown below:

   Figure 46: Splunk Add-on Configuration for Receiving & Forwarding AD Security Audit Logs

3. Configure the Splunk Indexer to receive Windows Data by navigating to Settings>Forward And Receiving (Data)->Configure Receiving->New

   Figure 47: Splunk Add New Forwarding & Receiving Data Configuration Window

4. Deploy Splunk App for Windows Infrastructure; use the following linked instructions:

   http://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/ WhataSplunkAppforWindowsInfrastructuredeploymentlookslike

   http://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/InstallaSplunkIndexer

   Note:

   Download and install the Universal Forwarder on the Domain Controller with information from the following links.

   The Universal Forwarder is one method for sending event logs to Splunk Indexer; the other method is Agentless forwarding using the WMI method, shown in the next section Splunk WMI Forwarding of Active Directory Logs).

   • Download the Universal Forwarder: https://www.splunk.com/en_us/download/universal-forwarder.html

   • Download the MSI and start the installation. Configure the Universal Forwarder with instructions from this link:

     http://docs.splunk.com/Documentation/Forwarder/6.5.3/Forwarder/ InstallaWindowsuniversalforwarderfromaninstaller#Install_the_universal_forwarder_for_use_with_onpremises_ Splunk_instances

   • Click on the Customize option after selecting the appropriate checkboxes as shown in the image below:

     

   • Click Next and then choose Local Account unless you want to poll other domain controllers using WMI. Click Next again.

     

   • In the next configuration window, shown below, select the Security Log forwarding option. Click Next.

     

   • Enter the Deployment Server Hostname and Port (default is 8089), then click Next.

     

   • Enter the Receiver Index and Port (default is 9997), as in the example shown below, and then click Next..

     

5. Follow instructions to Get Active Directory Data from this link:

   http://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/DownloadandconfiguretheSplunkAddonsforActiveDirectory

   • Configure GPO’s for AD and Powershell.

   • Download Splunk Add On For Microsoft Active Directory.

   • Download Splunk Add On for Microsoft Powershell.

   • Un-TAR both downloaded TAR files using 7zip or another archive utility.

   • Copy the resulting SA-ModularInput-PowerShell and Splunk_TA_microsoft_ad to the Universal Forwarder installed path:

   • Restart Universal Forwarder components:

     • services.msc

     • Find SplunkForwarder Service and restart it.

   • Verify Splunk Search Head is receiving data by performing one of the following procedures:

     • Search the UI at App & Reporting > Data Summary to verify that the Domain Controller Host is configured.

     • Or search using “source="wineventlog:security" AND EventCode=4769 AND Service_Name != krbtgt | table _time Account_Name Client_Address Service_Name | rename _time as Logon_Time Account_Name as UserName Client_Address as IPAddress Service_Name as HostName”

6. Configure Splunk App for Windows Infrastructure on the Splunk Web Indexer; note the prerequisites:

   • Give winfra-admin role to admin user by modifying the roles for admin user as shown below:

Use the following procedure to setup AD Integration with Splunk using the WMI method.

1. Both Splunk Enterprise and your Windows network must be correctly configured for WMI data access. Review the following prerequisites before attempting to use Splunk Enterprise to get WMI data.

   Before Splunk Enterprise can get WMI-based data:

   • Splunk Enterprise must be installed with a user that has permissions to perform remote network connections. While installing Splunk it would ask for local account or domain account. Choose domain account.

   • The user Splunk Enterprise runs as must be a member of an Active Directory (AD) domain or forest and must have appropriate privileges to query WMI providers.

   • The Splunk user must also be a member of the local Administrators group on the computer that runs Splunk Enterprise.

   • The computer that runs Splunk Enterprise must be able to connect to the remote machine(AD) and must have permissions to get the desired data from the remote machine once it has connected.

2. After installing Splunk, logon to Splunk and navigate to Settings -> Data Inputs:

3. Click on the second option - Remote Event Log Collection, then click on New.

4. Choose a name for the log collection and enter the AD server IP address.

5. If Splunk can perform a WMI query to the AD server, then the Select Event Logs option is displayed, as shown below; Choose Security and click Next.

6. Enter the host details on the next page. If you want to choose an indexer, choose it or leave the default.

   Review configurations and Submit.

7. From the Splunk Server, navigate to C:\Program Files\Splunk\etc\system\local and add the following configuration:

8. Restart Splunk and verify that all Active Directory Security Logs are available in Splunk.

• Install the Carbon Black Response Event Forwarder : https://developer.carbonblack.com/reference/enterprise-response/event-forwarder/

• To send the Carbon Black Response event logs to any server via TCP or UDP, edit the Event Forwarder CONF file as in the example shown below:

  In /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf

Take the username & password for the above from /etc/cb/cb.conf, search for RabbitMQUser & RabbitMQPassword and copy the value from the above file.

In /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf

Search for and enter the values shown below:

If the TCP option is selected, configure the tap server and the listening port. Currently, you can select any random port to listen to.

If udp option is selected above, then configure the tap server & the listening port. Currently you can select any random port to listen to:

Next, run the below command to receive output indicating which server the event forwarder has connected to.

Start the event-forwarder:

1. From the Carbon Black Response Server, install the Carbon Black Response Event Forwarder:

   https://developer.carbonblack.com/reference/enterprise-response/event-forwarder/

2. Download the relevant binaries from this link:

   https://www.splunk.com/en_us/download/universal-forwarder.html

3. Install Splunk Add on for Bit9 Carbon Black to your Splunk instance. Set the Splunk Common Information Model.

   https://splunkbase.splunk.com/app/2790/

4. Configure the Carbon Black Response Event Forwarder; this is required to save the Carbon Black Response event logs to a file using the contents to forward data to Splunk.

   In /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf

   Apply the username and password shown above from /etc/cb/cb.conf, search for RabbitMQUser and RabbitMQPassword, and copy the value to the above CONF file.

   In /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf

   Search & enter the values below:

   The above outfile can be anything; in this example, the link stores the event logs.

   Run the command below to get the output shown below.

   Start the event-forwarder:

5. Configure the Splunk Add on for Bit 9 Carbon Black Response.

6. Set the Splunk Common Information Model as shown below:

   

7. Configure the Receiver for your Splunk Instance to set the Splunk Forwarder to forward data; Navigate to Splunk > Settings > Forwarding & Receiving.

   

8. Click on Configure Receiving.

   

9. Configure a port to listen on. In this example: port 6666.

   

10. Set up the Splunk Universal Forwarder to forward Carbon Black Response data to Splunk by downloading and installing the Universal Forwarder RPM on the Carbon Black Response server:

    https://www.splunk.com/en_us/download/universal-forwarder.html

    In the above command 10.2.14.219 is the splunk server & 6666 is the port we have configured in Step 3 on which Splunk is receiving.

11. Add an input host file. In this example, cbtest is used, which can be searched for in Splunk.

    The monitor is the directory of data.json, which is configured in Step 1.

    The sourcetype shows which data needs to be sent, which is from Carbon Black Response.

12. Start Splunk.

13. Check the forward-server.

Carbon Black Response log ingestion can be viewed from the Juniper ATP Appliance Central Manager Web UI Incidents page and Events Timeline Dashboard:

To configure ATP Appliance Splunk Ingestion, perform the following steps.

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>Environmental Settings>Splunk Configuration page.

   Figure 48: Splunk Ingestion Configuration Page

2. Enter the Splunk Host IP address and Splunk Management Port number.

   Note:

   Be sure to enter the Splunk port number 8089, not 8080.

3. Enter your Splunk Login and Password.

4. Click Enable to make the configuration active; deselect to disable the configuration.

5. Click Submit to activate an enabled Splunk configuration.

6. Test the Splunk Configuration Ingestion Settings by clicking the Test button.

   Note:

   Splunk environments allow for implementation of multiple ports that are all user-configurable; be sure to configure the Splunk management port on this page if you are having trouble connecting to Splunk. Check your Splunk site for your settings if your admin is not using the defaults.

At the Splunk console, include the following settings for integration with Juniper ATP Appliance; in this example, the PAN Add-on is configured:

Figure 49: Palo Alto Networks Add-on for Splunk

Figure 50: Splunk Common Information Model Settings

To configure ATP Appliance External Event Collector settings for PAN Next Gen Firewalls, perform the following configurations for direct Log Collection or Splunk ingestion options:

Use the following procedure to configure direct ingestion of event data from PAN, where Juniper ATP Appliance essentially acts as a syslog server but one that identifies only relevant malware events.

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>Environmental Settings>External Event Collectors configuration page.

2. Select Firewall as the Source Type, and PAN Next Gen Firewall as the Vendor Name.

3. For Transport, select the Log Collector option.

4. Enter the Log Source Identifier; for example: PA-200. This is the host name portion of the syslog message that Juniper ATP Appliance uses to identify which vendor is incoming, and how Juniper ATP Appliance will parse its logged events. [On the PAN UI in the following screenshot, notice that the configured Device Name is the same as the Juniper ATP Appliance Log Source Identifier.]

5. Choose SSL Enabled | Disabled.

6. Select a Default Severity setting: Max | High | Med | Low | Benign

7. Configure Create Incident by selecting the Enable or Disable option. All incidents created by Juniper ATP Appliance from PAN direct ingestion will be created according to the severity setting selected in step 6. The Create Incident setting, when enabled, creates incidents for third party events directly and sends email alert notifications, even if there are no correlates with Juniper ATP Appliance-detected events.

8. Click Add to perform the Log Collector configuration.

At the PAN UI, configure your Juniper ATP Appliance Core as a syslog server. If your PAN device is exporting to your own syslog server, just add Juniper ATP Appliance as another syslog server because PAN can export to multiple syslog destinations simultaneously.

1. Navigate to the PAN console Device>Syslog>+Add configuration page:

   Figure 51: Firewall [PAN: Direct Ingestion Configuration]

2. Select the same syslog server for log forwarding on the Objects>Log Forwarding>+Add page from the syslog dropdown:

   Figure 52: Sample Direct Ingestion Configuration from PAN Side

   During forwarding of syslogs from PAN, when events exceed the 1500 supported limit, Juniper ATP Appliance recommends limiting export from PAN to critical events only by adjusting settings on the PAN console Log Forwarding Profile page.

   Figure 53: Sample Direct Ingestion Configuration from PAN Side

   Be sure to navigate to the Syslog Log forwarding Profile, select where to send the logs (either to the Juniper ATP Appliance Core via direct ingestion, or to Splunk, or to both, and then Commit.

   Figure 54: Commit the Log Forwarding Profile to Complete PAN-Side Direct Ingestion Configuration

The number generated syslogs/sec during direct ingestion is 1500; the number of syslogs/day (average of 10 hours) is 54 million. For this reason, Juniper ATP Appliance uses event filtering for efficient ingestion, handling and reporting of events and does not store any events that are informational or benign.

PAN events created via direct ingestion for display in the Juniper ATP Appliance Events Timeline Dashboard use the following filters:

• Ignore informational events

• Ignore events with the action “wildfire-upload-success”, “wildfire-upload-skip” and “forward” because these logs are not indicative of malware events.

Figure 55: Sample Direct Ingestion Log

Use the following procedure to configure Splunk integration for the PAN Next Gen Firewall on the Juniper ATP Appliance side. Refer to for information about configuring integration from the Splunk side.

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>Environmental Settings>External Event Collectors configuration page:

   Figure 56: Firewall [PAN: Splunk Ingestion Configuration]

2. Select Firewall as the Source Type, and PAN Next Gen Firewall as the Vendor Name.

3. For Transport, select the Splunk option.

4. Enter the Optional Splunk Index; enter the index used for PAN logging into Splunk.

   For example: pan

5. Select a Default Severity setting: Max | High | Med | Low | Benign

6. Configure Create Incident by selecting the Enable or Disable option. All incidents created by Juniper ATP Appliance from Splunk ingestion will be created according to the severity setting selected in step 5. The Create Incident setting, when enabled, creates incidents for third party events directly and sends email alert notifications, even if there are no correlates with Juniper ATP Appliance-detected events.

7. Click Add to perform the Splunk integration.

This section does not cover Splunk configuration. However, when configuring Splunk from the Splunk console for integration with Juniper ATP Appliance, there are a few items you’ll need to be sure are set for PAN:

1. Navigate to Splunk>Apps>Manage Apps, then confirm configuration is established for Palo Alto Add-on for Splunk., and that Status shows as Enabled.

   

2. At Splunk>Apps>Manage Apps, check for and confirm setup is complete and Enabled for Common Information Model.

   

3. At Settings>Data>Data Inputs>UDP/TCP, click the link to review the Index. You can click this link to check the Index configured for PAN. Be sure to do the same on the Juniper ATP Appliance Configuration page for ATP Appliance Firewall [PAN: Log Collector | Splunk Ingestion] for the Splunk configuration.

   

4. From the Splunk>Settings>Data Inputs>Port>PortNumber page, under “More Settings” (check the checkbox to expand), confirm that the Source type is “pan:log,” and check the index that is currently configured so you could use it in the Juniper ATP Appliance Configuration for ATP Appliance Firewall [PAN: Log Collector | Splunk Ingestion] for the Splunk configuration.

   
   Note:

   The Source type must be configured as “pan:log” and Index as “pan” for integration with Juniper ATP Appliance.

   Figure 57: Sample Splunk Configuration from PAN Side

   Be sure to navigate to the Syslog Log forwarding Profile, select where to send the logs (either to the Juniper ATP Appliance Core via direct ingestion, or to Splunk, or to both and then Commit.

Figure 58: Commit the Log Forwarding Profile to Complete PAN-Side Splunk Configuration

PAN events created via Splunk integration classify events according to the following Splunk “Common Information Models” (CIM) via the Splunk PAN Add-on:

• Web

• Intrusion Detection

• Malware Attacks

Figure 59: Splunk Ingestion Log

Figure 60: Sample Splunk Log via PAN

Refer to the following sample Incident display to view Juniper ATP Appliance detection and reporting of PAN syslog ingestion.

In this example, PAN allowed a download to pass through, and Juniper ATP Appliance detected the event.

Note that Juniper ATP Appliance detected the Download and external source log collection also marked it as a malicious event:

This same incident is reported on the Juniper ATP Appliance Events Timeline host view as follows; note that both the PAN Download Event and the Juniper ATP Appliance Malware Detection Event are reported:

In another, different example, we can see in the Events Timeline Dashboard that Juniper ATP Appliance detected a malicious event, and PAN performed a DENY:

Juniper ATP Appliance integrates with Bluecoat Proxy Secure Gateway to facilitate mitigation. Bluecoat periodically retrieves bad Web URLs from Juniper ATP Appliance and blocks them. (The list of bad URLs are the same as those delineated on the Juniper ATP Appliance’s Mitigation tab > Secure Web Gateways, which lists the URLs to be mitigated. Essentially, Bluecoat has the capability of pulling the malicious URLs list from Juniper ATP Appliance through HTTP/HTTPS. Hence, Juniper ATP Appliance provides the malicious URLs list for Bluecoat to poll.

Juniper ATP Appliance leverages existing third party security devices such as Bluecoat to automatically block malicious Web URLs. This is extremely significant because other vendors do not block malicious Web downloads; they only block infections.

Use the following procedures to configure Bluecoat Secure Web Gateway Log Collector Ingestion or Splunk Ingestion.

• Configuring a Bluecoat Secure Web Gateway Log Collector

• Configuring Splunk to Bluecoat Integration

• Configuring Bluecoat to Juniper ATP Appliance Integration

• Configuring Bluecoat Secure Web Gateway Splunk Ingestion

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>Environmental Settings>External Event Collectors configuration page:

   Figure 61: Web Gateway [Bluecoat: Log Collector Configuration]

2. Select Web Gateway as the Source Type.

3. Select Bluecoat Secure Web Gateway as the Vendor Name.

4. For Transport, select the Log Collector option.

5. Enter the Input Port.

6. Select a Default Severity setting: Max | High | Med | Low | Benign

7. Configure Create Incident by selecting the Enable or Disable option. All incidents created by Juniper ATP Appliance from Splunk ingestion will be created according to the severity setting selected in step 6. The Create Incident setting, when enabled, creates incidents for third party events directly and sends email alert notifications, even if there are no correlates with Juniper ATP Appliance-detected events.

8. Click Add to perform the Bluecoat Secure Web Gateway Log Collector configuration.

Before cofiguring Splunk for Bluecoat integration with Juniper ATP Appliance, consider the following prerequisites:

• Have the Splunk enterprsie version installed and running

• Have the Splunk for Bluecoat app installed and running

• Have the Splunk Add-on for Blue Coat ProxySG running

• Have Bluecoat CLI access, with access to Enable Mode and Configure Mode

• Note that Juniper ATP Appliance only supports the bcreportermain_v1 log type currently, so no other log type will work

• Be sure to use NTP service on the Splunk server so that Splunk and Bluecoat time are in sync

• After integration, observe the Splunk logs under “bcoat_logs” and confirm the time matches Splunk’s time. For example, if Splunk is in PST, the data coming from Bluecoat under “bcoat_logs” index should also be set for PST. If there is no time match, integration might not work properly

1. Navigate to Config > Environmental Settings > Splunk Configuration at the Juniper ATP Appliance Central Manager console.

2. Add the Splunk configuration Username, Password and Port, then set as Enabled and click Test Configuration to verify. If the connection is established successfully, a success message is displayed.

3. Add Bluecoat as an External Event Collector; refer to ATP Appliance Web Gateway [Bluecoat: Log Collector | Splunk Ingestion].

   Be sure to select transport “log collector / Splunk. Provide a port number if selecting log collector and an optional index if selecting the splunk option, then add the settings.

1. Login to the Bluecoat CLI and enter Enable mode, then enter Configure mode.

2. Enter access-log settings: enter the command “edit log main.”

3. Select client type as custom client.

4. Select access log enable.

5. Select upload type text.

6. Select custom client primary <Juniper ATP Appliance Core IP or Splunk Server IP> <any port number you want to use for integration > and click Enter.

7. Enable continuous upload and the integration is done on Juniper ATP Appliance side

1. At the Splunk console, navigate to Settings -> Data Inputs.

2. In the Local Input menu, click Add New in the TCP Port menu. A new page will open with 4 fields:

3. In the Port field input the port number (the port number configured in the Bluecoat custom client), then click Next. Make sure the type remains as TCP.

4. In the next window, select the source type as “bluecoat:proxysg:access:syslog”.

5. On the same page, select the index type as “bcoat_logs,” and click Review.

6. Review the data and click Next. The bluecoat configuaration is now complete.

Within a few minutes the Bluecoat logs will start appearing on the Splunk side. Be sure to use index=”bcoat_logs” for filtering the logs.

In order to allow Bluecoat to connect to Juniper ATP Appliance’s self signed SSL apache server with HTTPS, the PEM file from the Juniper ATP Appliance server must be accessed. Then, you import the PEM file to the Bluecoat SSL certificate list.

1. Navigate to Config > System Settings > System Settings.

2. Change the “Server fully qualified domain name” appropriately. This is going to be the common name in the PEM, and also the host name that Bluecoat is sending the request to. Therefore, you need to make sure Bluecoat can access this host by using the name specified.

3. Click the Submit button. The new PEM file is generated on the server, and the Apache requires a restart to apply the change. Refresh the UI by pressing F5 until you see a new warning “The site’s security certificate is not trusted!” (via Chrome, for example). This warning indicates that the PEM is changed.

4. Navigate to the Bluecoat configuration console.

1. Enter the information required as described below:

   Figure 62: Bluecoat Configuration Settings

   • Availability: This setting controls whether the Juniper ATP Appliance URL is available to be polled by Bluecoat.

   • Exception Page: This is a string to be included in the URL list, allowing Bluecoat to display a predefined exception page if a malicious URL is requested.

   • Cache Age: This value is used to determine how long the malicious URLs list is cached to avoid a repetitive attack and also to help reduce the Juniper ATP Appliance server load.

   • Allowed IPs: If leaving it blank, Juniper ATP Appliance is not checking who polls the list. Otherwise, only the IPs specified is allowed to poll.

2. Get PEM File button. Clicking this button will display the server PEM key content; copy and paste this key into Bluecoat in order to let Bluecoat to accept Juniper ATP Appliance’s self-signed certificate.

   Figure 63: PEM Key Content Display

3. Refresh URL button: Clicking this button will (re-)generate the polling URL.

4. To import a CA Certificate from the Bluecoat side: navigate to the Configuration tab SSL > CA Certificates section and click the Import button.

5. Enter a unique name, and copy and paste the PEM key from system settings to here.

   Figure 64: PEM Copied to Bluecoat

6. Click Apply.

7. Under SSL > CA Certificates, switch the tab to CA Certificate Lists.

8. Highlight “browser-trusted” and click Edit.

9. Add the newly created CA Certificate entry from left to right, then click Apply.

   Figure 65: Adding the CA Certificate to the Bluecoat Configuration

10. To set up the polling, navigate to Policy > Policy Files.

11. Click Install for the “Install Central File from:” section.

12. Paste the URL from the Juniper ATP Appliance server to here:

    Figure 66: Adding the Juniper ATP Appliance URL to the Bluecoat Configuration

13. You will see the “The file was successfully downloaded and installed” message. Check the box “Automatically install new Policy when central file changes”.

14. The final step is to configure how often Bluecoat should poll:

    This sets a 5 minute interval between polls.

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>Environmental Settings>External Event Collectors configuration page:

2. Select Web Gateway as the Source Type.

3. Select Bluecoat Secure Web Gateway as the Vendor Name.

4. For Transport, select the Splunk option.

5. Enter the Optional Splunk Index; for example: pan

6. Select a Default Severity setting: Max | High | Med | Low | Benign

7. Configure Create Incident by selecting the Enable or Disable option. All incidents created by Juniper ATP Appliance from Splunk ingestion will be created according to the severity setting selected in step 6. The Create Incident setting, when enabled, creates incidents for third party events directly and sends email alert notifications, even if there are no correlates with Juniper ATP Appliance-detected events.

8. Click Add to perform the Splunk integration

Use the following procedures to configure Log Collection or Splunk Ingestion for Endpoint AV vendors ESET, McAfee ePO and/or Symantec AV.

• Configuring ESET Endpoint AV Log Collection

• Configuring Symantec EP Endpoint AV Log Collection

• Configuring McAfee ePO Endpoint AV Splunk Ingestion

• Configuring Symantec EP Endpoint AV Log Collection

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>Environmental Settings>External Event Collectors configuration page:

2. Select Endpoint AV as the Source Type.

3. Select ESET as the Vendor Name.

4. For Transport, select the Log Collector option.

5. Enter the Log Source Identifier.

6. Choose an SSL setting: Enabled or Disabled; “enabled” is recommended.

7. Select a Default Severity setting: Max | High | Med | Low | Benign

8. Configure Create Incident by selecting the Enable or Disable option. All incidents created by Juniper ATP Appliance from Splunk ingestion will be created according to the severity setting selected in step 5. The Create Incident setting, when enabled, creates incidents for third party events directly and sends email alert notifications, even if there are no correlates with Juniper ATP Appliance-detected events.

Click Add to perform the ESET Log Collector configuration.

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>Environmental Settings>External Event Collectors configuration page:

2. Select Endpoint AV as the Source Type.

3. Select McAfee ePO as the Vendor Name.

4. For Transport, select the Log Collector option.

5. Enter the Log Source Identifier; for example: MCAFEE-EPO.

6. Choose an SSL setting: Enabled or Disabled; “enabled” is recommended.

7. Select a Default Severity setting: Max | High | Med | Low | Benign

8. Configure Create Incident by selecting the Enable or Disable option. All incidents created by Juniper ATP Appliance from Splunk ingestion will be created according to the severity setting selected in step 5. The Create Incident setting, when enabled, creates incidents for third party events directly and sends email alert notifications, even if there are no correlates with Juniper ATP Appliance-detected events.

9. Click Add to perform the McAfee ePO Log Collector configuration.

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>Environmental Settings>External Event Collectors configuration page:

   Figure 67: Endpoint AV [ESET:Log Collector Configuration]

2. Select Endpoint AV as the Source Type.

3. Select Symantec EP as the Vendor Name.

4. For Transport, select the Log Collector option.

5. Enter the Log Source Identifier.

6. Choose an SSL setting: Enabled or Disabled.

7. Select a Default Severity setting: Max | High | Med | Low | Benign

8. Configure Create Incident by selecting the Enable or Disable option. All incidents created by Juniper ATP Appliance from Splunk ingestion will be created according to the severity setting selected in step 5. The Create Incident setting, when enabled, creates incidents for third party events directly and sends email alert notifications, even if there are no correlates with Juniper ATP Appliance-detected events.

9. Click Add to perform the Symantec EP Log Collector configuration.

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>Environmental Settings>External Event Collectors configuration page:

2. Select Endpoint AV as the Source Type.

3. Select McAfee ePO as the Vendor Name.

4. For Transport, select the Splunk option.

5. Enter the Optional Splunk Index; for example: pan

6. Select a Default Severity setting: Max | High | Med | Low | Benign

7. Configure Create Incident by selecting the Enable or Disable option. All incidents created by Juniper ATP Appliance from Splunk ingestion will be created according to the severity setting selected in step 5. The Create Incident setting, when enabled, creates incidents for third party events directly and sends email alert notifications, even if there are no correlates with Juniper ATP Appliance-detected events.

8. Click Add to perform the Splunk integration.

1. Install McAfee ePO version 5.2 with latest patch.

2. Install latest Splunk enterprise version

3. Install Splunk Add-on for McAfee. https://splunkbase.splunk.com/app/1819/

4. Install and configure DB Connect for Splunk:

   • Download and install DB Connect Version2.4.0 Add-on. This is required to connect to the McAfee ePO database to pull ePO events from the McAfeen ePO server database. https://splunkbase.splunk.com/ app/2686/

     Note:

     This app works on JAVA 1.8 version; be sure to update the ubuntu/windows version to run Splunk with JAVA 1.8

     Steps:

   • Install a JDBC driver for your database. Refer to the section: Microsoft SQL Server. http:// docs.splunk.com/Documentation/DBX/2.4.0/DeployDBX/Installdatabasedrivers

     Note:

     Copy the jdbc driver(sqljdbc4.jar) under path: /opt/splunk/etc/apps/splunk_app_db_connect/bin/lib

   • After installing DB Connect and restarting Splunk Enterprise, launch DB Connect and complete the initial setup http://docs.splunk.com/Documentation/DBX/2.4.0/DeployDBX/ Singleserverdeployment#Set_up_Splunk_DB_Connect

   • Create a database identity, set up a database connection, and create a new database input for Splunk Add-on for McAfee .

     Note:

     • Use the Splunk DB Connect GUI method to create a database connection instead of modifying db_connections.conf file to create a connection.

     • Under the Execution Frequency setting, change from 3600 sec to 1 sec so that it pulls the data from the epo db every second. http://docs.splunk.com/Documentation/AddOns/released/McAfeeEPO/ ConfigureDBConnectv2inputs

5. Generate a threat event on the ePO server and search through that event log to find the endpoint IP address that was attacked, or the malware name; as shown on in the following example:

   

6. Login to the Juniper ATP Appliance Web UI and navigate to Config>Environmental Settings>External Event Collectors and ADD a new external collector using the Splunk option; refer to the Juniper ATP Appliance-Side Configuring McAfee ePO Endpoint AV Splunk Ingestion for more information.

7. View the McAfee ePO threat events on the Juniper ATP Appliance Events Timeline Dashboard by filtering the timeline by “IP Address” of the endpoint.

1. Confirm you have installed McAfee ePO version 5.2 version with the latest patch (hotpatch ePolicy Orchestrator (EPO) 5.3.2 HF1185471).

2. Login to the ePO 5.2 UI and create a syslog-registered server via tabs Configuration>Registered Servers:

   

3. Create a new server by entering all required details as shown in the figure above. Enter the Juniper ATP Appliance Core hostname/IP as the Server Name, and enter 10514 for the TCP port number.

4. Click the Test connection button to confirm that the settings are correct and ePO is ready to send syslog events to Juniper ATP Appliance. The message “Syslog connection success” indicates that the ePO is ready to push threat events to the Juniper ATP Appliance Core and the Juniper ATP Appliance Core is ready to accept the events.

5. View the McAfee ePO threat events on the Juniper ATP Appliance Events Timeline Dashboard by filtering the timeline by the IP Address of the endpoint, as show in the screenshot below.

To configure Carbon Black Response for endpoint alert event handling via direct log ingestion or Splunk ingestion, use the following procedures.

• Configuring Carbon Black Response Log Events via Splunk

• Splunk Side Configuration for Carbon Black Response

• Configuring Carbon Black Response via Direct Log Ingestion

• Carbon Black Response - Splunk Integration

• Carbon Black Response Ingestion Reporting at Juniper ATP Appliance

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>Environmental Settings>External Event Collectors configuration page:

2. Select Carbon Black Response as the Vendor Name.

3. For Transport, select the Splunk option.

4. Enter the Optional Splunk Index; for example: pan

5. Select a Default Severity setting: Max | High | Med | Low | Benign

6. Configure Create Incident by selecting the Enable or Disable option. All incidents created by Juniper ATP Appliance from Splunk ingestion will be created according to the severity setting selected in step 5. The Create Incident setting, when enabled, creates incidents for third party events directly and sends email alert notifications, even if there are no correlates with Juniper ATP Appliance-detected events.

7. Click Add to perform the Splunk integration.

This section does not cover Splunk configuration. However, when configuring Splunk from the Splunk console for integration with Juniper ATP Appliance, there are a few items you’ll need to be sure are set for PAN:

Navigate to Splunk.

1. Navigate to the Juniper ATP Appliance Central Manager Web UI Config>Environmental Settings>External Event Collectors configuration page:

   Figure 68: Endpoint Response [Carbon Black Response:Log Collector Configuration]

2. Select Carbon Black Response as the Vendor Name.

3. For Transport, select the Log Collector option.

4. Enter the Input Port.

5. Select a Default Severity setting: Max | High | Med | Low | Benign

6. Configure Create Incident by selecting the Enable or Disable option. All incidents created by Juniper ATP Appliance from log ingestion will be created according to the severity setting selected in step 5. The Create Incident setting, when enabled, creates incidents for third party events directly and sends email alert notifications, even if there are no correlates with Juniper ATP Appliance-detected events.

7. Click Add to save the Log Collector configuration.

Use the following information to perform Carbon Black Response and Splunk integration using either:

• Carbon Black Response Direct Log Ingestion: Event Forwarder of JSON Logs

• Carbon Black Response Integration via Splunk Forwarder

• Carbon Black Response Ingestion Reporting at Juniper ATP Appliance

IMPORTANT: A few notices about Carbon Black Response and Splunk integration:

• Juniper ATP Appliance requires Active Directory (AD) data for correlation with Carbon Black logs.

• AD, Splunk and Juniper ATP Appliance must be NTP-synced.

• Currently, form Carbon Black, only watchlist alert events are consumed by Juniper ATP Appliance:

  • alert.watchlist.hit.ingress.host

  • alert.watchlist.hit.ingress.binary

  • alert.watchlist.hit.ingress.process

  • alert.watchlist.hit.query.binary

  • alert.watchlist.hit.query.process

• Correlation between Juniper ATP Appliance and Carbon Black Response is within 5 minutes.

• The endpoint hostname is the only match for correlating Carbon Black Response and Juniper ATP Appliance events.

• With Carbon Black Response Event Forwarder, there is an option to forward logs in JSON or LEEF format; Juniper ATP Appliance supports JSON format only at this time for both Splunk and Direct Log ingestion.

• For Direct Log Ingestion, logs can be sent to any random Juniper ATP Appliance port.

• The difference between Carbon Black Response integration and Carbon Black Direct Log Ingestion:

  • During Carbon Black Response integration, Juniper ATP Appliance queries for only those events detected by Juniper ATP Appliance to obtain confirmation about the endpoint execution.

  • In CB Log Ingestion, all events irrespective of whether Juniper ATP Appliance has seen it or not is pulled.

  • If a CB event is correlated in CB log ingestion, then we don’t mark the EX Progression.

1. Install the Carbon Black Response Event Forwarder :

   https://developer.carbonblack.com/reference/enterprise-response/event-forwarder/

2. To send the Carbon Black Response event logs to any server via TCP or UDP, edit the Event Forwarder CONF file as in the example shown below:

   In /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf

   Take the username & password for the above from /etc/cb/cb.conf, search for RabbitMQUser & RabbitMQPassword and copy the value from the above file.

   In /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf

   Search for and enter the values shown below:

   If the TCP option is selected, configure the tap server and the listening port. Currently, you can select any random port to listen to.

   If udp option is selected above, then configure the tap server & the listening port. Currently you can select any random port to listen to:

   Next, run the below command to receive output indicating which server the event forwarder has connected to.

   Start the event-forwarder:

1. From the Carbon Black Response Server, install the Carbon Black Response Event Forwarder:

   https://developer.carbonblack.com/reference/enterprise-response/event-forwarder/

2. Download the relevant binaries from this link:

   https://www.splunk.com/en_us/download/universal-forwarder.html

3. Install Splunk Add on for Bit9 Carbon Black to your Splunk instance. Set the Splunk Common Information Model.

   https://splunkbase.splunk.com/app/2790/

4. Configure the Carbon Black Response Event Forwarder; this is required to save the Carbon Black Response event logs to a file using the contents to forward data to Splunk.

   In /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf

   Apply the username and password shown above from /etc/cb/cb.conf, search for RabbitMQUser and RabbitMQPassword, and copy the value to the above CONF file.

   In /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf

   Search & enter the values below:

   The above outfile can be anything; in this example, the link stores the event logs.

   Run the command below to get the output shown below.

   Start the event-forwarder:

5. Configure the Splunk Add on for Bit 9 Carbon Black Response.

6. Set the Splunk Common Information Model as shown below:

   

7. Configure the Receiver for your Splunk Instance to set the Splunk Forwarder to forward data; Navigate to Splunk > Settings > Forwarding & Receiving.

   

8. Click on Configure Receiving.

   

9. Configure a port to listen on. In this example: port 6666.

   

10. Set up the Splunk Universal Forwarder to forward Carbon Black Response data to Splunk by downloading and installing the Universal Forwarder RPM on the Carbon Black Response server:

    https://www.splunk.com/en_us/download/universal-forwarder.html

    In the above command 10.2.14.219 is the splunk server & 6666 is the port we have configured in Step 3 on which Splunk is receiving.

11. Add an input host file. In this example, cbtest is used, which can be searched for in Splunk.

    The monitor is the directory of data.json, which is configured in Step 1.

    The sourcetype shows which data needs to be sent, which is from Carbon Black Response.

12. Start Splunk.

13. Check the forward-server.

Carbon Black Response log ingestion can be viewed from the Juniper ATP Appliance Central Manager Web UI Incidents page and Events Timeline Dashboard.