Getting Started with JATP and the SRX Series Device

These are basic setup instructions to begin using the SRX Series Services Gateway with JATP (for those less familiar with SRX). Refer to the rest of the integration document for further configuration information such as email scanning, infected hosts, and viewing incidents.

Configure the SRX Series Device to Begin

Initial Configuration

To begin using the SRX Series device:

  1. Load the factory defaults.

    load factory-default

  2. Set the root password.

    set system root-authentication <password>

  3. Set the host name.

    set system host-name <hostname>

  4. Commit the configuration. Once you commit, you should see the host name in the prompt.

    commit

Configure Interfaces and a Default Route

On the SRX Series device, configure interfaces and the default route. The following commands are generic examples; substitute your own addresses and interfaces:

  1. Enter the following commands for interfaces:

    set interfaces ge-0/0/2 unit 0 family inet address x.x.x.x/x

    set interfaces ge-0/0/4 unit 0 family inet address x.x.x.x/x

    set interfaces ge-0/0/5 unit 0 family inet address x.x.x.x/x

  2. Enter the following to configure the default route:

    set routing-options static route 0.0.0.0/0 next-hop x.x.x.x

Configure Security Zones

The SRX Series device is a zone-based firewall. You must assign each interface to a zone in order to pass traffic through it. To configure security zones, enter the following commands:

set security zones security-zone untrust interfaces ge-0/0/2.0

set security zones security-zone untrust interfaces ge-0/0/5.0

set security zones security-zone trust host-inbound-traffic system-services all

set security zones security-zone trust host-inbound-traffic protocols all

set security zones security-zone trust interfaces ge-0/0/4.0

Configure DNS

On the SRX Series device, configure DNS using the following commands:

set groups global system name-server x.x.x.x

set groups global system name-server x.x.x.x

Configure NTP

On the SRX Series device, configure NTP using the following commands:

set groups global system processes ntp enable

set groups global system ntp boot-server x.x.x.x

set groups global system ntp server x.x.x.x

On JATP: Login to the Web UI and Enroll SRX Series Devices

Enroll the SRX Series Device to JATP Web UI

Enrollment establishes a secure connection between JATP and the SRX Series device. It also performs basic configuration tasks such as:

  • Downloads and installs certificate authority (CA) licenses onto your SRX Series device

  • Creates local certificates and enrolls them with JATP

  • Establishes a secure connection to JATP

Warning:

If you are using a custom SSL certificate with JATP, before you enroll SRX Series devices, you must upload the CA bundle containing a CA certificate which validates the JATP certificate. This ONLY applies if you are using a Custom SSL certificate. See The Juniper ATP Operator’s Guide for instructions. Search for the “Managing Certificates” heading. Once this is done, proceed to the enrollment instructions.

Warning:

If you already have SRX Series devices enrolled with JATP and you change the certificate (from the default to custom or vice-versa), you must re-enroll all SRX Series devices.

Warning:

Network Environment Considerations and Requirements

  • It is required that both your Routing Engine (control plane) and Packet Forwarding Engine (data plane) can connect to the Juniper ATP Appliance. (The Packet Forwarding Engine and the Routing Engine perform independently but communicate constantly through a 100-Mbps internal link. This arrangement provides streamlined forwarding and routing control and the ability to run Internet-scale networks at high speeds. Refer to Juniper Network’s Junos documentation for more information.)

  • You do not need to open any ports on the SRX Series device to communicate with JATP. However, if you have a device in the middle, such as a firewall, then that device must have port 443 open.

  • You cannot use FXP0 interfaces to communicate with JATP. You must use a separate revenue interface.

  • If you are using addresses in the same subnet for JATP management and SRX Series management, you must use a virtual router instance to separate the management and revenue interfaces. If the addresses of JATP management and SRX Series management configured through FXP0 are in different subnets, you do not need to configure an additional virtual router instance. Note that traffic must be routed through the revenue interface configured for JATP management.

  • If you are registering JATP through a VPN tunnel, it must be a named tunnel. JATP expects an IP address on the interface. Therefore you must configure an IP address on the VPN tunnel interface before running the OP URL script to enroll the SRX Series device. Otherwise, the registration will fail.

  • SRX Series integration with JATP requires API keys to generate the enrollment script (OP URL). The JATP UI only allows generating API keys for local users. Therefore, if users authenticate using RADIUS and attempt to generate an enrollment script to register an SRX Series device, it will fail because the remote user will not have an API key. As a workaround, you can log into the JATP UI using local credentials (https://<JATP IP>/cyadmin/?local_login) and continue with the instructions below. If your network policy doesn’t allow local users, there is no workaround for this issue.

To enroll an SRX Series device with JATP, do the following:

  1. From the JATP web UI, you must enable the API Key for the admin user. This is used for enrolling the SRX Series device. From the Config tab, navigate to System Profile > Users. Select the admin user for JATP and enable the Generate New API Key checkbox. Click Update User.

  2. From the Config tab, navigate to System Profile > SRX settings and click the Enrollment URL button in the top right of the page. A screen with the enrollment command appears.

  3. Copy the entire enrollment command to your clipboard and click OK.

  4. Paste the command into the Junos OS CLI of the SRX Series device you want to enroll with JATP and press Enter.

    Note:

    (Optional) Use the show services advanced-anti-malware status CLI command to verify that a connection is made to JATP from the SRX Series device.

    Once configured, the SRX Series device communicates with JATP through multiple persistent connections established over a secure channel (TLS 1.2) and the SRX Series device is authenticated using SSL client certificates.

Use the Delete button in the JATP SRX settings page to remove the SRX Series device currently enrolled in JATP. To access the Delete button, click the arrow to the left of the device name to expand device information.

Use the Search field at the top of the page to search for enrolled devices in the list by serial number.

On the SRX Series Device: Configure Security Policies

Configure the Anti-Malware Policy

On the SRX Series device, enter the following commands to create and configure the anti-malware policy. Note that commands for both SMTP and IMAP are included here:

set services advanced-anti-malware policy aamw-policy http inspection-profile default

set services advanced-anti-malware policy aamw-policy http action permit

set services advanced-anti-malware policy aamw-policy http notification log

set services advanced-anti-malware policy aamw-policy smtp inspection-profile default

set services advanced-anti-malware policy aamw-policy smtp notification log

set services advanced-anti-malware policy aamw-policy imap inspection-profile default

set services advanced-anti-malware policy aamw-policy imap notification log

set services advanced-anti-malware policy aamw-policy fallback-options notification log

set services advanced-anti-malware policy aamw-policy default-notification log

Configure the SSL Forward Proxy

SSL Forward Proxy is required to collect files from HTTPS traffic in the data plane.

  1. On the SRX Series device, generate the local certificate.

    request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa

    request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name www.juniper.net subject "CN=www.juniper.net,OU=IT,O=Juniper Networks,L=Sunnyvale,ST=CA,C=US" email security-admin@juniper.net

  2. Load the trusted root CA profiles.

    request security pki ca-certificate ca-profile-group load ca-group-name trusted-ca-* filename default

  3. Enter the following commands to configure the SSL forward proxy.

    set services ssl proxy profile ssl-inspect-profile-dut root-ca ssl-inspect-ca

    set services ssl proxy profile ssl-inspect-profile-dut actions log all

    set services ssl proxy profile ssl-inspect-profile-dut actions ignore-server-auth-failure

    set services ssl proxy profile ssl-inspect-profile-dut trusted-ca all

Optionally, Configure the Anti-Malware Source Interface

If you are using a routing instance, you must configure the source interface for the anti-malware connection. If you are using a non-default routing instance, you do not have to complete this step on the SRX Series device.

set services advanced-anti-malware connection source-interface ge-0/0/2

Configure a Security Intelligence Profile

JATP and SRX use different threat level thresholds. See the JATP and SRX Series Threat Level Comparison Chart for information.

On the SRX Series device, enter the following commands to create a security intelligence profile:

set services security-intelligence profile secintel_profile category CC

set services security-intelligence profile secintel_profile rule secintel_rule match threat-level [ 7 8 9 10 ]

set services security-intelligence profile secintel_profile rule secintel_rule then action block drop

set services security-intelligence profile secintel_profile rule secintel_rule then log

set services security-intelligence profile secintel_profile default-rule then action permit

set services security-intelligence profile secintel_profile default-rule then log

set services security-intelligence profile ih_profile category Infected-Hosts

set services security-intelligence profile ih_profile rule ih_rule match threat-level [ 7 8 9 10 ]

set services security-intelligence profile ih_profile rule ih_rule then action block drop

set services security-intelligence profile ih_profile rule ih_rule then log

set services security-intelligence policy secintel_policy Infected-Hosts ih_profile

set services security-intelligence policy secintel_policy CC secintel_profile

Configure a Security Policy

On the SRX Series device, enter the following commands to create a security policy that applies the inspection profiles:

set security policies from-zone trust to-zone untrust policy 1 match source-address any

set security policies from-zone trust to-zone untrust policy 1 match destination-address any

set security policies from-zone trust to-zone untrust policy 1 match application any

set security policies from-zone trust to-zone untrust policy 1 then permit application-services ssl-proxy profile-name ssl-inspect-profile-dut

set security policies from-zone trust to-zone untrust policy 1 then permit application-services advanced-anti-malware-policy aamw-policy

set security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy secintel_policy
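
The security policy above only works if the profile names it references (the SSL proxy profile, the anti-malware policy and the security intelligence policy) match the definitions in the earlier sections, and if every logical interface carrying the traffic sits in a zone. The following lint is an added example, not a Juniper tool: it parses set-style commands like those on this page and reports references to undefined profiles, logical interfaces assigned to no zone, and SSL proxy profiles configured with ignore-server-auth-failure (which lets the proxy continue a session whose server certificate failed validation). The sample configuration is constructed, with two defects planted deliberately.

```python
from collections import defaultdict

# Constructed sample in the page's set-command style; ge-0/0/5.0 is left out of
# every zone and ih_profile is referenced but never defined, on purpose.
SAMPLE_CONFIG = """
set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.2/24
set interfaces ge-0/0/5 unit 0 family inet address 203.0.113.1/24
set security zones security-zone untrust interfaces ge-0/0/2.0
set services ssl proxy profile ssl-inspect-profile-dut actions ignore-server-auth-failure
set services advanced-anti-malware policy aamw-policy http inspection-profile default
set services security-intelligence profile secintel_profile category CC
set services security-intelligence policy secintel_policy CC secintel_profile
set services security-intelligence policy secintel_policy Infected-Hosts ih_profile
set security policies from-zone trust to-zone untrust policy 1 then permit application-services ssl-proxy profile-name ssl-inspect-profile-dut
set security policies from-zone trust to-zone untrust policy 1 then permit application-services advanced-anti-malware-policy aamw-policy
set security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy secintel_policy
"""

def lint_set_config(text):
    ifaces, zoned, findings = set(), set(), []
    defined, referenced = defaultdict(set), defaultdict(set)  # kind -> names
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] != "set":
            continue
        if t[1:3] == ["security", "zones"] and "interfaces" in t:
            zoned.add(t[t.index("interfaces") + 1])
        elif t[1] == "interfaces" and t[3] == "unit":
            ifaces.add(f"{t[2]}.{t[4]}")  # logical unit, as zones name it
        elif t[1:5] == ["services", "ssl", "proxy", "profile"]:
            defined["ssl-proxy"].add(t[5])
            if "ignore-server-auth-failure" in t:  # proxy accepts unvalidated server certs
                findings.append(f"ssl proxy profile {t[5]} ignores server certificate validation failures")
        elif t[1:4] == ["services", "advanced-anti-malware", "policy"]:
            defined["advanced-anti-malware-policy"].add(t[4])
        elif t[1:4] == ["services", "security-intelligence", "profile"]:
            defined["security-intelligence profile"].add(t[4])
        elif t[1:4] == ["services", "security-intelligence", "policy"]:
            defined["security-intelligence-policy"].add(t[4])
            referenced["security-intelligence profile"].add(t[6])  # <category> <profile>
        elif t[1:3] == ["security", "policies"] and "application-services" in t:
            j = t.index("application-services") + 1
            kind = t[j]  # ssl-proxy takes "profile-name <name>", the others take <name>
            referenced[kind].add(t[j + 2] if kind == "ssl-proxy" else t[j + 1])
    for iface in sorted(ifaces - zoned):
        findings.append(f"interface {iface} is not assigned to a security zone")
    for kind, names in referenced.items():
        for name in sorted(names - defined[kind]):
            findings.append(f"{kind} {name} is referenced but never defined")
    return findings
```

Running lint_set_config over a `show configuration | display set` dump before committing catches a mistyped profile name or a forgotten zone assignment on the workstation rather than on the device.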

The initial configuration is complete.