Advanced Threat Prevention Features
Read this topic to understand how to create Security Intel (SecIntel) profiles and advanced anti-malware profiles and apply them in application policies on WAN Edge devices.
Juniper Networks' Advanced Threat Prevention (ATP) offers a comprehensive suite of features designed to detect, analyze, and prevent advanced cyber threats. Juniper Mist supports the following features:
- SecIntel Threat Intelligence Feeds—Juniper's curated security intelligence feeds, SecIntel, provide dynamic and automatic updates to identify and block malicious domains, URLs, and IP addresses. In Juniper Mist, SecIntel profiles enable you to block malicious and unwanted traffic such as Command and Control (C&C) communications, compromised IP addresses or IP subnets, and domains connected to malicious activities.
- Advanced Anti-Malware (AAMW)—Juniper Networks Anti-Malware is a security solution that uses cloud-sourced data to protect against advanced cybersecurity threats. This feature detects and blocks malware and unwanted files on the network before they reach an endpoint. In Juniper Mist, you can create anti-malware profiles for WAN Edge devices, detailing which files need cloud analysis and the steps to take when malware is detected.
The Advanced Threat Prevention feature is supported on SRX Series Firewalls. In this context, any mention of a WAN Edge device refers to an SRX Series Firewall deployed as a WAN Edge device.
Prerequisites
Ensure you have the following available:
- Juniper Advanced Threat Prevention Cloud account and an ATP Cloud Realm created from your account. See Registering a Juniper Advanced Threat Prevention Cloud Account.
- Your ATP Cloud account associated with a license. For more information, see Software Licenses for ATP Cloud.
Enrollment of a WAN Edge device in ATP Cloud occurs once a realm is created and either a SecIntel or an AAMW profile is associated with a security policy for that device.
Add ATP Credential Details
Juniper Mist automatically enrolls devices in Cloud ATP Services as required. To integrate Juniper Mist Cloud with ATP Cloud, you need to provide ATP credential details in the Juniper Mist portal.
- On the Juniper Mist portal, select Organization > Admin > Settings.
- Scroll down to the Secure WAN Edge Integration pane and click Add Credentials.
- In the Add Provider window, enter the details.
  Figure 1: Add Credentials for ATP Cloud
  - Provider—Select ATP Cloud. Currently, we support the US Prod Instance as the ATP Cloud service provider.
  - Email Address—Enter the username (ATP account credential).
  - Password—Enter the password for the username.
  - Realm—Enter the associated Realm name.
- Click Add to continue.
Note: Only the Global instance of ATP is supported.
Create Security Intelligence (SecIntel) Profiles
SecIntel offers meticulously curated and verified threat intelligence sourced from Juniper Networks’ Advanced Threat Prevention (ATP) Cloud. This intelligence is delivered to the WAN Edge device to block Command and Control (C&C) communications at line rate. By enabling automatic and responsive traffic filtering, SecIntel provides real-time threat intelligence.
Many of the feeds include an associated threat score, allowing customers to define security rules and controls that are applied to traffic passing through their devices. The SecIntel security service integrates Juniper threat feeds, including those for C&C communications, malicious domains, and infected hosts. See also: SecIntel Feeds Overview and Benefits.
SecIntel profiles, which can be incorporated into application policies, enable the blocking of malicious and unwanted traffic such as C&C communications, compromised IP addresses or subnets, and domains linked to malicious activities.
To create a SecIntel profile:
- In the Juniper Mist cloud portal, select Organization > WAN > Application Policy.
- Under Profiles, click the Security Intel (SRX Only) tab. The page displays the SecIntel profiles defined (if available).
- Click Add Security Intel Profile and enter the following details:
  Figure 2: Create SecIntel Profile
- Add Name for the profile.
- Select one of the following supported profile types:
C&C Default Action—Lets you configure actions against C&C servers that have attempted to contact and compromise hosts on your network.
DNS Default Action—Lets you configure actions against the domains that are known to be associated with malicious activities.
Infected Host Default Action—Lets you configure actions against infected hosts, which are local devices that are potentially compromised because they appear to be part of a C&C network or exhibit other symptoms.
For each profile type, you can select strict, standard, or default. These profiles define different levels of action: "strict" is more aggressive and potentially blocks more traffic, while "default" might offer a more balanced approach, as shown in Table 1.
Table 1: Profile Actions Based on Threat Score

| Profile | Threat Score | Action |
|---|---|---|
| Default | 1-8 | Monitor (Log) and permit |
| Default | 9-10 | Block |
| Standard | 1-5 | Monitor (Log) and permit |
| Standard | 6-10 | Block |
| Strict | 1-2 | Monitor (Log) and permit |
| Strict | 3-10 | Block |

- Click Save.
The profile you created appears under the Security Intel (SRX Only) pane. Next, apply the profile in an application policy by using the following steps:
- In the Application Policy pane, select an existing application or create a new application.
- Enter the policy details such as Network / User, Action, and Application / Destination.
- Under Advanced Security Services, click + and scroll down to Security Intel (SRX Only).
  Figure 3: Apply SecIntel Profile in Application Policy
- Select the SecIntel profile that you created in the previous step. You can also select available profiles (strict, standard, default).
- Click Save.
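To see what the Table 1 thresholds mean before moving a policy from one profile to a stricter one, the following added example (not Juniper or Mist code) replays logged events against two profiles and reports which flows would change from permit to block. The event field names, addresses, and threat scores are constructed assumptions for illustration.

```python
from collections import Counter

# Block thresholds from Table 1: a threat score at or above the value is
# blocked; any lower score is monitored (logged) and permitted.
BLOCK_FROM = {"default": 9, "standard": 6, "strict": 3}


def action(profile, score):
    """Return the Table 1 action for a threat score under a profile."""
    if not 1 <= score <= 10:
        raise ValueError(f"threat score out of range: {score}")
    return "block" if score >= BLOCK_FROM[profile] else "permit"


def newly_blocked(events, current, proposed):
    """Events permitted under `current` that `proposed` would block."""
    return [e for e in events
            if action(current, e["score"]) == "permit"
            and action(proposed, e["score"]) == "block"]


def impact_by_source(events, current, proposed):
    """Count newly blocked flows per internal source address, to show
    which hosts are affected most when the profile is tightened."""
    return Counter(e["src"] for e in newly_blocked(events, current, proposed))


# Constructed sample events (hypothetical field names, documentation-range
# destination addresses, invented scores); not real SecIntel output.
EVENTS = [
    {"src": "10.0.1.15", "dst": "203.0.113.7", "feed": "cc", "score": 10},
    {"src": "10.0.1.15", "dst": "198.51.100.23", "feed": "cc", "score": 7},
    {"src": "10.0.2.40", "dst": "198.51.100.23", "feed": "cc", "score": 7},
    {"src": "10.0.2.40", "dst": "192.0.2.99", "feed": "dns", "score": 4},
    {"src": "10.0.3.8", "dst": "192.0.2.50", "feed": "dns", "score": 2},
]

if __name__ == "__main__":
    for proposed in ("standard", "strict"):
        hits = impact_by_source(EVENTS, "default", proposed)
        print(f"default -> {proposed}: {sum(hits.values())} newly blocked",
              dict(hits))
```

Hosts that appear in the output are worth reviewing before the stricter profile is applied, since their permitted traffic already matches feed entries with mid-range scores.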
Create Advanced Anti-Malware Profiles
This feature detects and blocks malware and unwanted files on the network before they reach an endpoint. Like SecIntel, anti-malware profiles can be created from the application policy screen and included in an application policy.
To create an Anti-Malware profile:
- In the Juniper Mist cloud portal, select Organization > WAN > Application Policy.
- Under Profiles, click the Anti-Malware (SRX Only) tab. The page displays the anti-malware profiles defined (if available).
- Click Add Anti-Malware (SRX Only) and enter the following details:
  Figure 4: Create Anti-Malware Profile
- Add Name.
- Select one or more file categories as provided in the table below:
Table 2: File Category Contents

| Category | Description | File Types |
|---|---|---|
| Archive | Archive files | .zip, .rar, .tar, .gzip |
| PDF | PDF, e-mail, and MBOX files | .email, .mbox, .pdf, .pdfa |
| Rich Application | Installable Internet Applications such as Adobe Flash, JavaFX, Microsoft Silverlight | .swf, .xap, .xbap |
| OS package | OS-specific update applications | .deb, .dmg |
| Java | Java applications, archives, and libraries | .class, .ear, .jar, .war |
| Script | Scripting files | .bat, .js, .pl, .ps1, .py, .sct, .sh, .tcl, .vbs, plsm, pyc, pyo |
| Document | All document types except PDFs | .chm, .doc, .docx, .dotx, .hta, .html, .pot, .ppa, .pps, .ppt, .pptsm, .pptx, .ps, .rtf, .txt, .xlsx, .xml, .xsl, .xslt |
| Executable | Executable binaries | .bin, .com, .dat, .exe, .msi, .msm, .mst |
| Library | Dynamic and static libraries and kernel modules | .a, .dll, .kext, .ko, .o, .so, .ocx |
| Mobile | Mobile formats | .apk, .ipa |
| Configuration | Configuration files | .inf, .ini, .lnk, .reg, .plist |

- Click Save.
The profile you created appears under the Anti-Malware (SRX Only) pane. Next, apply the profile in an application policy by using the following steps:
- In the Application Policy pane, select an existing application or create a new application.
- Enter the policy details such as Network / User, Action, and Application / Destination.
- Under Advanced Security Services, click + and scroll down to Anti-Malware (SRX Only).
  Figure 5: Apply Anti-Malware Profile in Application Policy
- Select the Anti-Malware profile that you created in the previous step. You can also select available profiles (executables, standard, docs-only).
- Click Save.
View WAN Edge Device Status
In the Juniper Mist Portal, select WAN Edges > WAN Edges to view basic device monitoring information.
The Advanced Security section, located below the device ports, shows the status of security services. A green check mark indicates that the service is active on the device. In the following sample, Antivirus, Advanced-Antimalware, AppSecure, and SSL are active with the green check mark.

Below the port information and security section, you’ll find the Properties pane, which contains generalized platform-related information.
Click WAN Edge Events or navigate through Monitor > Insights and select the site and the WAN Edge that you want to view.
Click an event to see a summary on the right side of the page.

View Security Events
The Juniper Mist Security Events page, accessible through Site > WAN Edge > Security Events, provides a centralized view of security-related events. It displays a log of security events detected by Juniper Mist so that you can monitor the security posture of the network. Users can filter and view event details, allowing for proactive security response and analysis.

Click one of the tabs, AAMW (Advanced Anti-Malware) or SecIntel, to see the related security event details. In the example above, the page shows incident details for Command and Control (C&C) with a severity level of Minor. It also indicates the action taken, which is Permit in this case. Additionally, you can view other information such as the device name, site, source and destination addresses, and source and destination ports.