Use Case Implementation: Juniper Connected Security Automated Threat Remediation with ForeScout CounterACT and Juniper Networks Devices

This use case shows how to integrate and configure a ForeScout CounterACT security appliance, a Windows 7 supplicant, a Juniper Networks vSRX virtual firewall, a Juniper Networks EX4300 switch, and a Juniper Networks QFX Series switch into a Juniper Connected Security deployment.

To implement threat remediation (blocking or quarantining infected hosts) with ForeScout CounterACT, perform the installation, configuration, and verification steps in the sections that follow.

Requirements

This use case uses the following hardware and software components:

  • vSRX virtual firewall running Junos OS Release 15.1X49-D110.4 or later

  • a QFX series switch running Junos OS Release 15.1X53-D60.4 or later

  • an EX4300 switch running Junos OS Release 15.1R5.5 or later

  • Advanced Threat Prevention Cloud (ATP Cloud)

  • Junos Space Network Management Platform, Release 17.2R1 or later

  • Junos Space Security Director, Release 17.2R2 or later

  • Log Collector, Release 17.2R2 or later

  • Policy Enforcer, Release 17.2R2 or later

  • ForeScout CounterACT version 7.0.0-513-2.3.0-1605

  • A virtual machine (VM) running Windows 7 with 2x dual NIC hosts

For a list of supported devices, see the Policy Enforcer Release Notes.

Use Case Topology

The use case topology is illustrated in Figure 1.

Figure 1: Juniper Connected Security Automated Threat Remediation with ForeScout CounterACT and Juniper Networks Devices Use Case Topology. Network topology diagram showing the integration of virtualized and physical components: Internet gateway, Juniper ATP Cloud, Policy Enforcer, Security Director, Log Collector, ForeScout CounterACT, Active Directory, vSRX firewall, ESXi hosts, vQFX switch, EX4300 switch, DHCP server, and the virtual host machines with their respective IP addresses.

The ForeScout CounterACT security appliance takes an agentless approach to network security and integrates with Juniper Connected Security to block or quarantine infected hosts on Juniper Networks devices, third-party switches, and wireless access controllers, whether or not they support 802.1X.

In this use case, the infected endpoint is quarantined into the user VLAN, VLAN31, on the EX4300 switch. The EX4300 switch is managed by ForeScout CounterACT and has 802.1X authentication enabled on ge-0/0/19. The end user authenticates to the network using 802.1X.

The following events occur in this use case:

  1. ATP Cloud detects the infected endpoint.
  2. Policy Enforcer downloads the infected host feed from ATP Cloud and enforces the infected host policy through CounterACT.
  3. CounterACT looks up the endpoint details for the infected host's IP address.
  4. CounterACT sends a message to the EX4300 switch telling it to terminate the session, either by blocking the endpoint or by quarantining it in VLAN31.
  5. Enforcement occurs on the EX4300 switch on which the endpoint is authenticated.
  6. CounterACT inventories the applications, services, and processes running on the device, checks the OS version and registry settings, and verifies the presence of security agents. The result is a complete profile of the device and its security status.

Install and Configure Junos Space, Security Director, and Log Collector

This section shows how to install and configure Junos Space, Security Director, and Log Collector for this use case. These applications provide the centralized policy and management application for consistent network security policies.

This section covers the following procedures:

Configure Basic Junos Space Networking

To configure basic Junos Space Networking in this use case:

  1. Configure relevant routes, netmask, gateway, DNS, and NTP so that all components except Log Collector can connect to the Internet.
  2. Ensure all components are in same time zone.
  3. Ensure that SSH is enabled.
  4. Ensure that Security Director can connect to the ATP Cloud server, Policy Enforcer, and all devices.

For additional information on configuring Junos Space, see Junos Space Network Management Platform Documentation.

Install the required DMI Schemas on Security Director

Download and install the correct matching Junos OS schemas to manage the Juniper Networks’ devices:

  1. Add the DMI schemas for the Juniper Networks’ devices using the instructions at https://www.juniper.net/documentation/en_US/junos-space17.2/platform/topics/task/operational/dmi-schemas-adding-updating.html.
  2. Ensure that device software version and schema version match for all managed devices (SRX Series and EX Series devices).

Install and Configure SRX Series, EX Series, and QFX Series Devices

To install and configure vSRX virtual firewalls, EX Series switches, and QFX Series switches for this use case:

  1. Configure the vSRX device as the enforcement point per your requirements. Click CLI Configuration for SRX Series Device to review the detailed Junos OS CLI code for this use case.
  2. Configure the EX4300 switch per your requirements. Click CLI Configuration for EX4300 Switch to review the detailed Junos OS CLI code for this use case. You configure the EX4300 as an 802.1X authenticator that relays the Windows 7 supplicant's credentials to ForeScout CounterACT over RADIUS. The EX4300 switch also mirrors the traffic entering the port where the Windows 7 supplicant is connected to a destination port that is connected to the Monitor interface of the ForeScout CounterACT virtual appliance.
  3. Configure the QFX switch per your requirements. Click CLI Configuration for QFX Switch to review the detailed Junos OS CLI code for this use case. You configure the QFX switch as a standard access switch (without 802.1X). The EX4300 port that carries the QFX switch's uplink also mirrors its traffic to the destination port connected to the Monitor interface of the ForeScout CounterACT virtual appliance.
  4. Configure basic networking on Junos devices:
    1. On all Junos devices, configure the necessary routing and DNS settings to enable Internet access, as well as connectivity to Junos Space, Policy Enforcer, and the ATP Cloud server.

    2. For the SRX device, ensure that Internet access is enabled both in-band and out-of-band.

  5. Add devices to the Junos Space Network Management platform:
    1. In Junos Space, discover and import the SRX device in your environment.

    2. In Security Director, assign, publish, and update any existing firewall policies to ensure Security Director and the SRX device are in sync.
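
The following Junos OS configuration is an added example of the EX4300 side of steps 2 and 3 above; it is not the CLI Configuration for EX4300 Switch that this page links to. It assumes that the CounterACT management address is 172.30.77.100 and the switch address is 172.30.77.62 (the addresses shown in the CounterACT figures later on this page), and it uses placeholder values for the RADIUS shared secret, the Switch Plugin login account (forescout), and the mirror destination port (ge-0/0/20); replace them with your own. Enter the set commands in configuration mode and commit; the show commands in the trailing comments are the checks to run afterwards.

```junos
# Added example (not the page's own CLI configuration). Assumed values:
# CounterACT 172.30.77.100, switch 172.30.77.62 (both from the figures on
# this page), RADIUS secret "radius-secret", plugin account "forescout",
# mirror destination ge-0/0/20.

# Management access used by Junos Space and by the CounterACT Switch Plugin (SSH).
set system services ssh
set system services netconf ssh
# Dedicated super-user account for the Switch Plugin: the plugin needs
# super-user rights to change VLAN membership, and the page says not to use root.
# plain-text-password prompts for the password when the line is entered.
set system login user forescout class super-user authentication plain-text-password

# RADIUS server = CounterACT (its 802.1X plugin is the RADIUS server).
# The secret must match "RADIUS Secret as configured in switches" in the plugin.
set access radius-server 172.30.77.100 port 1812
set access radius-server 172.30.77.100 secret "radius-secret"
set access radius-server 172.30.77.100 source-address 172.30.77.62
set access profile counteract-dot1x authentication-order radius
set access profile counteract-dot1x radius authentication-server 172.30.77.100

# VLAN 31 is what CounterACT returns in the Access-Accept for PEAP users
# (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=31).
set vlans vlan31 vlan-id 31

# Supplicant port: single-supplicant 802.1X. The switch places the port in the
# RADIUS-assigned VLAN; CounterACT later blocks it or reassigns the VLAN over SSH.
set interfaces ge-0/0/19 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/19 unit 0 family ethernet-switching vlan members vlan31
set protocols dot1x authenticator authentication-profile-name counteract-dot1x
set protocols dot1x authenticator interface ge-0/0/19.0 supplicant single
set protocols dot1x authenticator interface ge-0/0/19.0 reauthentication 3600

# Mirror the supplicant port in both directions to the port cabled to the
# CounterACT Monitor interface (eth1). The output port has no VLAN membership.
set interfaces ge-0/0/20 unit 0 family ethernet-switching
set forwarding-options analyzer counteract-monitor input ingress interface ge-0/0/19.0
set forwarding-options analyzer counteract-monitor input egress interface ge-0/0/19.0
set forwarding-options analyzer counteract-monitor output interface ge-0/0/20.0

# Checks after commit (operational mode):
# show dot1x interface ge-0/0/19.0 detail   -> authenticated user and assigned VLAN
# show forwarding-options analyzer          -> analyzer state and member interfaces
# show ethernet-switching table interface ge-0/0/19.0
# show system commit                        -> commits made by the forescout account
```

Because the plugin logs in as its own account, every VLAN change or port block that CounterACT pushes during remediation appears under that user in the commit history, which keeps automated remediation distinguishable from administrator changes when you review the switch afterwards.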

Install and Configure Microsoft Windows Server and Active Directory

Because ForeScout CounterACT does not have a local user database to use for 802.1X authentication, you must install and configure Windows Server 2008 R2 with Active Directory.

  1. To set up and configure Windows Server 2008 R2, see https://docs.microsoft.com/en-us/iis/install/installing-iis-7/install-windows-server-2008-and-windows-server-2008-r2.
  2. To set up and configure Active Directory, see https://www.petri.com/installing-active-directory-windows-server-2008.
  3. Create a domain user account to use later during 802.1X authentication.

Download, Deploy, and Configure Policy Enforcer Virtual Machine

To download, deploy, and configure the Policy Enforcer Virtual Machine:

  1. Download the Policy Enforcer virtual machine image from http://www.juniper.net/support/downloads/?p=sdpe to the management station where the vSphere client is installed.
  2. On the vSphere client, select File > Deploy OVF Template from the menu bar.
  3. Click Browse to locate the OVA file that was downloaded.
  4. Click Next and follow the instructions in the installation wizard.
  5. Once the installation is complete, log in to the virtual machine using root and abc123 as the username and password, respectively. This is the default password of the image; change it as part of the initial configuration.
  6. Configure the network settings, NTP information, and customer information, and complete the wizard.

Identify and Connect Policy Enforcer to Security Director

To identify and connect Policy Enforcer to Security Director:

  1. In Security Director, identify the Policy Enforcer virtual machine.
  2. Log in to Security Director and select Administration > PE Settings.
  3. Enter the IP address of the Policy Enforcer virtual machine and the root password, and click OK.
  4. Select Threat Prevention Type as Sky ATP with PE.
    Note:

    At this point, do not run the wizard/guided setup.

Obtain an ATP Cloud license and Create an ATP Cloud Web Portal Account

To obtain an ATP Cloud license and create an ATP Cloud Web Portal account:

  1. ATP Cloud has three service levels: free, basic, and premium. The free license provides limited functionality and is included with the base software. To obtain and install an ATP Cloud basic or premium license, click Managing the Advanced Threat Prevention Cloud License.

    For more details on ATP Cloud service levels and license types, click Advanced Threat Prevention Cloud License Types.

  2. Create an ATP Cloud Web portal account by clicking https://sky.junipersecurity.net and filling in the required information.

Install Root CA on the ATP Cloud Supported SRX Series Devices

Note:

This section is required only if you are enabling HTTPS inspection as part of a malware profile or threat prevention policy.

This section covers the following topics:

Generate Root CA Certificate using Junos OS CLI or OpenSSL on a UNIX Device

Note:

Use only one of these options.

To generate a root CA certificate using the Junos OS CLI on the SRX device:

  1. Generate a PKI public/private key pair for a local digital certificate.
  2. Using the key pair, define a self-signed certificate, providing the FQDN and the other subject details.

Or

To generate a root CA certificate using OpenSSL on a UNIX device:

  1. Generate a PKI public/private key pair (and a self-signed certificate) for a local digital certificate.

  2. Copy the key pair onto the SRX device or devices.

  3. On the SRX device(s), import the key pair.

  4. Apply the loaded certificate as root-ca in the SSL proxy profile.

Configure a Certificate Authority Profile Group

To configure a Certificate Authority (CA) profile group:

  1. Create the CA profile.
  2. Load the default list of trusted CA certificates that Junos OS provides, using the default option of the CA certificate load command.
  3. Verify that the ssl-inspect-ca certificates are loaded.
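
As an added example (not the page's own CLI code), the following Junos OS commands carry out the Junos OS option for generating the root CA, the CA profile group steps above, the attachment of the resulting SSL proxy profile to a security policy, and the export used in the next section, on a vSRX. The certificate-id ssl-inspect-ca, the profile name ssl-inspect-profile, the group name trusted-ca-group, the example.net subject fields, the zone names trust and untrust, and the file paths are assumptions. The private key of this root CA can sign a certificate for any name that clients trusting it will accept, so it stays on the SRX and only the exported certificate is distributed.

```junos
# Added example, not the page's own configuration. Assumed names:
# certificate-id ssl-inspect-ca, SSL proxy profile ssl-inspect-profile,
# CA group trusted-ca-group, zones trust/untrust, example.net subject fields.

# --- Operational mode: Junos OS option (generate the CA on the device) ---
# 2048-bit RSA key pair, then a self-signed root certificate bound to it.
request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa
request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name www.example.net subject "CN=www.example.net,OU=IT,O=Example,L=Sunnyvale,ST=CA,C=US" email security-admin@example.net

# OpenSSL option instead (use only one option): after copying the PEM
# certificate and private key generated off-box to the SRX, import them under
# the same certificate-id so the rest of the configuration is unchanged.
# request security pki local-certificate load certificate-id ssl-inspect-ca filename /var/tmp/ssl-inspect-ca.crt key /var/tmp/ssl-inspect-ca.key

# Load the default list of trusted public CAs that ships with Junos OS as a
# CA profile group; the proxy uses it to validate the real server certificates.
request security pki ca-certificate ca-profile-group load ca-group-name trusted-ca-group filename default

# --- Configuration mode ---
# The proxy profile re-signs server certificates with ssl-inspect-ca and
# trusts the loaded CA group when validating the original server certificate.
set services ssl proxy profile ssl-inspect-profile root-ca ssl-inspect-ca
set services ssl proxy profile ssl-inspect-profile trusted-ca all
# Apply the profile to the HTTPS traffic to be inspected (zone names assumed).
set security policies from-zone trust to-zone untrust policy inspect-https match source-address any
set security policies from-zone trust to-zone untrust policy inspect-https match destination-address any
set security policies from-zone trust to-zone untrust policy inspect-https match application junos-https
set security policies from-zone trust to-zone untrust policy inspect-https then permit application-services ssl-proxy profile-name ssl-inspect-profile
commit

# --- Verification (operational mode) ---
# The local CA certificate must exist and the trusted group must be populated.
show security pki local-certificate certificate-id ssl-inspect-ca
show security pki ca-certificate ca-profile-group trusted-ca-group

# Export the root CA certificate as PEM for import into client browsers
# (see the next section); the private key does not leave the SRX.
request security pki local-certificate export certificate-id ssl-inspect-ca type pem filename /var/tmp/ssl-inspect-ca.pem
```

Without the trusted-ca group the proxy cannot validate the certificates of the servers it intercepts, which is why the page lists loading the default CA list as a required step rather than an option.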

Export and Import Root CA Certificate into a Web Browser

To export and import the Root CA Certificate into a web browser:

  1. On the SRX device, first export the root CA certificate to a .pem file.
  2. Transfer the .pem file to your Windows client.
    Note:

    If you are using the UNIX device with OpenSSL, the certificate is already on the device and no action is required.

  3. Import the certificate into a browser.

    If you are using a Windows client, instruct the browser to trust the CA root certificate.

    • Internet Explorer (version 8.0):

      1. From the Tools menu, select Internet Options.

      2. On the Content tab, click Certificates.

      3. Select the Trusted Root Certification Authorities tab and click Import.

      4. In the Certificate Import Wizard, navigate to the required root CA certificate and select it.

    • Firefox (version 39.0):

      1. From the Tools menu, select Options.

      2. From the Advanced menu, select the Certificates tab and click View Certificate.

      3. In the Certificate Manager window, select the Authorities tab and click Import.

      4. Navigate to the required root CA certificate and select it.

    • Google Chrome (version 45.0):

      1. From the Settings menu, select Show Advanced Settings.

      2. From the Advanced menu, select the Certificates tab and click View Certificate.

      3. Under HTTPS/SSL, click Manage Certificates.

      4. In the Certificate window, select Trusted Root Certification Authorities and click Import.

      5. In the Certificate Import Wizard, navigate to the required root CA certificate and select it.

    For more details, click: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ssl-proxy-workflow-configuring.html

Or

If you are using a UNIX device, import the certificate into the browser:

Download, Deploy, and Configure the ForeScout CounterACT Virtual Machine

This section covers the following topics:

Prerequisite Tasks

Before you begin this procedure, complete the following tasks:

  1. Obtain an evaluation copy of CounterACT (version: 7.0.0-513-2.3.0-1605) to use with Policy Enforcer.
  2. Obtain a license key and the following plugin packages from the ForeScout representative:
    • ForeScout-dot1x-4.2.0.1010-42001010.fpi

    • ForeScout-eds-3.2.0-32000032.fpi

    • ForeScout-webapi-1.2.2-12020005.fpi

  3. Download and deploy the CounterACT (CA) OVF or the ISO file on an ESXi host.
    • If you download and deploy the ISO file, then:

      1. Create a new virtual machine (VM) and select other 2.6.x Linux (32bit) as the Guest OS.

      2. Upload your ISO file to Datastore.

      3. Configure your CD or DVD drive to boot from Datastore ISO file.

      Note:

      Before you power on the VM, you must enable the Connected at power on option.

    For vSwitch and Network Adaptor configuration settings on the VM required for the Management, Monitor, and Response interfaces, click:

    For this use case, standard deployment mode was used with separate Management, Monitor, and Response interfaces. To gain greater network visibility, the EX4300 switch was configured to mirror traffic from ports where the Windows and Linux hosts were connected, to a destination port that was connected to the Monitor interface of the ForeScout CounterACT virtual appliance. This is also required for IP Address/MAC-ID binding in non-802.1X access switch deployments when no Layer 3 gateway (switch) exists to collect IP information.

    Only the Management interface is used for Auto Threat Remediation actions.

  4. Edit your VM settings based on your performance requirements.

Install and Configure CounterACT Software

To install and configure ForeScout CounterACT software:

  1. Power on the VM and follow the instructions on the console:
    1. Select Install CounterACT to begin the installation. Once the installation completes, the VM reboots.

    2. From the console, select Configure CounterACT to configure the network and system settings.

    3. Select CounterACT Appliance as the installation type.

  2. Ensure that the CounterACT Management interface has connectivity to the Internet (for software and plugin updates) and to your switches.
  3. In a browser, open https://pact.ly/S1lnt3 to access the Juniper CounterACT product trial software. Enter your credentials to confirm and download the console package.
    Figure 2: Juniper CounterACT Trial Software Page. ForeScout CounterACT software download page for version 7.0.0 and above, with a Windows package (107.2 MB) and a Linux package (106.1 MB).

    Download and install the Windows or Linux package for your operating system.

  4. From the Start menu, select ForeScout CounterACT > CounterACT Console. The CounterACT Login page appears:
    Figure 3: CounterACT Login Page. ForeScout CounterACT login screen with fields for IP/Name, login method, username, and password, and options to save them.
    1. In the IP/Name field, enter the CounterACT device IP name.

    2. From the Login Method list, select Password to perform a standard user authentication.

    3. In the User Name and Password fields, enter your ForeScout username and password.

    4. Click Login.

  5. Download and install the CounterACT cumulative update.
    Figure 4: CounterACT Cumulative Update. CounterACT update dialog with options to download and install, install from file, or skip, including a link for update details; followed by the CounterACT software update with components such as HPS Vulnerability DB and Wireless (post-install process starting, 30 minutes; time elapsed 00:08; Cancel button available).
  6. Log in to the console again and follow the initial setup wizard. The Welcome page displays the CounterACT component to which you logged in, and information you previously defined during the data center installation.
  7. From the License page, click Install License to install the CounterACT virtual system license.

    Click Next.

    Figure 5: License Installation Page. Initial Setup Wizard showing the License step with the Install License button and the navigation menu for the remaining setup steps, such as Time and Mail.
  8. From the Time page, define the time settings for your appliance.
    Figure 6: Time Settings Page. Initial Setup Wizard for the CounterACT appliance showing the Time configuration step, with the time zone set to America/New_York and the NTP server ntp.forescout.net.

    CounterACT devices require NTP connectivity (UDP port 123) to an NTP server. Enter your organization's NTP server, or use the default ForeScout NTP server (ntp.forescout.net). Click Test to verify that the NTP server responds successfully.

    Click Next.

  9. CounterACT generates e-mail messages regarding policy and threat protection alerts, scheduled reports, critical system operation alerts, and license alerts, as configured on the Mail page.
    Note:

    For this use case, do not use the Email Notifications and Alerts option. However, you cannot skip this step, and must enter a dummy e-mail address. Click Next.

    Figure 7: Mail Settings Page. Initial Setup Wizard Mail section for configuring the admin e-mail address and mail relay server, with the navigation panel and action buttons.
  10. To continue the Initial Setup Wizard, skip setting up the User Directory, Domains, and Authentication Servers plug-ins for now. You will define them later in the procedure. Click Skip >> from the wizard until the Internal Network page appears.
  11. From the Internal Network page, add the IP address range (10.10.10.0 to 10.10.30.255) for the internal network that you want CounterACT to manage. Click Next.
    Figure 8: Internal Network Settings. Initial Setup Wizard for configuring an internal network, with the Internal Network step highlighted; the segment name field is set to LAN, and the table shows the IP range 10.10.30.0 to 10.10.30.255. Navigation buttons: Help, Apply, Previous, Next, Skip, Finish, Cancel.
  12. From the Enforcement Mode page, enable NAT Detection, and accept the other default enforcement mode settings and click Next.
    Figure 9: Enforcement Mode Settings. Initial Setup Wizard showing the Enforcement Mode step, with the options Full Enforcement with NAT Detection and Partial Enforcement with Auto Discovery. Navigation buttons include Help, Apply, Previous, Next, Skip, Finish, and Cancel.
  13. From the Channels page:
    1. Define a new channel by selecting Add from the Channels list. This channel is used to match the appliance interface connections that detect and respond to traffic on the network interfaces.

    2. From the Monitor list, select eth1 as an interface.

    3. From the Response list, select eth2 as an interface.

    4. Assign both interfaces at the Data Center.

    5. Enable the All VLANs option and verify that the Monitor interface receives the mirrored traffic from the configured EX4300 switch.

    Figure 10: Channels Settings. CounterACT Initial Setup Wizard showing the Channels configuration, with the monitor interface set to eth1 and the response interface set to eth2.
  14. To continue the Initial Setup Wizard, skip setting up the Switch plug-in for now. You will define it later in the procedure. Click Skip >> from the wizard until the Policy page appears.
  15. From the Policy page, accept the default setting for Classify hosts (enabled) for Asset Classification. Click Next.
    Figure 11: Policy Settings. Initial Setup Wizard screen for configuring network policies, showing the Policy section with options for asset classification and guest detection, the current step highlighted in the navigation panel, and the navigation and action buttons at the bottom.
  16. From the Inventory page, accept the default setting for Enable Inventory Discovery (enabled). Click Next.
    Figure 12: Inventory Settings. Initial Setup Wizard for network inventory management showing the Inventory step; the sidebar lists the setup steps with Inventory highlighted, the main panel describes the Inventory feature with Enable Inventory Discovery checked, the inventory options include Classification and Device Information, and the selected properties include Applications Installed and Company. Navigation buttons at the bottom.
  17. From the Finish page, review the wizard configuration summary. Click Finish to complete the initial setup. Click Save to save the configuration to an external file.
    Figure 13: Finish Initial Setup Page. Initial Setup Wizard for the CounterACT appliance completed with green check marks; the Switch configuration was skipped and the other steps were saved. Options: Check for updates, Save, Help, Apply, Previous, Skip, Finish.
    Note:

    (Optional) To disable the map functionality, select Tools > Options > Map.

  18. To download and install the updated packages, click Check for updates (or select Tools > Check for Updates).
    Figure 14: Check for Updates Screen. Software Updates section of the console showing package names, current and update versions, a progress log, and an Install button.
  19. From the Software Updates page:
    1. Install the Infrastructure Update Pack.

    2. Install the second Service Pack. After the service pack installation is complete, CounterACT restarts automatically. Click OK to restart the console.

      Figure 15: Service Package Installation Complete Screen. CounterACT Appliance Console interface with the update message. Sections: Views, Detections, Filters, Profile, Compliance, All Policies. Timestamp 3/2/18 4:02:04 PM.
    3. Log in with your credentials.

    4. Click Check for updates (or select Tools > Check for Updates) and install the other remaining software update packages.

    Note:

    For this use case, de-select both HPS Inspection Engine and Macintosh/Linux Property Scanner packages. These are not required for this use case example.

Install and Configure CounterACT Plugins

CounterACT uses the following plugins, obtained from your ForeScout representative as described in Prerequisite Tasks:

  • ForeScout-dot1x-4.2.0.1010-42001010.fpi

  • ForeScout-eds-3.2.0-32000032.fpi

  • ForeScout-webapi-1.2.2-12020005.fpi

These plugins link CounterACT to the network infrastructure (switches, domain servers, and user directories), and provide core endpoint detection and management functionality, including a comprehensive set of host properties and actions.

  1. Log in to the CounterACT console and select Tools > Options > Plugins to install the packages.
    Figure 16: CounterACT Plugins Screen. ForeScout CounterACT Options window in the Plugins section, with the file dialog for plugin installation showing the .fpi files.
  2. Select each plugin and click Install. After the installation completes, click Close.
  3. Select Tools > Options > Plugins to verify that the following services are running:
    • User Directory

    • Switch

    • 802.1X

    • Data Exchange (DEX)

    • WebAPI

Configure User Directory Plugin

The User Directory Plugin resolves endpoint user details and performs endpoint authentication through authentication and directory servers.

To configure the User Directory servers:

  1. Select Tools > Options > User Directory. From the User Directory page, click Add.
  2. From the Edit Server page, on the General pane, define basic server parameters and functionality:
    1. Enter the hostname of the server in the Name field.

    2. From the Type list, select the server type. The server type can be any one of the following:

      Figure 17: Server Type Options. Drop-down menu listing directory services and authentication systems: Microsoft Active Directory, Novell eDirectory, Oracle Directory Server, IBM Lotus Notes, OpenLDAP Server, RADIUS, TACACS.
    3. Enable these configuration parameters for the server: Use as directory, Use for authentication, and Use for Console Login.

    4. Enter a comment about the server configuration in the Comment field.

    5. Click the Settings tab.

  3. From the Settings pane, define Microsoft Active Directory server parameters:
    1. In the Communication section, enter the IP address of the server in the Address field.

    2. Enter the port number in the Port field.

    3. Enable All for the Accessed By field. This ensures that all of the CounterACT devices can communicate and have access to the configured server.

    4. In the Directory section, enter the domain name in the Domain field.

    5. In the Administrator field, enter the account that CounterACT uses to bind to the directory and query user details.

    6. Enter and verify the Administrator’s password in the Password fields.

    7. Select None for the Additional Domain Aliases field. The system looks up a user in this directory only if the user's domain name matches the configured directory domain.

    8. Click the Test tab.

  4. From the Test pane, define parameters for testing the connection between the server and the User Directory Plugin.
    1. In the Directory section, enter the user name to query in the User field.

    2. In the Authentication section, enter Administrator in the User field and enter and verify the administrator’s password in the Password fields.

    3. Click OK, then click Apply to save and apply the configuration settings.

      Figure 18: User Directory Plugin Parameters. User Directory plugin configuration interface showing a dialog box titled Saving User Directory Plugin Configuration on 172.30.77.100, with the message Applying User Directory plugin configuration and a Done progress bar. The Add, Edit, Remove, Test, and Duplicate options are on the right; the Apply, Cancel, and Help buttons are at the bottom.
  5. Click Test to test your configuration.
    Figure 19: Configuration Test Screen. Configuration Test Completed window showing the server tests. Columns: Name (GothamCity), Type (Directory Server Test, Authentication Server Test), IP Address, Managed By (172.30.77.100), Status (Success), Status Details (Authenticated Administrator successfully). Test 2/2 completed. Buttons: Additional Data..., Close.

Configure Switch Plugin

The Switch Plugin queries each switch for:

  • Switch port attributes and information about connected endpoints.

  • ARP table to discover new endpoints connected to the switch.

The information can be obtained via CLI and/or SNMP.

To configure the Switch Plugin for the EX4300 switch:

  1. Select Tools > Options > Switch. From the Switch page, click Add.
  2. From the Edit Switch page, on the General pane, define basic switch parameters and functionality.
    1. Enter the IP address or FQDN of the switch in the Address field. The Console uses the value you enter to identify the switch entry.

    2. From the Connecting Appliance list, specify the CounterACT device that will manage this switch.

    3. From the Vendor list, select the vendor of the network device you want the plugin to manage. CLI syntax and SNMP MIBs differ by vendor, so selecting the correct vendor determines the command format CounterACT uses with the switch.

    4. Enter a comment about the switch configuration in the Comment field.

    5. Click the CLI tab.

  3. From the CLI pane, configure the use of CLI for communication from the Switch Plugin to the switch.
    1. Enable the Use CLI option to activate CLI access.

      Note:

      SSH is the permanently selected connection type for Juniper Networks switches.

    2. Enter a user name and password in the User and Password fields. The Switch Plugin uses these credentials to log in to the switch.

      Note:

      For plugin management of Juniper Networks switches, the user that you configure must have super-user permission on the switch, because the plugin changes VLAN membership and applies filters. Use a dedicated account for the plugin so that its changes can be told apart from administrator changes in the switch's commit history and logs.

      Do not use the root login for CLI access to EX Series switches.

    3. In the Privileged Access Parameters section, enable the Enable privileged access option to provide the plugin write privileges on the switch.

    4. Select the No password option; Junos OS has no separate enable password for privileged access, so the switch does not require one.

    5. Click the Permissions tab.

  4. From the Permissions pane, define read, write, and advanced permission settings for the switch.
    1. In the MAC Permissions section, enable the Read: MACs connected to switch port and port properties (MAC address table) option. Enabling MAC read permission allows CounterACT to read a switch’s MAC address table and discover connected endpoints and their network interface.

    2. Enable the Write: Enable Actions (Switch block, Assign to VLAN, ACL) option to enable the Switch Plugin permission to apply the Assign to VLAN action, the Switch Block action, and ACL actions on endpoints detected on the managed switch.

      Note:

      ACL configuration is not required for this use case configuration.

    3. Click the 802.1X tab. (This pane shows up only if the 802.1X plugin is installed)

  5. From the 802.1X pane, configure RADIUS-based authentication and authorization for endpoints that attempt to connect to the network through the EX4300 switch.
    1. In the RADIUS Secret as configured in switches fields, enter the RADIUS shared secret that you configured on the switch. The secret must match on both sides for the switch and the CounterACT RADIUS server to communicate.

    2. Click OK, then click Apply to save and apply the configuration settings.

      Figure 20: 802.1X RADIUS-based Authentication Secret Confirmation. Switch plugin configuration interface with tabs labeled Switch and ACL Repository; a pop-up window confirms that the configuration was saved successfully on 172.30.77.100. Action buttons include Add, Edit, Remove, Duplicate, Discover, Stop All, Approve, Test, Export, Import, Help, Apply, and Cancel.
  6. Click Test to test your configuration.
    Figure 21: Switch Configuration Test Screen. Configuration Test interface for the switch at 172.30.77.62 showing the test results: all 10 tests completed, with statuses Passed, Not configured, and Not applicable.
    Note:

    To configure the QFX switch, repeat the same configuration steps as for the EX4300 switch. However, you must also configure ACL functionality for the QFX switch, because the QFX is deployed as a standard access switch (without 802.1X) and automated threat remediation on it is performed by applying ACLs (Junos OS firewall filters).

    In the Edit Switch dialog for the QFX switch, enable and/or select the following fields on the ACL pane:

    • Enable ACL

    • Add ACL firewall filter to physical ports

    • Add CounterACT authentication servers permit rules

    • Use system-defined name (forescout_acl)

Configure 802.1X Plugin

The 802.1X Plugin enables CounterACT to authenticate 802.1X switch or wireless connections to the network. The plugin is compatible with the IEEE 802.1X specification and the RADIUS authentication protocol.

To configure the 802.1X Plugin:

  1. Select Tools > Options > 802.1x.
    Figure 22: 802.1X Options. CounterACT 802.1x settings interface with 802.1x selected in the sidebar; the main panel shows Authentication Source, Pre-Admission Authorization, Server Certificate, and RADIUS Settings, with Help, Apply, and Cancel buttons.
  2. From the 802.1X page, on the Authentication Sources pane, select the user directory that validates the credentials provided during the endpoint authentication. You configure all of the authentication sources in the User Directory Plugin.
  3. Click the Pre-Admission Authorization tab and define a set of prioritized rules. The CounterACT RADIUS server uses these rules to evaluate the endpoints for authorization after they have been authenticated by the applicable RADIUS server (an Authentication Source selection).
    Figure 23: Pre-Admission Authorization Tab. Configuration interface for network authentication on the Pre-Admission Authorization tab, showing a rule with EAP-Type set to PEAP and 3 attributes.
  4. Click Add to add multiple conditions for the rule.
    Figure 24: Pre-Admission Authorization ConditionsConfiguration interface for setting conditions with EAP-Type criterion as PEAP. Options to Add, Edit, or Remove conditions.
  5. Add your Authorization Attributes. Enter VLAN as the Tunnel-Type, and 31 as the Tunnel-Private-Group. Click OK.
    Figure 25: Adding Authorization AttributesConfiguration interface for network authorization settings with options to deny access, field labeled VLAN, table with attributes Tunnel-Medium-Type IEEE-802, Tunnel-Type VLAN, Tunnel-Private-Group-ID 31, and buttons for adding, editing, removing, OK, and Cancel.
  6. Click the Server Certificate tab. Enable the Use self-signed certificate option.
    Figure 26: Server Certificate OptionsConfiguration interface for server certificates with "Server Certificate" tab selected. Self-signed certificate checkbox checked. Private key password fields present. CA Host OS set to Windows-Based. Help, Apply, Cancel buttons visible.
  7. Click the RADIUS Settings tab. Enable the CounterACT RADIUS Logging option, and accept all of the other default settings.
    Figure 27: RADIUS SettingsConfiguration interface for RADIUS server settings with options for logging, authentication and accounting ports, LDAP queries, and buttons for help, apply, and cancel.
  8. Click Apply to save and apply the configuration settings.
    Figure 28: Applying 802.1X Configuration SettingsSaving 802.1x configuration on device 172.30.77.100, showing progress and completion messages with Done and Close buttons.
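The VLAN assignment configured in step 5 reaches the switch as the RFC 2868/RFC 3580 tunnel attributes shown in Figure 25. The following Python example, added here and not part of ForeScout's or Juniper's software, encodes those three attributes the way a RADIUS server places them in an Access-Accept and applies the switch-side rule that all three must be present, share a tag and describe a VLAN over an IEEE-802 medium before a port is moved; the attribute numbers are the RFC constants and the VLAN "31" is this use case's User VLAN.

```python
"""RFC 2868 / RFC 3580 tunnel attributes for dynamic VLAN assignment.

Added illustration, not ForeScout or Juniper code. Shows the three attributes
the CounterACT RADIUS server returns in the Access-Accept for the rule in
Figure 25 (Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802,
Tunnel-Private-Group-ID 31) and the switch-side rule that decides whether the
port is moved to that VLAN or left in its default VLAN.
"""
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS attribute types (RFC 2868 sections 3.1, 3.2 and 3.6)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 section 3.2

USER_VLAN = "31"             # User VLAN of this use case (vlan31)


def tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan: str, tag: int = 1) -> bytes:
    """Build the Access-Accept attributes that place an 802.1X port in `vlan`.

    Tagged tunnel attributes start with a one-octet Tag; the two integer-valued
    attributes carry only three value octets after it (RFC 2868 section 3.1).
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    return (
        tlv(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + tlv(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode("ascii"))
    )


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split an attribute area into (type, value) pairs, rejecting malformed lengths."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        length = data[pos + 1]
        out.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return out


def assigned_vlan(attrs: List[Tuple[int, bytes]]) -> Optional[str]:
    """Return the VLAN the switch should apply, or None to keep the default VLAN.

    RFC 3580 section 3.31: all three attributes must be present for one tag,
    Tunnel-Type must be VLAN and Tunnel-Medium-Type must be IEEE-802. Anything
    else (missing attribute, tag mismatch, other tunnel type) is ignored.
    """
    groups: Dict[int, Dict[int, bytes]] = {}
    for attr_type, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            groups.setdefault(value[0], {})[attr_type] = value[1:]
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A leading octet above 0x1F is part of the string, not a tag.
            tag, body = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[attr_type] = body
    for group in groups.values():
        if (len(group) == 3
                and int.from_bytes(group[TUNNEL_TYPE], "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") == TUNNEL_MEDIUM_IEEE_802):
            return group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
    return None


if __name__ == "__main__":
    accept = vlan_attributes(USER_VLAN)
    print(accept.hex())                               # 40060100000d4106010000065105013331
    print(assigned_vlan(parse_attributes(accept)))    # 31
```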

Configure Windows 7 Supplicant

You should have already installed the Microsoft Windows Server and Active Directory. Click Install and Configure Microsoft Windows Server and Active Directory to review the instructions.

To configure the Windows 7 Supplicant:

  1. Ensure that the Windows 7 Supplicant is configured with the Active Directory domain that you previously created.
    Figure 29: Windows Supplicant Configuration Verification
    [Screenshot: System window displaying Intel Xeon CPU X5690 at 3.47GHz, 3GB RAM, 64-bit OS, no Pen/Touch, computer name Win7x64, domain domain.jnpr.net.]
  2. Ensure that the Wired AutoConfig service is running.
    Figure 30: Wired AutoConfig Service Configuration Confirmation
    [Screenshot: Windows Services Manager displaying Wired AutoConfig service selection and details for managing system services on a Windows OS.]
  3. Enable 802.1X PEAP authentication for the Local Area Connection.
    Figure 31: 802.1X PEAP Authentication Confirmation
    [Screenshot: Network authentication settings window with IEEE 802.1X and PEAP selected, credentials saved, and no fallback access.]
  4. Click Settings and ensure that the Validate server certificate option is not selected. This matches the self-signed server certificate enabled in the 802.1X Plugin for this lab setup; with a certificate issued by a CA the supplicant trusts, leave validation enabled so the supplicant does not offer its credentials to an unverified RADIUS server.
    Figure 32: Protected EAP Properties
    [Screenshot: Protected EAP Properties window for configuring wireless network authentication settings in Windows, featuring options for server certificate validation, trusted CAs, authentication method selection, and network access protection.]
  5. Configure the user credential settings. Select the Automatically use my Windows login name and password option to use the user credentials you previously configured in Active Directory.
    Figure 33: Windows Login and Password Confirmation
    [Screenshot: Configuration window for IEEE 802.1X network authentication settings on Intel PRO/1000 MT Network Connection.]
  6. Click Authentication > Additional Settings > Replace credentials and enter the credentials of the user you created in Active Directory.
    Figure 34: Replacing Credentials
    [Screenshot: Advanced settings for 802.1X authentication and Windows Security credential prompt for secure network access configuration.]
  7. To confirm that 802.1X authentication works on the Windows 7 Supplicant and verify that the user is placed correctly in the User VLAN (vlan31), enter the show dot1x interface and show vlans vlan31 commands on the switch.
    Figure 35: show dot1x interface and show vlans Output
    [Screenshot: Output of network commands on Juniper device: 802.1X on ge-0/0/19.0 is authenticated with MAC 00:50:56:9E:37:24 as user JTAC-EMEA\xxxxxxx; VLAN 31 includes interfaces ge-0/0/18.0 and ge-0/0/19.0.]
  8. To review the session information (username, IP address, and MAC-ID) on the CounterACT Console, right-click on your host, and select Information > Details.
    Figure 36: Session Information Verification
    [Screenshot: ForeScout CounterACT interface displaying host details: user redacted, IP 10.10.30.69, MAC 0050569e3724, domain, JUNOS EX OS, 802.1x authentication. Timestamp 3/8/18 4:42:38 PM.]

Test and Troubleshoot 802.1X Authentication

To test the 802.1X authentication against ForeScout CounterACT:

  1. Log in using the credentials of the domain account (user) you created in the User Directory.
    Figure 37: Troubleshoot Rejected Authentications
    [Screenshot: ForeScout CounterACT Policy Manager Policy Wizard interface for creating or editing policies showcasing "Troubleshoot Rejected Authentications" under 802.1x category with options to add, edit, and navigate.]
  2. Ensure that the EX4300 switch is configured properly for 802.1X authentication. Click CLI Configuration for EX4300 Switch to review the configuration file.

To troubleshoot 802.1X authentication issues:

  1. From the ForeScout CounterACT Console, click the Policy tab and create a policy using the Troubleshoot Rejected Authentications template (listed under 802.1X Enforcement).

  2. Start your policy to troubleshoot the issue.

To view logs from the ForeScout CounterACT Console:

  1. Select Log > Policy Log. From the Policy Log page, enter your Windows 7 supplicant’s MAC or IP address.

    Figure 38: Policy Log Settings
    [Screenshot: Configuration window for Policy Log in software application with options to filter logs by time scope, host scope, and record limitation. Time scope allows selection of relative time or specific date range. Host scope filters by IP range or MAC address 0050569e3724. Record limit set to 10000. Buttons OK and Cancel apply or discard changes.]
  2. Click OK. The policy log files appear.

    Figure 39: Policy Log Files
    [Screenshot: Policy Log interface showing authentication events for MAC address 0050569e3724 with columns: Time, Host, Details, and unused column. Includes filtering, search field, and navigation buttons.]
  3. If 802.1X authentication works and your Windows 7 supplicant obtains an IP address from the DHCP server running on the SRX, you can then generate some traffic to verify that your Windows 7 supplicant (for example, 10.10.30.69) appears on the Host list under the Home tab.

    Figure 40: Policy Log 802.1X Authentication Confirmation
    [Screenshot: ForeScout CounterACT interface showing a detections table with device details and profile section with user and network info.]
    Note:

    Additionally, if you already configured the other host (Windows or Linux system) that is connected to the QFX switch and obtained an IP address from the DHCP server running on SRX, you can then generate some traffic for it, and the host address (for example, 10.10.30.99) will also appear on the Host list.

Configure Data Exchange Plugin

The Data Exchange (DEX) Plugin enables CounterACT to use web services to communicate with external entities. CounterACT queries external services and receives updates through the CounterACT web service hosted by the plugin. In this use case, DEX, together with the ForeScout connector, handles the communication coming from Policy Enforcer (PE).

To configure the Data Exchange (DEX) Plugin:

  1. Select Tools > Options > Data Exchange (DEX).
  2. From the Data Exchange (DEX) page, select CounterACT Web Service > Accounts tab.
    Figure 41: Data Exchange Accounts
    [Screenshot: CounterACT Web Service tab interface for account credentials; Administrator account selected with options to add, edit, or remove accounts.]
  3. Click Add and enter the following information:
    1. In the Name field, enter the name of the CounterACT web service account.

    2. In the Description field, enter a brief description of the purpose of the web service account.

    3. In the Username field, enter the username used to authorize CounterACT to access the web service account.

    4. In the Password field, enter the password used to authorize CounterACT to access the web service account.

    5. Click OK. The account appears in the Accounts tab.

  4. Click the Properties tab. From the Properties page, click Add to add the following properties:
    • block

    • quarantine

    • Test

    Note:

    You must include the Test property; otherwise, you cannot add CounterACT as a third-party connector to Policy Enforcer successfully.

    Figure 42: Data Exchange Properties
    [Screenshot: CounterACT Web Service tab in Data Exchange configuration interface showing property settings with options to add, edit, or remove properties.]
  5. Click the Security Settings tab. An allow list of IP addresses controls which clients may reach the CounterACT web service. From the Security Settings page, click Add and add the IP address range for the Policy Enforcer. Click OK. The IP address appears in the IP Address Range list. Keep this range as narrow as possible (in this use case only the Policy Enforcer address, 172.30.77.104 in Figure 43), because this list together with the account credentials is what gates access to the web service.
    Figure 43: Data Exchange Security Settings
    [Screenshot: Configuration interface for Data Exchange DEX security settings in CounterACT Web Service tab showing allowed IP range 172.30.77.104 with Add Remove and Edit buttons.]
  6. From the Data Exchange (DEX) page, click Apply to save and apply the configuration settings.
    Figure 44: Data Exchange Applying Configuration Settings
    [Screenshot: Saving Data Exchange Plugin Configuration on 172.30.77.100 with tabs for SQL or LDAP, External Web Services, CounterACT Web Service, and General Settings.]

Configure Web API Plugin

The Web API Plugin enables external entities to communicate with CounterACT using simple, yet powerful web service requests based on HTTP interaction. Configure the Web API Plugin to create an account for Policy Enforcer integration.

To configure the Web API Plugin:

  1. Select Tools > Options > Web API.
  2. From the Web API page, in the User Credentials section, click Add.
    Figure 45: Web API User Credentials
    [Screenshot: User interface for managing credentials in CounterACT Web API settings; edit credentials for admin user with apply and cancel options.]
  3. Enter the same username and password that you previously created for the Data Exchange (DEX) configuration and click OK.
  4. Click the Client IPs tab and click Add. Add the Policy Enforcer IP address to the access list and click OK.
    Figure 46: Web API Client IP Tab
    [Screenshot: Configuration interface for managing client IP ranges in CounterACT Web API settings. Shows allowed IP 172.30.77.104 with add, remove, edit, apply, and cancel options.]
  5. From the Web API page, click Apply to save and apply the configuration settings.
    Figure 47: Web API Applying Configuration Settings
    [Screenshot: Configuration interface for managing CounterACT Web API settings. Client IPs tab shows IP 172.30.77.104. Dialog saving plugin configuration for IP 172.30.77.100.]

Verify Plugins

To verify that all of the required plugins are running, select Tools > Options > Plugins. The Plugins page appears showing the status of each plugin.

Figure 48: Verifying Plugins
[Screenshot: ForeScout CounterACT console showing plugins list with status and actions for managing network security plugins.]

Configure Automated Threat Remediation Policies

Using Policy Manager, create these automated threat remediation policies:

  • NETCONF policies: apply to hosts connected to the QFX switch.

  • 802.1X policies: apply to hosts connected to the EX4300 switch, which use 802.1X authentication.

To create an automated threat remediation NETCONF policy or 802.1X policy:

  1. Select Policy > Policy Manager.
  2. From the Policy Manager page, click Add.
    Figure 49: Policy Manager Page
    [Screenshot: Policy Manager interface showing list of network policies with details like Name, Category, Status, User Scope, Segments, Conditions, and Actions. Buttons for Add, Edit, Categorize, Remove, Duplicate, Move to, Export, Start, Stop, and Custom on the right for managing policies.]
  3. Click Custom and click Next.
    1. Based on your requirements, create the following sets of SDSN block and quarantine policies to secure host-to-switch and switch-to-802.1X server traffic. In the Name field, enter these policy names:

      • SDSN BLOCK - dot1x

      • SDSN QUARANTINE - dot1x

      • SDSN BLOCK - NETCONF

      • SDSN QUARANTINE - NETCONF

      Figure 50: Block and Quarantine Policies
      [Screenshot: Configuration interface for network security policy SDSN BLOCK - dot1x; Deny Access to Default VLAN; IP Ranges: LAN; No Filters or Exceptions; Re-check every 8 hours.]
    2. In the Description field, enter a description for each policy. Click Next.

  4. From the Scope page, select the IP Range option. Enter the IP address range for the LAN segment as endpoints to be inspected for this policy. Click OK.
    Figure 51: IP Address Range in Block and Quarantine Policies
    [Screenshot: Configuration window for network policy SDSN BLOCK - dot1x showing LAN segment with IP range 10.10.30.0 to 10.10.30.255.]
  5. Click Next to skip the Advanced section and open the Main Rule page. A rule contains a set of conditions and actions:
    • A condition is a set of properties that is queried when evaluating endpoints.

    • An action is the measure that CounterACT takes at endpoints.

  6. From the Main Rule page, click Add in the Condition section of the page to add a condition.
    Figure 52: Adding Conditions to Block and Quarantine Policies
    [Screenshot: Configuration window for SDSN BLOCK - dot1x policy with condition "All criteria are True" and action "802.1x Authorize". Advanced settings recheck every 8 hours.]
  7. Define the condition for block or quarantine, using the block or quarantine property you added in the Data Exchange (DEX) Plugin.
    Figure 53: Defining Conditions for Block and Quarantine Policies
    [Screenshot: Configuration window titled Condition for policy enforcement with search term block, properties tree, and criteria options.]
  8. From the Main Rule page, click Add in the Actions section of the page. From the Action page, define these actions:
    1. SDSN BLOCK - dot1x: select 802.1x Authorize in the left pane and enable the Deny Access option as an action.

      Figure 54: 802.1X Blocking Access
      [Screenshot: Configuration interface for network actions focusing on 802.1x Authorization with action list and parameters for VLAN and access settings.]
    2. SDSN QUARANTINE - dot1x: select 802.1x Authorize in the left pane and enter vlan32 in the VLAN field as an action.

      Figure 55: 802.1X Quarantine Traffic to a VLAN
      [Screenshot: Screenshot of network security software interface showing 802.1x Authorization settings with action menu for security tasks, deny access option, and VLAN field.]
    3. SDSN BLOCK - NETCONF: select Endpoint Address ACL in the left pane and enter an ACL as an action in the Parameters tab.

      Figure 56: Endpoint Access ACL
      [Screenshot: Software interface for configuring network security actions. Left panel lists actions like killing processes and restricting access. "Endpoint Address ACL" selected under "Restrict." Right panel allows configuring ACL rules based on MAC addresses. Buttons for Help, OK, and Cancel at bottom.]
    4. SDSN QUARANTINE - NETCONF: select Assign to VLAN in the left pane and enter vlan32 in the VLAN name field under the Parameters tab to add as an action.

      Figure 57: SDSN Quarantine Assign to VLAN
      [Screenshot: Configuration interface for network management showing action menu with Assign to VLAN highlighted and parameters tab to specify VLAN ID and name.]
  9. Click OK and then click Next. Skip configuring sub-rules on the Sub-Rules page.
  10. From the Policy Manager page, click Apply to save and apply the configuration settings. Review the Status of your policy and verify that it is active, indicated by an arrow and a green box.

Configure the Policy Enforcer Connector for Third-Party Switches

  1. Log in to Security Director and navigate to Administration > Policy Enforcer > Connectors and create a new connector. A blue loading/wait circle indicates that creation of the connector is in progress.
    Figure 58: Connectors
    [Screenshot: Junos Space Security Director interface showing Connectors section with one active connector named PS of type ForescoutCounter with IP 172.30.77.100 and port 443.]
  2. Enter the following General page details:
    • Name: Enter a unique string.

    • Description: Enter a description.

    • ConnectorType: Select the required third-party network of devices to connect to your secure fabric and create policies for this network. Select ForeScout CounterACT. Click Next.

  3. Enter the following additional General page details:
    • IP Address: Enter the IP (IPv4 or IPv6) address of the product management server.

    • Port: Select the port to use from the list. If you leave this blank, port 443 is the default.

    • Username: Enter the username of the server for the selected ForeScout CounterACT connector type. For example, Admin.

    • Password: Enter the password of the server for the selected ForeScout CounterACT connector type.

    • DEX User Role: Enter the DEX user role for the selected ForeScout CounterACT connector type. For example, Administrator. This must match the Name field of the CounterACT web service account configured in the DEX plugin (see Configure Data Exchange Plugin). Click Next.

  4. On the Network Details page, add subnet information to the connector configuration so you can include those subnets in groups and then apply policies to those groups. Click Next.
  5. On the Configuration page, enter the values for the Web API username and password. Click Finish.

Configure ATP Cloud with Threat Prevention Policies

To configure ATP Cloud and set up threat prevention policies:

  • Configure a secure fabric. A secure fabric is a collection of sites which contain network devices (switches, routers, firewalls, and other security devices) used in policy enforcement groups.

  • Define a site and add endpoints to it (switches and firewalls).

  • Configure policy enforcement groups. A policy enforcement group is a grouping of endpoints to which threat prevention policies are applied.

  • Create a threat prevention policy.

  • Apply threat prevention policies to policy enforcement groups.

Note:

If you are using Policy Enforcer for threat prevention with ATP Cloud, Guided Setup is the most efficient way to complete the initial configuration.

To perform the configuration using Guided Setup:

  1. In Security Director, navigate to Configure > Guided Setup > Threat Prevention.
    Figure 59: Threat Prevention Policy Setup
    [Screenshot: Diagram of Threat Prevention Policy Setup for network security, illustrating policy enforcement for infected hosts. Shows Sky ATP features like Secure Fabric and threat policies for C&C Server, Infected Hosts, and Malware. Network setup connects internet to firewall, switches, devices, and threat feed integration.]
  2. Click Start Setup and follow the wizard.
    Figure 60: Sky ATP with SDSN Setup
    [Screenshot: Sky ATP setup interface with progress bar at step 1: Secure Fabric. Secure Fabric section shows Sites table with columns for Site, Enforcement Points, IP, Model, and Description. Options to add enforcement points available.]
  3. Create a secure fabric site that includes enforcement points for only the SRX Series device and the ForeScout CounterACT connector. Click Next.
    Figure 61: Secure Fabric Threat Prevention Policy Setup
    [Screenshot: Threat Prevention Policy setup interface showing step 1 of 5: Secure Fabric. Sites table lists BETA with enforcement points vSRX_L3_QFX IP 172.30.77.230 model VSRX and PS IP 172.30.77.100 model Connector. Options to add, edit, delete entries. Cancel or Next step available.]
  4. Create a policy enforcement group and select the site. As per your requirements, determine the type of endpoints you are including in your policy enforcement group: IP address, subnet, or location. Endpoints cannot belong to multiple policy enforcement groups. Click Next.
    Figure 62: Policy Enforcement Groups
    [Screenshot: Threat Prevention Policy configuration interface showing step 2. IPSUBNET group being configured with IP Address type and subnet 10.10.30.0/24.]
  5. Add the ATP Cloud realm by providing the relevant details from your ATP Cloud account.

    Before you configure the ATP Cloud realm, ensure that you:

    • Have an ATP Cloud account with an associated license.

    • Understand which type of ATP Cloud license you have: free, basic, or premium. The license controls which ATP Cloud features are available. Click Obtain an ATP Cloud license and Create an ATP Cloud Web Portal Account for more details.

    • Know which region is covered by the realm you are creating. You must select a region when you configure a realm.

      Figure 63: Sky ATP Realm
      [Screenshot: Login form for Sky ATP Realm with fields for location dropdown, username, password, realm, and buttons for Cancel and OK.]

    Enter Location, Username (Your username for ATP Cloud is your e-mail address), Password, and a name for the Realm. Click OK.

  6. Verify that the ATP Cloud realm has been added.
    Figure 64: ATP Cloud Realm Creation Verification
    [Screenshot: Threat Prevention Policy setup interface showing Step 3: Sky ATP Realm. Displays realm info, device count, assigned sites, firewalls, and locations. Navigation and action buttons include Add, Edit, Cancel, and Next.]

    The value 1 should appear in the Perimeter Firewall in Sites column, indicating that ATP Cloud has detected the SRX Series device.

    Note:

    If the realm addition is not successful, it indicates that there is a network issue and Security Director or Policy Enforcer cannot connect to the Internet. Ensure all devices/components can connect to the Internet and each other.

  7. Create a threat prevention policy, as per your requirements. Threat prevention policies provide protection and monitoring for selected threat profiles, including command & control (C&C) servers, infected hosts, and malware.
    • Determine the type of profile to use for this policy: C&C server, infected hosts, or malware. You can select one or more threat profiles in a policy.

    • Determine which action to take if a threat is found.

    • Know which policy enforcement group to add to this policy.

    Figure 65: Create Threat Prevention Policy
    [Screenshot: Configuration interface for creating a Threat Prevention Policy in a cybersecurity tool. Features name and description fields, C&C profile option, threat score range slider for permit, monitor, and block actions, action dropdown with default Drop connection silently, and Cancel and OK buttons.]

    Click OK.

  8. A threat prevention policy needs a device profile for HTTP downloads; the profile indicates which file types are scanned for threats. To add a profile for HTTP file downloads, in the Device Profile area, expand the Realm and select the required profile. Click OK.
    Figure 66: Threat Prevention Device Profile
    [Screenshot: Configuration screen for a cybersecurity application showing a realm named ps-security-lab-ams-2 with default_profile. File categories have 32 MB limits. Connections are dropped silently. IMAP attachments monitored with a threat score of 8. All traffic logged.]
  9. Assign the threat prevention policy to the desired policy enforcement group by clicking Assign to Groups.
    Figure 67: Assigning a Threat Prevention Policy to a Policy Enforcement Group
    [Screenshot: Configuration interface for Threat Prevention Policy setup in network security system. Current step is Policies, configuring a policy named POLICY. Options include blocking C&C servers and infected hosts, setting malware and DDoS actions, policy enforcement, and logging behavior. Navigation buttons allow moving through the setup process.]
  10. Select the policy enforcement group and click OK.
    Figure 68: Policy Enforcement Group Selection
    [Screenshot: Assign to Policy Enforcement Groups dialog box showing Available section with 0 items and Selected section with 1 item. Arrow buttons to move items and Cancel and OK buttons at the bottom.]
  11. The system performs a rule analysis and prepares device configurations that include the threat prevention policies.
    Figure 69: Rule Analysis
    [Screenshot: Progress bar at 20 percent for Rule Analysis with text Taking snapshot indicating ongoing process.]
  12. Once the analysis is complete, instruct the system to push the updated policy and configuration changes to the SRX Series device by clicking Update.
    Figure 70: Updating Policy and Configuration Changes
    [Screenshot: View Change List interface showing policies to be edited. One device-specific policy named vSRX_L3_QFX has two rules added. Update and Cancel buttons are present.]
  13. When the push is complete, the system returns to the Policies page. Click OK.
    Figure 71: Policy Update Confirmation
    [Screenshot: Job status screen showing three-step process completion with checkmarks. Job details: Update Devices, ID 294972, user super, state In Progress, 100 percent complete. Device vSRX_L3 status Success with service FWPolicy. Options: Export to CSV, OK button.]
    Note:

    If the update fails, complete the Threat Prevention Policy Guided Setup. Navigate to Devices > Security Devices and resynchronize your SRX with the network. Then, navigate to Configure > Threat Prevention > Policies, click Update Required, and push the update once again. If additional troubleshooting is required, you can view the configuration changes pushed onto an SRX Series device by selecting Monitor > Job Management.

    Configuration changes pushed to the SRX device:

    Figure 72: SRX Configuration
    [Screenshot: vSRX firewall configuration view for vSRX_L3 instance in CLI format showing security settings and policies including global address book, firewall policy, security intelligence, and anti-malware configurations.]
  14. Click Finish to finalize the Threat Prevention Policy Guided Setup.
    Figure 73: Threat Prevention Policy Setup
    [Screenshot: User interface for setting up Threat Prevention Policy in cybersecurity system, focused on Geo IP with no data available in the table.]

    The system displays the summary of the configuration. Click OK.

    Figure 74: Threat Prevention Policy Configuration Summary
    [Screenshot: Configuration summary screen for Threat Prevention Policy Setup with options to edit sites, policy enforcement groups, sky atp realms, threat prevention policies, and geo IP policies. Navigation buttons: Cancel, Back, OK.]

Use Case Verification

To verify the use case configuration, perform the following actions:

Verify the Enrollment of Devices in ATP Cloud on an SRX Series Device

Purpose

Verify that the SRX Series device is connected to the ATP Cloud server.

Action

On the SRX device, use the show services advanced-anti-malware status CLI command.

Meaning

The CLI output displays the Connection status as Connected. The Server hostname field displays the ATP Cloud server hostname.

Verify the Enrollment of Policy Enforcer and SRX Series Devices in ATP Cloud

Purpose

Verify that Policy Enforcer and the SRX Series device are enrolled with ATP Cloud.

Action

In ATP Cloud, navigate to the Enrolled Devices page and review the connection information for enrolled devices, including the serial number, model number, tier level (free, basic, premium), enrollment status in ATP Cloud, last telemetry activity, and last activity seen.

Figure 75: Verifying Enrolled Devices in ATP Cloud
[Screenshot: Dashboard for managing enrolled devices, showing details like serial number, host, model number, tier, submission state, last telemetry activity, last activity, and license expiration. Action buttons include Enroll, Disenroll, and Device Lookup.]

Meaning

The Host field displays details for the enrolled firewall (vSRX_L3_QFX) and for the Policy Enforcer device. You can click the serial numbers for more details.

Verify the Enrollment of Devices with ATP Cloud in Security Director

Purpose

Verify that the SRX Series device enrolled with ATP Cloud in Security Director.

Action

In Security Director, navigate to Devices > Secure Fabric.

Figure 76: Verifying Device Enrollment in Security Director
[Screenshot: Secure Fabric interface showing site BETA with enforcement points vSRX at 172.30.77.230 and PS at 172.30.77.100 enrolled in SkyATP. Last update March 06, 2018.]

Meaning

A green dot with a checkmark appears in the SkyATP Enroll Status field, confirming the enrollment of the SRX Series device with the ATP Cloud realm.

Verify ForeScout CounterACT Functionality to Block Infected Endpoint (with 802.1X Authentication)

Purpose

Test the ForeScout CounterACT integration and functionality when an endpoint is infected. In this example, you verify when the enforcement policy is configured to block the infected host with 802.1X authentication.

Action

Note:

A client VM or physical PC is required to trigger an attack.

Before the attack, confirm the following:

  • Confirm that the Windows Supplicant is authenticated and in the User VLAN (vlan31).

  • Confirm that the endpoint 10.10.30.69 can ping the Internet (IP address 8.8.8.8) and the Layer 2 connected default gateway (10.10.30.254). Before the attack, the endpoint starts continuous pings to other endpoints on the LAN and the Internet.

    The endpoint pings the C&C server on the Internet from the Windows Supplicant (in this example, the IP address 184.75.221.43).

    Figure 77: Confirming Ping from Windows Supplicant
    [Screenshot: Windows environment with multiple windows: cmd.exe running ping 10.10.30.254 -t; cmd.exe running ping 8.8.8.8 -t; cmd.exe with ipconfig output showing IP 10.10.30.69 and gateway 10.10.30.254; Windows Explorer showing Network Connections with active and disabled adapters.]

After the attack, the 802.1X session is terminated with RADIUS CoA on the EX4300 switch initiated by ForeScout CounterACT.
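To make the CoA step concrete, the following Python illustration (added here, not CounterACT or Junos code) frames the RFC 5176 Disconnect-Request that identifies the session, together with the check a NAS such as the EX4300 performs before honouring it: the Request Authenticator must equal MD5 over the header, sixteen zero octets, the attributes and the shared secret, so a Disconnect-Request from a sender that does not hold the secret is discarded. The MAC is the supplicant's from Figure 35; the shared secret is a constructed placeholder.

```python
"""RFC 5176 Disconnect-Request framing and the NAS-side authenticator check.

Added illustration, not CounterACT or Junos code. The switch (NAS) must only
act on a Disconnect-Request whose Request Authenticator was computed with the
shared secret it has configured for its CoA client (here, CounterACT).
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

DISCONNECT_REQUEST = 40      # RFC 5176 section 2.2
CALLING_STATION_ID = 31      # RFC 2865 section 5.31, carries the supplicant MAC
HEADER_LEN = 20              # Code, Identifier, Length, 16-octet Authenticator

# Constructed values for the illustration; the MAC is the supplicant's from Figure 35.
SUPPLICANT_MAC = "00:50:56:9E:37:24"
CONSTRUCTED_SECRET = b"constructed-lab-secret"


def tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def request_authenticator(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 section 3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_disconnect_request(mac: str, secret: bytes, identifier: int) -> bytes:
    """Frame a Disconnect-Request that identifies the session by Calling-Station-Id."""
    attrs = tlv(CALLING_STATION_ID, mac.encode("ascii"))
    auth = request_authenticator(DISCONNECT_REQUEST, identifier, attrs, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, identifier, HEADER_LEN + len(attrs)) + auth + attrs


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute area into (type, value) pairs; reject malformed lengths."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        length = data[pos + 1]
        out.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return out


def verify_disconnect_request(packet: bytes, secret: bytes) -> Tuple[bool, str]:
    """NAS-side acceptance check. Returns (accepted, reason).

    A real NAS silently discards anything that fails here (RFC 5176 section 2.3);
    that discard is what protects live sessions from forged CoA traffic.
    """
    if len(packet) < HEADER_LEN:
        return False, "short packet"
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST:
        return False, "unexpected code %d" % code
    if length < HEADER_LEN or length > len(packet):
        return False, "length field does not match packet"
    attrs = packet[HEADER_LEN:length]          # octets beyond Length are padding
    expected = request_authenticator(code, identifier, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return False, "bad authenticator"
    try:
        parse_attributes(attrs)
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


def session_mac(packet: bytes) -> Optional[str]:
    """Return the Calling-Station-Id from an already verified Disconnect-Request."""
    length = struct.unpack("!H", packet[2:4])[0]
    for attr_type, value in parse_attributes(packet[HEADER_LEN:length]):
        if attr_type == CALLING_STATION_ID:
            return value.decode("ascii", "replace")
    return None


if __name__ == "__main__":
    pkt = build_disconnect_request(SUPPLICANT_MAC, CONSTRUCTED_SECRET, identifier=7)
    print(verify_disconnect_request(pkt, CONSTRUCTED_SECRET), session_mac(pkt))   # (True, 'ok') 00:50:56:9E:37:24
    print(verify_disconnect_request(pkt, b"wrong-secret"))                        # (False, 'bad authenticator')
```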

Confirm the following:

  • Confirm that the Windows Supplicant can no longer connect to the Internet or the LAN.

    Figure 78: Confirming Ping from Windows Supplicant is Blocked After the Attack
    [Screenshot: Computer screen with three command prompt windows showing ping tests; network issues indicated by timeouts. Network Connections window shows active, disabled, and authentication-failed adapters.]
  • After the RADIUS CoA disconnect message, confirm that the Windows Supplicant is no longer in the User VLAN (vlan31) but in the default VLAN.

  • Confirm that further authentication requests are rejected by ForeScout CounterACT.

  • Confirm the SDSN BLOCK (dot1x) policy match and automated threat remediation action details by navigating to ForeScout CounterACT > Home.

    Figure 79: 802.1X SDSN Block Policy Match Verification
    [Screenshot: ForeScout CounterACT interface shows blocked devices under SDSN BLOCK - dot1x policy, detected device with IP 10.10.30.69, and timestamp 3/8/18 8:32:48 PM.]
  • Navigate to Log > Host Log. Review the details for the SDSN BLOCK (dot1x) policy.

    Figure 80: 802.1X Host Log
    [Screenshot: Host Log interface with details of 802.1x authentication events for IP 10.1.0.30.69 including RADIUS rejections and SDSN BLOCK actions.]
  • Confirm that the Windows Supplicant’s IP address was also added to the Infected-Hosts feed on the SRX Series device to block Internet access.

  • In the ATP Cloud portal, navigate to Monitor > Hosts. Confirm the host IP address (10.10.30.69), MAC-ID, and switch port of the Windows Supplicant.

    Figure 81: ATP Cloud Host Monitoring
    [Screenshot: Cybersecurity system screenshot showing host 10.10.30.69 with high threat level 9. Investigation open, blocking recommended.]

Meaning

All ping sessions show that the traffic is blocked after the threat was detected, confirming that the automated threat remediation use case is working properly.

The Hosts page lists compromised hosts and their associated threat levels. The output confirms that ATP Cloud and Security Director have detected the infected host. You can monitor and mitigate malware detections on a per host basis.

Verify ForeScout CounterACT Functionality to Quarantine Infected Endpoint (with 802.1X Authentication)

Purpose

Test the ForeScout CounterACT integration and functionality when an endpoint is infected. In this example, you verify when the enforcement policy is configured to quarantine the infected host with 802.1X authentication.

Action

Note:

A client VM or physical PC is required to trigger an attack.

Before the attack, confirm the following:

  • Release the infected host on the ATP Cloud portal or in Security Director (Monitor > Threat Prevention > Hosts).

  • Ensure that Internet or LAN access is restored for the Windows Supplicant.

  • On the Policy Enforcer > Threat Prevention Policy page, change infected host profile actions to Quarantine and add the VLAN ID as vlan32. Click OK.

    Figure 82: Threat Prevention Policy Pre-Attack Configuration. Configuration screen for the Threat Prevention Policy: actions set to Drop connection silently (recommended); infected host profile included with the Quarantine action on vlan32; malware profile included with HTTP File Download toggled on; Cancel and OK buttons at the bottom.
  • Confirm that Windows Supplicant is authenticated and in User VLAN (vlan31).

  • Confirm that the endpoint 10.10.30.69 can ping the Internet (IP address 8.8.8.8) and the Layer 2 connected default gateway (10.10.30.254). Before the attack, the endpoint starts continuous pings to other endpoints on the LAN and the Internet.

    Figure 83: Confirming Ping from Windows Supplicant Before the Attack. Computer screen with four windows: two pinging IP addresses 10.10.30.254 and 8.8.8.8, one showing ipconfig results, and one displaying the network adapters.

    The endpoint then pings the C&C server on the Internet from the Windows Supplicant (in this example, the C&C server has the IP address 184.75.221.43).

After the attack, the 802.1X session is terminated with RADIUS CoA on the EX4300 switch initiated by ForeScout CounterACT.
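The RADIUS CoA exchange that this step depends on, shown as an added Python example (this is not code from this document, from Juniper, or from ForeScout): the NAC sends an RFC 5176 Disconnect-Request for the supplicant's session, and the switch honours it only when the Request Authenticator proves knowledge of the shared secret; otherwise the packet is silently discarded, as the RFC requires. The user name, Calling-Station-Id, NAS address, switch port and shared secret are constructed values, and the in-memory session table stands in for the switch's 802.1X session state.

```python
"""RADIUS Disconnect-Request (RFC 5176) handling as an 802.1X switch sees it.

Added example, not code from the Juniper document, Juniper or ForeScout.
The NAC builds a Disconnect-Request for the supplicant's session; the
switch validates the Request Authenticator against the shared secret and
answers with a Disconnect-ACK or Disconnect-NAK. All names, addresses,
ports and the secret used here are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, Tuple

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_CALLING_STATION_ID = 1, 4, 31
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 31: "Calling-Station-Id"}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; the length octet counts the 2-byte header (RFC 2865 section 5)."""
    if not 0 < len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(attrs: bytes) -> Dict[str, bytes]:
    """Decode the attribute list; raises ValueError on a truncated or malformed attribute."""
    out: Dict[str, bytes] = {}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("bad attribute length")
        out[ATTR_NAMES.get(attr_type, str(attr_type))] = attrs[pos + 2:pos + length]
        pos += length
    return out


def build_disconnect_request(identifier: int, secret: bytes, user_name: str,
                             calling_station_id: str, nas_ip: str) -> bytes:
    """What the NAC's RADIUS side sends to the switch for one session."""
    attrs = (encode_attr(ATTR_USER_NAME, user_name.encode())
             + encode_attr(ATTR_CALLING_STATION_ID, calling_station_id.encode())
             + encode_attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 section 2.3: MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def validate_disconnect_request(packet: bytes, secret: bytes) -> Tuple[bool, Dict[str, bytes]]:
    """Switch-side check: returns (accepted, attributes). Malformed or badly
    authenticated packets are refused so they can be silently dropped."""
    if len(packet) < 20:
        return False, {}
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False, {}
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, authenticator):
        return False, {}
    try:
        return True, parse_attrs(attrs)
    except ValueError:
        return False, {}


def build_response(request: bytes, code: int, secret: bytes) -> bytes:
    """Disconnect-ACK/NAK from the switch (no attributes carried here)."""
    header = struct.pack("!BBH", code, request[1], 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + attributes + secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def validate_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAC-side check that the ACK/NAK really came from a holder of the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def handle_disconnect(packet: bytes, secret: bytes, active_sessions: Dict[str, str]) -> Tuple[bytes, str]:
    """Switch logic: honour only a well-authenticated request naming a session this
    switch owns. active_sessions maps Calling-Station-Id -> access port (constructed)."""
    ok, attrs = validate_disconnect_request(packet, secret)
    if not ok:
        return b"", "silently discarded: bad authenticator or malformed packet"
    station = attrs.get("Calling-Station-Id", b"").decode(errors="replace")
    port = active_sessions.get(station)
    if port is None:
        return build_response(packet, DISCONNECT_NAK, secret), f"NAK: no session for {station}"
    return (build_response(packet, DISCONNECT_ACK, secret),
            f"ACK: session on {port} terminated, supplicant must re-authenticate")
```

The practical point for a defender is why the shared secret matters: a Disconnect-Request with a wrong or tampered authenticator is dropped without any response, so a CoA that appears to do nothing is usually a secret mismatch between CounterACT and the EX4300, while a NAK means the switch trusted the packet but found no matching session for that Calling-Station-Id.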

Confirm the following:

  • Confirm that Windows Supplicant re-authenticates and is automatically moved into Quarantine VLAN (vlan32). As a result, the Windows Supplicant cannot connect to the Internet or the LAN anymore.

    Figure 84: Confirm Traffic is Moved to Quarantine VLAN After Attack. Computer screen with command prompt windows showing ping commands to various IP addresses and unreachable host messages; the Network Connections window displays the adapter statuses.
  • After the RADIUS CoA disconnect message and re-authentication, confirm that the Windows Supplicant is now in Quarantine VLAN (vlan32).

  • Confirm that further authentication requests are rejected by ForeScout CounterACT.

  • Confirm the SDSN QUARANTINE (dot1x) policy match and automated threat remediation action details by navigating to ForeScout CounterACT > Home.

    Figure 85: 802.1X SDSN Quarantine Policy Match. ForeScout CounterACT interface showing navigation tabs, the views panel with device categories, the detections panel listing device details, and filters for network management. Timestamp: 3/6/18 9:04:50 PM.
  • Navigate to Log > Host Log. Review the details for the SDSN QUARANTINE (dot1x) policy.

    Figure 86: 802.1X SDSN Quarantine Host Log. Host Log interface displaying network events for IP 10.10.30.69, with columns for time, host, details, and MAC address.
  • Confirm that the Windows Supplicant’s IP address was also added to the Infected-Hosts Feed on the SRX Series device to block Internet access.

  • In the ATP Cloud portal, navigate to Monitor > Hosts. Confirm the host IP address (10.10.30.69), MAC-ID, and switch port of the Windows Supplicant.

    Figure 87: Confirming Host Details in ATP Cloud. ATP Cloud screenshot showing host 10.10.30.69 with high threat level 9, investigation open, blocking recommended.

Meaning

The output shows that the ATP Cloud infected host feed containing the Windows Supplicant’s IP address 10.10.30.69 has been successfully downloaded, resulting in the SRX device taking an action to quarantine the IP address.

The Hosts page lists compromised hosts and their associated threat levels. The output confirms that ATP Cloud and Security Director have detected and quarantined the infected host. You can monitor and mitigate malware detections on a per host basis. You can also drill down and verify why the host is marked as infected (for this use case, the C&C server IP address). For malware, the details of the downloaded file are displayed.

Verify ForeScout CounterACT Functionality to Block Infected Endpoint (with NETCONF)

Purpose

Test the ForeScout CounterACT integration and functionality when an endpoint is infected. In this example, you verify the case in which the enforcement method is NETCONF and the policy is configured to block the infected host.

Action

Note:

A client VM or physical PC is required to trigger an attack.

Before the attack, confirm the following:

  • On the Policy Enforcer > Threat Prevention Policy page, change infected host profile actions to Drop connection silently. Click OK.

    Figure 88: Drop Connection Silently Option. Configuration interface for the Threat Prevention Policy: infected host profile included with the action Drop connection silently; malware profile included with HTTP scanning enabled and HTTPS scanning disabled; Cancel and OK buttons present.
  • Navigate to the Policies tab. From the Console, stop both the SDSN BLOCK–dot1x and SDSN QUARANTINE–dot1x policies, and start both the SDSN BLOCK–NETCONF and SDSN QUARANTINE–NETCONF policies.

    Figure 89: Policies Tab in Policy Manager. Policy Manager interface showing a list of network policies with details including Name, Category, Status, User Scope, Segments, Conditions, and Actions. Buttons on the right allow managing policies: Add, Edit, Categorize, Remove, Duplicate, Move to, Export, Start, Stop, and Custom.
  • Confirm that the Linux host is in User VLAN (vlan31) with IP address 10.10.30.99.

    Figure 90: Linux Host Confirmation. Screenshot of a terminal showing the network configuration: ifconfig eth1 output with MAC 00:50:56:94:32:19, IPv4 10.10.30.99, IPv6 fe80::250:56ff:fe94:3219/64, MTU 1500; the Ethernet switching table for vlan31 with dynamic MACs on interfaces xe-0/0/0.0 and xe-0/0/1.0; VLAN information for vlan31 with tag 31 and interfaces xe-0/0/0.0* and xe-0/0/1.0*.
  • Confirm that the endpoint 10.10.30.99 can ping the Internet (IP address 8.8.8.8) and the Layer 2 connected default gateway (10.10.30.254). Before the attack, the endpoint starts continuous pings to other endpoints on the LAN and the Internet.

    Figure 91: Internet Ping. Linux terminal output showing two ping commands: the first pings 8.8.8.8 with 4 packets and 0 percent loss, the second pings 10.10.30.254 with 4 packets and 0 percent loss; both confirm network connectivity.

    The endpoint then pings the C&C server on the Internet from the Linux host (in this example, the C&C server has the IP address 184.75.221.43).

    Figure 92: C&C Server Ping. Ping command output showing 10 packets transmitted to 184.75.221.43 with 100 percent packet loss; the C&C server does not answer the pings.

After the attack, ForeScout CounterACT applies an ACL on the QFX switch using NETCONF. Confirm the following:

  • Confirm that the Linux host cannot connect to the Internet or the LAN anymore.

    Figure 93: Confirming Disconnected Linux Host. Terminal output showing the network configuration: firewall rules for forescout_acl discarding traffic from a specific MAC address and accepting the rest; ping tests to 8.8.8.8 and 10.10.30.254 fail with 100% packet loss.
  • Confirm the SDSN BLOCK (NETCONF) policy match and automated threat remediation action details by navigating to ForeScout CounterACT > Home.

    Figure 94: Confirming Policy Match and Automated Threat Remediation Details. ForeScout CounterACT interface showing the compliance of connected devices with security policies: navigation tabs, views panel, detections table with details for host 10.10.30.99, policy details, filters, and timestamp 3/6/10 11:19:16 PM.
  • Navigate to Log > Host Log. Review the details for the SDSN BLOCK (NETCONF) policy.

    Figure 95: SDSN Block Host Log. Host Log interface showing events for IP 10.10.30.99, including timestamps, MAC 005056943219, VLAN assignments, and security actions.
  • Confirm that the Linux host’s IP address was also added to the Infected-Hosts Feed on the SRX Series device to block Internet access.

  • In the ATP Cloud portal, navigate to Monitor > Hosts. Confirm the host IP address (10.10.30.99), MAC-ID, and switch port of the Linux host.

    Figure 96: Confirming Host Information in ATP Cloud Portal. Host 10.10.30.99 flagged with a high threat level, first seen 27 Feb 2018; recommendation to block and investigate.

Meaning

All ping sessions show that the traffic is blocked after the threat was detected, confirming that the automated threat remediation use case is working properly.

The Hosts page lists compromised hosts and their associated threat levels. The output confirms that ATP Cloud and Security Director have detected the infected host. You can monitor and mitigate malware detections on a per host basis.

Verify ForeScout CounterACT Functionality to Quarantine Infected Endpoint (with NETCONF)

Purpose

Test the ForeScout CounterACT integration and functionality when an endpoint is infected. In this example, you verify the case in which the enforcement method is NETCONF and the policy is configured to quarantine the infected host.

Action

Note:

A client VM or physical PC is required to trigger an attack.

Before the attack, confirm the following:

  • Release the infected host on the ATP Cloud portal or in Security Director (Monitor > Threat Prevention > Hosts).

  • Ensure that Internet or LAN access is restored for the Linux host.

  • On the Policy Enforcer > Threat Prevention Policy page, change infected host profile actions to Quarantine and add the VLAN ID as vlan32. Click OK.

    Figure 97: Changing Threat Prevention Policy to Quarantine. Configuration interface for the Threat Prevention Policy: drop connection silently, quarantine infected hosts in vlan32, HTTP file scanning enabled.
  • Confirm that the Linux host is in User VLAN (vlan31) with IP address 10.10.30.99.

    Figure 98: Confirming Linux Host Details. Output of the ifconfig eth1 command showing the interface details: eth1, MAC 00:50:56:94:32:19, IPv4 10.10.30.99, IPv6 fe80::250:56ff:fe94:3219/64, MTU 1500, RX packets 2744588, TX packets 2290151, RX errors 1688. Junos CLI output shows the Ethernet switching table with dynamic MAC entries, VLAN details for VLANs 1, 31, and 32, and interface xe-0/0/1 in VLAN 31 access mode.
  • Confirm that the endpoint 10.10.30.99 can ping the Internet (IP address 8.8.8.8) and the Layer 2 connected default gateway (10.10.30.254). Before the attack, the endpoint starts continuous pings to other endpoints on the LAN and the Internet.

    Figure 99: Confirming Internet Connectivity. Output of two ping commands in a Linux terminal: ping 8.8.8.8 with 0 percent packet loss and an average RTT of 8.080 ms; ping 10.10.30.254 with 0 percent packet loss and an average RTT of 6.300 ms.

    The endpoint then pings the C&C server on the Internet from the Linux host (in this example, the C&C server has the IP address 184.75.221.43).

    Figure 100: Confirming Connection to C&C Server. Ping command output showing 100 percent packet loss for IP address 184.75.221.43; the C&C server does not answer the pings.

After the attack, ForeScout CounterACT changes the VLAN configuration of the interface connecting the Linux host from User VLAN (vlan31) to Quarantine VLAN (vlan32) on the QFX switch using NETCONF.

Confirm the following:

  • Confirm that the Linux host cannot connect to the Internet or the LAN anymore.

    Figure 101: Confirming Linux Host Cannot Connect to Internet or LAN. Terminal output showing the network configuration and troubleshooting: interface xe-0/0/1 is now in VLAN 32, and the pings to 8.8.8.8 and 10.10.30.254 fail.
  • Confirm the SDSN QUARANTINE (NETCONF) policy match and automated threat remediation action details by navigating to ForeScout CounterACT > Home.

    Figure 102: Confirming Policy Match and Automated Threat Remediation Details. ForeScout CounterACT interface showing the device with IP 10.10.30.99 quarantined under the SDSN QUARANTINE - netconf policy.
  • Navigate to Log > Host Log. Review the details for the SDSN BLOCK (NETCONF) policy.

    Figure 103: SDSN Block Policy Host Log. Host Log interface showing actions for IP 10.10.30.99 and MAC 005056943219, including VLAN assignments and policy evaluations.
  • Confirm that the Linux host’s IP address was also added to the Infected-Hosts Feed on the SRX Series device to block Internet access.

  • In the ATP Cloud portal, navigate to Monitor > Hosts. Confirm the host IP address (10.10.30.99), MAC-ID, and switch port of the Linux host.

    Figure 104: Confirming Host Details in ATP Cloud Portal. Network monitoring interface showing details for host n/a@10.10.30.99 with a high threat level; recommendations: block and investigate.
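Both NETCONF remediations in this use case (the forescout_acl filter seen in Figure 93 and the move of xe-0/0/1 from vlan31 to vlan32 seen in Figure 101) can be checked from the switch side rather than by reading screenshots. The following Python example is added here and is not part of the Juniper document or of ForeScout's connector: it parses ELS-style "show vlans" output and the "show configuration firewall | display set" lines for the forescout_acl filter, and reports whether the Linux host (MAC 00:50:56:94:32:19 on xe-0/0/1, from Figures 90 and 98) is still in the user VLAN, quarantined, or blocked. The CLI outputs embedded in the block are constructed to match those formats, and the filter term names are assumptions.

```python
"""Check the NETCONF remediation state of a host on the QFX from CLI output.

Added example, not from the Juniper document or ForeScout's connector.
Parses constructed 'show vlans' (ELS format) and
'show configuration firewall | display set' text and reports whether the
host is still in the user VLAN, moved to the quarantine VLAN, or discarded
by the forescout_acl filter.
"""
import re
from typing import Dict, List, Set

USER_VLAN = "vlan31"              # from the use case
QUARANTINE_VLAN = "vlan32"        # from the use case
HOST_MAC = "00:50:56:94:32:19"    # Linux host MAC, Figure 90
HOST_PORT = "xe-0/0/1.0"          # access port of the Linux host, Figure 98

# Constructed 'show vlans' output before remediation (ELS column layout).
SHOW_VLANS_BEFORE = """\
Routing instance        VLAN name             Tag          Interfaces
default-switch          default               1
default-switch          vlan31                31
                                                           xe-0/0/0.0*
                                                           xe-0/0/1.0*
default-switch          vlan32                32
"""

# Constructed output after the NETCONF VLAN change (xe-0/0/1 now in vlan32).
SHOW_VLANS_AFTER = """\
Routing instance        VLAN name             Tag          Interfaces
default-switch          default               1
default-switch          vlan31                31
                                                           xe-0/0/0.0*
default-switch          vlan32                32
                                                           xe-0/0/1.0*
"""

# Constructed 'display set' view of a filter shaped like the one in Figure 93;
# the term names are assumptions, the discard/accept structure is from the figure.
FILTER_SET_AFTER = """\
set firewall family ethernet-switching filter forescout_acl term block-005056943219 from source-mac-address 00:50:56:94:32:19/48
set firewall family ethernet-switching filter forescout_acl term block-005056943219 then discard
set firewall family ethernet-switching filter forescout_acl term allow-rest then accept
set vlans vlan31 forwarding-options filter input forescout_acl
"""

VLAN_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s*(\S+)?$")   # instance, name, tag, optional first member
MEMBER_ROW = re.compile(r"^\s+(\S+)$")                       # continuation line: one member interface


def parse_show_vlans(text: str) -> Dict[str, Set[str]]:
    """Map VLAN name -> set of member logical interfaces (a trailing '*' marks link up)."""
    vlans: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Routing instance"):
            continue
        row = VLAN_ROW.match(line)
        if row:
            current = row.group(2)
            vlans.setdefault(current, set())
            if row.group(4):
                vlans[current].add(row.group(4).rstrip("*"))
            continue
        member = MEMBER_ROW.match(line)
        if member and current is not None:
            vlans[current].add(member.group(1).rstrip("*"))
    return vlans


def vlan_state(show_vlans: str, port: str = HOST_PORT) -> str:
    """'user', 'quarantined', or 'unexpected' (port absent or in more than one VLAN)."""
    membership = {name for name, members in parse_show_vlans(show_vlans).items() if port in members}
    if membership == {QUARANTINE_VLAN}:
        return "quarantined"
    if membership == {USER_VLAN}:
        return "user"
    return "unexpected"


def parse_filter_terms(set_output: str, filter_name: str = "forescout_acl") -> Dict[str, Dict[str, List[str]]]:
    """Group the 'from' and 'then' clauses of each term of the named filter."""
    pattern = re.compile(
        rf"^set firewall family ethernet-switching filter {re.escape(filter_name)} term (\S+) (from|then) (.+)$")
    terms: Dict[str, Dict[str, List[str]]] = {}
    for line in set_output.splitlines():
        m = pattern.match(line.strip())
        if m:
            terms.setdefault(m.group(1), {"from": [], "then": []})[m.group(2)].append(m.group(3))
    return terms


def mac_blocked_by_filter(set_output: str, mac: str, filter_name: str = "forescout_acl") -> bool:
    """True only if a term discards frames from the MAC and the filter is actually
    applied somewhere; a filter that nothing references blocks nothing."""
    applied = any(re.search(rf"\bfilter input {re.escape(filter_name)}$", line.strip())
                  for line in set_output.splitlines())
    if not applied:
        return False
    wanted = f"source-mac-address {mac}/48"
    return any(wanted in term["from"] and "discard" in term["then"]
               for term in parse_filter_terms(set_output, filter_name).values())


def remediation_state(show_vlans: str, filter_set: str, port: str = HOST_PORT, mac: str = HOST_MAC) -> str:
    """Combined verdict: 'blocked' (ACL), 'quarantined', 'user', or 'unexpected'."""
    if mac_blocked_by_filter(filter_set, mac):
        return "blocked"
    return vlan_state(show_vlans, port)
```

Feed the functions the real output of "show vlans" and "show configuration firewall | display set" taken over NETCONF or SSH after the attack; a verdict of "user" after CounterACT reports the policy match points at the connector's NETCONF session to the QFX, whereas "unexpected" (port in both VLANs or in none) usually means a partially committed configuration.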

Meaning

The output shows that the ATP Cloud infected host feed containing the Linux host’s IP address 10.10.30.99 has been successfully downloaded, resulting in the SRX device taking an action to quarantine the IP address.

The Hosts page lists compromised hosts and their associated threat levels. The output confirms that ATP Cloud and Security Director have detected and quarantined the infected host. You can monitor and mitigate malware detections on a per host basis.

Appendix A: Device Configurations

This section provides the following device configurations:

  • CLI Configuration for SRX Series Device

  • CLI Configuration for EX4300 Switch

  • CLI Configuration for QFX Switch

Appendix B: Troubleshooting Adding Third-Party Connector

If you encounter problems while adding the third-party connector, review the following log files for troubleshooting information.

This section covers the following third-party connector issues:

Troubleshooting Policy Enforcer

To troubleshoot Policy Enforcer, review these logs:

  • /srv/feeder/connectors/forescout/logs/forescout_connector.log

  • /srv/feeder/log/controller.log

  • If the following log message displays in the forescout_connector.log file:

    Then navigate to the ForeScout CounterACT CLI and enter this command:

Troubleshooting ForeScout CounterACT

To enable debugging on the CLI for the DEX (eds) and Web API plugins, enter the following commands:

  • fstool eds debug 10

  • fstool webapi debug 10

Review the following log files:

  • /usr/local/forescout/log/plugin/eds

  • /usr/local/forescout/log/plugin/webapi