Using Guided Setup for No Juniper ATP Cloud (No Selection)
Guided Setup is the most efficient way to complete your initial configuration. Locate Guided Setup from the Configuration > Guided Setup > Threat Prevention menu.
You would make no ATP Cloud selection to configure Juniper Connected Security using only custom feeds. Custom feeds are the only threat prevention type available if you make no selection for ATP Cloud Configuration Type in the Policy Enforcer Settings page.
Before you begin the guided setup process, you must enter the IP address and login credentials for the policy enforcer virtual machine on the Policy Enforcer Settings page. If you haven’t yet done that, go to Administration > Policy Enforcer > Settings and enter the necessary information. See Policy Enforcer Settings for more information.
There are some concepts you should understand before you begin the configuration. It is recommended you read about them here in advance. Policy Enforcer Configuration Concepts.
The Guided Setup process offers the following steps for configuring threat prevention with custom feeds (No ATP Cloud selection). Click Start Setup to begin.
Tenants—You can create a tenant representing an Enterprise. When a tenant is created, a VRF is assigned to the tenant. When a site is associated with this tenant, only those devices that have the VRF associated with the tenant can be added to the site.
Note:In Policy Enforcer Release 20.1R1, only MX series devices support LSYS and VRF. Also, only root-logical system is supported. All the sites of a realm are either with tenants or without tenants.
Secure Fabric—Secure Fabric is a collection of network devices (switches, routers, firewalls, and other security devices), used by users or user groups, to which policies for aggregated threat prevention are applied. Once created, secure fabric is located under Devices. For secure fabric, the following is configured:
Sites—A site is a collection of network devices participating in threat prevention. Using quick setup, you can create your own site, but note that a device can only belong to one site and you must remove it from the any other site where it is used to use it elsewhere.
Click Add Devices in the Device Name column or in the IP address column to add devices to a site. Using the check boxes in the device list, you should indicate which devices are firewalls or switches.
Policy Enforcement Group—A policy enforcement group is a grouping of endpoints ready to receive advance threat prevention policies. Create a policy enforcement group by adding endpoints (firewalls and switches) under one common group name and later applying a security policy to that group. For policy enforcement group, the following is configured:
Once configured, policy enforcement groups are located under Configure > Shared Objects. A policy enforcement groups has the following fields:
Name and Description.
Group Type—IP Address, Subnet, or Location
Endpoint—IP addresses included in the group
Custom Feeds— Policy Enforcer uses threat feeds to provide actionable intelligence to policies about various types of threats. These feeds can come from different sources. In this case, the feeds are customized by adding IP addresses, domains, and URLs to your own lists.
The following types of custom threat feeds are available:
Dynamic Address—A dynamic address is a group of IP addresses that can be imported from external sources. These IP addresses are for specific domains or for entities that have a common attribute such as a particular undesired location that poses a threat. You can then configure security policies to use the dynamic addresses within a security policy.
Allowlist—An allowlist contains known trusted IP addresses, URLs, and domains. Content downloaded from locations on the allowlist does not have to be inspected for malware.
Blocklist—A blocklist contains known untrusted IP addresses, URLs, and domains. Access to locations on the blocklist is blocked, and therefore no content can be downloaded from those sites.
Infected Host—Infected hosts are hosts known to be compromised.
Note:The Juniper ATP Cloud advanced anti-malware detection of the infected host is not supported in SRX Series 300 and SRX Series 320 devices, if these devices are running Junos OS release prior to 18.3R1.
DDoS—Using DDoS threat feed, policy Enforcer blocks source IP addresses in the feed, rate limit the traffic from the source IP addresses, and takes BGP Flowspec action to apply null-route filtering or redirect the traffic to scrubbing centers.
Command and Control Server (C&C)—C&C is a centralized computer that issues commands to botnets (compromised networks of computers) and receives reports back from them. Botnets can be used to gather sensitive information, such as account numbers or credit card information, or to participate in a distributed DDoS attack.
Threat Prevention Policy—A threat prevention policy requires you to create a name for the policy, choose one or more profile types depending on the type of threat prevention this policy provides (infected hosts), and select a log setting. Once configured, you apply policies to policy enforcement groups.
Once configured, threat prevention policies are located under Configure > Threat Prevention > Policies. A policy has the following fields:
Name and Description.
Profiles—The type of threat this policy manages:
Infected Hosts—An infected host profile would provide information on compromised hosts and their associated threat levels. Host information includes IP address, threat level, blocked status, when the threat was seen, command and control hits, and malware detections.
Logging—All traffic is logged by default. Use the pulldown to narrow the types of traffic to be logged.
Group—Once your policy is created, it is applied to the policy enforcement group.
The last page is a summary of the items you have configured using quick setup. Click OK to be taken to the Policies page under Configure > Threat Prevention > Policies and your policy is listed there.
You must update to apply your new or edited policy configuration. Clicking the Ready to Update link takes you the Threat Policy Analysis page. See Threat Policy Analysis Overview. From there you can view your changes and choose to Update now, Update later, or Save them in draft form without updating.