Configure Flow-Based Antivirus Policy
Overview
Let’s take a look at a typical enterprise network. An end user unknowingly visits a compromised website and downloads malicious content. This action compromises the endpoint, and the harmful content on that endpoint then becomes a threat to other hosts within the network. It is therefore important to prevent the download of the malicious content in the first place.
You can use an SRX Series Firewall with flow-based antivirus to protect users from virus attacks and to prevent the spread of malware in your network. The flow-based antivirus scans network traffic for viruses, Trojans, rootkits, and other types of malicious code and blocks the malicious content immediately when detected.
The following configuration creates a flow-based antivirus policy with these properties:
- Firewall policy name is fw-av-policy.
- Flow antivirus policy name is av-policy.
- Block any file if its returned verdict is greater than or equal to 7 and create a log entry.
- When there is an error condition (fallback), allow files to be downloaded and create a log entry.
Requirements
Before you begin
- Configure security zones and security policies. For more information, see Example: Creating Security Zones in Security Policies User Guide for Security Devices.
- Verify that you have a valid Juniper license. For licensing information about AI-Predictive Threat Prevention, see Software Licenses for SRX Series Firewalls.
- The CDN server must be reachable from the SRX Series Firewall. For releases before Junos OS 24.2R1, the Juniper content delivery network (CDN) server must be https://signatures.juniper.net/phase. From Junos OS Release 24.2R1 onwards, the CDN server is https://signatures.juniper.net/.
- SRX Series Firewall with Junos OS Release 23.4R1 or later.
Configuration
Step-By-Step Procedure
The following configuration requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
- Create the antivirus policy and block any file if its returned verdict is greater than or equal to 7.
set services anti-virus policy av-policy action block
set services anti-virus policy av-policy default-notification log
set services anti-virus policy av-policy fallback-options notification log
set services anti-virus policy av-policy http-client-notify message "test message for anti-virus flow"
set services anti-virus policy av-policy notification log
set services anti-virus policy av-policy verdict-threshold 7
- By default, the latest antivirus signature pack is automatically downloaded from the Juniper Networks content delivery network (CDN) server to your firewall device every five minutes. You can manually update the virus signature database by specifying the URL of the CDN server, and you can customize the update interval, by using the following commands:
set services anti-virus update url https://signatures.juniper.net/
set services anti-virus update automatic interval <5...60>
Note: Use a proxy profile for the antivirus pattern update process when the device does not have direct access to the Internet and can reach the Internet only through a proxy server:
set services anti-virus update proxy-profile proxy-name
- Configure the firewall policy and apply the antivirus policy.
set security policies from-zone trust to-zone untrust policy fw-av-policy match source-address any
set security policies from-zone trust to-zone untrust policy fw-av-policy match destination-address any
set security policies from-zone trust to-zone untrust policy fw-av-policy match application any
set security policies from-zone trust to-zone untrust policy fw-av-policy match dynamic-application any
set security policies from-zone trust to-zone untrust policy fw-av-policy then permit application-services anti-virus-policy av-policy
-
Commit the configuration.
commit
You can use the AI-PTP tab in the Allowlists page to add, replace, merge, or delete AI-PTP signatures in the allowlists. You can add the file signatures that are identified as false positives to the allowlists. This process excludes the specified signatures from malware inspection performed by the SRX Series Firewalls. For more information, see Create Allowlists and Blocklists.
To view the list of anti-virus signatures added to the allowlists on SRX Series Firewalls, use the CLI command show services anti-virus signature-exempt-list.
show services anti-virus signature-exempt-list
Anti-virus Signature Exempt List:
C1994069136041805794
J5381964424818232941
J12111449344962437113
J4660909146742838820
Total exempt signatures: 4
To clear the file signature allowlists on the SRX Series Firewalls, use the CLI command clear services anti-virus signature-exempt-list.
You can also run the following CLI commands on your SRX Series Firewalls to add, delete, export, and import file signatures:
- request services anti-virus signature-exempt-list add <signature-id>: add a file signature ID on your SRX Series Firewall. For example, request services anti-virus signature-exempt-list add J4660909146742838820.
- request services anti-virus signature-exempt-list delete <signature-id>: delete a file signature ID on your SRX Series Firewall. For example, request services anti-virus signature-exempt-list delete J4660909146742838820.
- request services anti-virus signature-exempt-list import <txt-file-with-signature-ids>: import a TXT file that contains signature IDs onto your SRX Series Firewall. For example, request services anti-virus signature-exempt-list import /var/tmp/av-exempt-list.txt.
- request services anti-virus signature-exempt-list export <txt-file-with-signature-ids>: export the signature IDs from your SRX Series Firewall to a TXT file. For example, request services anti-virus signature-exempt-list export /var/tmp/av-exempt-list.txt.
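Allowlist entries are exemptions from malware inspection, so it is worth keeping the intended list under version control and converging the device to it rather than adding IDs by hand. The following Python helper is an added example, not Juniper code: it validates a candidate list of signature IDs, parses the output of show services anti-virus signature-exempt-list (cross-checking the reported total against the IDs actually listed), and emits the request commands needed to bring the device in line. The ID pattern (a C or J prefix followed by digits) is inferred from the sample output above, and the one-ID-per-line import file layout and the placeholder ID J0000000000000000000 are assumptions.

```python
import re
from typing import Iterable

# Signature IDs in the page's sample output are a single letter (C or J) followed by a
# long run of digits. This pattern is an assumption inferred from that sample, not a
# documented grammar; widen it if your device reports other prefixes.
SIG_ID_RE = re.compile(r"^[CJ]\d{10,25}$")


def validate_signature_ids(ids: Iterable[str]) -> list[str]:
    """Normalise a candidate allowlist: strip, skip blanks and # comments, reject malformed IDs, dedupe."""
    seen: set[str] = set()
    clean: list[str] = []
    for raw in ids:
        sid = raw.strip()
        if not sid or sid.startswith("#"):
            continue
        if not SIG_ID_RE.match(sid):
            raise ValueError(f"malformed signature ID: {raw!r}")
        if sid not in seen:
            seen.add(sid)
            clean.append(sid)
    return clean


def parse_exempt_list(output: str) -> set[str]:
    """Parse 'show services anti-virus signature-exempt-list' output into a set of IDs.

    The 'Total exempt signatures' line is checked against the IDs actually parsed, so a
    truncated or mangled capture raises instead of being silently trusted.
    """
    ids: set[str] = set()
    reported_total = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Total exempt signatures:"):
            reported_total = int(line.rsplit(":", 1)[1])
        elif SIG_ID_RE.match(line):
            ids.add(line)
    if reported_total is not None and reported_total != len(ids):
        raise ValueError(f"device reports {reported_total} signatures, parsed {len(ids)}")
    return ids


def reconcile(desired: Iterable[str], device_output: str) -> dict:
    """Diff the intended allowlist against the device and emit the request commands to converge."""
    want = set(validate_signature_ids(desired))
    have = parse_exempt_list(device_output)
    to_add = sorted(want - have)
    to_delete = sorted(have - want)
    commands = [f"request services anti-virus signature-exempt-list add {s}" for s in to_add]
    commands += [f"request services anti-virus signature-exempt-list delete {s}" for s in to_delete]
    return {"add": to_add, "delete": to_delete, "commands": commands}


def render_import_file(desired: Iterable[str]) -> str:
    """Render the validated list as one ID per line (assumed layout for the import command)."""
    return "\n".join(validate_signature_ids(desired)) + "\n"


# Constructed sample: the exempt-list output shown on this page.
DEVICE_OUTPUT = """\
Anti-virus Signature Exempt List:
C1994069136041805794
J5381964424818232941
J12111449344962437113
J4660909146742838820
Total exempt signatures: 4
"""

# Constructed intended allowlist: two IDs from the sample plus a placeholder ID.
# J0000000000000000000 is not a real signature; it only exercises the 'add' path.
DESIRED_ALLOWLIST = [
    "J4660909146742838820",
    "J5381964424818232941",
    "J0000000000000000000",
    "J4660909146742838820",  # duplicate on purpose; validation collapses it
]

if __name__ == "__main__":
    plan = reconcile(DESIRED_ALLOWLIST, DEVICE_OUTPUT)
    print("\n".join(plan["commands"]))
    print(render_import_file(DESIRED_ALLOWLIST), end="")
```

Run the emitted request commands, then re-run show services anti-virus signature-exempt-list and feed the output back through parse_exempt_list to confirm the device now matches the intended list; a non-empty delete list is a prompt to ask who added the extra exemptions and why.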
Results
From configuration mode, confirm your configuration by entering the show services anti-virus and show security policies from-zone trust to-zone untrust commands (or show | display set for the set-command form). If the output does not display the intended configuration, repeat the configuration instructions to correct it.
Check the results of the configuration:
show services anti-virus
update {
url https://signatures.juniper.net/;
}
policy av-policy {
action block;
default-notification {
log;
}
fallback-options {
notification {
log;
}
}
http-client-notify {
message "test message for anti-virus flow";
}
notification {
log;
}
verdict-threshold 7;
}
show security policies from-zone trust to-zone untrust
policy fw-av-policy {
match {
source-address any;
destination-address any;
application any;
dynamic-application any;
}
then {
permit {
application-services {
anti-virus-policy av-policy;
}
}
}
}
Verification
To verify the configuration is working properly, use the following steps:
Obtaining Information About the Current Antivirus Statistics
Purpose
After some traffic has passed through your SRX Series Firewall, check the statistics to see how many sessions were permitted, blocked, and so on according to your profile and policy settings.
Action
From operational mode, enter the show services anti-virus statistics command.
Sample Output
show services anti-virus statistics
Anti-virus scan statistics:
Virus DB type: anti-virus
Total signatures: 11
Anti-virus DB version: 1654594666
Anti-virus DB update time: 2022-08-25 13:03:58 PDT
                 Total   HTTP    HTTPS   SMTP    SMTPS   IMAP    IMAPS   SMB
File scanned:    419382  81947   177549  16067   31591   15994   31925   64309
Virus found:     290713  1613    161485  15940   31591   15994   31925   32165
Virus blocked:   290713  1613    161485  15940   31591   15994   31925   32165
Virus permitted: 0       0       0       0       0       0       0       0
Meaning
Shows statistics on files scanned and viruses found, broken down by protocol, and whether each detected file was blocked or permitted. A non-zero Virus permitted count means a detected file reached the client (for example through the fallback action), and an old Anti-virus DB update time means the signature pack is not being refreshed from the CDN server.
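Reading this output by eye once is fine; watching it continuously is what turns the statistics into a detection source. The following Python helper is an added example, not Juniper code: it parses the statistics output into per-protocol counters, checks that the table is self-consistent (blocked plus permitted equals found, and the Total column equals the sum of the protocol columns), flags any permitted detections, and flags a stale signature database. The one-hour staleness threshold is an assumption chosen against the five-minute default update interval, and the timestamp's zone suffix (PDT in the sample) is ignored, so the caller supplies the current time in the device's local time.

```python
import re
from datetime import datetime, timedelta

# Column order of the statistics table as shown on this page.
PROTOCOLS = ["Total", "HTTP", "HTTPS", "SMTP", "SMTPS", "IMAP", "IMAPS", "SMB"]
COUNTER_ROWS = ["File scanned", "Virus found", "Virus blocked", "Virus permitted"]


def parse_av_statistics(output: str) -> dict:
    """Parse 'show services anti-virus statistics' into header fields and per-protocol counters."""
    stats: dict = {"counters": {}}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Total signatures:"):
            stats["total_signatures"] = int(line.split(":", 1)[1])
        elif line.startswith("Anti-virus DB version:"):
            stats["db_version"] = int(line.split(":", 1)[1])
        elif line.startswith("Anti-virus DB update time:"):
            stats["db_update_time"] = line.split(":", 1)[1].strip()
        elif line.split() == PROTOCOLS:
            stats["header_ok"] = True  # column order matches what we assume below
        else:
            for row in COUNTER_ROWS:
                if line.startswith(row + ":"):
                    values = [int(v) for v in line[len(row) + 1:].split()]
                    if len(values) != len(PROTOCOLS):
                        raise ValueError(f"{row}: expected {len(PROTOCOLS)} columns, got {len(values)}")
                    stats["counters"][row] = dict(zip(PROTOCOLS, values))
    missing = [r for r in COUNTER_ROWS if r not in stats["counters"]]
    if missing or not stats.get("header_ok"):
        raise ValueError(f"incomplete statistics output, missing rows: {missing}")
    return stats


def parse_local_time(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' and ignore any trailing zone abbreviation (e.g. PDT).
    Times are treated as naive device-local time, so compare only against device-local 'now'."""
    m = re.match(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", text.strip())
    if not m:
        raise ValueError(f"unparseable time: {text!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")


def check_av_health(stats: dict, now: datetime, max_db_age: timedelta = timedelta(hours=1)) -> list[str]:
    """Return findings; an empty list means the counters are self-consistent, nothing
    detected was permitted, and the signature DB has been refreshed within max_db_age."""
    findings: list[str] = []
    c = stats["counters"]
    # Per column: blocked + permitted must equal found, and found cannot exceed scanned.
    for proto in PROTOCOLS:
        scanned = c["File scanned"][proto]
        found = c["Virus found"][proto]
        blocked = c["Virus blocked"][proto]
        permitted = c["Virus permitted"][proto]
        if blocked + permitted != found:
            findings.append(f"{proto}: blocked {blocked} + permitted {permitted} != found {found}")
        if found > scanned:
            findings.append(f"{proto}: found {found} exceeds scanned {scanned}")
    # The Total column must equal the sum of the per-protocol columns.
    for row in COUNTER_ROWS:
        per_proto = sum(c[row][p] for p in PROTOCOLS[1:])
        if per_proto != c[row]["Total"]:
            findings.append(f"{row}: Total {c[row]['Total']} != sum of protocols {per_proto}")
    # Any permitted detection means an infected file reached the client (fallback or permit action).
    if c["Virus permitted"]["Total"] > 0:
        findings.append(
            f"{c['Virus permitted']['Total']} detected file(s) were permitted; "
            "review fallback-options and the policy action"
        )
    # Signature freshness. Updates run every five minutes by default, so exceeding the
    # (assumed) one-hour threshold suggests the CDN server or proxy is unreachable.
    age = now - parse_local_time(stats["db_update_time"])
    if age > max_db_age:
        findings.append(f"signature DB is {age} old (last update {stats['db_update_time']})")
    return findings


# Constructed sample: the statistics output shown on this page.
SAMPLE_OUTPUT = """\
Anti-virus scan statistics:
Virus DB type: anti-virus
Total signatures: 11
Anti-virus DB version: 1654594666
Anti-virus DB update time: 2022-08-25 13:03:58 PDT
Total HTTP HTTPS SMTP SMTPS IMAP IMAPS SMB
File scanned: 419382 81947 177549 16067 31591 15994 31925 64309
Virus found: 290713 1613 161485 15940 31591 15994 31925 32165
Virus blocked: 290713 1613 161485 15940 31591 15994 31925 32165
Virus permitted: 0 0 0 0 0 0 0 0
"""

if __name__ == "__main__":
    stats = parse_av_statistics(SAMPLE_OUTPUT)
    # 'now' is constructed to sit shortly after the sample's update time, in device-local time.
    for finding in check_av_health(stats, parse_local_time("2022-08-25 13:30:00")) or ["OK"]:
        print(finding)
```

In practice the output would come from the device (for example over NETCONF with PyEZ) on a schedule, and any finding would be raised as an alert; the permitted counter in particular should be trended per protocol, since a sudden rise on one protocol usually points at a fallback condition rather than a policy change.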