Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Juniper Advanced Threat Prevention Cloud Policy Overview

The connection to the Juniper ATP Cloud cloud is launched on-demand. It is established only when a condition is met and a file or URL must be sent to the cloud. The cloud inspects the file and returns a verdict number (1 through 10). A verdict number is a score or threat level. The higher the number, the higher the malware threat. The SRX Series device compares this verdict number to the Juniper ATP Cloud policy settings and either permits or denies the session. If the session is denied, a reset packet is sent to the client and the packets are dropped from the server.

Juniper ATP Cloud policies are an extension to the Junos OS security policies. Table 1 shows the additions.

Note:

Starting in Junos OS Release 15.1X49-D80, the match-then condition has been deprecated from the Juniper ATP Cloud policy configuration. For more information, see Juniper Sky Advanced Threat Prevention Release Notes for Junos 15.1X49-D80. The examples below are for Junos OS Release 15.1X49-D80 and later.

Table 1: Juniper ATP Cloud Security Policy Additions

Addition

Description

Action and notification based on the verdict number and threshold

Defines the threshold value and what to do when the verdict number is greater than or equal to the threshold. For example, if the threshold is 7 (the recommended value) and Juniper ATP Cloud returns a verdict number of 8 for a file, then that file is blocked from being downloaded and a log entry is created.

set services advanced-anti-malware policy aamwpolicy1 verdict-threshold recommended

set services advanced-anti-malware policy aamwpolicy1 http action block notification log

Default action and notification

Defines what to do when the verdict number is less than the threshold. For example, if the threshold is 7 and Juniper ATP Cloud returns a verdict number of 3 for a file, then that file is downloaded and a log file is created.

set services advanced-anti-malware policy aamwpolicy1 default-notification log

Name of the inspection profile

Name of the Juniper ATP Cloud profile that defines the types of file to scan.

set services advanced-anti-malware policy aamwpolicy1 http inspection-profile default_profile

Fallback options

Defines what to do when error conditions occur or when there is a lack of resources. The following fallback options are available:

  • action—Permit or block the file regardless of its threat level.

  • notification—Add or do not add this event to the log file.

set services advanced-anti-malware policy aamwpolicy1 fallback-options action permit
set services advanced-anti-malware policy aamwpolicy1 fallback-options notification log
Note:

The above actions assume a valid session is present. If no valid session is present, Juniper ATP Cloud permits the file, regardless of whether you set the fallback option to block.

Blocklist notification

Defines whether to create a log entry when attempting to download a file from a site listed in the blocklist file.

set services advanced-anti-malware policy aamwpolicy1 blacklist-notification log

Whitelist notification

Defines whether to create a log entry when attempting to download a file from a site listed in the allowlist file.

set services advanced-anti-malware policy aamwpolicy1 whitelist-notification log

Name of smtp inspection profile

Name of the inspection profile for SMTP email attachments. The “actions to take” are defined in the Web UI and not through CLI commands.

set services advanced-anti-malware policy aamwpolicy1 smtp inspection-profile my_smtp_profile

Use the show services advanced-anti-malware policy CLI command to view your Juniper ATP Cloud policy settings.

Use the show security policies CLI command to view your firewall policy settings.

For more examples, see Example: Configuring a Juniper Advanced Threat Prevention Cloud Policy Using the CLI.