Threat Enforcement Configuration - Juniper SRX

Overview

The SafeConnect threat enforcement module allows enforcement policies to be configured based on threats detected by a system external to SafeConnect. These policies can be used with any device type and do not require an agent running on the end-user device.

Once configured, policies can be set to either audit or quarantine. With any quarantine policy, end-users receive a browser-based message informing them of the issue. These messages can be customized with instructions on how to remediate and how long they will need to wait before the quarantine is re-evaluated.

Configure Juniper SRX

On the firewall, run the following commands from the CLI to send IDP events to syslog.

Enable IDP event logging to syslog:

configure
set security log mode event
set security log source-address 10.100.18.12
set system syslog host 10.100.210.200 port 30514 any any
set system syslog host 10.100.210.200 port 30514 match RT_IDP
set system syslog host 10.100.210.200 port 30514 structured-data
set system syslog file idp any any
set system syslog file idp match RT_IDP
set system syslog file idp structured-data
commit

Note: The source-address should be an interface IP of the firewall. The syslog host is the SafeConnect appliance (in a cluster environment, this is the manager IP).

Verify the configurations are in place:

show security log

Configure Threat Enforcement Input

After the threat detection system is configured, open the SafeConnect Configuration at https://portal.myweblogon.com:8443/manage (portal.myweblogon.com can be replaced by the manager IP or a branded URL) and choose “Configuration Manager > Threat Enforcement”.

Enable the webapi:

[Screenshot: t1.png]

From the dropdown, choose Juniper SRX and click ‘Add’.

[Screenshot: t2.png]

After choosing the Vendor, at least one source must be defined. A source is simply the IP address of the threat detection system. If the threat detection system has multiple interfaces, the IP specified must be the one that appears as the source address of the alerts (for the SRX, the source-address configured above). The name can be any descriptive label.

[Screenshot: t3.png]

After clicking ‘Submit’, the Threat Detection source will appear in the list.

Configure Threat Enforcement Policies

After at least one source has been defined, Threat Detection policies can now be created. To create a policy, click the ‘Add’ button.

[Screenshot: t4.png]

The first section defines which alerts SafeConnect will listen for. If alert details are not configured, SafeConnect ignores the alert. The following values are applicable for Juniper SRX and are ANDed together to find matching alerts, so an alert must satisfy every configured field.

  • Threat Severity: A textual value indicating LOW, MEDIUM or HIGH

  • Attack Name: This field is a text value and supports regex matching. It can be left blank to match all values.

  • Policy Name: This field is a text value and supports regex matching. It can be left blank to match all values.

[Screenshot: t5.png]

The next section defines how SafeConnect will react to the defined alert. Once configured, the policies will be available in the SafeConnect Policy Manager.

  • Policy Name: The name of the SafeConnect Policy. This value will be used to represent this policy in the Policy Manager and in the Device Manager.

  • Policy Duration: Defines how long SafeConnect will enforce the policy when an alert is received. Once this time expires, the policy is no longer enforced unless a follow-up alert is received for the device.

  • Enforcement: Defines whether SafeConnect will block a device or simply report on the alert.

  • Web Message: The web message that will be displayed to blocked devices for the duration of the enforcement.

Once configured, click ‘Save’.
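The following is an added example and not SafeConnect's or Juniper's own code. It models the three decisions the sections above describe: accept an alert only if it arrives from a defined source IP, AND together the severity, Attack Name regex and Policy Name regex (blank meaning match-all), and enforce the matching policy for its configured duration. The RT_IDP syslog line is constructed for illustration; it follows the Junos structured-data key="value" layout, and the parameter names attack-name, policy-name and threat-severity are assumed, so confirm them against your own SRX output before relying on them.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Junos structured-data parameters appear as key="value" pairs inside [...]
SD_PARAM = re.compile(r'(?P<key>[\w.-]+)="(?P<val>[^"]*)"')


def parse_rt_idp(line):
    """Return the structured-data parameters of an RT_IDP syslog line as a dict,
    or None when the line is not an RT_IDP event. The firewall config on this
    page already filters with 'match RT_IDP', but a listener should still check."""
    if "RT_IDP" not in line:
        return None
    start, end = line.find("["), line.rfind("]")
    if start < 0 or end < start:
        return None
    return {m.group("key"): m.group("val") for m in SD_PARAM.finditer(line[start:end])}


@dataclass
class ThreatPolicy:
    name: str          # SafeConnect policy name shown in Policy Manager
    severity: str      # LOW, MEDIUM or HIGH (compared case-insensitively)
    attack_name: str   # regex; "" matches all attack names
    policy_name: str   # regex; "" matches all IDP policy names
    duration: timedelta
    enforcement: str   # "quarantine" (block) or "audit" (report only)

    def matches(self, ev):
        """All alert fields are ANDed: severity must be equal, and every
        non-blank regex must be found in its field."""
        if ev.get("threat-severity", "").upper() != self.severity.upper():
            return False
        checks = ((self.attack_name, "attack-name"), (self.policy_name, "policy-name"))
        return all(not pat or re.search(pat, ev.get(key, "")) for pat, key in checks)


def evaluate(line, sender_ip, sources, policies, now):
    """Decide what would happen to one syslog line.
    Returns [(policy name, enforcement, expiry datetime), ...]; the device stays
    enforced until the expiry unless a later matching alert renews it."""
    if sender_ip not in sources:   # alert from an undefined source: ignored
        return []
    ev = parse_rt_idp(line)
    if ev is None:                 # not an IDP event: ignored
        return []
    return [(p.name, p.enforcement, now + p.duration) for p in policies if p.matches(ev)]


# --- constructed sample data (assumed field names, not real SRX or SafeConnect output) ---
SOURCES = {"10.100.18.12"}          # the source-address configured on the firewall
NOW = datetime(2024, 1, 1, 0, 0, 0)
POLICIES = [
    ThreatPolicy("SQLi quarantine", "HIGH", r"SQL:INJ", "", timedelta(hours=4), "quarantine"),
    ThreatPolicy("Any HIGH alert (audit)", "HIGH", "", "", timedelta(days=1), "audit"),
]
SAMPLE_HIGH = (
    '<14>1 2024-01-01T00:00:00Z srx RT_IDP - IDP_ATTACK_LOG_EVENT '
    '[junos@2636.1.1.1.2.0 source-address="10.20.30.40" destination-address="10.100.5.5" '
    'attack-name="HTTP:SQL:INJ:GENERIC" policy-name="idp-policy-default" threat-severity="HIGH"]'
)
SAMPLE_MEDIUM = SAMPLE_HIGH.replace('threat-severity="HIGH"', 'threat-severity="MEDIUM"')


def demo():
    """Run the HIGH sample through the defined source and policies."""
    return evaluate(SAMPLE_HIGH, "10.100.18.12", SOURCES, POLICIES, NOW)


if __name__ == "__main__":
    for name, action, expires in demo():
        print(f"{name}: {action} until {expires.isoformat()}")
```

Run as-is, the HIGH sample matches both policies (the blank-pattern audit policy matches every HIGH alert), the MEDIUM variant matches none, and the same line from an IP that is not a defined source is dropped before matching.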

[Screenshot: t6.png]

The resulting Threat Enforcement Policy will now appear in the list and will be available in the Policy Manager.

[Screenshot: t7.png]

Add Policies to existing Policy Groups

After Threat Enforcement policies have been defined, they will be available in the Policy Manager. Threat Enforcement policies can be added to a Policy Container just like all other SafeConnect policies.

[Screenshot: t8.png]