SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Properly setup SkyATP with DNS Protection

    Posted 09-26-2023 18:33

    I subscribe to SkyATP services for my SRX and am not sure I am using it to its full protection.

    I need help setting up an SSL Proxy because most web traffic is SSL.  

    I noticed so many requests in my DNS server for rigi.com from Brazil and Paraguay. I literally had to create a country feed and block the 2 countries. I know that Sky ATP offers DNS Sinkhole but did not know how to properly set it up. I am losing all dropped traffic by the Sky ATP but only see 4 to 5 drops per day.

    I am sure I am missing something. I created an account online and ran the script they provide to enrol my unit; that part is done. I added my SkyATP to my policies (the secintel_policy) and they show up in J-Web as TPP. So I know that traffic is being monitored, but very little is dropped by the secintel_policy.

    I tried using this document to activate DNS Sinkhole, in vain.

    I would appreciate any help. 

    Here is what I was able to add to my config so far:

    services {
        advanced-anti-malware {
            connection {
                url https://srxapi.us-west-2.sky.junipersecurity.net;
                authentication {
                    tls-profile aamw-ssl;
                }
            }
            policy Sky-ATP-Filter-Traffic {
                http {
                    inspection-profile default_profile;
                    action block;
                    notification {
                        log;
                    }
                }
                smtp {
                    inspection-profile default_profile;
                    notification {
                        log;
                    }
                }
                verdict-threshold 4;
            }
            policy SkyATP-default-log-only {
                http {
                    inspection-profile default_profile;
                    action block;
                    notification {
                        log;
                    }
                }
            }
        }

    for DNS I have 

        dns-filtering {
            sinkhole {
                ipv4-address 10.10.10.102;
                ipv6-address ::1;
                fqdn ns1.domain.com;
            }
        }
    }



    ------------------------------
    JOHN HARRISON
    ------------------------------


  • 2.  RE: Properly setup SkyATP with DNS Protection

    This message was posted by a user wishing to remain anonymous
    Posted 09-27-2023 11:11

    Do you have a Premium license?  You can check your license type in the device listing on SkyATP portal.




  • 3.  RE: Properly setup SkyATP with DNS Protection

    Posted 09-27-2023 15:43

    Yes we do



    ------------------------------
    JOHN HARRISON
    ------------------------------



  • 4.  RE: Properly setup SkyATP with DNS Protection

    This message was posted by a user wishing to remain anonymous
    Posted 09-30-2023 15:06

    To check DNS traffic, you must create a DNS profile and assign it to a security-intelligence policy.

    [edit services security-intelligence profile dns_profile]
    category DNS;
    rule dns-rule-1 {
        match {
            threat-level [ 1 2 3 4 5 6 7 ];
        }
        then {
            action {
                permit;
            }
            log;
        }
    }
    rule dns-rule-2 {
        match {
            threat-level [ 8 9 10 ];
        }
        then {
            action {
                block {
                    drop;
                }
            }
            log;
        }
    }
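    The profile above is shown in the curly-brace display form the SRX prints with `show`, which is awkward to paste back into configuration mode. As an added example (not part of this thread and not Juniper's own tooling), the following Python script converts such a snippet into flat `set` commands, expanding bracketed lists like `threat-level [ 1 2 3 ]` into one command per value the way `show configuration | display set` does. It assumes one statement per line, blocks opened with `<name> {` and closed with `}`, and an optional leading `[edit ...]` line giving the hierarchy context; the sample input is constructed from the dns_profile posted above.

```python
"""Convert a Junos curly-brace configuration snippet into flat set commands.

Added example for this thread, not Juniper's code. Assumes the display
syntax the SRX prints with `show`: one statement per line ending in ';',
blocks opened by '<name> {' and closed by '}', and an optional leading
'[edit ...]' line that gives the hierarchy the snippet was taken from.
"""
import re
from typing import List

# Constructed sample, taken from the dns_profile posted in the reply above.
SAMPLE = """\
[edit services security-intelligence profile dns_profile]
category DNS;
rule dns-rule-1 {
    match {
        threat-level [ 1 2 3 4 5 6 7 ];
    }
    then {
        action {
            permit;
        }
        log;
    }
}
"""

_EDIT_RE = re.compile(r"^\[edit\s*(.*?)\]$")
_LIST_RE = re.compile(r"^(.*?)\s*\[\s*(.*?)\s*\]$")


def brace_to_set(text: str) -> List[str]:
    """Return the `set` commands equivalent to a brace-format snippet."""
    cmds: List[str] = []
    base: List[str] = []      # hierarchy taken from an '[edit ...]' line
    stack: List[str] = []     # one entry per currently open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "/*")):
            continue          # blank line, single-line annotation or '## ...' marker
        m = _EDIT_RE.match(line)
        if m:
            base, stack = m.group(1).split(), []
            continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            continue
        if not line.endswith(";"):
            raise ValueError(f"unrecognised line: {raw!r}")
        stmt = line[:-1].strip()
        path = ["set", *base, *stack]
        lm = _LIST_RE.match(stmt)
        if lm:
            # 'threat-level [ 1 2 3 ]' becomes one set command per value,
            # which is how 'display set' renders list values.
            key, values = lm.group(1), lm.group(2).split()
            cmds.extend(" ".join(path + [key, v]) for v in values)
        else:
            cmds.append(" ".join(path + [stmt]))
    if stack:
        raise ValueError("unbalanced '{'")
    return cmds


if __name__ == "__main__":
    for cmd in brace_to_set(SAMPLE):
        print(cmd)
```

    The resulting `set` lines can be entered one at a time in configuration mode or loaded together with `load set terminal`, and the converter raises on unbalanced braces so a truncated paste is caught before it reaches `commit`.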




  • 5.  RE: Properly setup SkyATP with DNS Protection

    Posted 09-30-2023 18:19

    I am not able to copy and paste this in my config I get a commit error. Can you please give me the config settings to add to my config. Thank you



    ------------------------------
    JOHN HARRISON
    ------------------------------



  • 6.  RE: Properly setup SkyATP with DNS Protection

    Posted 09-30-2023 19:25

    I already have this in my config

    profile dns-policy_Infected-Hosts {
        category Infected-Hosts;
        rule Rule-1 {
            match {
                threat-level 1;
            }
            then {
                action {
                    permit;
                }
            }
        }
        rule Rule-2 {
            match {
                threat-level [ 2 3 4 5 6 7 8 9 10 ];
            }
            then {
                action {
                    block {
                        drop;
                    }
                }
                log;
            }
        }
    }



    ------------------------------
    JOHN HARRISON
    ------------------------------



  • 7.  RE: Properly setup SkyATP with DNS Protection

    This message was posted by a user wishing to remain anonymous
    Posted 10-01-2023 11:54

    I would add a log statement to the permit block to help with troubleshooting.




  • 8.  RE: Properly setup SkyATP with DNS Protection

    Posted 10-04-2023 06:12

    Hi John,

    These are the steps to enable DNS Security on the SRX.

    • Step 1:
      • Enable Security Intelligence (SecIntel) for inline blocking of bad domains based on feeds downloaded from ATP cloud.
      • Activate the sinkhole IP if clients reaching out to C&C need to be identified.
      • NOTE: The secintel category is "DNS"
      • set services security-intelligence profile dns_protection category DNS

        set services security-intelligence profile dns_protection rule high_risk match threat-level 6