I subscribe to SkyATP services for my SRX and am not sure I am using it to its full protection.
I need help setting up an SSL Proxy because most web traffic is SSL.
I noticed so many requests in my DNS server for rigi.com from Brazil and Paraguay. I literally had to create a country feed and block the 2 countries. I know that Sky ATP offers DNS Sinkhole but did not know how to properly set it up. I am losing all dropped traffic by Sky ATP but only see 4 to 5 drops per day.
I am sure I am missing something. I created an account online and ran the script they provide to enrol my unit; that part is done. I added my SkyATP to my policies (the secintel_policy) and they show up in J-Web as TPP. So I know that traffic is being monitored, but very little is dropped by the secintel_policy.
I tried using this document to activate DNS Sinkhole in vain.
I would appreciate any help.
Here is what I was able to add to my config so far:
services {
    advanced-anti-malware {
        connection {
            url https://srxapi.us-west-2.sky.junipersecurity.net;
            authentication {
                tls-profile aamw-ssl;
            }
        }
        policy Sky-ATP-Filter-Traffic {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }
            smtp {
                inspection-profile default_profile;
                notification {
                    log;
                }
            }
            verdict-threshold 4;
        }
        policy SkyATP-default-log-only {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }
        }
    }
For DNS I have:
    dns-filtering {
        sinkhole {
            ipv4-address 10.10.10.102;
            ipv6-address ::1;
            fqdn ns1.domain.com;
        }
    }
}
------------------------------
JOHN HARRISON
------------------------------
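Editor's added example (not part of the post above, and not Juniper's published configuration): the pieces the poster's config does not yet show are an SSL forward proxy profile and a security policy that actually applies the SSL proxy, the advanced-anti-malware policy and the security-intelligence policy to the traffic. Without a security policy referencing them, the policies under `services` exist but inspect nothing, and without SSL proxy, Sky ATP only sees cleartext HTTP, which would explain very few verdicts per day. The certificate-id `ssl-inspect-ca`, the profile name `ssl-inspect-profile`, the zone names `trust`/`untrust`, the policy name `inspect-web` and the CA-group name `All-Trusted-CA-Def` are constructed for this example; `Sky-ATP-Filter-Traffic` and `secintel_policy` are the names from the post. The DNS-filtering profile at the end follows the `[edit services security-intelligence]` hierarchy as this editor understands it; treat that part as an assumption and check it against the Junos release on the SRX before committing.

```junos
## 1. Create the CA that the SRX will use to re-sign server certificates.
##    Operational commands (run from the CLI, not in configure mode).
request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa
request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name srx.example.com subject CN=srx.example.com email admin@example.com
## Load the bundled public root CAs so the proxy can validate origin servers
## instead of ignoring server-auth failures (which would mask MITM upstream).
request security pki ca-certificate ca-profile-group load ca-group-name All-Trusted-CA-Def filename default

## 2. SSL forward proxy profile (configure mode).
set services ssl proxy profile ssl-inspect-profile root-ca ssl-inspect-ca
set services ssl proxy profile ssl-inspect-profile trusted-ca all
## Log everything while tuning; reduce to errors/warnings once stable.
set services ssl proxy profile ssl-inspect-profile actions log all

## 3. One security policy that chains all three application services.
##    Order matters: SSL proxy must be on the same rule so AAMW and
##    SecIntel receive decrypted HTTP, not opaque TLS.
set security policies from-zone trust to-zone untrust policy inspect-web match source-address any
set security policies from-zone trust to-zone untrust policy inspect-web match destination-address any
set security policies from-zone trust to-zone untrust policy inspect-web match application junos-https
set security policies from-zone trust to-zone untrust policy inspect-web match application junos-http
set security policies from-zone trust to-zone untrust policy inspect-web then permit application-services ssl-proxy profile-name ssl-inspect-profile
set security policies from-zone trust to-zone untrust policy inspect-web then permit application-services advanced-anti-malware-policy Sky-ATP-Filter-Traffic
set security policies from-zone trust to-zone untrust policy inspect-web then permit application-services security-intelligence-policy secintel_policy
set security policies from-zone trust to-zone untrust policy inspect-web then log session-close

## 4. DNS sinkhole (ASSUMED hierarchy; verify on your release). The sinkhole
##    addresses under "services dns-filtering" from the post only take effect
##    once a SecIntel profile with the DNS category and a sinkhole action is
##    bound to a SecIntel policy that a security policy references.
set services security-intelligence profile dns-sinkhole-profile category DNS
set services security-intelligence profile dns-sinkhole-profile rule block-high match threat-level [ 8 9 10 ]
set services security-intelligence profile dns-sinkhole-profile rule block-high then action sinkhole
set services security-intelligence profile dns-sinkhole-profile rule block-high then log
set services security-intelligence policy secintel_policy DNS dns-sinkhole-profile

## 5. Checks after commit.
show services ssl proxy statistics
show services advanced-anti-malware statistics
show services security-intelligence statistics
show security policies policy-name inspect-web detail
```

Two defender-side caveats. First, every client behind the SRX must trust the `ssl-inspect-ca` certificate (export it with `request security pki local-certificate export certificate-id ssl-inspect-ca type pem filename ...` and push it through your endpoint management), otherwise users see certificate warnings and may be trained to click through them. Second, exclude traffic that must not be decrypted (banking, healthcare, certificate-pinned apps) with an SSL proxy exempt list or a separate policy without `ssl-proxy` placed above `inspect-web`; pinned clients will otherwise fail rather than fall back, which shows up as connection resets, not as Sky ATP verdicts.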