Thank you so much for your help. Here is the result after committing the steps above:
run show services security-metadata-streaming dns statistics
Logical system: root-logical-system
DNS session statistics:
Cache Hits: 155
Cache Misses: 227
C2 Sessions Permitted: 0
C2 Sessions Dropped: 0
C2 Sessions Sinkholed: 0
DNS submission statistics:
Domain Submission Success: 1764
Domain Submission Failures: 0
Safe Verdicts Received: 1738
C2 Verdicts Received: 0
DNS Tunnels Detected: 0
Latency Fallback Triggered: 24
ATP latency statistics:
Average Latency: 65ms
Maximum Latency: 409ms
Minimum Latency: 59ms
sub-50ms response: 0 (0%)
sub-100ms response: 1667 (99%)
sub-250ms response: 2 (0%)
sub-500ms response: 1 (0%)
------------------------------
JOHN HARRISON
------------------------------
Original Message:
Sent: 10-04-2023 03:04
From: Pradeep Hattiangadi
Subject: Properly setup SkyATP with DNS Protection
Hi John,
These are the steps to enable DNS Security on the SRX.
- Enroll the device to ATP cloud; ensure that the device has a premium license for ATP cloud.
- Once the device is enrolled, DNS security can be implemented in 3 configuration steps.
- Step 1:
- Enable Security Intelligence (SecIntel) for inline blocking of bad domains based on feeds downloaded from ATP cloud.
- Activate the sinkhole IP if clients reaching out to C&C need to be identified.
- NOTE: The secintel category is "DNS"
set services security-intelligence profile dns_protection category DNS
set services security-intelligence profile dns_protection rule high_risk match threat-level 6
set services security-intelligence profile dns_protection rule high_risk match threat-level 7
set services security-intelligence profile dns_protection rule high_risk match threat-level 8
set services security-intelligence profile dns_protection rule high_risk match threat-level 9
set services security-intelligence profile dns_protection rule high_risk match threat-level 10
set services security-intelligence profile dns_protection rule high_risk then action sinkhole
set services security-intelligence profile dns_protection rule high_risk then log
set services security-intelligence profile dns_protection rule med_risk match threat-level 4
set services security-intelligence profile dns_protection rule med_risk match threat-level 5
set services security-intelligence profile dns_protection rule med_risk then action block drop
set services security-intelligence profile dns_protection rule med_risk then log
set services security-intelligence profile dns_protection rule low_risk match threat-level 1
set services security-intelligence profile dns_protection rule low_risk match threat-level 2
set services security-intelligence profile dns_protection rule low_risk match threat-level 3
set services security-intelligence profile dns_protection rule low_risk then action permit
set services security-intelligence profile dns_protection rule low_risk then log
set services security-intelligence policy stop_threats DNS dns_protection
- Enable sinkhole configuration.
set services dns-filtering sinkhole ipv4-address 192.168.10.254
set services dns-filtering sinkhole ipv6-address 2001::1
set services dns-filtering sinkhole fqdn sinkhole.local.com
- Step 2:
- Enable the security metadata configuration for the advanced DNS security detections: DGA (Domain Generation Algorithm) and DNS Tunneling.
set services security-metadata-streaming policy DNS_ADV_SEC dns detections dga action sinkhole
set services security-metadata-streaming policy DNS_ADV_SEC dns detections dga notification log
set services security-metadata-streaming policy DNS_ADV_SEC dns detections tunneling action sinkhole
set services security-metadata-streaming policy DNS_ADV_SEC dns detections tunneling notification log
set services security-metadata-streaming policy DNS_ADV_SEC dns detections tunneling inspection-depth 2
- Step 3: Enable the configured metadata streaming on the security policy and zone pair that the DNS traffic will be traversing.
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit match dynamic-application any
set security policies from-zone trust to-zone untrust policy default-permit then permit application-services security-intelligence-policy stop_threats
- Enable it on the zone pair which intercepts the DNS traffic.
set security policies from-zone trust to-zone untrust application-services security-metadata-streaming-policy DNS_ADV_SEC
- Once the above configuration is in place, the DNS statistics should show the detections.
root@SRX> show services security-metadata-streaming dns statistics
Logical system: root-logical-system
DNS session statistics:
Cache Hits: 99
Cache Misses: 182
C2 Sessions Permitted: 0
C2 Sessions Dropped: 3
C2 Sessions Sinkholed: 14
DNS submission statistics:
Domain Submission Success: 147
Domain Submission Failures: 0
Safe Verdicts Received: 101
C2 Verdicts Received: 5
DNS Tunnels Detected: 12
Latency Fallback Triggered: 35
ATP latency statistics:
Average Latency: 34ms
Maximum Latency: 285ms
Minimum Latency: 26ms
sub-50ms response: 103 (96%)
sub-100ms response: 2 (1%)
sub-250ms response: 0 (0%)
sub-500ms response: 2 (1%)
------------------------------
Pradeep Hattiangadi
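The Step 1 profile above maps threat levels to actions rule by rule, which makes it easy to leave a level uncovered or matched twice when the rules are edited later. The following linter is an added example written for this thread, not Juniper code: it parses the `set services security-intelligence profile ... rule ...` lines exactly as pasted above (the config text is embedded as constructed input), builds the level-to-action table, and reports uncovered or doubly matched levels, rules without an action, and rules that do not log. The assumption that threat levels run from 1 to 10 follows the levels used in the profile above.

```python
"""Lint the Step 1 security-intelligence profile lines from this thread.

Added example, not Juniper's code. It only understands the three
set-command shapes that appear in the thread: 'match threat-level N',
'then action <action>' and 'then log'. Threat levels 1..10 are assumed.
"""
import re

# Constructed input: the Step 1 profile lines pasted in the reply above.
STEP1_CONFIG = """\
set services security-intelligence profile dns_protection category DNS
set services security-intelligence profile dns_protection rule high_risk match threat-level 6
set services security-intelligence profile dns_protection rule high_risk match threat-level 7
set services security-intelligence profile dns_protection rule high_risk match threat-level 8
set services security-intelligence profile dns_protection rule high_risk match threat-level 9
set services security-intelligence profile dns_protection rule high_risk match threat-level 10
set services security-intelligence profile dns_protection rule high_risk then action sinkhole
set services security-intelligence profile dns_protection rule high_risk then log
set services security-intelligence profile dns_protection rule med_risk match threat-level 4
set services security-intelligence profile dns_protection rule med_risk match threat-level 5
set services security-intelligence profile dns_protection rule med_risk then action block drop
set services security-intelligence profile dns_protection rule med_risk then log
set services security-intelligence profile dns_protection rule low_risk match threat-level 1
set services security-intelligence profile dns_protection rule low_risk match threat-level 2
set services security-intelligence profile dns_protection rule low_risk match threat-level 3
set services security-intelligence profile dns_protection rule low_risk then action permit
set services security-intelligence profile dns_protection rule low_risk then log
set services security-intelligence policy stop_threats DNS dns_protection
"""

THREAT_LEVELS = range(1, 11)  # assumed range, matching the levels used above

RULE_RE = re.compile(
    r"^set services security-intelligence profile (?P<profile>\S+) rule (?P<rule>\S+) "
    r"(?:match threat-level (?P<level>\d+)|then action (?P<action>.+)|then (?P<log>log))$"
)


def parse_profile_rules(config):
    """Return {rule name: {'levels': set[int], 'action': str|None, 'log': bool}}."""
    rules = {}
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:               # category/policy lines are not rule lines
            continue
        r = rules.setdefault(m.group("rule"), {"levels": set(), "action": None, "log": False})
        if m.group("level"):
            r["levels"].add(int(m.group("level")))
        elif m.group("action"):
            r["action"] = m.group("action").strip()
        elif m.group("log"):
            r["log"] = True
    return rules


def threat_level_map(rules):
    """{threat level: action}, a quick table of what each level receives."""
    mapping = {}
    for r in rules.values():
        for lvl in r["levels"]:
            mapping[lvl] = r["action"]
    return dict(sorted(mapping.items()))


def lint(rules):
    """Return a list of findings; an empty list means every level is covered once."""
    findings, covered = [], {}
    for name, r in rules.items():
        for lvl in sorted(r["levels"]):
            if lvl in covered:
                findings.append(f"threat-level {lvl} matched by both {covered[lvl]} and {name}")
            covered[lvl] = name
        if r["action"] is None:
            findings.append(f"rule {name} has no 'then action'")
        if not r["log"]:
            findings.append(f"rule {name} does not log; detections will not appear in syslog")
    missing = sorted(set(THREAT_LEVELS) - set(covered))
    if missing:
        findings.append(f"threat levels with no rule: {missing}")
    return findings


if __name__ == "__main__":
    parsed = parse_profile_rules(STEP1_CONFIG)
    for lvl, action in threat_level_map(parsed).items():
        print(f"threat-level {lvl:2d} -> {action}")
    print("findings:", lint(parsed) or "none")
```

Running it against the profile above prints one line per threat level and no findings; deleting a `match threat-level` line or adding a level to a second rule produces a finding that names the level.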
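Both statistics dumps in this thread (the one just above and the one in the reply at the top) have the same shape: section headers ending in a colon followed by `Name: value` counters. The script below is an added example for this thread, not Juniper code: it parses that output, derives the figures a reviewer would want next to the raw counters (share of submissions that hit latency fallback, total C2 sessions, submissions without a recorded verdict) and turns them into findings. The warning thresholds (5% fallback, 400 ms maximum latency) are illustrative assumptions, and the embedded sample is the output posted at the top of the thread.

```python
"""Parse 'show services security-metadata-streaming dns statistics' output.

Added example, not Juniper's code. The section/counter layout is taken
from the two outputs pasted in this thread; thresholds are assumptions.
"""
import re

# Constructed sample: the counters posted at the top of this thread
# after the steps were committed.
SAMPLE_OUTPUT = """\
Logical system: root-logical-system
DNS session statistics:
Cache Hits: 155
Cache Misses: 227
C2 Sessions Permitted: 0
C2 Sessions Dropped: 0
C2 Sessions Sinkholed: 0
DNS submission statistics:
Domain Submission Success: 1764
Domain Submission Failures: 0
Safe Verdicts Received: 1738
C2 Verdicts Received: 0
DNS Tunnels Detected: 0
Latency Fallback Triggered: 24
ATP latency statistics:
Average Latency: 65ms
Maximum Latency: 409ms
Minimum Latency: 59ms
sub-50ms response: 0 (0%)
sub-100ms response: 1667 (99%)
sub-250ms response: 2 (0%)
sub-500ms response: 1 (0%)
"""

# Matches 'Name: 123', 'Name: 65ms' and 'Name: 1667 (99%)'
COUNTER_RE = re.compile(r"^(?P<name>[^:]+):\s*(?P<value>\d+)(?:ms)?(?:\s*\(\d+%\))?\s*$")


def parse_dns_statistics(text):
    """Return {section: {counter: int}}; latency values are in milliseconds."""
    stats, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):              # section header, e.g. 'DNS session statistics:'
            section = line[:-1]
            stats[section] = {}
            continue
        m = COUNTER_RE.match(line)
        if section is None or m is None:    # e.g. 'Logical system: root-logical-system'
            continue
        stats[section][m.group("name")] = int(m.group("value"))
    return stats


def summarize(stats):
    """Derived figures a reviewer would want next to the raw counters."""
    sess = stats.get("DNS session statistics", {})
    sub = stats.get("DNS submission statistics", {})
    lat = stats.get("ATP latency statistics", {})
    submitted = sub.get("Domain Submission Success", 0)
    verdicts = sub.get("Safe Verdicts Received", 0) + sub.get("C2 Verdicts Received", 0)
    fallback = sub.get("Latency Fallback Triggered", 0)
    return {
        "submitted": submitted,
        "verdict_gap": submitted - verdicts,  # submissions with no safe/C2 verdict counted
        "fallback_ratio": fallback / submitted if submitted else 0.0,
        "c2_sessions_total": sum(sess.get(k, 0) for k in (
            "C2 Sessions Permitted", "C2 Sessions Dropped", "C2 Sessions Sinkholed")),
        "c2_sessions_permitted": sess.get("C2 Sessions Permitted", 0),
        "tunnels_detected": sub.get("DNS Tunnels Detected", 0),
        "submission_failures": sub.get("Domain Submission Failures", 0),
        "max_latency_ms": lat.get("Maximum Latency", 0),
    }


def review(stats, fallback_warn_ratio=0.05, max_latency_warn_ms=400):
    """Findings worth a look; the thresholds are illustrative assumptions."""
    s = summarize(stats)
    findings = []
    if s["submission_failures"]:
        findings.append(f"{s['submission_failures']} domain submissions failed: check ATP cloud enrollment and reachability")
    if s["fallback_ratio"] > fallback_warn_ratio:
        findings.append(f"latency fallback triggered on {s['fallback_ratio']:.1%} of submissions: check ATP cloud latency")
    if s["max_latency_ms"] > max_latency_warn_ms:
        findings.append(f"maximum ATP latency {s['max_latency_ms']}ms exceeds {max_latency_warn_ms}ms")
    if s["c2_sessions_permitted"]:
        findings.append(f"{s['c2_sessions_permitted']} C2 sessions permitted: review the profile action for those threat levels")
    if s["tunnels_detected"]:
        findings.append(f"{s['tunnels_detected']} DNS tunnels detected: review the sinkholed and dropped sessions")
    return findings


if __name__ == "__main__":
    parsed = parse_dns_statistics(SAMPLE_OUTPUT)
    for key, value in summarize(parsed).items():
        print(f"{key}: {value}")
    for finding in review(parsed):
        print("FINDING:", finding)
```

On the sample above the only finding is the 409 ms maximum latency; fed the output from the reply above (3 dropped, 14 sinkholed, 12 tunnels, 35 fallbacks out of 147 submissions) it reports the fallback share and the tunnel detections instead. Pasting the command output into `SAMPLE_OUTPUT` from a cron job or a NETCONF/PyEZ `cli()` call is the obvious next step if you want the findings in a ticket queue rather than on a console.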
Original Message:
Sent: 09-26-2023 17:04
From: JOHN HARRISON
Subject: Properly setup SkyATP with DNS Protection
I subscribe to SkyATP services for my SRX and am not sure I am using it to its full protection.
I need help setting up an SSL Proxy because most web traffic is SSL.
I noticed so many requests in my DNS server for rigi.com from Brazil and Paraguay. I literally had to create a country feed and block the 2 countries. I know that Sky ATP offers DNS Sinkhole but did not know how to properly set it up. I am losing all dropped traffic by the Sky ATP but only see 4 to 5 drops per day.
I am sure I am missing something. I created an account online and ran the script they provide to enrol my unit; that part is done. I added my SkyATP to my policies (the secintel_policy) and they show up in J-Web as TPP. So I know that traffic is being monitored, but very little is dropped by the secintel_policy.
I tried using this document to activate DNS Sinkhole in vain.
I would appreciate any help.
Here is what I was able to add to my config so far:
services {
    advanced-anti-malware {
        connection {
            url https://srxapi.us-west-2.sky.junipersecurity.net;
            authentication {
                tls-profile aamw-ssl;
            }
        }
        policy Sky-ATP-Filter-Traffic {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }
            smtp {
                inspection-profile default_profile;
                notification {
                    log;
                }
            }
            verdict-threshold 4;
        }
        policy SkyATP-default-log-only {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }
        }
    }
for DNS I have:
    dns-filtering {
        sinkhole {
            ipv4-address 10.10.10.102;
            ipv6-address ::1;
            fqdn ns1.domain.com;
        }
    }
}
------------------------------
JOHN HARRISON
------------------------------