SRX

I subscribe to SkyATP services for my SRX and am not sure I am using it to it's full protection.

I need help setting up an SSL Proxy because most web traffic is SSL.  

I noticed so many request in my DNS server for rigi.com from Brazil and Paraguay. I literally had to create a country feed and block the 2 countries. I know that Sky ATP offer DNS Sinkhole but did not know how to properly set it up. I am losing all dropped traffic by the sky ATP but only see 4 to 5 drops per day. 

I am sure I am missing something. I created an account online and run the script they provide to enrol my unit that part is done I added my SkyATP to my Policies they secintel_policy and they show up in Jweb as TPP.  SO I know that traffic is being monitored but very little is dropped by the secintel_policy. 

I tried using this document to activate DNS Sinkhole in vein. 

I would appreciate any help. 

Here is what I was able to add to my config so far:

services {
    advanced-anti-malware {
        connection {
            url https://srxapi.us-west-2.sky.junipersecurity.net;
            authentication {
                tls-profile aamw-ssl;
            }
        }
        policy Sky-ATP-Filter-Traffic {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }
            smtp {
                inspection-profile default_profile;
                notification {
                    log;
                }
            }
            verdict-threshold 4;
        }
        policy SkyATP-default-log-only {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }

for DNS I have 

    dns-filtering {
        sinkhole {
            ipv4-address 10.10.10.102;
            ipv6-address ::1;
            fqdn ns1.domain.com;
        }
    }
}

Do you have a Premium license?  You can check your license type in the device listing on SkyATP portal.

I subscribe to SkyATP services for my SRX and am not sure I am using it to it's full protection.

I need help setting up an SSL Proxy because most web traffic is SSL.  

I noticed so many request in my DNS server for rigi.com from Brazil and Paraguay. I literally had to create a country feed and block the 2 countries. I know that Sky ATP offer DNS Sinkhole but did not know how to properly set it up. I am losing all dropped traffic by the sky ATP but only see 4 to 5 drops per day. 

I am sure I am missing something. I created an account online and run the script they provide to enrol my unit that part is done I added my SkyATP to my Policies they secintel_policy and they show up in Jweb as TPP.  SO I know that traffic is being monitored but very little is dropped by the secintel_policy. 

I tried using this document to activate DNS Sinkhole in vein. 

I would appreciate any help. 

Here is what I was able to add to my config so far:

services {
    advanced-anti-malware {
        connection {
            url https://srxapi.us-west-2.sky.junipersecurity.net;
            authentication {
                tls-profile aamw-ssl;
            }
        }
        policy Sky-ATP-Filter-Traffic {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }
            smtp {
                inspection-profile default_profile;
                notification {
                    log;
                }
            }
            verdict-threshold 4;
        }
        policy SkyATP-default-log-only {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }

for DNS I have 

    dns-filtering {
        sinkhole {
            ipv4-address 10.10.10.102;
            ipv6-address ::1;
            fqdn ns1.domain.com;
        }
    }
}

I subscribe to SkyATP services for my SRX and am not sure I am using it to it's full protection.

I need help setting up an SSL Proxy because most web traffic is SSL.  

I noticed so many request in my DNS server for rigi.com from Brazil and Paraguay. I literally had to create a country feed and block the 2 countries. I know that Sky ATP offer DNS Sinkhole but did not know how to properly set it up. I am losing all dropped traffic by the sky ATP but only see 4 to 5 drops per day. 

I am sure I am missing something. I created an account online and run the script they provide to enrol my unit that part is done I added my SkyATP to my Policies they secintel_policy and they show up in Jweb as TPP.  SO I know that traffic is being monitored but very little is dropped by the secintel_policy. 

I tried using this document to activate DNS Sinkhole in vein. 

I would appreciate any help. 

Here is what I was able to add to my config so far:

services {
    advanced-anti-malware {
        connection {
            url https://srxapi.us-west-2.sky.junipersecurity.net;
            authentication {
                tls-profile aamw-ssl;
            }
        }
        policy Sky-ATP-Filter-Traffic {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }
            smtp {
                inspection-profile default_profile;
                notification {
                    log;
                }
            }
            verdict-threshold 4;
        }
        policy SkyATP-default-log-only {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }

for DNS I have 

    dns-filtering {
        sinkhole {
            ipv4-address 10.10.10.102;
            ipv6-address ::1;
            fqdn ns1.domain.com;
        }
    }
}

To check DNS traffic, you must create a DNS profile and assign it to a security-intelligence policy.

[edit services security-intelligence profile dns_profile]
category DNS;
rule dns-rule-1 {
    match {
        threat-level [ 1 2 3 4 5 6 7 ];
    }
    then {
        action {
            permit;
        }
        log;
    }
}
rule dns-rule-2 {
    match {
        threat-level [ 8 9 10 ];
    }
    then {
        action {
            block {
                drop;
            }
        }
        log;
    }
}

I subscribe to SkyATP services for my SRX and am not sure I am using it to it's full protection.

I need help setting up an SSL Proxy because most web traffic is SSL.  

I noticed so many request in my DNS server for rigi.com from Brazil and Paraguay. I literally had to create a country feed and block the 2 countries. I know that Sky ATP offer DNS Sinkhole but did not know how to properly set it up. I am losing all dropped traffic by the sky ATP but only see 4 to 5 drops per day. 

I am sure I am missing something. I created an account online and run the script they provide to enrol my unit that part is done I added my SkyATP to my Policies they secintel_policy and they show up in Jweb as TPP.  SO I know that traffic is being monitored but very little is dropped by the secintel_policy. 

I tried using this document to activate DNS Sinkhole in vein. 

I would appreciate any help. 

Here is what I was able to add to my config so far:

services {
    advanced-anti-malware {
        connection {
            url https://srxapi.us-west-2.sky.junipersecurity.net;
            authentication {
                tls-profile aamw-ssl;
            }
        }
        policy Sky-ATP-Filter-Traffic {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }
            smtp {
                inspection-profile default_profile;
                notification {
                    log;
                }
            }
            verdict-threshold 4;
        }
        policy SkyATP-default-log-only {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }

for DNS I have 

    dns-filtering {
        sinkhole {
            ipv4-address 10.10.10.102;
            ipv6-address ::1;
            fqdn ns1.domain.com;
        }
    }
}

To check DNS traffic, you must create a DNS profile and assign it to a security-intelligence policy.

[edit services security-intelligence profile dns_profile]
category DNS;
rule dns-rule-1 {
    match {
        threat-level [ 1 2 3 4 5 6 7 ];
    }
    then {
        action {
            permit;
        }
        log;
    }
}
rule dns-rule-2 {
    match {
        threat-level [ 8 9 10 ];
    }
    then {
        action {
            block {
                drop;
            }
        }
        log;
    }
}

I subscribe to SkyATP services for my SRX and am not sure I am using it to it's full protection.

I need help setting up an SSL Proxy because most web traffic is SSL.  

I noticed so many request in my DNS server for rigi.com from Brazil and Paraguay. I literally had to create a country feed and block the 2 countries. I know that Sky ATP offer DNS Sinkhole but did not know how to properly set it up. I am losing all dropped traffic by the sky ATP but only see 4 to 5 drops per day. 

I am sure I am missing something. I created an account online and run the script they provide to enrol my unit that part is done I added my SkyATP to my Policies they secintel_policy and they show up in Jweb as TPP.  SO I know that traffic is being monitored but very little is dropped by the secintel_policy. 

I tried using this document to activate DNS Sinkhole in vein. 

I would appreciate any help. 

Here is what I was able to add to my config so far:

services {
    advanced-anti-malware {
        connection {
            url https://srxapi.us-west-2.sky.junipersecurity.net;
            authentication {
                tls-profile aamw-ssl;
            }
        }
        policy Sky-ATP-Filter-Traffic {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }
            smtp {
                inspection-profile default_profile;
                notification {
                    log;
                }
            }
            verdict-threshold 4;
        }
        policy SkyATP-default-log-only {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }

for DNS I have 

    dns-filtering {
        sinkhole {
            ipv4-address 10.10.10.102;
            ipv6-address ::1;
            fqdn ns1.domain.com;
        }
    }
}

AI already have this in my config

profile dns-policy_Infected-Hosts {
            category Infected-Hosts;
            rule Rule-1 {
                match {
                    threat-level 1;
                }
                then {
                    action {
                        permit;
                    }
                }
            }
            rule Rule-2 {
                match {
                    threat-level [ 2 3 4 5 6 7 8 9 10 ];
                }
                then {
                    action {
                        block {
                            drop;
                        }
                    }
                    log;
                }
            }
        }

To check DNS traffic, you must create a DNS profile and assign it to a security-intelligence policy.

[edit services security-intelligence profile dns_profile]
category DNS;
rule dns-rule-1 {
    match {
        threat-level [ 1 2 3 4 5 6 7 ];
    }
    then {
        action {
            permit;
        }
        log;
    }
}
rule dns-rule-2 {
    match {
        threat-level [ 8 9 10 ];
    }
    then {
        action {
            block {
                drop;
            }
        }
        log;
    }
}

I subscribe to SkyATP services for my SRX and am not sure I am using it to it's full protection.

I need help setting up an SSL Proxy because most web traffic is SSL.  

I noticed so many request in my DNS server for rigi.com from Brazil and Paraguay. I literally had to create a country feed and block the 2 countries. I know that Sky ATP offer DNS Sinkhole but did not know how to properly set it up. I am losing all dropped traffic by the sky ATP but only see 4 to 5 drops per day. 

I am sure I am missing something. I created an account online and run the script they provide to enrol my unit that part is done I added my SkyATP to my Policies they secintel_policy and they show up in Jweb as TPP.  SO I know that traffic is being monitored but very little is dropped by the secintel_policy. 

I tried using this document to activate DNS Sinkhole in vein. 

I would appreciate any help. 

Here is what I was able to add to my config so far:

services {
    advanced-anti-malware {
        connection {
            url https://srxapi.us-west-2.sky.junipersecurity.net;
            authentication {
                tls-profile aamw-ssl;
            }
        }
        policy Sky-ATP-Filter-Traffic {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }
            smtp {
                inspection-profile default_profile;
                notification {
                    log;
                }
            }
            verdict-threshold 4;
        }
        policy SkyATP-default-log-only {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }

for DNS I have 

    dns-filtering {
        sinkhole {
            ipv4-address 10.10.10.102;
            ipv6-address ::1;
            fqdn ns1.domain.com;
        }
    }
}

I subscribe to SkyATP services for my SRX and am not sure I am using it to it's full protection.

I need help setting up an SSL Proxy because most web traffic is SSL.  

I noticed so many request in my DNS server for rigi.com from Brazil and Paraguay. I literally had to create a country feed and block the 2 countries. I know that Sky ATP offer DNS Sinkhole but did not know how to properly set it up. I am losing all dropped traffic by the sky ATP but only see 4 to 5 drops per day. 

I am sure I am missing something. I created an account online and run the script they provide to enrol my unit that part is done I added my SkyATP to my Policies they secintel_policy and they show up in Jweb as TPP.  SO I know that traffic is being monitored but very little is dropped by the secintel_policy. 

I tried using this document to activate DNS Sinkhole in vein. 

I would appreciate any help. 

Here is what I was able to add to my config so far:

services {
    advanced-anti-malware {
        connection {
            url https://srxapi.us-west-2.sky.junipersecurity.net;
            authentication {
                tls-profile aamw-ssl;
            }
        }
        policy Sky-ATP-Filter-Traffic {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }
            smtp {
                inspection-profile default_profile;
                notification {
                    log;
                }
            }
            verdict-threshold 4;
        }
        policy SkyATP-default-log-only {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }

for DNS I have 

    dns-filtering {
        sinkhole {
            ipv4-address 10.10.10.102;
            ipv6-address ::1;
            fqdn ns1.domain.com;
        }
    }
}

Hi John,

     These are the steps to enable DNS Security on the SRX.

• Enroll device to ATP cloud, ensure that device has premium license for ATP cloud.
  • https://www.juniper.net/documentation/us/en/software/sky-atp/atp-cloud-admin-guide/topics/task/sky-atp-device-enrolling-srx-only.html
• Once device is enrolled DNS security can be implemented in 3 configuration steps.

• Step 1:
  • Enable Security Intelligence (SecIntel) for inline blocking of bad domains based on feeds downloaded from ATP cloud.
  • Activate Sinkhole IP if client reaching out to C&C need to be identified.
  • NOTE: The secintel category is "DNS"

  • set services security-intelligence profile dns_protection category DNS

    set services security-intelligence profile dns_protection rule high_risk match threat-level 6

    set services security-intelligence profile dns_protection rule high_risk match threat-level 7

    set services security-intelligence profile dns_protection rule high_risk match threat-level 8

    set services security-intelligence profile dns_protection rule high_risk match threat-level 9

    set services security-intelligence profile dns_protection rule high_risk match threat-level 10

    set services security-intelligence profile dns_protection rule high_risk then action sinkhole

    set services security-intelligence profile dns_protection rule high_risk then log

    set services security-intelligence profile dns_protection rule med_risk match threat-level 4

    set services security-intelligence profile dns_protection rule med_risk match threat-level 5

    set services security-intelligence profile dns_protection rule med_risk then action block drop

    set services security-intelligence profile dns_protection rule med_risk then log

    set services security-intelligence profile dns_protection rule low_risk match threat-level 1

    set services security-intelligence profile dns_protection rule low_risk match threat-level 2

    set services security-intelligence profile dns_protection rule low_risk match threat-level 3

    set services security-intelligence profile dns_protection rule low_risk then action permit

    set services security-intelligence profile dns_protection rule low_risk then log

    set services security-intelligence policy stop_threats DNS dns_protection

  • Enable sinkhole configuration.
    

  • set services dns-filtering sinkhole ipv4-address 192.168.10.254

    set services dns-filtering sinkhole ipv6-address 2001::1

    set services dns-filtering sinkhole fqdn sinkhole.local.com

•  Step 2:
  
  • Enable Security metadata configuration for advanced DNS security detections DGA (Domain Generation Algorithm) and DNS Tunneling.

  • set services security-metadata-streaming policy DNS_ADV_SEC dns detections dga action sinkhole

    set services security-metadata-streaming policy DNS_ADV_SEC dns detections dga notification log

    set services security-metadata-streaming policy DNS_ADV_SEC dns detections tunneling action sinkhole

    set services security-metadata-streaming policy DNS_ADV_SEC dns detections tunneling notification log

    set services security-metadata-streaming policy DNS_ADV_SEC dns detections tunneling inspection-depth 2

• Step 3:  Enable the configured metadata streaming on a Security policy and zone pair where the DNS traffic will be traversing.
  

  • set security policies from-zone trust to-zone untrust policy default-permit match source-address any

    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any

    set security policies from-zone trust to-zone untrust policy default-permit match application any

    set security policies from-zone trust to-zone untrust policy default-permit match dynamic-application any

    set security policies from-zone trust to-zone untrust policy default-permit then permit application-services security-intelligence-policy stop_threats

         Enable on the zone pair which intercepts the DNS traffic.

• • set security policies from-zone trust to-zone untrust application-services security-metadata-streaming-policy DNS_ADV_SEC

• Once the above configuration is configured, DNS statistics should provide the detections.
  

  • root@SRX> show services security-metadata-streaming dns statistics

    Logical system: root-logical-system

    DNS session statistics:

      Cache Hits:                99

      Cache Misses:              182

      C2 Sessions Permitted:     0

      C2 Sessions Dropped:       3

      C2 Sessions Sinkholed:     14

    DNS submission statistics:

      Domain Submission Success:   147

      Domain Submission Failures:  0

      Safe Verdicts Received:      101

      C2 Verdicts Received:        5

      DNS Tunnels Detected:        12

      Latency Fallback Triggered:  35

    ATP latency statistics:

      Average Latency:             34ms

      Maximum Latency:             285ms

      Minimum Latency:             26ms

      sub-50ms response:           103 (96%)

      sub-100ms response:          2 (1%)

      sub-250ms response:          0 (0%)

      sub-500ms response:          2 (1%)

I subscribe to SkyATP services for my SRX and am not sure I am using it to it's full protection.

I need help setting up an SSL Proxy because most web traffic is SSL.  

I noticed so many request in my DNS server for rigi.com from Brazil and Paraguay. I literally had to create a country feed and block the 2 countries. I know that Sky ATP offer DNS Sinkhole but did not know how to properly set it up. I am losing all dropped traffic by the sky ATP but only see 4 to 5 drops per day. 

I am sure I am missing something. I created an account online and run the script they provide to enrol my unit that part is done I added my SkyATP to my Policies they secintel_policy and they show up in Jweb as TPP.  SO I know that traffic is being monitored but very little is dropped by the secintel_policy. 

I tried using this document to activate DNS Sinkhole in vein. 

I would appreciate any help. 

Here is what I was able to add to my config so far:

services {
    advanced-anti-malware {
        connection {
            url https://srxapi.us-west-2.sky.junipersecurity.net;
            authentication {
                tls-profile aamw-ssl;
            }
        }
        policy Sky-ATP-Filter-Traffic {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }
            smtp {
                inspection-profile default_profile;
                notification {
                    log;
                }
            }
            verdict-threshold 4;
        }
        policy SkyATP-default-log-only {
            http {
                inspection-profile default_profile;
                action block;
                notification {
                    log;
                }
            }

for DNS I have 

    dns-filtering {
        sinkhole {
            ipv4-address 10.10.10.102;
            ipv6-address ::1;
            fqdn ns1.domain.com;
        }
    }
}