SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SkyATP

    Posted 11-22-2023 10:23

    Hello, 

    We currently have SkyATP up and running and I've discovered the "Third Party Threat Feeds" features with various updated IP lists.

    We would like to activate it to block traffic coming from IPs or links present in these lists to our equipment behind our firewall.

    We've already activated "set services security-intelligence profile CC-profile category CC" but we can't figure out how to activate it, or even if we need to configure anything on our firewalls to activate the features ticked off in the screenshot below. And if it's activated simply by ticking the box, how can we be sure it's working? 

    Regards,



  • 2.  RE: SkyATP

    This message was posted by a user wishing to remain anonymous
    Posted 11-23-2023 14:48

    Please see this document on SecIntel configuration.

    https://www.juniper.net/documentation/us/en/software/sky-atp/help/sky-atp/topics/concept/sky-atp-integrated-feeds.html




  • 3.  RE: SkyATP

    Posted 11-24-2023 06:10

    Hello, 

    Thank you for your feedback, I did have this link. 

    However, the documentation doesn't mention the configuration to activate "Block List" or "DShield" for example. We already have a functional configuration for CC and Infected Hosts but I would like to know if simply activating the checkbox on SkyATP takes into account the "Block List" or "DShield" lists. 

    The link talks about a specific configuration for office365 but that seems to me to be a separate case with ipfilter_* already defined.

    Regards,



    ------------------------------
    ATB
    ------------------------------



  • 4.  RE: SkyATP

    This message was posted by a user wishing to remain anonymous
    Posted 11-27-2023 10:22

    You don't have to explicitly create rules for these feeds; the SRX will check against all feeds enabled on Sky. When you get a block, the SecIntel log message contains the feed that the block originated on, and the SkyATP portal will also show the feed source when a block occurs.




  • 5.  RE: SkyATP

    Posted 11-28-2023 03:33

    Okay, thanks. Because I've had it activated for a good week and I haven't seen any special upturns since the boxes were activated. On the J-Web part, SecIntel sends back blocking information with the info "cc_ip_data", will it be the same with the activation of these boxes or will there be another term to specify that it comes from there? 



    ------------------------------
    ATB
    ------------------------------



  • 6.  RE: SkyATP

    Posted 11-28-2023 12:02

    When various 3rd party threat feeds are selected, they are curated to include a threat level. So all of these feeds are included by default under the CC category on the SRX. The action is based on the CC profile that's created within the SecIntel configuration. 

    Check the output from the SRX below, which has the TOR and DShield feeds included as part of CC.

    SRX> show services security-intelligence category summary CC

    Category name     :CC
      Status          :Enable
      Description     :Command and Control data schema
      Update interval :1800s
      TTL             :3456000s
    ---<SNIP>--


      Feed name       :cc_ip_dshield
        logical-system:root-logical-system
        Vrf name      :junos-default-vrf
        Version       :20231128.1
        Objects number:19
        Create time   :2023-11-28 05:27:15 UTC
        Update time   :2023-11-28 16:51:58 UTC
        Update status :Store succeeded
        Expired       :No
        Status        :Active
        Options       :N/A
      Feed name       :cc_ip_tor
        logical-system:root-logical-system
        Vrf name      :junos-default-vrf
        Version       :20231128.1
        Objects number:1220
        Create time   :2023-11-28 13:35:58 UTC
        Update time   :2023-11-28 16:51:58 UTC
        Update status :Store succeeded
        Expired       :No
        Status        :Active
        Options       :N/A

    ---<SNIP>--

    Action is determined based on the risk profile configured for the CC category under security-intelligence. In the below profile, I am blocking any threat-level above 7.

    set services security-intelligence profile CC_Prof category CC
    set services security-intelligence profile CC_Prof rule r1 match threat-level 10
    set services security-intelligence profile CC_Prof rule r1 match threat-level 9
    set services security-intelligence profile CC_Prof rule r1 match threat-level 8
    set services security-intelligence profile CC_Prof rule r1 match threat-level 7
    set services security-intelligence profile CC_Prof rule r1 then action block close
    set services security-intelligence profile CC_Prof rule r1 then log



    ------------------------------
    Pradeep Hattiangadi
    ------------------------------
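As an added example (not from this thread or from Juniper), a small Python checker that parses the `show services security-intelligence category summary CC` output quoted above and flags feeds that are inactive, failed to store, expired, or not refreshed within two update intervals; the sample output is constructed from the values in the thread, and `cc_ip_hypothetical` is an invented unhealthy feed used to exercise the checks.

```python
from datetime import datetime, timedelta
# Constructed sample modelled on the "show services security-intelligence
# category summary CC" output in the thread; cc_ip_hypothetical is invented.
SAMPLE_OUTPUT = """\
  Update interval :1800s
  Feed name       :cc_ip_dshield
    Update time   :2023-11-28 16:51:58 UTC
    Update status :Store succeeded
    Expired       :No
    Status        :Active
  Feed name       :cc_ip_tor
    Update time   :2023-11-28 16:51:58 UTC
    Update status :Store succeeded
    Expired       :No
    Status        :Active
  Feed name       :cc_ip_hypothetical
    Update time   :2023-11-27 16:51:58 UTC
    Update status :Store failed
    Expired       :Yes
    Status        :Inactive
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"
EXPECTED = {"Status": "Active", "Update status": "Store succeeded", "Expired": "No"}

def parse_category(text):
    """Return (update interval in seconds, {feed name: {field: value}})."""
    feeds, current, interval = {}, None, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (p.strip() for p in line.split(":", 1))  # timestamps hold more colons
        if key == "Update interval":
            interval = int(value.rstrip("s"))
        elif key == "Feed name":
            current = feeds.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return interval, feeds

def check_feeds(text, now_utc):
    """Map each feed to its problems; an empty list means the feed looks healthy."""
    interval, feeds = parse_category(text)
    now, report = datetime.strptime(now_utc, TIME_FMT), {}
    for name, f in feeds.items():
        issues = [f"{k} is {f.get(k, '?')}" for k, v in EXPECTED.items() if f.get(k) != v]
        if now - datetime.strptime(f["Update time"], TIME_FMT) > timedelta(seconds=2 * interval):
            issues.append("stale: last update older than two update intervals")
        report[name] = issues
    return report
```

Run it over the live output of the same `show` command to turn the "is it working?" question into a per-feed health list; a feed that is Active with "Store succeeded" and a recent update time is being fetched, and the feed name (cc_ip_dshield, cc_ip_tor) is the one you will see in the SecIntel block log.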