Sky Atp Admin Guide PDF
Modified: 2017-09-08
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in
the United States and other countries. All other trademarks may be property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
The information in this document is current as of the date on the title page.
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that
EULA.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Documentation Conventions
Notice icons used in this guide:
  Caution: Indicates a situation that might result in loss of data or hardware damage.
  Laser warning: Alerts you to the risk of personal injury from a laser.
Table 2 on page xii defines the text and syntax conventions used in this guide.
Text and syntax conventions (convention: description; example):
  Bold text like this: Represents text that you type.
    Example: To enter configuration mode, type the configure command:
      user@host> configure
  Fixed-width text like this: Represents output that appears on the terminal screen.
    Example:
      user@host> show chassis alarms
      No alarms currently active
  Italic text like this: Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles.
    Examples: A policy term is a named structure that defines match conditions and actions. Junos OS CLI User Guide. RFC 1997, BGP Communities Attribute.
  Italic text like this: Represents variables (options for which you substitute a value) in commands or configuration statements.
    Example: Configure the machine's domain name:
      [edit]
      root@# set system domain-name domain-name
  Text like this: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
    Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE.
  < > (angle brackets): Encloses optional keywords or variables.
    Example: stub <default-metric metric>;
  # (pound sign): Indicates a comment specified on the same line as the configuration statement to which it applies.
    Example: rsvp { # Required for dynamic MPLS only
  [ ] (square brackets): Encloses a variable for which you can substitute one or more values.
    Example: community name members [ community-ids ]
GUI Conventions
  Bold text like this: Represents graphical user interface (GUI) items you click or select.
    Examples: In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel.
  > (bold right angle bracket): Separates levels in a hierarchy of menu selections.
    Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
• Online feedback rating system—On any page of the Juniper Networks TechLibrary site
at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,
and use the pop-up form to provide us with information about your experience.
Alternately, you can use the online feedback form at
http://www.juniper.net/techpubs/feedback/.
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/
Malware Today
The threat landscape has evolved. Malware started out as experiments or pranks but
has recently become widespread and sophisticated. Attackers have migrated from using
broad, unfocused tactics and are now creating specialized malware, intended for a select
target or groups of targets, with the ultimate goal of becoming embedded in the target’s
infrastructure. Preliminary results published by Symantec suggest that “the release rate
of malicious code and other unwanted programs may be exceeding that of legitimate
software applications.”
With the emergence of these specialized threats, a new category of security has also
emerged with the purpose of detecting, analyzing, and preventing advanced threats that
are able to evade detection by more traditional security methods. Juniper Networks'
solution for preventing advanced and emerging threats is Sky Advanced Threat
Prevention (Sky ATP), a cloud-based anti-malware solution for SRX Series devices.
Juniper Networks Sky Advanced Threat Prevention (Sky ATP) is a security framework
that protects all hosts in your network against evolving security threats by employing
cloud-based malware analysis together with the SRX Series firewall. It protects your
network as follows:
• The SRX Series device extracts potentially malicious objects and files and sends them
to the cloud for analysis.
• Known malicious files are quickly identified and dropped before they can infect a host.
• Multiple techniques identify new malware, adding it to the known list of malware.
• Correlation between newly identified malware and known Command and Control
(C&C) sites aids analysis.
• The SRX Series device blocks known malicious file downloads and outbound C&C
traffic.
Sky ATP supports the following SRX Series deployment modes:
• Layer 3 mode
• Tap mode
• Transparent mode using MAC address. For more information, see Transparent mode
on SRX Series devices.
• Secure wire mode (a form of transparent mode that passes traffic directly between a
pair of interfaces rather than by MAC address). For more information, see Understanding
Secure Wire.
Sky ATP provides the following benefits:
• Integrated with the SRX Series device to simplify deployment and enhance the
anti-threat capabilities of the firewall.
• Checks inbound and outbound traffic with policy enhancements that allow users to
stop malware, quarantine infected systems, prevent data exfiltration, and disrupt
lateral movement.
• Scalable to handle increasing loads that require more computing resources, increased
network bandwidth to receive more customer submissions, and large storage for
malware.
• APIs for C&C feeds, whitelist and blacklist operations, and file submission. See the
Threat Intelligence Open API Setup Guide for more information.
Sky ATP consists of the following components:
  Command and control (C&C) cloud feeds: C&C feeds are essentially a list of servers that are known command and control servers for botnets. The list also includes servers that are known sources for malware downloads.
  Infected host cloud feeds: Infected hosts are local devices that are potentially compromised because they appear to be part of a C&C network or exhibit other symptoms.
  Whitelists, blacklists and custom cloud feeds: A whitelist is simply a list of known IP addresses that you trust, and a blacklist is a list that you do not trust.
  SRX Series device: Submits extracted file content for analysis and reports detected C&C hits inside the customer network.
  Service portal (Web UI): Graphical interface displaying information about detected threats inside the customer network.
For inbound traffic, security policies on the SRX Series device look for specific types of
files, like .exe files, to inspect. When one is encountered, the security policy sends the file
to the Sky ATP cloud for inspection. The SRX Series device holds the last few KB of the
file from the destination client while Sky ATP checks if this file has already been analyzed.
If so, a verdict is returned and the file is either sent to the client or blocked depending on
the file’s threat level and the user-defined policy in place. If the cloud has not inspected
this file before, the file is sent to the client while Sky ATP performs an exhaustive analysis.
If the file’s threat level indicates malware (and depending on the user-defined
configurations) the client system is marked as an infected host and blocked from
outbound traffic. For more information, see “How is Malware Analyzed and Detected?”
on page 8.
Figure 3 on page 7 shows an example flow of a client requesting a file download with
Sky ATP.
Step Description
1 A client system behind an SRX Series device requests a file download from the Internet. The SRX Series device
forwards that request to the appropriate server.
2 The SRX Series device receives the downloaded file and checks its security profile to see if any additional action
must be performed.
3 The downloaded file type is on the list of files that must be inspected and is sent to the cloud for analysis.
4 Sky ATP has inspected this file before and has the analysis stored in cache. In this example, the file is not malware
and the verdict is sent back to the SRX Series device.
5 Based on user-defined policies and because this file is not malware, the SRX Series device sends the file to the
client.
For outbound traffic, the SRX Series device monitors traffic that matches C&C feeds it
receives, blocks these C&C requests, and reports them to Sky ATP. A list of infected hosts
is available so that the SRX Series device can block inbound and outbound traffic.
Sky ATP is typically deployed in the following locations:
• Campus edge firewall—Sky ATP analyzes files downloaded from the Internet and
protects end-user devices.
• Data center edge—Like the campus edge firewall, Sky ATP prevents infected files and
application malware from running on your computers.
Sky ATP uses a pipeline approach to analyzing and detecting malware. If an analysis stage
reveals conclusively that the file is malware, the remaining stages of the pipeline are not
needed to examine it further. See Figure 5 on page 9.
Each analysis technique produces a verdict number; these are combined into a final
verdict number between 1 and 10. A verdict number is a score or threat level: the higher
the number, the higher the malware threat. The SRX Series device compares this verdict
number to the policy settings and either permits or denies the session. If the session is
denied, a reset packet is sent to the client and the packets from the server are dropped.
Cache Lookup
When a file is analyzed, a file hash is generated, and the results of the analysis are stored
in a database. When a file is uploaded to the Sky ATP cloud, the first step is to check
whether this file has been looked at before. If it has, the stored verdict is returned to the
SRX Series device and there is no need to re-analyze the file. In addition to files scanned
by Sky ATP, information about common malware files is also stored to provide faster
response.
Cache lookup is performed in real time. All other techniques are done offline. This means
that if the cache lookup does not return a verdict, the file is sent to the client system while
the Sky ATP cloud continues to examine the file using the remaining pipeline techniques.
If a later analysis returns a malware verdict, then the file and host are flagged.
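The download flow in the step table and the cache-then-offline behaviour described above, as an added example that is not Juniper's code: a small model in which a SHA-256 cache lookup answers in real time, a cache miss releases the file to the client and runs the remaining stages offline, a stage that returns 10 short-circuits the pipeline, and the combined verdict is compared with a policy threshold to permit or deny the session and to flag the downloading host. The stage heuristics, the max-combination rule, the threshold of 7, the fake signature and the sample files are all constructed assumptions; the real stage logic is not published on this page.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Stage = Tuple[str, Callable[[bytes], int]]   # (stage name, scorer returning 0..10)

# Constructed "antivirus" stage: a single fake signature, verdict 10 on a hit.
FAKE_SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"


def antivirus_stage(data: bytes) -> int:
    return 10 if FAKE_SIGNATURE in data else 0


# Constructed "static" stage: look for strings from the instruction categories the
# guide mentions (registry modification, disk I/O). Assumed scoring: 3 per hit, capped at 9.
SUSPICIOUS_STRINGS = (b"RegSetValueExA", b"RegCreateKeyExA", b"WriteFile", b"CreateFileA")


def static_stage(data: bytes) -> int:
    hits = sum(1 for s in SUSPICIOUS_STRINGS if s in data)
    return min(9, 3 * hits)


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class SkyAtpModel:
    threshold: int = 7                                      # assumed policy threshold
    stages: List[Stage] = field(default_factory=lambda: [
        ("antivirus", antivirus_stage), ("static", static_stage)])
    cache: Dict[str, int] = field(default_factory=dict)     # sha256 -> stored verdict
    infected_hosts: Set[str] = field(default_factory=set)

    def cache_lookup(self, data: bytes) -> Optional[int]:
        """Real-time step: the stored verdict, or None if the file has not been seen."""
        return self.cache.get(file_hash(data))

    def offline_analysis(self, data: bytes) -> int:
        """Run the remaining stages; stop early once a stage says the file is malware."""
        verdict = 0
        for _name, scorer in self.stages:
            verdict = max(verdict, scorer(data))            # assumed combination rule
            if verdict >= 10:
                break
        self.cache[file_hash(data)] = verdict              # the next lookup is a cache hit
        return verdict

    def inbound_download(self, client: str, data: bytes) -> str:
        """What the SRX does with a file that `client` is downloading."""
        verdict = self.cache_lookup(data)
        if verdict is not None:
            # cache hit: verdict returned in real time and enforced on the session
            return "deny" if verdict >= self.threshold else "permit"
        # cache miss: the file has already gone to the client; analysis continues offline
        verdict = self.offline_analysis(data)
        if verdict >= self.threshold:
            self.infected_hosts.add(client)                 # file and host are flagged
            return "permit-then-flag"
        return "permit"

    def outbound_allowed(self, client: str) -> bool:
        """Flagged hosts are blocked from outbound traffic."""
        return client not in self.infected_hosts


if __name__ == "__main__":
    model = SkyAtpModel()
    clean = b"MZ\x90\x00 constructed clean program " + b"\x00" * 64
    bad = b"MZ\x90\x00 " + FAKE_SIGNATURE + b" RegSetValueExA WriteFile"
    print(model.inbound_download("10.0.0.5", clean))      # first sight: permit
    print(model.inbound_download("10.0.0.9", bad))        # first sight: permit-then-flag
    print(model.inbound_download("10.0.0.10", bad))       # now cached: deny
    print(model.outbound_allowed("10.0.0.9"))             # False
```

The point to notice is the second call: on a cache miss the file is already on the client before the verdict exists, so the only enforcement available afterwards is on the host, which is why the infected-host feed matters as much as the file verdict.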
Antivirus Scan
The advantage of antivirus software is its protection against a large number of known
threats, such as viruses, trojans, worms, spyware, and rootkits. The disadvantage of
antivirus software is that it is always behind the malware: the malware appears first and
the signature that detects it comes second. Antivirus is therefore better at defending
against familiar threats and known malware than against zero-day threats.
Sky ATP utilizes multiple antivirus software packages, not just one, to analyze a file. The
results are then fed into the machine learning algorithm to overcome false positives and
false negatives.
Static Analysis
Static analysis examines files without actually running them. Basic static analysis is
straightforward and fast, typically around 30 seconds. The following are examples of
areas static analysis inspects:
• Metadata information—Name of the file, the vendor or creator of this file, and the
original date the file was compiled on.
• Categories of instructions used—Is the file modifying the Windows registry? Is it touching
disk I/O APIs?
• File entropy—How random is the file? A common technique for malware is to encrypt
portions of the code and then decrypt it during runtime. A large amount of high-entropy
(encrypted or packed) content is a strong indication that the file is malware.
The output of the static analysis is fed into the machine learning algorithm to improve
the verdict accuracy.
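The entropy check in the static-analysis list above, as an added example that is not Sky ATP's code: a windowed Shannon-entropy scan that reports which regions of a file look encrypted or packed rather than giving a single number for the whole file. The window size, the 7.2 bits/byte cutoff and the constructed sample file are assumptions.

```python
import math
import random
from collections import Counter
from typing import List, Tuple

HIGH_ENTROPY = 7.2   # assumed cutoff in bits/byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_windows(data: bytes, window: int = 1024) -> List[Tuple[int, float]]:
    """Entropy of each non-overlapping window, as (offset, bits_per_byte) pairs."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def high_entropy_fraction(data: bytes, window: int = 1024) -> float:
    """Fraction of the file's bytes that lie in windows at or above HIGH_ENTROPY."""
    if not data:
        return 0.0
    hot = sum(min(window, len(data) - off)
              for off, ent in scan_windows(data, window) if ent >= HIGH_ENTROPY)
    return hot / len(data)


def build_sample() -> bytes:
    """Constructed file: a readable code-like section followed by a pseudo-random payload,
    standing in for a packed or encrypted region that is unpacked at runtime."""
    text = (b"constructed section: MessageBoxA user32.dll kernel32.dll " * 64)[:2048]
    rng = random.Random(1337)             # seeded so the sample is reproducible
    payload = bytes(rng.getrandbits(8) for _ in range(2048))
    return text + payload


if __name__ == "__main__":
    sample = build_sample()
    for off, ent in scan_windows(sample):
        flag = "HIGH" if ent >= HIGH_ENTROPY else "low"
        print(f"offset {off:5d}: {ent:.2f} bits/byte  {flag}")
    print(f"high-entropy fraction: {high_entropy_fraction(sample):.2f}")
```

Per-window scanning is what makes the check useful: a whole-file average blurs a small encrypted stub into the surrounding code, while the window map shows where the payload starts. Legitimate installers and signed binaries with compressed resources also score high, which is why the guide feeds this result into the machine learning stage rather than treating it as a verdict on its own.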
Dynamic Analysis
The majority of the time spent inspecting a file is in dynamic analysis. With dynamic
analysis, often called sandboxing, a file is studied as it is executed in a secure environment.
During this analysis, an operating system environment is set up, typically in a virtual
machine, and tools are started to monitor all activity. The file is uploaded to this
environment and is allowed to run for several minutes. Once the allotted time has passed,
the record of activity is downloaded and passed to the machine learning algorithm to
generate a verdict.
Sophisticated malware can detect a sandbox environment due to its lack of human
interaction, such as mouse movement. Sky ATP uses a number of deception techniques
to trick the malware into determining this is a real user environment. For example, Sky
ATP can:
• Create fake high-value targets in the client, such as stored credentials, user files, and
a realistic network with Internet access.
Deception techniques by themselves greatly boost the detection rate while reducing
false positives. They also boost the detection rate of the sandbox the file is running in
because they get the malware to perform more activity. The more the file runs, the more
data is obtained to detect whether it is malware.
Machine Learning Algorithm
The machine learning algorithm is trained on malware samples and thousands of goodware
samples. It learns what malware looks like, and is regularly retrained to get smarter as
threats evolve.
Threat Levels
Sky ATP assigns a number between 0-10 to indicate the threat level of files scanned for
malware and the threat level for infected hosts. See Table 4 on page 11.
For more information on threat levels, see the Sky ATP Web UI online help.
Sky ATP is available in the following license models:
• Free—The free model is available on all supported SRX Series devices (see
the Supported Platforms Guide) for customers that have a valid support contract,
but it only scans executable file types (see “Sky Advanced Threat Prevention Profile
Overview” on page 77). Based on the result, the SRX Series device can allow the traffic
or perform inline blocking.
• Basic—Includes executable scanning and adds filtering using the following threat feed
types: Command and Control, GeoIP, Custom Filtering, and Threat Intel feeds. Threat
Intel feeds use APIs that allow you to inject feeds into Sky ATP.
• Premium—Includes all features provided in the Free and Basic-Threat Feeds licenses,
but provides deeper analysis. All file types are examined using several analysis
techniques to give better coverage. Full reporting provides details about the threats
found on your network.
NOTE: You do not need to download any additional software to run Sky ATP.
Table 5 on page 12 shows a comparison between the free, basic-threat feeds and premium models.
Table 5: Comparing the Sky ATP Free Model, Basic-Threat Feed, and Premium Model
  Free Model: Inspects only executable file types. Executables go through the entire pipeline (cache, antivirus, static and dynamic).
  Basic-Threat Feeds Model: Inspects only executable file types. Executables go through the entire pipeline (cache, antivirus, static and dynamic).
  Premium Model: No restrictions on object file types inspected beyond those imposed by the Sky ATP service. You can specify which file types are sent to the service for inspection.
For more information on analysis techniques, see “How is Malware Analyzed and
Detected?” on page 8. For additional information on product options, see the Sky ATP
datasheet.
For more information on this and premium license SKUs, contact your local sales
representative.
• SRX340 and SRX345 Series devices—Purchase the JSE bundle (which includes
AppSecure), or purchase the JSB bundle and the AppSecure license separately.
• SRX1500 Series devices—Purchase the JSE bundle (which includes AppSecure).
File Limitations
Table 6 on page 13 lists the maximum number of files per day you can submit to the Sky
ATP cloud for inspection.
Table 6: Maximum Number of Files Per Day Per Device Submitted to Cloud for Inspection
  Platform | Free model (files per day per device) | Premium model (files per day per device)
When an SRX Series device has reached its maximum number of files, it goes into a
paused state as shown in the Submission State column in the Devices > All Devices tab.
See Figure 6 on page 14. Currently, this is the only notification for when the maximum
limit is reached. The device automatically changes to the allowed state when it once
again is below the maximum limit.
When an SRX Series device is in the paused state, the action defined in the fallback-option
property of the set services advanced-anti-malware policy CLI command determines what
to do with files. For example, in the following policy statement, files can be downloaded
to the client systems when the SRX Series device associated with this policy is in the
paused state.
The count does not reset at a specific time, such as midnight local time. Instead, a sliding
window counter determines the number of files submitted to the cloud based on the
current time.
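The sliding-window behaviour described above, as an added example that is not Juniper's implementation: a per-device counter that flips to a paused state when the window holds the daily maximum, applies the fallback action to files while paused, and returns to the allowed state only as old submissions age out of the window, not at midnight. The 24-hour window length, the injectable clock and the fallback values "permit" and "block" are assumptions; the counter semantics on the Sky ATP side are not published on this page.

```python
import time
from collections import deque
from typing import Callable, Deque, Optional

DAY_SECONDS = 24 * 60 * 60   # assumed window length


class ManualClock:
    """Constructed clock so the sliding window can be exercised without waiting a day."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SubmissionCounter:
    """Per-device file-submission counter with a sliding 24-hour window."""

    def __init__(self, max_per_day: int, fallback: str = "permit",
                 clock: Optional[Callable[[], float]] = None) -> None:
        self.max_per_day = max_per_day
        self.fallback = fallback            # assumed fallback-option value: "permit" or "block"
        self.clock = clock or time.time
        self.times: Deque[float] = deque()  # timestamps of submissions inside the window

    def _expire(self) -> None:
        # drop submissions older than the window, measured from now, not from midnight
        cutoff = self.clock() - DAY_SECONDS
        while self.times and self.times[0] <= cutoff:
            self.times.popleft()

    def state(self) -> str:
        """'paused' once the window holds max_per_day submissions, otherwise 'allowed'."""
        self._expire()
        return "paused" if len(self.times) >= self.max_per_day else "allowed"

    def remaining(self) -> int:
        self._expire()
        return self.max_per_day - len(self.times)

    def submit(self, file_name: str) -> str:
        """Try to send a file to the cloud; while paused, return the fallback action instead."""
        if self.state() == "paused":
            return self.fallback
        self.times.append(self.clock())
        return "submitted"


if __name__ == "__main__":
    clock = ManualClock()
    counter = SubmissionCounter(max_per_day=3, fallback="permit", clock=clock)
    for name in ("setup.exe", "tool.exe", "update.exe", "extra.exe"):
        print(name, counter.submit(name), counter.state())
    clock.advance(DAY_SECONDS + 1)
    print("after window:", counter.state(), counter.remaining())
```

The security-relevant consequence is in the fallback: with "permit", a burst of submissions early in the window leaves the device passing uninspected files for the rest of it, so the paused state shown in the Devices > All Devices tab is worth alerting on rather than only noticing after the fact.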
For more information on files and file types, see “Sky Advanced Threat Prevention Profile
Overview” on page 77.
Although Sky ATP is a free add-on to an SRX Series device, you must still enable it prior
to using it. To enable Sky ATP, perform the following tasks:
1. (Optional) Obtain a Sky ATP premium license. See Obtaining the Sky Advanced Threat
Prevention License.
2. Register an account on the Sky ATP cloud Web portal. See “Registering a Sky Advanced
Threat Prevention Account” on page 19.
3. Download and run the Sky ATP script on your SRX Series device. See “Downloading
and Running the Sky Advanced Threat Prevention Script” on page 23.
This topic describes how to install the Sky ATP premium license onto your SRX Series
devices and vSRX deployments. You do not need to install the Sky ATP free license, as
it is included in your base software. Note that the free license has a limited feature
set (see “Sky Advanced Threat Prevention License Types” on page 11 and “Sky Advanced
Threat Prevention File Limitations” on page 13).
When installing the license key, you must use the license that is specific to your device type.
For example, the Sky ATP premium license available for the SRX Series device cannot
be used on vSRX deployments.
1. Contact your local sales office or Juniper Networks partner to place an order for the
Sky ATP premium license.
2. (SRX Series devices only) Use the show chassis hardware CLI command to find the
serial number of the SRX Series devices that are to be tied to the Sky ATP premium
license.
[edit]
root@SRX# run show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis CM1915AK0326 SRX1500
Midplane REV 09 750-058562 ACMH1590 SRX1500
Pseudo CB 0
Routing Engine 0 BUILTIN BUILTIN SRX Routing Engine
FPC 0 REV 08 711-053832 ACMG3280 FEB
PIC 0 BUILTIN BUILTIN 12x1G-T-4x1G-SFP-4x10G
Look for the serial number associated with the chassis item. In the above example,
the serial number is CM1915AK0326.
NOTE: You must have a valid Juniper Networks Customer Support Center
(CSC) account to log in.
NOTE: The 30-day trial license period begins on the day you install the
evaluation license.
To continue using Sky ATP features after the optional 30-day period, you
must purchase and install the date-based license; otherwise, the features
are disabled.
After installing your trial license, set up your realm and contact information before using
Sky ATP. For more information, see Registering a Sky Advanced Threat Prevention Account.
The following instructions describe how to install a license key from the CLI. You can also
add a new license key with J-Web (see Managing Licenses for vSRX.)
NOTE: If you are reinstalling a Sky ATP license key on your vSRX, you must
first remove the existing Sky ATP license. For information on removing licenses
on the vSRX, see Managing Licenses for vSRX.
1. Use the request system license add command to manually paste the license key in
the terminal.
NOTE: You can save the license key to a file and upload the file to the
vSRX file system through FTP or Secure Copy (SCP), and then use the
request system license add file-name command to install the license.
2. (Optional) Use the show system license command to view details of the licenses.
You can install the license key on as many vSRX deployments as needed. However, be
aware that this can affect your file limitation. For example, suppose you purchased a
premium license that has a 10,000 files per day submission to cloud limit. If you install
the premium license on 1000 vSRX deployments and each deployment submits 10 files
to the cloud within the first hour of a day, then no more submissions can be made for the
remainder of that day.
High Availability
Before enrolling your devices with the Sky ATP cloud, set up your HA cluster as described
in your product documentation. For vSRX deployments, make sure the same license key
is used on both cluster nodes. When enrolling your devices, you only need to enroll one
node. The Sky ATP cloud will recognize this is an HA cluster and will automatically enroll
the other node.
To create a Sky ATP account, you must first have a Customer Support Center (CSC) user
account. For more information, see Creating a User Account.
When setting up your Sky ATP account, you must come up with a realm name that
uniquely identifies you and your company. For example, you can use your company name
and your location, such as Juniper-Mktg-Sunnyvale, for your realm name. Realm names
can only contain alphanumeric characters and the dash (“-”) symbol.
1. Open a Web browser, type the following URL and press Enter.
https://sky.junipersecurity.net
The management interface login page appears. See Figure 7 on page 19.
3. Enter your single sign-on (SSO) or CSC username and password and click Next. This
is the same username and password as your CSC account.
4. Enter your unique realm name, company name, and optionally a description. Then
press Next.
NOTE: Verify your realm name before clicking Next. Currently there is no
way to delete realms through the Web UI.
5. Enter your contact information and click Next. Should Juniper Networks need to contact
you, the information you enter here is used as your contact information.
6. Enter a valid e-mail address and password. This will be your log in information to
access the Sky ATP management interface.
7. Click Finish.
Sky ATP uses a Junos OS operation (op) script to help you configure your SRX Series
device to connect to the Sky ATP cloud service. This script performs the following tasks:
• Downloads and installs the certificate authority (CA) certificates onto your SRX Series device.
• Creates local certificates and enrolls them with the cloud server.
NOTE: Sky ATP requires that both your Routing Engine (control plane) and
Packet Forwarding Engine (data plane) can connect to the Internet but the
“to-cloud” connection should not go through the management interface, for
example, fxp0. You do not need to open any ports on the SRX Series device
to communicate with the cloud server. However, if you have a device in the
middle, such as a firewall, then that device must have ports 8080 and 443
open.
Sky ATP requires that your SRX Series device host name contain only
alphanumeric ASCII characters (a-z, A-Z, 0-9), the underscore symbol ( _ )
and the dash symbol ( - ).
For SRX340, SRX345 and SRX500M Series devices, you must run the set security
forwarding-process enhanced-services-mode command before running the op script or
before running the set services advanced-anti-malware connection command. A reboot
of your SRX Series device is required if you are using C&C or GeoIP feeds.
NOTE: When enrolling devices, Sky ATP generates a unique op script for
each request. Each time you click Enroll, you’ll get slightly different
parameters in the op script. The screenshot above is just an example. Do
not copy the above example onto your SRX device. Instead, copy and
paste the output you receive from your Web UI and use that to enroll your
SRX devices.
3. Paste this command into the Junos OS CLI of the SRX Series device you want to enroll
with Sky ATP and press Enter. Your screen will look similar to the following.
NOTE: If for some reason the op script fails, disenroll the device (see
“Disenrolling an SRX Series Device from Sky Advanced Threat Prevention”
on page 43) and then re-enroll it.
The SRX Series device you enrolled now appears in the table. See Figure 12 on page 25.
Once configured, the SRX Series device communicates to the cloud through multiple
persistent connections established over a secure channel (TLS 1.2) and the SRX device
is authenticated using SSL client certificates.
As stated earlier, the script performs basic Sky ATP configuration on the SRX Series
device. These include:
NOTE: You do not need to copy the following examples and run them on
your SRX Series device. The list here is simply to show you what is being
configured by the op script. If you run into any issues, such as with certificates,
rerun the op script.
Sky ATP uses SSL forward proxy for client and server authentication. Instead of
importing the signing certificate and its issuer’s certificates into the trusted-CA list of
client browsers, SSL forward proxy generates a certificate chain and sends this
certificate chain to clients. Certificate chaining eliminates the need to distribute
the signing certificates of SSL forward proxy to the clients, because clients can
implicitly trust the SSL forward proxy certificate, provided the root of that chain is
already trusted by the clients.
The following CLI commands load the local certificate into the PKID cache and load the
certificate chain into the CA certificate cache in PKID, respectively.
user@root> request security pki local-certificate load filename ssl_proxy_ca.crt key sslserver.key certificate-id ssl-inspect-ca
where:
ssl-inspect-ca—Is the certificate ID that SSL forward proxy uses in configuring the root-ca
in the SSL forward proxy profile.
The following is an example of SSL forward proxy certificate chaining used by the op
script.
Configuration Overview
NOTE: These steps assume that you already have your SRX Series device(s)
installed, configured, and operational at your site.
The following table lists the tasks to set up and use Sky ATP. Each entry gives the task, a description, and where to find more information.

(optional) Update the administrator profile
  Update your administrator profile to add more users with administrator privileges to your security realm and to set the thresholds for receiving alert emails. A default administrator profile is created when you register an account.
  See “Sky Advanced Threat Prevention Administrator Profile Overview” on page 37.

Enroll your SRX Series devices
  Select the SRX Series devices to communicate with Sky ATP. Only those listed in the management interface can send files to the cloud for inspection and receive results. This step is done in the Web UI and on your SRX Series device.
  See “Enrolling an SRX Series Device With Sky Advanced Threat Prevention” on page 41.

Set global configurations
  Select Configure > Global Configuration to set the default threshold and, optionally, e-mail accounts to notify when certain thresholds are reached. For example, you can send e-mails to an IT department when a threat level of 5 is reached and to an escalation department when a threat level of 9 is reached.
  See the Web UI tooltips and online help.

(optional) Create whitelists and blacklists
  Create whitelists and blacklists to list network nodes that you trust and do not trust. Whitelisted websites are trusted websites from which downloaded files do not need to be inspected. Blacklisted websites are locations from which downloads should be blocked. Files downloaded from websites that are in neither the whitelist nor the blacklist are sent to the cloud for inspection.
  See “Sky Advanced Threat Prevention Whitelist and Blacklist Overview” on page 45.

(optional) Create the Sky ATP profile
  Sky ATP profiles define which file types are to be sent to the cloud for inspection. For example, you may want to inspect executable files but not documents. If you do not create a profile, the default one is used.
  See “Sky Advanced Threat Prevention Profile Overview” on page 77.

(optional) Identify compromised hosts
  Compromised hosts are systems where there is a high confidence that attackers have gained unauthorized access. Once identified, Sky ATP recommends an action and you can create security policies to take enforcement actions on the inbound and outbound traffic of these infected hosts.
  See “Sky Advanced Threat Prevention Infected Host Overview” on page 69.

(optional) Block outbound requests to a C&C host
  The SRX Series device can intercept and perform an enforcement action when a host on your network tries to initiate contact with a possible C&C server on the Internet.
  See “Sky Advanced Threat Prevention Command and Control Overview” on page 65.

Configure the Advanced Anti-Malware Policy on the SRX Series Device
  Advanced anti-malware security policies reside on the SRX Series device and determine under which conditions files are sent to the cloud and what to do when a file receives a verdict number above the configured threshold.
  See “Sky Advanced Threat Prevention Policy Overview” on page 79.

Configure the Security Intelligence Policy on the SRX Series Device
  Create the security intelligence policies on the SRX Series device to act on infected hosts and on attempts to connect with a C&C server. This step is done on the SRX Series device.
  See “Configuring the SRX Series Devices to Block Infected Hosts” on page 75 and “Configuring the SRX Series Device to Block Outbound Requests to a C&C Host” on page 67.

Enable the firewall policy
  Create your SRX Series firewall policy to filter and log traffic in the network using the set security policies from-zone to-zone CLI commands. This step is done on the SRX Series device.
  See “Configuring the SRX Series Devices to Block Infected Hosts” on page 75 and “Configuring the SRX Series Device to Block Outbound Requests to a C&C Host” on page 67.
You can optionally use APIs for C&C feeds, whitelist and blacklist operations, and file
submission. See the Threat Intelligence Open API Setup Guide for more information.
NOTE:
The cloud sends data, such as your Sky ATP whitelists, blacklists and profiles,
to the SRX Series device every few seconds. You do not need to manually
push your data from the cloud to your SRX Series device. Only new and
updated information is sent; the cloud does not continually send all data.
The cloud feed URL (for example, for blacklists and whitelists; for a complete list, see
“Juniper Networks Sky Advanced Threat Prevention” on page 3) is set up automatically
for you when you run the op script to configure your SRX Series device. See “Downloading
and Running the Sky Advanced Threat Prevention Script” on page 23. There are no further
steps you need to do to configure the cloud feed URL.
If you want to check the cloud feed URL on your SRX Series device, run the show services
security-intelligence URL CLI command. Your output should look similar to the following:
If you do not see a URL listed, run the op script again, as it configures other settings in
addition to the cloud feed URL.
The Sky ATP Web UI is a web-based service portal that lets you monitor malware
download through your SRX Series devices. The Web UI is hosted by Juniper Networks
in the cloud. There is no separate download for you to install on your local system.
NOTE: If you are a licensed Junos Space Security Director user, you can use Security
Director 16.1 and later screens to set up and use Sky ATP. For more information on
using Security Director with Sky ATP, see the Policy Enforcer administration
guide and the Security Director online help. The remainder of this guide refers
to using Sky ATP with the Web UI.
You can perform the following tasks with the Web UI:
• Configuring—Create and view whitelists and blacklists that list safe or harmful network
nodes, and profiles that define what file types to submit to Sky ATP for investigation.
• Reporting—Use the dashboard to view and drill into various reports, such as most
infected file types, top malwares identified, and infected hosts.
The Web UI has infotips that provide information about a specific screen, field or object.
To view the infotip, hover over the question mark (?) without clicking it. See
Figure 13 on page 34.
1. Open a Web browser that has Hypertext Transfer Protocol (HTTP) or HTTP over
Secure Sockets Layer (HTTPS) enabled.
For information on supported browsers and their version numbers, see the Sky
Advanced Threat Prevention Supported Platforms Guide.
2. Go to the Sky ATP Web UI URL:
https://sky.junipersecurity.net
3. On the login page, type your username (your account e-mail address), password, and
realm name and click Log In.
To terminate your session at any time, click the icon in the upper-right corner and click
Logout. See Figure 15 on page 35.
When you register an account for Sky ATP, an administrator account is created for you.
The administrator account is a user account that lets you make changes to the threat
protection configuration in the Web UI. Only administrators can log in to the Web UI;
there is no user or non-administrator account. This administrator account is only for the
Web UI and does not grant access to any of your SRX Series devices.
When you first start the Sky ATP Web UI, you will want to update your administrator
account with the following information:
• Your full name and one or more e-mail addresses to receive e-mails when, for example,
a file verdict is greater than the threshold for blocking.
• Accounts for other users that you want to have administrator privileges in the Web UI.
• (premium license only) The default threat level threshold for blocking.
To access the administrator profile, click the Administration tab in the Web UI.
Multiple administrators can log in to the Web UI at the same time. The Web UI
does not lock windows when someone is editing it, nor does it notify other
sessions that a person is using it. If multiple administrators are editing the same
window at the same time, the last session to save their settings overwrites the
other session’s changes.
Application Tokens: View application tokens that allow Security Director or Open API users to
securely access Sky ATP APIs over HTTPS. When a token is used, you can view
the IP address of the user and the date of last usage by clicking the token name.
Then you can block or unblock IP addresses that are trying to use individual
tokens. An application token is marked inactive if it has not been used for 30
days. Once inactive, all access using the token is blocked until it is activated
again. If an application token has not been used for 90 days, it is automatically
deleted and cannot be recovered.
For more information on updating administrator profile settings, see the Web UI infotips
and online help.
Reset Password
If you forget your password to log in to the Sky ATP dashboard, you can reset it using a
link sent by email when you click Forgot Password from the Sky ATP login screen. The
following section provides details for resetting your password securely over email.
• To reset your password you must enter the realm name and a valid email address.
• Once you receive your password reset email, the link expires immediately upon use or
within one hour. If you want to reset your password again, you must step through the
process to receive a new link.
• Use this process if you have forgotten your password. If you are logged into the
dashboard and want to change your password, you can do that from the Administration
> My Profile page. See Modifying My Profile for those instructions.
1. Click the Forgot Password link on the Sky ATP dashboard login page.
2. In the screen that appears, enter the Email address associated with your account.
4. Click Continue. An email with a link for resetting your password is sent. Note that the
link expires within one hour of receiving it.
6. Enter a new password and then enter it again to confirm it. The password must contain
an uppercase and a lowercase letter, a number, and a special character.
7. Click Continue. The password is now reset. You should receive an email confirming
the reset action. You can now log in with the new password.
• Dashboard Overview
• Enrolling an SRX Series Device With Sky Advanced Threat Prevention on page 41
• Disenrolling an SRX Series Device from Sky Advanced Threat Prevention on page 43
• Removing an SRX Series Device From Sky Advanced Threat Prevention on page 43
Only devices enrolled with Sky ATP can send files for malware inspection.
Before enrolling a device, check whether the device is already enrolled. To do this, use
the Devices screen or the Device Lookup option in the Web UI (see Searching for SRX
Series Devices Within Sky Advanced Threat Prevention). If the device is already enrolled,
disenroll it first before enrolling it again.
Sky ATP uses a Junos OS operation (op) script to help you configure your SRX Series
device to connect to the Sky Advanced Threat Prevention cloud service. This script
performs the following tasks:
• Downloads and installs certificate authority (CA) licenses onto your SRX Series device.
• Creates local certificates and enrolls them with the cloud server.
NOTE: Sky Advanced Threat Prevention requires that both your Routing
Engine (control plane) and Packet Forwarding Engine (data plane) can
connect to the Internet. Sky Advanced Threat Prevention requires the
following ports to be open on the SRX Series device: 80, 8080, and 443.
3. Paste the command into the Junos OS CLI of the SRX Series device you want to enroll
with Sky ATP and press Enter.
NOTE: If the script fails, disenroll the device (see instructions for disenrolling
devices) and then re-enroll it.
Once configured, the SRX Series device communicates to the cloud through multiple
persistent connections established over a secure channel (TLS 1.2) and the SRX Series
device is authenticated using SSL client certificates.
In the Sky ATP Web UI Enrolled Devices page, basic connection information for all enrolled
devices is provided, including serial number, model number, tier level (free or not),
enrollment status in Sky ATP, last telemetry activity, and last activity seen. Click the serial
number for more details. In addition to Enroll, the following buttons are available:
Enroll: Use the Enroll button to obtain an enroll command to run on eligible SRX Series
devices. This command enrolls them in Sky ATP and is valid for 7 days. Once enrolled,
the SRX Series device appears in the Devices and Connections list.
Disenroll: Use the Disenroll button to obtain a disenroll command to run on SRX Series devices
currently enrolled in Sky ATP. This command removes those devices from Sky ATP
enrollment and is valid for 7 days.
Device Lookup: Use the Device Lookup button to search for the device serial number(s) in the licensing
database to determine the tier (premium, feed only, free) of the device. For this
search, the device does not have to be currently enrolled in Sky ATP.
Remove: Removing an SRX Series device is different from disenrolling it. Use the Remove
option only when the associated SRX Series device is not responding (for example,
hardware failure). Removing it disassociates it from the cloud without running the
Junos OS operation (op) script on the device (see Enrolling and Disenrolling Devices).
You can later enroll it using the Enroll option when the device is again available.
For HA configurations, you only need to enroll the cluster master. The cloud will detect
that this is a cluster and will automatically enroll both the master and slave as a pair.
Both devices, however, must be licensed accordingly. For example, if you want premium
features, both devices must be entitled with the premium license.
NOTE: Sky ATP supports only the active-passive cluster configuration. The
passive (non-active) node does not establish a connection to the cloud until
it becomes the active node. Active-active cluster configuration is not
supported.
Related Documentation:
• Removing an SRX Series Device From Sky Advanced Threat Prevention on page 43
• Searching for SRX Series Devices Within Sky Advanced Threat Prevention
• Device Information
If you no longer want an SRX Series device to send files to the cloud for inspection, use
the disenroll option to disassociate it from Sky ATP. See Figure 16 on page 43. The disenroll
process generates an ops script to be run on SRX Series devices and resets any properties
set by the enroll process. You can enroll this device at a later time using the Enroll option.
For more information on disenrolling SRX Series devices, see the Web UI infotips and
online help.
If you no longer want an SRX Series device to send files to the cloud for inspection, use
the disenroll option to disassociate it from Sky Advanced Threat Prevention. The disenroll
process generates an ops script to be run on SRX Series devices and resets any properties
set by the enroll process.
1. Select the check box associated with the device you want to disassociate and click
Disenroll.
3. Paste this command into the Junos OS CLI of the device you want to disenroll and
press Enter.
You can re-enroll this device at a later time using the Enroll option.
Related Documentation:
• Searching for SRX Series Devices Within Sky Advanced Threat Prevention
• Enrolling an SRX Series Device With Sky Advanced Threat Prevention on page 41
• Device Information
A whitelist contains known trusted IP addresses and URLs. Content downloaded from
locations on the whitelist does not have to be inspected for malware. A blacklist contains
known untrusted IP addresses and URLs. Access to locations on the blacklist is blocked,
and therefore no content can be downloaded from those sites.
There are four kinds of whitelists and blacklists. Each list has Global items added and
updated by the cloud. There are also Custom lists that allow you to add items manually.
All are configured on the Sky ATP cloud server. The priority order is as follows:
• Custom whitelist
• Custom blacklist
• Global whitelist
• Global blacklist
NOTE: The global whitelist and global blacklist contents are hidden. You
cannot view or edit them.
• URL
• IP address
• Hostname
The Web UI performs basic syntax checks to ensure your entries are valid.
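As an added illustration of the priority order and the entry syntax check described above (example code written for this guide page, not Juniper's own), the following Python resolves a destination against the four lists. The matching rules for URL, IP address and hostname entries, the acceptance of CIDR blocks as IP entries, and the sample lists are assumptions of this example:

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Priority order stated in the guide: the first list with a match decides.
LIST_PRIORITY = ("custom_whitelist", "custom_blacklist",
                 "global_whitelist", "global_blacklist")

# Assumed hostname syntax: dotted labels of letters/digits/hyphens, alphabetic TLD.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def classify_entry(entry: str) -> str:
    """Basic syntax check for a list entry; returns 'url', 'ip' or 'hostname'.

    The exact rules the Web UI applies are not documented here, so this
    function is an assumption of the example. Raises ValueError otherwise.
    """
    entry = entry.strip()
    if entry.lower().startswith(("http://", "https://")):
        if not urlsplit(entry).hostname:
            raise ValueError(f"URL without a host: {entry!r}")
        return "url"
    try:
        # Accepts a single address or, as an extension, a CIDR block.
        ipaddress.ip_network(entry, strict=False)
        return "ip"
    except ValueError:
        pass
    if _HOSTNAME_RE.match(entry.lower()):
        return "hostname"
    raise ValueError(f"invalid list entry: {entry!r}")


def _host_of(destination: str) -> str:
    """Host part of a URL, or the bare hostname / IP address itself."""
    if destination.lower().startswith(("http://", "https://")):
        return (urlsplit(destination).hostname or "").lower()
    return destination.strip().lower()


def _url_key(url: str) -> tuple:
    """Comparison key for exact URL matching (case-insensitive scheme and host)."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(),
            parts.path.rstrip("/"), parts.query)


def _matches(destination: str, entry: str) -> bool:
    kind = classify_entry(entry)
    host = _host_of(destination)
    if kind == "url":
        return _url_key(destination) == _url_key(entry)
    if kind == "ip":
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False  # destination names a host, not an address
    return host == entry.strip().lower()


def resolve(destination: str, lists: dict) -> tuple:
    """Return (verdict, list_name): 'allow', 'block', or 'inspect' when unlisted.

    `lists` maps each name in LIST_PRIORITY to an iterable of entries; a
    custom whitelist hit wins even when a global blacklist also matches.
    """
    for name in LIST_PRIORITY:
        if any(_matches(destination, entry) for entry in lists.get(name, ())):
            verdict = "allow" if name.endswith("whitelist") else "block"
            return verdict, name
    return "inspect", None


# Constructed sample lists (documentation-range addresses and example.* names).
SAMPLE_LISTS = {
    "custom_whitelist": ["updates.example.com"],
    "custom_blacklist": ["203.0.113.0/24"],
    "global_whitelist": ["http://cdn.example.net/pkg"],
    "global_blacklist": ["evil.example.org", "203.0.113.9"],
}

if __name__ == "__main__":
    for dest in ("https://updates.example.com/x", "http://203.0.113.9/drop",
                 "evil.example.org", "https://neutral.example.com/"):
        print(dest, "->", resolve(dest, SAMPLE_LISTS))
```

Note that 203.0.113.9 is on both the custom blacklist (via its /24) and the global blacklist; the custom entry is reported because it is checked first, which is the behaviour an administrator relies on when overriding a global decision.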
The cloud feed URL for whitelists and blacklists is set up automatically for you when you
run the op script to configure your SRX Series device. See “Downloading and Running
the Sky Advanced Threat Prevention Script” on page 23.
Sky ATP periodically polls for new and updated content and automatically downloads
them to your SRX Series device. There is no need to manually push your whitelist or
blacklist files.
If you do not see your updates, wait a few minutes and try the command again. You might
be outside the Sky ATP polling period.
Once your whitelists or blacklists are created, create an advanced anti-malware policy
to log (or not log) attempts to download a file from a site listed in the blacklist
or whitelist files. For example, the following creates a policy named aawmpolicy1 and
creates log entries.
NOTE: Currently you configure GeoIP through CLI commands and not through
the Web interface.
The cloud feed URL is set up automatically for you when you run the op script to configure
your SRX Series device. See “Downloading and Running the Sky Advanced Threat
Prevention Script” on page 23.
Currently, configuring GeoIP and security policies is done completely on the SRX Series
device using CLI commands.
To configure Sky ATP with GeoIP, you first create the GeoIP DAE and specify the interested
countries. Then, create a security firewall policy to reference the DAE and define whether
to allow or block access.
1. Create the DAE using the set security dynamic-address CLI command. Set the category
to GeoIP and property to country (all lowercase). When specifying the countries, use
the two-letter ISO 3166 country code in capital ASCII letters; for example, US or DE.
For a complete list of country codes, see ISO 3166-1 alpha-2.
In the following example, the DAE name is my-geoip and the interested countries are
the United States (US) and Great Britain (GB).
2. Use the show security dynamic-address CLI command to verify your settings. Your
output should look similar to the following:
[edit]
3. Create the security firewall policy using the set security policies CLI command.
In the following example, the policy is from the untrust to trust zone, the policy name
is my-geoip-policy, the source address is my-geoip created in Step 1, and the action is
to deny access from the countries listed in my-geoip.
4. Use the show security policies CLI command to verify your settings. Your output should
look similar to the following:
...
With Email Management, enrolled SRX devices transparently submit potentially malicious
email attachments to the cloud for inspection. Once an attachment is evaluated, Sky
ATP assigns the file a threat score between 0 and 10, with 10 being the most malicious.
Configure Sky ATP to take one of the following actions when an email attachment is
determined to be malicious:
• Deliver malicious messages with warning headers added—When you select this option,
headers are added to emails that most mail servers recognize and filter into Spam or
Junk folders.
• Permit—You can select to permit the email and the recipient receives it intact.
Quarantine Release
If the recipient selects to release a quarantined email, it is allowed to pass through the
SRX series with a header message that prevents it from being quarantined again, but the
attachments are placed in a password-protected ZIP file. The password required to open
the ZIP file is also included as a separate attachment. The administrator is notified when
the recipient takes an action on the email (either to release or delete it).
If you configure Sky ATP to have the recipient send a request to the administrator to
release the email, the recipient previews the email in the Sky ATP quarantine portal and
can select to Delete the email or Request to Release. The recipient receives a message
when the administrator takes action (either to release or delete the email.)
Access this page from Configure > Email Management > SMTP.
• Decide how malicious emails are handled: quarantined, delivered with headers, or
permitted.
2. Based on your selections, configuration options will vary. See the tables below.
Action to take: Quarantine malicious messages—When you select to quarantine malicious email
messages, in place of the original email, intended recipients receive a custom
email you configure with information on the quarantining. Both the original email
and the attachment are stored in the cloud in an encrypted format.
Release option: • Recipients can release email—This option provides recipients with a link to
the Sky ATP quarantine portal where they can preview the email. From the
portal, recipients can select to Release the email or Delete it. Either action
causes a message to be sent to the administrator.
Learn More Link URL: If you have a corporate web site with further information for users, enter that
URL here. If you leave this field blank, this option will not appear to the end user.
Subject: When an email is quarantined, the recipient receives a custom message informing
them of their quarantined email. For this custom message, enter a subject
indicating a suspicious email sent to them has been quarantined, such as
"Malware Detected."
Custom Message: Enter information to help email recipients understand what they should do next.
Custom Link Text: Enter custom text for the Sky ATP quarantine portal link where recipients can
preview quarantined emails and take action on them.
Buttons: • Click Preview to view the custom message that will be sent to a recipient when
an email is quarantined. Then click Save.
• Click Reset to clear all fields without saving.
• Click Save if you are satisfied with the configuration.
Action to take: Deliver malicious messages with warning headers added—When you select to
deliver a suspicious email with warning headers, you can add headers to emails
that most mail servers will recognize and filter into spam or junk folders.
SMTP Headers: • X-Distribution (Bulk, Spam)—Use this header for messages that are sent to
a large distribution list and are most likely spam. You can also select “Do not
add this header.”
• X-Spam-Flag—This is a common header added to incoming emails that are
possibly spam and should be redirected into spam or junk folders. You can
also select “Do not add this header.”
• Subject Prefix—You can prepend headers with information for the recipient,
such as "Possible Spam."
Action to take: Permit—You can select to permit the message and no further configuration is
required.
5. Click OK.
Access this page from the Configure > Email Management menu.
Use custom blacklists and whitelists to filter email according to administrator defined
lists.
• Compile a list of known malicious email addresses or domains to add to your blacklist.
If an email matches the blacklist, it is considered to be malicious and is handled the
same way as an email with a malicious attachment: it is blocked and a replacement email
is sent. If an email matches the whitelist, that email is allowed through without any
scanning.
• It is worth noting that attackers can easily fake the “From” email address of an email,
making blacklists a less effective way to stop malicious emails.
The procedure for adding addresses to blacklists and whitelists is the same, although
the results are very different. Be sure you are adding the entry to the correct list.
3. Enter the full address in the format [email protected] or wildcard the name to permit
or block all emails from a specific domain. For example, *@domain.com.
4. Click OK.
The SMTP quarantine monitor page lists quarantined emails with their threat score and
other details including sender and recipient. You can also take action on quarantined
emails here, including releasing them and adding them to the blacklist.
Time Range: Use the slider to narrow or increase the time-frame within the time
parameter selected in the top right: 12 hrs, 24 hrs, 7 days or custom.
Total Email Scanned: This lists the total number of emails scanned during the chosen time-frame and
then categorizes them into blocked, quarantined, released, and permitted emails.
Malicious Email Count: This is a graphical representation of emails, organized by time, with lines for blocked
emails, quarantined and not released emails, and quarantined and released emails.
Emails Scanned: This is a graphical representation of emails, organized by time, with lines for total
emails, and emails with one or more attachments.
Email Classification: This is another graphical view of classified emails, organized by percentage of
blocked emails, quarantined and not released emails, and quarantined and released
emails.
Subject: Click the Read This link to go to the Sky ATP quarantine portal and preview the
email.
Malicious Attachment: Click on the attachment name to go to the Sky ATP file scanning page where you
can view details about the attachment.
Threat Score: The threat score of the attachment, 0-10, with 10 being the most malicious.
Threat Name: The type of threat found in the attachment, for example, worm or trojan.
Action: The action taken, including the date and the person (recipient or administrator)
who took the action.
Using the available buttons on the Details page, you can take the following actions on
blocked emails:
• Release
Note the following behavior regarding modes (permit and block) and blacklists and
whitelists.
• In permit mode:
• In block mode:
• If an e-mail address is configured in the blacklist, the e-mail is blocked and is not
sent to the cloud for scanning.
Unlike file scanning policies where you define an action permit or action block statement,
with SMTP email management the action to take is defined in the Configure > Email
Management > SMTP window. All other actions are defined with CLI commands as before.
Shown below is an example policy with email attachments addressed in profile profile2.
    default-notification {
        log;
    }
    whitelist-notification {
        log;
    }
    blacklist-notification {
        log;
    }
    fallback-options {
        action permit; # default is permit and no log.
        notification log;
    }
}
...
In the above example, the email profile (profile2) looks like this:
The firewall policy is similar to before. The AAMW policy is placed in the trust-to-untrust zone.
See the example below.
Shown below is another example, using the show services advanced-anti-malware policy
CLI command. In this example, emails are quarantined if their attachments are found to
contain malware. A verdict score of 8 and above indicates malware.
Optionally you can configure forward and reverse proxy for server and client protection,
respectively. For example, if you are using SMTPS, you may want to configure reverse
proxy. For more information on configuring reverse proxy, see “Configuring Reverse Proxy”
on page 62.
Use the show services advanced-anti-malware statistics CLI command to view statistical
information about email management.
As before, use the clear services advanced-anti-malware statistics CLI command to clear
the above statistics when you are troubleshooting.
For debugging purposes, you can also set SMTP trace options.
Before configuring the SMTP threat prevention policy, make sure you have done the
following:
• Define the action to take (quarantine or deliver malicious messages) and the end-user
email notification in the Configure > Email Management > SMTP window.
• (Optional) Create a profile in the Configure > Device Profiles window to indicate which
email attachment types to scan. Or, you can use the default profile.
The following steps show the minimum configuration. To configure the threat prevention
policy for SMTP using the CLI:
• Associate the policy with the SMTP profile. In this example, it is the default_profile
profile.
• Configure your global threshold. If a verdict comes back equal to or higher than this
threshold, then it is considered to be malware. In this example, the global threshold
is set to 7.
• When there is an error condition, send the email to the recipient and create a log
entry.
2. Configure the firewall policy to enable the advanced anti-malware application service.
• Load the server certificates and their keys into the SRX Series device certificate
repository.
Starting with Junos OS Release 15.1X49-D80, the SRX Series device acts as a proxy, so
it can downgrade SSL negotiation to RSA. This was not possible in prior releases. Other
changes are shown in Table 15 on page 62.
Table 15: Comparing Reverse Proxy Before and After Junos OS Release 15.1X49-D80

Proxy model
Prior to 15.1X49-D80: Runs only in tap mode. Instead of participating in the SSL handshake, it listens to the SSL handshake, computes session keys and then decrypts the SSL traffic.
15.1X49-D80 and later: Terminates client SSL on the SRX Series device and initiates a new SSL connection with a server. Decrypts SSL traffic from the client/server and encrypts again (after inspection) before sending to the server/client.

Protocol version
Prior to 15.1X49-D80: Does not support TLS Version 1.1 and 1.2.
15.1X49-D80 and later: Supports all current protocol versions.

Ecosystem
Prior to 15.1X49-D80: Tightly coupled with IDP engine and its detector.
15.1X49-D80 and later: Uses existing SSL forward proxy with TCP proxy underneath.

Security services
Prior to 15.1X49-D80: Decrypted SSL traffic can be inspected only by IDP.
15.1X49-D80 and later: Just like forward proxy, decrypted SSL traffic is available for all security services.

Ciphers supported
Prior to 15.1X49-D80: A limited set of ciphers is supported.
15.1X49-D80 and later: All commonly used ciphers are supported.
The remainder of this topic uses the term SSL proxy to denote both forward proxy and
reverse proxy.
Like forward proxy, reverse proxy requires a profile to be configured at the firewall rule
level. In addition, you must also configure server certificates with private keys for reverse
proxy. During an SSL handshake, the SSL proxy performs a lookup for a matching server
private key in its server private key hash table database. If the lookup is successful, the
handshake continues. Otherwise, SSL proxy aborts the handshake. Reverse proxy does
not prohibit server certificates. It forwards the actual server certificate/chain as is to the
client without modifying it. Intercepting the server certificate occurs only with forward
proxy. The following shows example forward and reverse proxy profile configurations.
needed.
    root-ca ssl-inspect-ca;
    actions {
        ignore-server-auth-failure;
        log {
            all;
        }
    }
}
profile ssl-1 {
    root-ca ssl-inspect-ca;
    actions {
        ignore-server-auth-failure;
        log {
            all;
        }
    }
}
profile ssl-2 {
    root-ca ssl-inspect-ca;
    actions {
        ignore-server-auth-failure;
        log {
            all;
        }
    }
}
profile ssl-server-protection { # For reverse proxy. No root-ca is needed.
    server-certificate ssl-server-protection;
    actions {
        log {
            all;
        }
    }
}
}
...
You must configure either root-ca or server-certificate in an SSL proxy profile. Otherwise
the commit check fails. See Table 16 on page 63.
root-ca configured: Yes. server-certificate configured: Yes. Result: Commit check fails. Configuring both server-certificate and root-ca
in the same profile is not supported.
Configuring multiple instances of forward and reverse proxy profiles is supported. But
for a given firewall policy, only one profile (either a forward or reverse proxy profile) can
be configured. Configuring both forward and reverse proxy on the same device is also
supported.
You cannot configure the previous reverse proxy implementation with the new reverse
proxy implementation for a given firewall policy. If both are configured, you will receive
a commit check failure message.
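As an added example (not Juniper's code), the following Python reads SSL proxy profiles written in the brace format shown above and applies the root-ca / server-certificate rule as an offline check before commit. The minimal parser, the sample configuration and the profile names ssl-both and ssl-empty are assumptions of this example; ssl-1, ssl-server-protection and ssl-inspect-ca are the names used on this page:

```python
def parse_junos(text: str) -> dict:
    """Parse Junos curly-brace configuration text into nested dicts.

    A block 'name {' becomes {name: {...}}; a statement 'kw value;' becomes
    {kw: value} (None when the statement is a bare keyword). Text after '#'
    is ignored. Written for this example; it does not handle annotations,
    groups, or quoted strings that contain braces or semicolons.
    """
    root = {}
    stack = []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            cur[line[:-1].strip()] = block
            stack.append(cur)
            cur = block
        elif line == "}":
            if not stack:
                raise ValueError("unexpected '}'")
            cur = stack.pop()
        elif line.endswith(";"):
            parts = line[:-1].split(None, 1)
            cur[parts[0]] = parts[1] if len(parts) > 1 else None
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if stack:
        raise ValueError("missing closing brace")
    return root


def check_ssl_proxy_profiles(config: dict) -> dict:
    """Apply the rule from this topic: each profile under services ssl proxy
    must carry exactly one of root-ca (forward proxy) or server-certificate
    (reverse proxy). Returns {profile_name: outcome}."""
    proxy = config.get("services", {}).get("ssl", {}).get("proxy", {})
    results = {}
    for key, body in proxy.items():
        if not (isinstance(body, dict) and key.startswith("profile ")):
            continue
        name = key.split(None, 1)[1]
        has_ca, has_cert = "root-ca" in body, "server-certificate" in body
        if has_ca and has_cert:
            results[name] = "commit check fails: both root-ca and server-certificate"
        elif has_ca:
            results[name] = "forward proxy"
        elif has_cert:
            results[name] = "reverse proxy"
        else:
            results[name] = "commit check fails: neither root-ca nor server-certificate"
    return results


# Constructed sample: two valid profiles plus two that the commit check rejects.
SAMPLE_CONFIG = """\
services {
    ssl {
        proxy {
            profile ssl-1 { # forward proxy
                root-ca ssl-inspect-ca;
                actions {
                    ignore-server-auth-failure;
                    log {
                        all;
                    }
                }
            }
            profile ssl-server-protection { # reverse proxy
                server-certificate ssl-server-protection;
                actions {
                    log {
                        all;
                    }
                }
            }
            profile ssl-both {
                root-ca ssl-inspect-ca;
                server-certificate ssl-server-protection;
            }
            profile ssl-empty {
                actions {
                    log {
                        all;
                    }
                }
            }
        }
    }
}
"""

if __name__ == "__main__":
    for profile, outcome in check_ssl_proxy_profiles(parse_junos(SAMPLE_CONFIG)).items():
        print(f"{profile}: {outcome}")
```

Feeding it the output of a configuration dump catches the two failing cases before a commit is attempted on the device.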
1. Load the server certificates and their keys into the SRX Series device certificate
repository using the CLI command request security pki local-certificate load filename
filename key key certificate-id certificate-id. For example:
2. Attach the server certificate identifier to the SSL Proxy profile using the CLI command
set services ssl proxy profile profile server-certificate certificate-id. For example:
3. Use the show services ssl CLI command to verify your configuration. For example:
Command and control (C&C) servers remotely send malicious commands to a botnet,
or a network of compromised computers. The botnets can be used to gather sensitive
information, such as account numbers or credit card information, or to participate in a
distributed denial-of-service (DDoS) attack.
When a host on your network tries to initiate contact with a possible C&C server on the
Internet, the SRX Series device can intercept the traffic and perform an enforcement
action based on real-time feed information from Sky ATP. The Web UI identifies the C&C
server IP address, its threat level, the number of times the C&C server has been contacted,
and so on.
An FP/FN button lets you report a false positive or false negative for each C&C server
listed. When reporting a false negative, Sky ATP will assign a C&C threat level equal to the
global threat level threshold you assign in the global configuration (Configure > Global
Configuration).
Sky ATP blocks that host from communicating with the C&C server and can allow the
host to communicate with other servers that are not on the C&C list depending on your
configuration settings. The C&C threat level is calculated using a proprietary algorithm.
You can also use the show services security-intelligence statistics or show services
security-intelligence statistics profile profile-name CLI commands to view C&C statistics.
You can also use the show services security-intelligence category detail category-name
category-name feed-name feed-name count number start number CLI command to view
more information about the C&C servers and their threat level.
NOTE: Set both count and start to 0 to display all C&C servers.
For example:
...
The cloud feed URL for C&C is set up automatically for you when you run the op script
to configure your SRX Series device. See “Downloading and Running the Sky Advanced
Threat Prevention Script” on page 23.
Configuring the SRX Series Device to Block Outbound Requests to a C&C Host
The C&C feed lists devices that attempt to contact a C&C host. If an outbound request
to a C&C host is attempted, the request is blocked and logged or just logged, depending
on the configuration. Currently, you configure C&C through CLI commands and not through
the Web interface.
1. Configure the C&C profile. In this example the profile name is cc_profile and threat
levels 8 and above are blocked.
2. Verify your profile is correct using the show services security-intelligence CLI command.
Your output should look similar to this.
3. Configure your C&C policy to point to the profile created in Step 1. In this example, the
C&C policy name is cc_policy.
4. Verify your policy is correct using the show services security-intelligence CLI command.
Your output should look similar to this.
[edit]
5. Configure the firewall policy to include the C&C policy. This example sets the
trust-to-untrust zone.
6. Verify your command using the show security policies CLI command. It should look
similar to this:
Infected hosts are systems where there is a high confidence that attackers have gained
unauthorized access. When a host is compromised, the attacker can do several things
to the computer, such as:
• Send junk or spam e-mail to attack other systems or distribute illegal software.
In Sky ATP, infected hosts are listed as data feeds (also called information sources). The
feed lists the IP address or IP subnet of the host along with a threat level, for example,
xxx.xxx.xxx.133 and threat level 5. Once identified, Sky ATP recommends an action and
you can create security policies to take enforcement actions on the inbound and outbound
traffic on these infected hosts. Sky ATP uses multiple indicators, such as a client
attempting to contact a C&C server or a client attempting to download malware, and a
proprietary algorithm to determine the infected host threat level.
The data feed URL is set up automatically for you when you run the op script to configure
your SRX Series device. See “Downloading and Running the Sky Advanced Threat
Prevention Script” on page 23.
Figure 19 on page 70 shows one example of how devices are labelled as infected hosts
by downloading malware.
Step Description
1 A client with IP address 10.1.1.1 is located behind an SRX Series device and requests a
file to be downloaded from the Internet.
2 The SRX Series device receives the file from the Internet and checks its security policies
to see if any action needs to be taken before sending the file to the client.
3 The SRX Series device has a Sky ATP policy that requires files of the same type that was
just downloaded to be sent to the cloud for inspection.
This file is not cached in the cloud, meaning this is the first time this specific file has been
sent to the cloud for inspection, so the SRX Series device sends the file to the client while
the cloud performs an exhaustive inspection.
4 In this example, the cloud analysis determines the file has a threat level greater than the
threshold indicating that the file is malware, and sends this information back to the SRX
Series device.
The client remains on the infected host list until an administrator performs further analysis
and determines it is safe.
You can also use the show services security-intelligence statistics CLI command to view
a quick report.
An e-mail alert can be configured on the Configure > Global Configuration tab to notify users when
a host’s threat level is at or above a specified threshold.
A malware and host status event syslog message is created in /var/log/messages. Junos
OS supports forwarding logs using stream mode and event mode. For information on
JSA and QRadar SIEM support, see Sky ATP Supported Platforms Guide.
NOTE: To use syslog, you must configure system logging on every SRX Series
device within the same realm. For example, if REALM1 contains SRX1 and
SRX2, both SRX1 and SRX2 must have system logging enabled. For more
information on configuring system logging, see SRX Getting Started - System
Logging.
Field                 Description
infected_host_status  Infected host status. One of: Added, Cleared, Present, Absent.
reason                Reason for the log entry. One of: Malware, CC, Manual.
details               Brief description of the entry reason, for example: malware analysis detected host
                      downloaded a malicious_file with score 9, sha256 abc123
You can configure either block drop or block close. With block drop, the SRX Series device
silently drops the session’s packets and the session eventually times out. With block close,
the SRX Series device sends a TCP RST packet to both the client and the server and the session
is torn down immediately.
Use block close, for example, to protect the resources of your client or server: it releases
the client and server sockets immediately. If client or server resources are not a concern, or
you do not want to reveal that a firewall is present in the network, use block drop.
Block close is valid only for TCP traffic. Non-TCP traffic is block dropped even if you
configure block close. For example, if you configure infected hosts to block close:
...
set services security-intelligence profile pr2 rule r2 then action block close
...
ICMP traffic sent through the device is still silently dropped (block drop), not reset.
For more information on setting block drop and block close, see “Configuring the SRX
Series Devices to Block Infected Hosts” on page 75.
Host Details
Click the host IP address on the hosts main page to view detailed information about
current threats to the selected host by time frame. From the details page, you can also
change the investigation status and the blocked status of the host. For more information
on the host details, see the web UI tooltips and online help.
You can also use the show security dynamic-address category-name Infected-Hosts CLI
command to view the infected host list.
An Infected-Host feed lists the hosts that have been compromised and need to be
quarantined from communicating with other devices. The feed is in the format of IP
addresses and a threat level, for example xxx.xxx.xxx.133 with threat level 5. You can
configure security policies to take enforcement actions on the inbound and outbound
traffic to and from a host whose IP address is listed in the feed. The Infected-Host feed
is downloaded to the SRX Series device only when the infected host profile is configured
and enabled in a firewall policy.
To create the infected host profile and policy and firewall policy:
1. Define a profile for both infected hosts and C&C. In this example, the infected host
profile is named ih-profile and its action is block drop for anything with a threat level
of 5 or higher (the rule matches threat levels 5 through 10). The C&C profile is named
cc-profile and is based on outbound requests to a C&C host, so add C&C rules to that
profile (threat levels 8 and above are blocked).
root@host# set services security-intelligence profile ih-profile category Infected-Hosts rule if-rule match threat-level [5 6 7 8 9 10]
root@host# set services security-intelligence profile ih-profile category Infected-Hosts rule if-rule then action block drop
root@host# set services security-intelligence profile ih-profile category Infected-Hosts rule if-rule then log
2. Verify your command using the show services security-intelligence CLI command. It
should look similar to this:
3. Configure the security intelligence policy to include both profiles created in Step 1. In
this example, the policy is named infected-host-cc-policy.
4. Configure the firewall policy to include the security intelligence policy. This example
sets the trust-to-untrust zone.
5. Verify your command using the show security policies CLI command. It should look
similar to this:
Sky ATP profiles let you define which files to send to the cloud for inspection. You can
create Sky ATP profiles only with the cloud graphical interface; you cannot create the
profile using CLI commands. You can, however, use CLI commands to view the profile
on the SRX Series device to make sure it matches the one in the cloud.
Instead of having to list every single type of file you want to scan, Sky ATP lets you pick
file categories to send to the cloud. See Table 17 on page 77.
Category            Description                                       File extensions
Code                Source code                                       .c, .cc, .cpp, .cxx, .h, .htt, .java
Document            All document types except PDFs                    .chm, .doc, .docx, .dotx, .hta, .html, .pot, .ppa,
                                                                      .pps, .ppt, .pptsm, .pptx, .ps, .rtf, .txt, .xlsx,
                                                                      .xml, .xsl, .xslt
Executable          Executable binaries                               .bin, .com, .dat, .exe, .msi, .msm, .mst
Java                Java applications, archives and libraries         .class, .ear, .jar, .war
Library             Dynamic and static libraries and kernel modules   .a, .dll, .kext, .ko, .o, .so, .ocx
Script              Scripting files                                   .bat, .js, .pl, .ps1, .py, .sct, .sh, .tcl, .vbs, .plsm,
                                                                      .pyc, .pyo
Portable document   PDF, e-mail and MBOX files                        .email, .mbox, .pdf, .pdfa
NOTE: If you are using the free model of Sky ATP, you are limited to just the
executable file category.
You can also define a maximum file size for each category to send to the cloud. If a file
exceeds the maximum file size limit, the Sky ATP policy fallback option decides whether the
file is allowed or denied for download. For more information, see “Sky Advanced Threat
Prevention Policy Overview” on page 79.
For more information on creating Sky ATP profiles, see the Web UI infotips and online
help.
Sky ATP periodically polls for new and updated content and automatically downloads
it to your SRX Series device. There is no need to manually push your profile.
To verify your updates are on your SRX Series devices, enter the following CLI command:
You can compare the version numbers or the contents to verify your profile is current.
If you do not see your updates, wait a few minutes and try the command again. You might
be outside the Sky ATP polling period.
Once the profile is created, use the set services advanced-anti-malware policy CLI
command to associate the Sky ATP profile with the Sky ATP policy.
The connection to the Sky ATP cloud is launched on-demand. It is established only when
a condition is met and a file or URL must be sent to the cloud. The cloud inspects the file
and returns a verdict number (1 through 10). A verdict number is a score or threat level.
The higher the number, the higher the malware threat. The SRX Series device compares
this verdict number to the Sky ATP policy settings and either permits or denies the session.
If the session is denied, a reset packet is sent to the client and the packets are dropped
from the server.
Sky ATP policies are an extension to the Junos OS security policies. Table 18 on page 80
shows the additions.
Field                                  Description
Action and notification based on       Defines the threshold value and what to do when the verdict number is greater than or equal to
the verdict number and threshold       the threshold. For example, if the threshold is 7 (the recommended value) and Sky ATP returns
                                       a verdict number of 8 for a file, then that file is blocked from being downloaded and a log entry
                                       is created.
Default action and notification        Defines what to do when the verdict number is less than the threshold. For example, if the
                                       threshold is 7 and Sky ATP returns a verdict number of 3 for a file, then that file is downloaded
                                       and a log entry is created.
Name of the inspection profile         Name of the Sky ATP profile that defines the types of file to scan. For example:
                                       set services advanced-anti-malware policy aamwpolicy1 http inspection-profile default_profile
Fallback options                       Defines what to do when error conditions occur or when there is a lack of resources. The following
                                       fallback options are available:
                                       NOTE: The above actions assume a valid session is present. If no valid session is present, Sky
                                       ATP permits the file, regardless of whether you set the fallback option to block.
Blacklist notification                 Defines whether to create a log entry when attempting to download a file from a site listed in
                                       the blacklist file.
Whitelist notification                 Defines whether to create a log entry when attempting to download a file from a site listed in
                                       the whitelist file.
Name of SMTP inspection profile        Name of the inspection profile for SMTP e-mail attachments. The “actions to take” are defined
                                       in the Web UI and not through CLI commands.
Use the show services advanced-anti-malware policy CLI command to view your Sky ATP
policy settings.
Use the show security policies CLI command to view your firewall policy settings.
For more examples, see “Example: Configuring a Sky Advanced Threat Prevention Policy
using CLI” on page 83.
If you have not already done so, configure ssl-inspect-ca, which is used for SSL forward
proxy and for detecting malware in HTTPS traffic. Shown below is one example of configuring
SSL forward proxy. For complete information, see Configuring SSL Proxy.
1. From operational mode, generate a PKI public/private key pair for a local digital
certificate.
user@host> request security pki generate-key-pair certificate-id certificate-id size size type type
For example:
user@host> request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa
Once done, you can configure the SSL forward proxy to inspect HTTPS traffic. For example:
For a more complete example, see “Example: Configuring a Sky Advanced Threat
Prevention Policy using CLI” on page 83.
Related • Example: Configuring a Sky Advanced Threat Prevention Policy using CLI on page 83
Documentation
Example: Configuring a Sky Advanced Threat Prevention Policy Using the CLI
This example shows how to create a Sky ATP policy using the CLI. It assumes you
understand configuring security zones and security policies. See Example: Creating Security
Zones.
• Requirements on page 83
• Overview on page 83
• Configuration on page 84
• Verification on page 86
Requirements
This example uses the following hardware and software components:
Overview
This example creates a Sky ATP policy that has the following properties:
• Block any file if its returned verdict is greater than or equal to 7 and create a log entry.
• When there is an error condition, allow files to be downloaded and create a log entry.
• Create a log entry when attempting to download a file from a site listed in the blacklist
or whitelist files.
Configuration
Step-by-Step The following example requires you to navigate various levels in the configuration
Procedure hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode
in the Junos OS CLI User Guide.
• Set the policy name to aamwpolicy1 and block any file if its returned verdict is
greater than or equal to 7.
• Block any file if its returned verdict is greater than or equal to 7 and create a log
entry.
• When there is an error condition, allow files to be downloaded and create a log
entry.
• Create a log entry when attempting to download a file from a site listed in the
blacklist or whitelist files.
• For SMTP, you only need to specify the profile name. The user-defined action to take
is defined in the Sky ATP cloud portal.
Note that this command assumes you have already configured ssl-inspect-ca, which is
used for SSL forward proxy. If you have not, an error occurs when you commit this
configuration. See “Enabling Sky ATP for Encrypted HTTPS Connections” on page 82 for
more information on configuring ssl-inspect-ca.
user@host# set security policies from-zone trust to-zone untrust policy firewall-policy1 then permit application-services ssl-proxy profile-name ssl-inspect-profile
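A commit-ready version of this example, added here and not taken from the original guide, that joins the SSL forward proxy prerequisite from “Enabling Sky ATP for Encrypted HTTPS Connections” with the policy fields of Table 18 and the properties listed in the Overview. The self-signed CA domain name, subject and e-mail address, the proxy profile name ssl-inspect-profile and the inspection profile name default_profile are assumptions; the inspection profile itself must already exist in the cloud portal, since it cannot be created from the CLI. Confirm the statement syntax against your Junos OS release.

```junos
# Added example, not from the original guide. Placeholders: ssl-inspect.example.net and the
# certificate subject, ssl-inspect-profile, firewall-policy1, default_profile.

# 1. Root CA for SSL forward proxy (operational mode). The key pair is the one generated in
#    the HTTPS topic; the self-signed certificate is what your clients must trust.
request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa
request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name ssl-inspect.example.net subject "CN=ssl-inspect.example.net,OU=Security,O=Example,L=Sunnyvale,ST=CA,C=US" email [email protected]

# 2. SSL forward proxy profile (configuration mode). trusted-ca all uses the device CA
#    bundle for server validation; log all is noisy but useful while bringing the proxy up.
set services ssl proxy profile ssl-inspect-profile root-ca ssl-inspect-ca
set services ssl proxy profile ssl-inspect-profile trusted-ca all
set services ssl proxy profile ssl-inspect-profile actions log all

# 3. Sky ATP policy: block and log at verdict 7 and above, permit and log below the
#    threshold and on error conditions, log blacklist and whitelist hits, and name the
#    SMTP profile only (its actions are defined in the cloud portal).
set services advanced-anti-malware policy aamwpolicy1 verdict-threshold 7
set services advanced-anti-malware policy aamwpolicy1 http inspection-profile default_profile
set services advanced-anti-malware policy aamwpolicy1 http action block notification log
set services advanced-anti-malware policy aamwpolicy1 default-notification log
set services advanced-anti-malware policy aamwpolicy1 fallback-options action permit
set services advanced-anti-malware policy aamwpolicy1 fallback-options notification log
set services advanced-anti-malware policy aamwpolicy1 blacklist-notification log
set services advanced-anti-malware policy aamwpolicy1 whitelist-notification log
set services advanced-anti-malware policy aamwpolicy1 smtp inspection-profile default_profile

# 4. Firewall policy: both application services on the same permit rule, because the proxy
#    must decrypt before a file can be inspected. Commit fails if ssl-inspect-ca is missing.
set security policies from-zone trust to-zone untrust policy firewall-policy1 match source-address any
set security policies from-zone trust to-zone untrust policy firewall-policy1 match destination-address any
set security policies from-zone trust to-zone untrust policy firewall-policy1 match application any
set security policies from-zone trust to-zone untrust policy firewall-policy1 then permit application-services ssl-proxy profile-name ssl-inspect-profile
set security policies from-zone trust to-zone untrust policy firewall-policy1 then permit application-services advanced-anti-malware-policy aamwpolicy1
commit

# 5. Verification (operational mode), matching the Verification section below.
show services advanced-anti-malware policy aamwpolicy1
show services advanced-anti-malware status
show services advanced-anti-malware statistics
show security pki local-certificate certificate-id ssl-inspect-ca
```

The fallback action is permit here because the Overview asks for it; on a network where a missed sample matters more than a blocked download, set it to block, remembering the Table 18 note that a file with no valid session is permitted regardless.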
Verification
Action: First, verify that your SRX Series device is connected to the cloud.
After some traffic has passed through your SRX Series device, check the statistics to see
how many sessions were permitted, blocked, and so forth according to your profile and
policy settings.
Sky ATP keeps a record of all file metadata sent to the cloud for inspection. You can view
the files sent from your network by selecting Monitor > File Scanning in the Web UI. See
Figure 21 on page 89. Your firewall policy determines what to do if a file is suspected of
being malware. For example, block that file from being downloaded to the client.
By default, threat levels 4 and above are shown. Click the file’s signature to view more
information, such as file details, what other malware scanners say about this file, and a
complete list of hosts that downloaded this file. See Figure 22 on page 90.
For more information on the file scan details page, see the Web UI tooltips and online
help.
If you suspect a file is suspicious, you can manually upload it for scanning and evaluation.
Click Monitor > File Scanning > Manual Upload to browse to the file you want to upload.
The file can be up to 32 MB.
There is a limit to the number of files administrators can upload for manual scanning.
Uploads are limited per realm (across all users in the realm) in a 24-hour period: two files
for each active enrolled device and 10 files for each premium-licensed device in your
account. For example, with two Sky ATP premium-licensed SRX Series devices and one other
SRX Series device, Sky ATP allows a maximum of 22 files in a 24-hour window.
For more information on scanning files, see the Web UI infotips and online help.
Viewing Reports
• C&C server and malware source locations (available only if you purchased the premium
license. For more information, see “Sky Advanced Threat Prevention License Types”
on page 11.)
These reports are available as widgets that you drag and drop to the dashboard. See
Figure 23 on page 92. All reports are specific to your realm; no report currently covers
trends derived from the Sky ATP worldwide database. Data reported from files uploaded
from your SRX Series devices and other features make up the reports shown in your
dashboard.
Drag a report widget to the dashboard to view its details. See Figure 24 on page 92. Note
that the report widget itself remains in the Select Widgets section, you are just dragging
a copy to the dashboard.
The number in the lower corner of the widget tells how many of those reports are displayed
in the dashboard.
To move a report within the dashboard, place your cursor in the report heading and drag
it to the new location.
For more information on Sky ATP reports, see the Web UI infotips and online help.
Troubleshooting
This topic provides a general guide to troubleshooting some typical problems you may
encounter on Sky ATP.
Problem                                       See
SRX device can’t communicate with cloud       “Troubleshooting Sky Advanced Threat Prevention: Checking DNS and Routing Configurations” on page 96
                                              “Troubleshooting Sky Advanced Threat Prevention: Checking the Routing Engine Status” on page 99
Files not being sent to cloud                 “Troubleshooting Sky Advanced Threat Prevention: Checking DNS and Routing Configurations” on page 96
                                              “Troubleshooting Sky Advanced Threat Prevention: Checking the Routing Engine Status” on page 99
Viewing system log messages                   “Viewing Sky Advanced Threat Prevention System Log Messages” on page 106
Dashboard reports not displaying any data     “Sky Advanced Threat Prevention Dashboard Reports Not Displaying” on page 110
Domain name system (DNS) servers are used for resolving hostnames to IP addresses.
For redundancy, it is a best practice to configure access to multiple DNS servers. You can
configure a maximum of three DNS servers. The approach is similar to the way Web
browsers resolve the name of a Web site to its network address. Additionally, Junos OS
enables you to configure one or more domain names, which it uses to resolve hostnames
that are not fully qualified (in other words, the domain name is missing). This is convenient
because you can use a hostname in configuring and operating Junos OS without the need
to reference the full domain name. After adding DNS server addresses and domain names
to your Junos OS configuration, you can use DNS-resolvable hostnames in your
configuration and commands instead of IP addresses.
DNS servers are site-specific. The following examples show how to check your settings;
your results will differ from those shown here.
Use ping to verify that the SRX Series device can communicate with the cloud server. First
use the show services advanced-anti-malware status CLI command to get the cloud server
hostname.
Now ping the server. The cloud server will not respond to ping, but you can still use this
command to check that the hostname resolves to an IP address.
user@host> ping xxx.xxx.xxx.com
If you do not get a ping: cannot resolve hostname: Unknown host message, the hostname
can be resolved.
You can also use telnet to verify that the SRX Series device can communicate with the cloud
server. First, check the routing table to find the external route interface. In the following
example, it is ge-0/0/3.0.
If telnet is successful, your SRX Series device can communicate with the cloud server.
Use the show security pki local-certificate CLI command to check your local certificates.
Ensure that the current date is within the certificate’s valid dates. The ssl-inspect-ca certificate is
used for SSL proxy. Shown below are some examples. Your output may look different, as
it depends on your setup and location.
Use the show security pki ca-certificate command to check your CA certificates. The
argon-ca certificate is the client certificate’s CA, while argon-secintel-ca is the server
certificate’s CA. Ensure that the current date is within each certificate’s valid dates.
= [email protected]
Validity:
Not before: 05-19-2015 03:22 UTC
Not after: 05-16-2045 03:22 UTC
Public key algorithm: rsaEncryption(2048 bits)
When you enroll an SRX Series device, the ops script installs two CA certificates: one for
the client and one for the server. Client-side CA certificates are associated with serial
numbers. Use the show security pki local-certificate detail CLI command to get your
device’s certificate details and serial number.
Then use the show security pki crl detail CLI command to make sure your serial number
is not in the Certificate Revocation List (CRL). If your serial number is listed in the CRL
then that SRX Series device cannot connect to the cloud server.
Troubleshooting Sky Advanced Threat Prevention: Checking the Routing Engine Status
Use the show services advanced-anti-malware status CLI command to show the
connection status from the control plane or routing engine.
Control Plane:
Connection Time: 2015-12-01 08:58:02 UTC
Connection Status: Connected
Service Plane:
fpc0
Connection Active Number: 0
Connection Failures: 0
If the connection fails, the CLI command will display the reason in the Connection Status
field. Valid options are:
• Not connected
• Initializing
• Connecting
• Connected
• Disconnected
• Connect failed
Description Tests the connection between the SRX Series device and the Sky ATP cloud by initiating
a websocket connection and then sending data payloads of a given size. The SRX Series
device must already be enrolled with Sky ATP before running this command.
Run this command when the show services advanced-anti-malware statistics CLI
command shows that several files failed to be sent to the cloud (see the “File Send to
Cloud Failed” result.)
Options start <0-32768>—Start the data connection test and specify the packet payload size
in bytes.
status—Returns the result of the data connection test. See Table 20 on page 101.
List of Sample Output request services advanced-anti-malware data-connection test start on page 102
request services advanced-anti-malware data-connection test status on page 102
request services advanced-anti-malware data-connection test status on page 102
Output Fields This CLI command returns a single line that indicates the data connection results.
Table 20 on page 101 lists the possible results.
Test not started. You cannot view the status without first running the data connection test.
Run the request services advanced-anti-malware data-connection test start
CLI command and then check the status again.
Test in progress. The data connection test has not finished. Wait a few seconds and try the
command again.
Test failed. The data connection test failed and indicates where it failed. Possible
failures are:
Sample Output
Release Information Command introduced in Junos OS Release 15.1X49-D60. The interface name to cloud
check, MTU warning, and client and server clock check added in Junos OS Release
15.1X49-D90. routing-instance option added in Junos OS Release 15.1X49-D100.
Description Use this command before you enroll your SRX Series device with Sky Advanced Threat
Prevention to verify your Internet connection to the cloud. If you already enrolled your
SRX Series device, you can still use this command and the request services aamw
data-connection CLI command to check and troubleshoot your connection to the cloud.
• DNS lookup—Performs a forward DNS lookup of the cloud hostname to verify it returns
an IP address. The examining process is aborted if it cannot get an interface name to
the cloud. This issue may be caused by a connection error. Please check your network
connection.
• Whether server is live—Uses the telnet and ping commands to verify connection with
the cloud.
• Outgoing interface—Checks that both the Routing Engine (RE) and the Packet
Forwarding Engine (PFE) can connect to the Internet.
• IP path MTU—Determines the maximum transmission unit (MTU) size on the network
path between the SRX Series device and the cloud server. The examining process is
aborted if the outgoing interface MTU is less than 1414. As a workaround, set the
outgoing interface MTU to the default value or to a value greater than 1414.
A warning message appears if the path MTU is less than the outgoing interface MTU.
This is a minor issue and you can ignore the message. A higher path MTU is
recommended but a low path MTU will work.
• SSL configuration consistency—Verifies that the SSL profile, client certificate and CA
exists in both the RE and the PFE.
• Client and server clock check—When you run this CLI command, it first checks the
difference between the server time and the local time. The time difference is expected
to be less than one minute. If the time difference is more than one minute, an error
message is displayed. See Table 21 on page 104.
pre-detection url—(optional) Pre-detection mode where you can test your connection
to the cloud server prior to actually enrolling your SRX Series device.
To use this option, in the Web UI, click Devices and then click Enroll. You will receive
an ops script similar to this:
op url https://abc.def.junipersecurity.net/bootstrap/enroll/AaBbCc/DdEeFf.slax
Use the root URL from the ops script as the url for the pre-detection option. For
example, using the above ops script run the command as:
Additional Information Table 21 on page 104 lists the error conditions detected by this CLI command.
Error message: URL unreachable is detected, please make sure URL url port port is reachable.
Meaning: Could not access the cloud server.

Error message: SSL profile ssl-profile-name is inconsistent between PFE and RE.
Meaning: The SSL profile exists in the RE but does not exist in the PFE.

Error message: SSL profile ssl-profile-name is empty.
Meaning: The SSL profile has neither a trusted CA nor a client certificate configured.

Error message: SSL local certificate local-certificate is inconsistent between PFE and RE.
Meaning: The SSL client certificate does not exist in the PFE.

Error message: SSL CA ca-name is inconsistent between PFE and RE.
Meaning: The SSL CA exists in the RE but does not exist in the PFE.

Error message: DNS lookup failure is detected, please check your DNS configuration.
Meaning: The IP address of the cloud server could not be found. If this test fails, check that
your Internet connection is working properly and that your DNS server is configured and has
an entry for the cloud URL.

Error message: To-SKYATP connection through management interface is detected. Please make
sure to-SKYATP connection is through packet forwarding plane.
Meaning: The test detected that the Internet connection to the cloud server is through the
management interface. This may result in your PFE connection to the cloud server failing.

Error message: Unable to get server time.
Meaning: Could not retrieve the server time.

Error message: Time difference is too large between server and this device.
Meaning: The difference between the server time and the local SRX Series device’s time is
more than a minute. To correct this, ensure that the clock on the local SRX device is set
correctly, and verify that you are using the correct NTP server.

Error message: Unable to perform IP path MTU check since ICMP service is down.
Meaning: Unable to connect to the Sky ATP cloud server.

Error message: Required ICMP session not found.
Meaning: Unable to establish an ICMP session with the specified URL. Check that you have
specified a valid URL.
Sample Output
If you are using an SRX1500 Series device, you must have a valid application-identification
license installed. Use the show services application-identification version CLI command to
verify that the application signature package has been installed. You must have version
2540 or later installed. For example:
If you do not see the package or the package version is incorrect, use the request services
application-identification download CLI command to download the latest application
signature package for Junos OS application identification. For example:
Then use the request services application-identification install CLI command to install
the downloaded application signature package.
Use the show services application-identification version CLI command again to verify
that the application signature package is installed.
Junos OS generates system log messages (also called syslog messages) to record
events that occur on the SRX Series device. Each system log message identifies the
process that generated the message and briefly describes the operation or error that
occurred. Sky ATP logs are identified by an SRX_AAMW_ACTION_LOG or SRX_AAMWD
entry.
show log
Configuring traceoptions
In most cases, policy logging of the traffic being permitted and denied is sufficient to
verify what Sky ATP is doing with the SRX Series device data. However, in some cases
you may need more information. In these instances, you can use traceoptions to monitor
traffic flow into and out of the SRX Series device.
Trace options are the equivalent of debugging tools. To debug packets as they traverse
the SRX Series device, configure traceoptions with the basic-datapath flag. This traces
packets from the moment they enter the SRX Series device until they exit, giving you
details of the actions the SRX Series device takes along the way.
A minimum traceoptions configuration must include both a target file and a flag. The
target file determines where the trace output is recorded. The flag defines what type of
data is collected. For more information on using traceoptions, see the documentation
for your SRX Series device.
To set the trace output file, use the file filename option. The following example defines
the trace output file as srx_aamw.log:
where flag defines what data to collect and can be one of the following values:
• all—Trace everything.
The following example traces connections to the SRX device and the advanced
anti-malware policy:
...
You can also configure public key infrastructure (PKI) trace options. For example:
Debug tracing on both the Routing Engine and the Packet Forwarding Engine can be
enabled for SSL proxy by setting the following configuration:
You can enable logs in the SSL proxy profile to get to the root cause for the drop. The
following errors are some of the most common:
Set flow trace options to troubleshoot traffic flowing through your SRX Series device:
Once you commit the configuration, traceoptions starts populating the log file with data.
Use the show log CLI command to view the log file. For example:
Use match, last and trim commands to make the output more readable. For more
information on using these commands, see Configuring Traceoptions for Debugging and
Trimming Output.
There are two ways to stop tracing. The first is to use the deactivate command, which is
a good option if you need to reactivate the trace later; use the activate command to start
capturing again. The second is to remove traceoptions from the configuration with the
delete command.
You can remove the traceoptions log file with the file delete filename CLI command or
clear the contents of the file with the clear log filename CLI command.
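The traceoptions, SSL proxy logging and flow tracing statements described in this topic, collected into one working sequence as an added example that is not part of the original guide. The log file names, the size and rotation values, the proxy profile name ssl-inspect-profile and the packet-filter prefix 10.1.1.1/32 (the client address from the infected host walkthrough) are assumptions; the flag names other than all and basic-datapath are not taken from this page, so check them with the CLI’s ? completion on your release.

```junos
# Added example, not from the original guide. Placeholders: log file names, size and
# rotation values, ssl-inspect-profile, 10.1.1.1/32.

# Advanced anti-malware tracing to srx_aamw.log, capped at 10 MB with three rotated copies
# so a busy device cannot fill /var/log.
set services advanced-anti-malware traceoptions file srx_aamw.log
set services advanced-anti-malware traceoptions file size 10m
set services advanced-anti-malware traceoptions file files 3
set services advanced-anti-malware traceoptions flag all

# PKI tracing, for enrollment or cloud connection failures on certificate and CRL checks.
set security pki traceoptions file pki.log
set security pki traceoptions flag all

# SSL tracing for the proxy on both Routing Engine and Packet Forwarding Engine, and the
# SSL proxy profile logs that name the reason for a dropped session.
set services ssl traceoptions file ssl.log
set services ssl traceoptions flag all
set services ssl proxy profile ssl-inspect-profile actions log all

# Flow tracing, narrowed by a packet filter to one client so the log stays readable.
set security flow traceoptions file flow.log
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter client1 source-prefix 10.1.1.1/32
commit

# Read the traces and the Sky ATP syslog entries (operational mode). match, last and trim
# keep the output manageable.
show log srx_aamw.log | last 50
show log flow.log | match 10.1.1.1 | trim 30
show log messages | match AAMW

# Stop tracing: deactivate keeps the statements for later, delete removes them.
deactivate services advanced-anti-malware traceoptions
deactivate security flow traceoptions
commit
delete services advanced-anti-malware traceoptions
delete security pki traceoptions
delete services ssl traceoptions
delete security flow traceoptions
commit

# Empty or remove the trace files once the investigation is over.
clear log srx_aamw.log
file delete /var/log/flow.log
```

Leave traceoptions active only for the duration of the investigation: with flag all and basic-datapath enabled, the Packet Forwarding Engine spends measurable time writing trace records for every session, and the files are readable by anyone with shell access to the device.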
Sky ATP dashboard reports require the Sky ATP premium license for the C&C Server &
Malware report. If you do not see any data in this dashboard report, make sure that you
have purchased a premium license.
NOTE: Sky ATP does not require you to install a license key onto your SRX
Series device. Instead, your entitlement for a specific serial number is
automatically transferred to the cloud server. It may take up to 24 hours for
your activation to be updated in the Sky Advanced Threat cloud server. For
more information, see Obtaining the Sky Advanced Threat Prevention License.
All reports are specific to your realm; no report currently covers trends derived from the
Sky ATP worldwide database. Data reported from files uploaded from your SRX Series
devices and other features make up the reports shown in your dashboard.
If you did purchase a premium license and followed the configuration steps (Quick Start
or “Sky Advanced Threat Prevention Configuration Overview” on page 31) and are still
not seeing data in the dashboard reports, contact Juniper Networks Technical Support.
Once you transfer your license keys to the new device, it may take up to 24 hours for the
new serial number to be registered with Sky ATP cloud service.
You must enroll your replacement unit as a new device. See “Enrolling an SRX Series
Device With Sky Advanced Threat Prevention” on page 41. Sky ATP does not have an
“RMA state”, and does not see these as replacement devices from a configuration or
registration point of view. Meaning, data is not automatically transferred to the
replacement SRX Series device from the old device.