
Configuring SkyATP and Advanced Threat Prevention by Security Director

05-15-2018 06:51 AM

Hi,

I have some problem, maybe some bug or something like that, configuring SkyATP using Junos Security Director.

I'd like to understand if any of you have had the same issue.


The problem is that after I configure a threat prevention policy on Security Director and try to push the policy, I receive:

[Error] Configuration update failed. 

Severity : error 
           At : [edit services advanced-anti-malware] 
Message : Missing mandatory statement: 'match' 
  Details : policy SkyATP_DMZ 


After that, I try to configure the missing "match" -> "then" part manually via the CLI, and committing using the CLI works correctly.


The problem is that on any future configuration push from Security Director, it tries to remove this every time:

##Security Firewall Policy : junos-host - contact##
delete security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1
##Advanced AntiMalware Policy Configurations##
delete services advanced-anti-malware policy SkyATP_DMZ match 
delete services advanced-anti-malware policy SkyATP_DMZ then 
delete services advanced-anti-malware policy SkyATP_DMZ inspection-profile 
delete services advanced-anti-malware policy SkyATP_DMZ default-notification 
delete services advanced-anti-malware policy SkyATP_DMZ whitelist-notification 
delete services advanced-anti-malware policy SkyATP_DMZ blacklist-notification 


Ending up with the same commit error due to the missing match/then statement.


The curious thing is that Security Director is applying the correct template (I read that from version 15.x the match/then statement is no longer required), but on my vSRX, if I try to configure it following the guideline, I can't find the correct command as expressed.

Here is my configuration:


connection {
    url https://srxapi.eu-west-1.sky.junipersecurity.net;
    authentication {
        tls-profile aamw-ssl;
    }
}
policy SkyATP_DMZ {
    match {
        application HTTP;
        verdict-threshold recommended;
    }
    then {
        action permit;
        notification {
            log;
        }
    }
    inspection-profile default_profile;
    fallback-options {
        action permit;
        notification {
            log;
        }
    }
    default-notification {
        log;
    }
    whitelist-notification {
        log;
    }
    blacklist-notification {
        log;
    }
}
root@vSRXdmzserver> show configuration services security-intelligence
url https://10.20.20.203:443/api/v1/manifest.xml;
url-parameter "$9$pXdQBhrKMXbYoxNz36C0OEhSyv824ZH.fRhx-bYoaZGDHm536CtuBoJ9tuBhcbwYgGjqm539pX7H.PQ6/X7Nb4JiH.f5zX7sgoZiHn69COIyrKWXNLxH.mf3nREcr8XVw2oZDz37dsYaJGUjiPT6/AIRc-VqP5z9C"; ## SECRET-DATA
authentication {
    auth-token GQ5A1SNB1T0TO29PJPXKPFGYZKKCWJUO;
}
profile SkyATP_DMZ_CC {
    category CC;
    rule Rule-1 {
        match {
            threat-level [ 1 2 3 4 ];
        }
        then {
            action {
                permit;
            }
            log;
        }
    }
    rule Rule-2 {
        match {
            threat-level [ 5 6 7 ];
        }
        then {
            action {
                permit;
            }
            log;
        }
    }
    rule Rule-3 {
        match {
            threat-level [ 8 9 10 ];
        }
        then {
            action {
                block {
                    drop;
                }
            }
            log;
        }
    }
}
profile SkyATP_DMZ_Infected-Hosts {
    category Infected-Hosts;
    rule Rule-1 {
        match {
            threat-level [ 1 2 3 4 5 6 ];
        }
        then {
            action {
                permit;
            }
            log;
        }
    }
    rule Rule-2 {
        match {
            threat-level [ 7 8 9 10 ];
        }
        then {
            action {
                block {
                    drop;
                }
            }
            log;
        }
    }
}
policy SkyATP_DMZ {
    CC {
        SkyATP_DMZ_CC;
    }
    Infected-Hosts {
        SkyATP_DMZ_Infected-Hosts;
    }
}


root@vSRXdmzserver> show services advanced-anti-malware statistics
Advanced-anti-malware session statistics:
  Session interested:    1014
  Session ignored:       691
  Session hit blacklist: 0
  Session hit whitelist: 0
                         Total         HTTP          HTTPS
  Session active:        0             0             0
  Session blocked:       0             0             0
  Session permitted:     322           322           0

Advanced-anti-malware file statistics:
                                Total         HTTP          HTTPS
  File submission success:      0             0             0
  File submission failure:      1             1             0
  File submission not needed:   823           823           0
  File verdict meets threshold: 0             0             0
  File verdict under threshold: 0             0             0
  File fallback blocked:        0             0             0
  File fallback permitted:      1             1             0
  File hit submission limit:    0             0             0

The above configuration has been performed via the CLI due to the problem with Security Director.


Any suggestion?


Regards
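As an added example (not part of the original post or of Juniper's tooling), a small Python pre-push check for the failure described above: it parses a Junos brace-style advanced-anti-malware stanza and reports any policy lacking the mandatory match/then statements, and it flags lines in a pending change set that would delete them. The sample stanza and command list are constructed; SkyATP_Lab is a hypothetical second policy.

```python
import re

# Constructed sample stanza modelled on the post; SkyATP_Lab is a hypothetical second policy.
SAMPLE_CONFIG = """
policy SkyATP_DMZ {
    match {
        application HTTP;
    }
    then {
        action permit;
    }
    inspection-profile default_profile;
}
policy SkyATP_Lab {
    inspection-profile default_profile;
}
"""
MANDATORY = ("match", "then")  # the statements the commit error reports as missing

def parse_junos(text):
    # Parse Junos curly-brace config into nested dicts; leaf statements map to None.
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        elif line == "}":
            node = stack.pop()
        else:  # leaf; drop the ';' and any '## SECRET-DATA' annotation
            node[line.rstrip(";").split(" ##")[0].strip()] = None
    return root

def missing_mandatory(config):
    # Map policy name -> list of mandatory statements it lacks (empty dict means safe to commit).
    problems = {}
    for key, body in config.items():
        if key.startswith("policy ") and isinstance(body, dict):
            missing = [s for s in MANDATORY if s not in body]
            if missing:
                problems[key.split(" ", 1)[1]] = missing
    return problems

def risky_deletes(commands):
    # Flag pending 'delete ... policy <name> match|then' lines before they are pushed.
    pat = re.compile(r"^delete services advanced-anti-malware policy (\S+) (match|then)\s*$")
    return [(m.group(1), m.group(2)) for m in map(pat.match, commands) if m]
```

Running `missing_mandatory(parse_junos(...))` over the candidate stanza, and `risky_deletes` over the change set Security Director shows before pushing, surfaces the missing-`match` condition before the commit fails on the device.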