SRX Services Gateway

Problem with Kaspersky Engine UTM

‎03-25-2014 02:45 AM

Hi all.

I'm deploying UTM features on an SRX550 (anti-virus UTM). I'm using both the Sophos engine and the Kaspersky engine, and I have a problem with the Kaspersky engine.

 

Here is my configuration:

--------------

feature-profile {
    anti-virus {
        url-whitelist URL-WHITELIST;
        type kaspersky-lab-engine;
        traceoptions {
            flag all;
            flag engine;
        }
        kaspersky-lab-engine {
            pattern-update {
                interval 40;
            }
            profile KAS-AV {
                fallback-options {
                    default log-and-permit;
                    too-many-requests log-and-permit;
                }
                scan-options {
                    no-intelligent-prescreening;
                    scan-mode all;
                } # Kaspersky engine scan
            }
        }
        sophos-engine {
            pattern-update {
                interval 30;
            }
            profile SOPHOS-AV {
                fallback-options {
                    default log-and-permit;
                }
                scan-options {
                    timeout 300; # Sophos scan
                }
            }
        }
    }
}

I've applied the two profiles to two policies from Inside to Outside as follows:

set security policies from-zone Inside to-zone Outside policy ONLY-29 match source-address HOST-29
set security policies from-zone Inside to-zone Outside policy ONLY-29 match destination-address any
set security policies from-zone Inside to-zone Outside policy ONLY-29 match application any
set security policies from-zone Inside to-zone Outside policy ONLY-29 then permit application-services utm-policy UTM-IN-OUT
set security policies from-zone Inside to-zone Outside policy ONLY-134 match source-address HOST-134
set security policies from-zone Inside to-zone Outside policy ONLY-134 match destination-address any
set security policies from-zone Inside to-zone Outside policy ONLY-134 match application any
set security policies from-zone Inside to-zone Outside policy ONLY-134 then permit application-services utm-policy UTM-KAS_TEST

 

And the problem is that HOST-29 can access the Internet normally, but with HOST-134 many websites cannot be accessed (for example cisco.com), although juniper.net is OK. This host will be scanned by the Kaspersky engine, but HOST-129 can access Cisco.com normally (scanned by the Sophos engine).

Please help me to explain it.


Re: Problem with Kaspersky Engine UTM

‎03-25-2014 04:10 AM

Hi

You can't use Sophos and KAV simultaneously. In your config you have "type kaspersky-lab-engine" so only KAV actually works now. See also "show security utm anti-virus status". Can you leave only one engine in your config and try again? Also turn off traceoptions because they can cause a performance hit. Also please use "insert code" feature to paste configs.

Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
Twitter: @JuniperTrain
GitHub: https://github.com/pklimai
[Juniper Authorized Education & Support in Russia]
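
An added example (not part of the original thread and not Juniper code): a small Python check for the situation the reply above describes, where the `type` statement selects one anti-virus engine while a second engine stanza and its profiles are still configured, and traceoptions are left on. The sample config is constructed from the one in the question, and the `parse` and `audit` helpers are hypothetical names.

```python
# Constructed sample, trimmed from the configuration posted in the question.
SAMPLE = """
feature-profile {
    anti-virus {
        type kaspersky-lab-engine;
        traceoptions {
            flag all;
        }
        kaspersky-lab-engine {
            profile KAS-AV {
                scan-options {
                    scan-mode all;
                }# Kaspersky-Engine scan
            }
        }
        sophos-engine {
            profile SOPHOS-AV {
                scan-options {
                    timeout 300;#Sophos scan
                }
            }
        }
    }
}
"""

def parse(text):
    """Parse brace-style Junos config into nested dicts; leaf statements map to None."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing '#' comments
        if line.endswith("{"):
            child = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif line:
            stack[-1][line.rstrip(";")] = None
    return stack[0]

def audit(text):
    """Return (active engine, {inactive engine: [profiles]}, tracing enabled)."""
    av = parse(text)["feature-profile"]["anti-virus"]
    active = next((k.split()[1] for k in av if k.startswith("type ")), None)
    # Assumption: every engine stanza name ends in "-engine", as on this page.
    inactive = {name: [k.split()[1] for k in body if k.startswith("profile ")]
                for name, body in av.items()
                if isinstance(body, dict) and name.endswith("-engine") and name != active}
    return active, inactive, bool(av.get("traceoptions"))
```

For the sample, `audit(SAMPLE)` reports `kaspersky-lab-engine` as active, `SOPHOS-AV` as a profile belonging to an engine that is not selected, and tracing as enabled.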

Re: Problem with Kaspersky Engine UTM

‎03-25-2014 05:11 AM

Thanks for your reply. So in your opinion, what scan engine will be used to scan traffic from ONLY-134? This host is unable to access some websites, but host 29 is normal.


Re: Problem with Kaspersky Engine UTM

‎03-25-2014 07:18 AM

Hi

I didn't see your UTM policy but only KAV should be active on your device, so if it is scanned by AV, it should be Kaspersky. Can you post your full config?

Best Regards,
PK
