AJSEC Lab4: Sky ATP
- Jean-luc KRIKER
Config (baseline vSRX-1 setup before the Sky ATP parts)

lab@vSRX-1> show configuration routing-options | display set
set routing-options static route 0.0.0.0/0 next-hop 172.25.11.254

lab@vSRX-1> show configuration system name-server | display set
set system name-server 8.8.8.8
set system name-server 8.8.4.4

(configuration mode) rename interfaces fxp0 to ge-0/0/0

lab@vSRX-1> show configuration system ntp | display set
set system ntp interval-range 0
set system ntp server 172.25.11.254
set system ntp threshold 600
set system ntp threshold action accept
Part 2

Part 3
Part 4: Adding the Sky ATP realm within Security Director

SD: Configure / Threat Prevention / Sky ATP Realms workspace
SD: Devices / Security Devices workspace >>> delete vSRX1 (its management interface was renamed from fxp0 to ge-0/0/0, so the device record in SD is stale)
SD: Devices / Device Discovery workspace >>> re-discover vSRX1
SD: Configure / Threat Prevention / Sky ATP Realms workspace >>> enroll/add vSRX1 into the Sky ATP realm

Check that the vSRX has been enrolled into Sky ATP:
SRX: show services advanced-anti-malware status
SRX: show services advanced-anti-malware profile (types of files sent to Sky ATP)
SRX: show services advanced-anti-malware policy (protocol, verdict threshold, action for malware)
Part 5: Threat management policies (advanced-anti-malware policy)

SD: Configure / Threat Prevention / Policies workspace >> create a policy
SRX: show configuration services
SRX: show configuration services security-intelligence >>> rules for infected hosts (match on threat level)

Create a firewall policy (on the SRX this is a security policy):
SD: Configure / Firewall Policy / Policies workspace >> Create Firewall Policy >> Add Rule to this Policy >> Update (then Update and Publish)
SRX: show configuration security policies
SRX: show services advanced-anti-malware policy
SRX: show configuration services security-intelligence    # Sky ATP >> security-intelligence profile & policy; infected-host rule: match on threat level, then action
SRX: show security policies detail
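The Part 5 procedure is driven from Security Director, so the lab never shows what actually lands on the vSRX. The following is an added example, not taken from the lab page or from Juniper, of the Junos configuration that the three "show configuration" checks above would reveal after SD publishes a threat prevention policy and a firewall policy referencing it. The names aamw-policy, secintel-policy, ih-profile, cc-profile, the zones trust/untrust and the policy p1 are assumptions for illustration; the lines beginning with "##" are explanatory comments, not Junos syntax, and must be stripped before pasting into "load set terminal".

```junos
## Added example (not from the lab page): the Junos equivalent of the Part 5
## policies as they appear in "show configuration | display set".
## Names (aamw-policy, secintel-policy, ih-profile, cc-profile, trust/untrust, p1)
## are assumptions for illustration.

## Advanced anti-malware: send HTTP file downloads to Sky ATP. A verdict at or
## above the threshold (Sky ATP scores 1-10, default threshold 7) is treated as
## malware and the session is blocked.
set services advanced-anti-malware policy aamw-policy http inspection-profile default_profile
set services advanced-anti-malware policy aamw-policy http action block
set services advanced-anti-malware policy aamw-policy http notification log
set services advanced-anti-malware policy aamw-policy verdict-threshold 7
## Fallback decides the fail-open/fail-closed behaviour when the cloud is
## unreachable or the scan times out; this example permits but logs.
set services advanced-anti-malware policy aamw-policy fallback-options action permit
set services advanced-anti-malware policy aamw-policy fallback-options notification log

## Security intelligence: block hosts that Sky ATP has flagged as infected
## (threat level 8-10) and sessions towards known C&C servers of the same level.
set services security-intelligence profile ih-profile category Infected-Hosts
set services security-intelligence profile ih-profile rule ih-rule match threat-level [ 8 9 10 ]
set services security-intelligence profile ih-profile rule ih-rule then action block close
set services security-intelligence profile ih-profile rule ih-rule then log
set services security-intelligence profile cc-profile category CC
set services security-intelligence profile cc-profile rule cc-rule match threat-level [ 8 9 10 ]
set services security-intelligence profile cc-profile rule cc-rule then action block close
set services security-intelligence profile cc-profile rule cc-rule then log
set services security-intelligence policy secintel-policy Infected-Hosts ih-profile
set services security-intelligence policy secintel-policy CC cc-profile

## Security policy: both services are attached as application-services on the
## permit action. Without this attachment neither policy inspects any traffic,
## which is the first thing to check when "show services advanced-anti-malware
## statistics" stays at zero.
set security policies from-zone trust to-zone untrust policy p1 match source-address any
set security policies from-zone trust to-zone untrust policy p1 match destination-address any
set security policies from-zone trust to-zone untrust policy p1 match application any
set security policies from-zone trust to-zone untrust policy p1 then permit application-services security-intelligence-policy secintel-policy
set security policies from-zone trust to-zone untrust policy p1 then permit application-services advanced-anti-malware-policy aamw-policy
```

Two practical caveats: the fallback-options stanza is the fail-open versus fail-closed decision, so "action permit" means that a cloud outage silently lets unscanned files through, and "action block" means that the same outage breaks HTTP downloads; pick deliberately. And because vSRX1 is managed by Security Director in this lab, committing this by hand on the CLI would put the device out of sync with SD, so use it to read and verify the published result rather than as the way to configure the device.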
Part 6: Monitoring

SD: Monitor / Threat Management / Hosts workspace
SD: Monitor / Threat Management / File Scanning workspace (remove level 4)
(SD: Monitor / Threat Management / C&C Services workspace)

SRX: display statistics of files and e-mails scanned:
SRX: show services advanced-anti-malware statistics
SRX: set services advanced-anti-malware connection
SRX: show services security-intelligence statistics >>> shows blocked sessions per policy / blacklist / whitelist