  • Junos OS UTM Overview Feature Guide for Security Devices

    Release 12.1X46-D10

    Published: 2013-11-19

    Copyright © 2013, Juniper Networks, Inc.

  • Juniper Networks, Inc.
    1194 North Mathilda Avenue
    Sunnyvale, California 94089
    USA
    408-745-2000
    www.juniper.net

    Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

    Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

    Junos OS UTM Overview Feature Guide for Security Devices 12.1X46-D10
    Copyright © 2013, Juniper Networks, Inc. All rights reserved.

    The information in this document is current as of the date on the title page.

    YEAR 2000 NOTICE

    Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

    END USER LICENSE AGREEMENT

    The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


  • Table of Contents

    About the Documentation . . . vii
      Documentation and Release Notes . . . vii
      Supported Platforms . . . vii
      Using the Examples in This Manual . . . viii
        Merging a Full Example . . . viii
        Merging a Snippet . . . ix
      Documentation Conventions . . . ix
      Documentation Feedback . . . xi
      Requesting Technical Support . . . xi
        Self-Help Online Tools and Resources . . . xi
        Opening a Case with JTAC . . . xii

    Part 1 Overview
    Chapter 1 UTM Basics . . . 3
      Unified Threat Management Overview . . . 3
      Understanding UTM Custom Objects . . . 5
    Chapter 2 UTM Licensing . . . 7
      Understanding UTM Licensing . . . 7
    Chapter 3 WELF Logging . . . 9
      Understanding WELF Logging for UTM Features . . . 9
    Chapter 4 Chassis Cluster . . . 11
      Understanding UTM Support for Active/Active Chassis Cluster . . . 11
      Understanding Chassis Cluster Support for UTM Modules . . . 13

    Part 2 Configuration
    Chapter 5 UTM Licensing . . . 19
      Updating UTM Licenses (CLI Procedure) . . . 19
    Chapter 6 WELF Logging . . . 21
      Example: Configuring WELF Logging for UTM Features . . . 21
    Chapter 7 Configuration Statements . . . 25
      Security Configuration Statement Hierarchy . . . 25
      [edit security utm] Hierarchy Level . . . 26
      application-proxy (Security UTM) . . . 34
      log (Security) . . . 35
      format (Security Log Stream) . . . 37
      category (Security Logging) . . . 38
      content-filtering (Security UTM Policy) . . . 39
      limit (UTM Policy) . . . 39
      ipc . . . 40
      sessions-per-client . . . 41
      smtp-profile (Security UTM Policy Antispam) . . . 41
      traffic-options . . . 42
      traceoptions (Security Application Proxy) . . . 43
      traceoptions (Security UTM) . . . 44
      utm-policy (Application Services) . . . 45

    Part 3 Administration
    Chapter 8 Operational Commands . . . 49
      clear security utm session . . . 50
      request system license update . . . 51
      show configuration smtp . . . 52
      show security utm status . . . 53
      show security log . . . 54

    Part 4 Index
      Index . . . 59


  • List of Tables

    About the Documentation . . . vii
      Table 1: Notice Icons . . . ix
      Table 2: Text and Syntax Conventions . . . x

    Part 1 Overview
    Chapter 2 UTM Licensing . . . 7
      Table 3: UTM Feature Subscription Service License Requirements . . . 7
    Chapter 4 Chassis Cluster . . . 11
      Table 4: Web Filtering Mechanisms for Chassis Cluster Support . . . 14

    Part 3 Administration
    Chapter 8 Operational Commands . . . 49
      Table 5: show configuration smtp . . . 52
      Table 6: show security log Output Fields . . . 55


  • About the Documentation

    Documentation and Release Notes on page vii

    Supported Platforms on page vii

    Using the Examples in This Manual on page viii

    Documentation Conventions on page ix

    Documentation Feedback on page xi

    Requesting Technical Support on page xi

    Documentation and Release Notes

    To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

    If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

    Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

    Supported Platforms

    For the features described in this document, the following platforms are supported:

    J Series

    SRX100

    SRX110

    SRX210

    SRX220

    SRX240

    SRX550

    SRX650


  • Using the Examples in This Manual

    If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.

    If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command.

    If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.

    Merging a Full Example

    To merge a full example, follow these steps:

    1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform.

    For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

    system {
        scripts {
            commit {
                file ex-script.xsl;
            }
        }
    }
    interfaces {
        fxp0 {
            disable;
            unit 0 {
                family inet {
                    address 10.0.0.1/24;
                }
            }
        }
    }

    2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:

    [edit]
    user@host# load merge /var/tmp/ex-script.conf
    load complete


  • Merging a Snippet

    To merge a snippet, follow these steps:

    1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.

    For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.

    commit {
        file ex-script-snippet.xsl;
    }

    2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:

    [edit]
    user@host# edit system scripts
    [edit system scripts]

    3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:

    [edit system scripts]
    user@host# load merge relative /var/tmp/ex-script-snippet.conf
    load complete

    For more information about the load command, see the CLI User Guide.

    Documentation Conventions

    Table 1 on page ix defines notice icons used in this guide.

    Table 1: Notice Icons

    Meaning              Description
    Informational note   Indicates important features or instructions.
    Caution              Indicates a situation that might result in loss of data or hardware damage.
    Warning              Alerts you to the risk of personal injury or death.
    Laser warning        Alerts you to the risk of personal injury from a laser.

    Table 2 on page x defines the text and syntax conventions used in this guide.


  • Table 2: Text and Syntax Conventions

    Convention: Bold text like this
    Description: Represents text that you type.
    Examples: To enter configuration mode, type the configure command:
        user@host> configure

    Convention: Fixed-width text like this
    Description: Represents output that appears on the terminal screen.
    Examples:
        user@host> show chassis alarms
        No alarms currently active

    Convention: Italic text like this
    Description: Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles.
    Examples: A policy term is a named structure that defines match conditions and actions.
        Junos OS CLI User Guide
        RFC 1997, BGP Communities Attribute

    Convention: Italic text like this
    Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
    Examples: Configure the machine's domain name:
        [edit]
        root@# set system domain-name domain-name

    Convention: Text like this
    Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
    Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
        The console port is labeled CONSOLE.

    Convention: < > (angle brackets)
    Description: Encloses optional keywords or variables.
    Examples: stub ;

    Convention: | (pipe symbol)
    Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
    Examples: broadcast | multicast
        (string1 | string2 | string3)

    Convention: # (pound sign)
    Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
    Examples: rsvp { # Required for dynamic MPLS only

    Convention: [ ] (square brackets)
    Description: Encloses a variable for which you can substitute one or more values.
    Examples: community name members [ community-ids ]

    Convention: Indention and braces ( { } )
    Description: Identifies a level in the configuration hierarchy.
    Examples:
        [edit]
        routing-options {
            static {
                route default {
                    nexthop address;
                    retain;
                }
            }
        }

    Convention: ; (semicolon)
    Description: Identifies a leaf statement at a configuration hierarchy level.
    Examples: (as in the routing-options example above)

    GUI Conventions

    Convention: Bold text like this
    Description: Represents graphical user interface (GUI) items you click or select.
    Examples: In the Logical Interfaces box, select All Interfaces.
        To cancel the configuration, click Cancel.

    Convention: > (bold right angle bracket)
    Description: Separates levels in a hierarchy of menu selections.
    Examples: In the configuration editor hierarchy, select Protocols>Ospf.

    Documentation Feedback

    We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:

    Document or topic name

    URL or page number

    Software release version (if applicable)

    Requesting Technical Support

    Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

    JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

    Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/.

    JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

    Self-Help Online Tools and Resources

    For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

    Find CSC offerings: http://www.juniper.net/customers/support/

    Search for known bugs: http://www2.juniper.net/kb/


  • Find product documentation: http://www.juniper.net/techpubs/

    Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

    Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

    Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/

    Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

    Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

    To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

    Opening a Case with JTAC

    You can open a case with JTAC on the Web or by telephone.

    Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

    Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

    For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.


  • PART 1

    Overview

    UTM Basics on page 3

    UTM Licensing on page 7

    WELF Logging on page 9

    Chassis Cluster on page 11


  • CHAPTER 1

    UTM Basics

    Unified Threat Management Overview on page 3

    Understanding UTM Custom Objects on page 5

    Unified Threat Management Overview

    Supported Platforms J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

    Unified Threat Management (UTM) is a term used to describe the consolidation of several security features into one device, protecting against multiple threat types. The advantage of UTM is streamlined installation and management of these multiple security capabilities.

    The security features provided as part of the UTM solution are:

    Antispam Filtering: E-mail spam consists of unwanted e-mail messages, usually sent by commercial, malicious, or fraudulent entities. The antispam feature examines transmitted e-mail messages to identify e-mail spam. When the device detects an e-mail message deemed to be spam, it either drops the message or tags the message header or subject field with a preprogrammed string. The antispam feature uses a constantly updated spam block list (SBL). Sophos updates and maintains the IP-based SBL. The antispam feature is a separately licensed subscription service.

    Content Filtering: Content filtering blocks or permits certain types of traffic based on the MIME type, file extension, protocol command, and embedded object type. Content filtering does not require a separate license.

    Web Filtering: Web filtering lets you manage Internet usage by preventing access to inappropriate Web content. There are three types of Web filtering solutions. In the case of the integrated Web filtering solution, the decision-making for blocking or permitting Web access is done on the device after it identifies the category for a URL either from user-defined categories or from a category server (Websense provides the CPA Server). The integrated Web filtering feature is a separately licensed subscription service. The redirect Web filtering solution intercepts HTTP requests and forwards the server URL to an external URL filtering server provided by Websense to determine whether to block or permit the requested Web access. Redirect Web filtering does not require a separate license. With Juniper Local Web Filtering, the decision-making for blocking or permitting Web access is done on the device after it identifies the category for a URL from user-defined categories stored on the device. With Local filtering, there is no additional Juniper license or remote category server required.

    Full File-Based Antivirus: A virus is executable code that infects or attaches itself to other executable code to reproduce itself. Some malicious viruses erase files or lock up systems. Other viruses merely infect files and overwhelm the target host or network with bogus data. The full file-based antivirus feature provides file-based scanning on specific Application Layer traffic, checking for viruses against a virus signature database. It collects the received data packets until it has reconstructed the original application content, such as an e-mail file attachment, and then scans this content. Kaspersky Lab provides the internal scan engine. The full file-based antivirus scanning feature is a separately licensed subscription service.

    Express Antivirus: Express antivirus scanning is offered as a less CPU-intensive alternative to the full file-based antivirus feature. The express antivirus feature, like the full antivirus feature, scans specific Application Layer traffic for viruses against a virus signature database. However, unlike full antivirus, express antivirus does not reconstruct the original application content. Rather, it just sends (streams) the received data packets, as is, to the scan engine. With express antivirus, the virus scanning is executed by a hardware pattern matching engine. This improves performance while scanning is occurring, but the level of security provided is lessened. Juniper Networks provides the scan engine. The express antivirus scanning feature is a separately licensed subscription service.

    Sophos Antivirus: Sophos antivirus scanning is offered as a less CPU-intensive alternative to the full file-based antivirus feature. Sophos supports the same protocols as full antivirus and functions in much the same manner; however, it has a smaller memory footprint and is compatible with lower end devices that have less memory. Sophos antivirus is an in-the-cloud antivirus solution. The virus pattern and malware database is located on external servers maintained by Sophos (Sophos Extensible List servers), thus there is no need to download and maintain large pattern databases on the Juniper device. The Sophos antivirus scanner also uses a local internal cache to maintain query responses from the external list server to improve lookup performance.

    NOTE: The sessions-per-client limit CLI command, which imposes a session throttle to prevent a malicious user from generating large amounts of traffic simultaneously, supports the antispam, content filtering, and antivirus UTM features. It does not support Web filtering.

    Related Documentation

    Junos OS UTM Library for Security Devices

    Understanding UTM Custom Objects on page 5

    Understanding UTM Licensing on page 7

    Updating UTM Licenses (CLI Procedure) on page 19

    Understanding WELF Logging for UTM Features on page 9

    Example: Configuring WELF Logging for UTM Features on page 21


  • Understanding UTM Custom Objects

    Supported Platforms J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

    Before you can configure most UTM features, you must first configure the custom objects for the feature in question. Custom objects are global parameters for UTM features. This means that configured custom objects can be applied to all UTM policies where applicable, rather than only to individual policies.

    The following UTM features make use of certain custom objects:

    Anti-Virus (see Full Antivirus Pattern Update Configuration Overview)

    Web Filtering (see Example: Configuring Integrated Web Filtering)

    Anti-Spam (see Server-Based Antispam Filtering Configuration Overview)

    Content Filtering (see Content Filtering Configuration Overview)

    Related Documentation

    Junos OS UTM Library for Security Devices

    Unified Threat Management Overview on page 3

    Understanding UTM Licensing on page 7

    Updating UTM Licenses (CLI Procedure) on page 19

    Understanding WELF Logging for UTM Features on page 9

    Example: Configuring WELF Logging for UTM Features on page 21


  • CHAPTER 2

    UTM Licensing

    Understanding UTM Licensing on page 7

    Understanding UTM Licensing

    Supported Platforms J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

    The majority of UTM features function as a subscription service requiring a license. You can redeem this license once you have purchased your subscription license SKUs. You redeem your license by entering your authorization code and chassis serial number into the Customer Service LMS interface. Once your entitlement is generated, you can use the CLI from your device to send a license update request to the LMS server. The LMS server then sends your subscription license directly to the device.

    NOTE: UTM requires 1 GB of memory. If your J2320, J2350, or J4350 device has only 512 MB of memory, you must upgrade the memory to 1 GB to run UTM.

    Table 3: UTM Feature Subscription Service License Requirements

    UTM Feature                 Requires License
    Antispam                    Yes
    Antivirus: full             Yes
    Antivirus: express          Yes
    Content Filtering           No
    Web Filtering: integrated   Yes
    Web Filtering: redirect     No
    Web Filtering: local        No

    Related Documentation

    Unified Threat Management Overview on page 3


  • Junos OS UTM Library for Security Devices

    Understanding UTM Custom Objects on page 5

    Updating UTM Licenses (CLI Procedure) on page 19

    Understanding WELF Logging for UTM Features on page 9

    Example: Configuring WELF Logging for UTM Features on page 21


  • CHAPTER 3

    WELF Logging

    Understanding WELF Logging for UTM Features on page 9

    Understanding WELF Logging for UTM Features

    Supported Platforms J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

    UTM features support the WELF standard. The WELF Reference defines the WebTrends industry standard log file exchange format. Any system logging to this format is compatible with Firewall Suite 2.0 and later, Firewall Reporting Center 1.0 and later, and Security Reporting Center 2.0 and later.

    A WELF log file is composed of records. Each record is a single line in the file. Records are always in chronological order. The earliest record is the first record in the file; the most recent record is the last record in the file. WELF places no restrictions on log filenames or log file rotation policies.

    NOTE: Each WELF record is composed of fields. The record identifier field (id=) must be the first field in a record. All other fields can appear in any order.

    The following is a sample WELF record:

    id=firewall time="2000-2-4 12:01:01" fw=192.168.0.238 pri=6 rule=3 proto=http src=192.168.0.23 dst=6.1.0.36 rg=www.webtrends.com/index.html op=GET result=0 rcvd=1426

    The fields from the example WELF record include the following required elements (all other fields are optional):

    id (Record identifier)

    time (Date/time)

    fw (Firewall IP address or name)

    pri (Priority of the record)
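    As an added example that is not part of the Juniper guide, the following Python parses and validates WELF records exactly as the rules above describe them: double-quoted values, the id= first-field rule, the four required fields, and chronological order across a file. The guide's sample record is reused as-is; the other three records in the log excerpt are constructed for the example.

```python
"""Parse and validate WebTrends Enhanced Log Format (WELF) records.

Added example, not code from the Juniper guide. A WELF record is one line of
space-separated key=value fields; a value containing spaces is enclosed in
double quotes. The record identifier (id=) must be the first field, time, fw
and pri are also required, and every other field is optional and may appear
in any order. Records in a file must be in chronological order.
"""
from datetime import datetime
import shlex

REQUIRED_FIELDS = ("id", "time", "fw", "pri")

# The guide's sample record, with the spacing restored.
SAMPLE_RECORD = (
    'id=firewall time="2000-2-4 12:01:01" fw=192.168.0.238 pri=6 rule=3 '
    'proto=http src=192.168.0.23 dst=6.1.0.36 rg=www.webtrends.com/index.html '
    'op=GET result=0 rcvd=1426'
)

# Constructed log excerpt (addresses from the documentation ranges): two valid
# records, then one that breaks chronological order, then one whose id= field
# is not first.
SAMPLE_LOG = [
    SAMPLE_RECORD,
    'id=firewall time="2000-2-4 12:01:05" fw=192.168.0.238 pri=6 proto=smtp '
    'src=192.168.0.50 dst=192.0.2.25 op=SPAM result=1',
    'id=firewall time="2000-2-4 11:59:59" fw=192.168.0.238 pri=4 proto=http '
    'src=192.168.0.23 dst=192.0.2.10 result=0',
    'time="2000-2-4 12:02:00" id=firewall fw=192.168.0.238 pri=6',
]


class WelfError(ValueError):
    """Raised when a line is not a well-formed WELF record."""


def parse_record(line):
    """Split one WELF line into a dict of field -> value (field order kept).

    shlex in POSIX mode keeps a double-quoted value such as
    time="2000-2-4 12:01:01" together as a single token.
    """
    tokens = shlex.split(line, posix=True)
    if not tokens:
        raise WelfError("empty record")
    fields = {}
    for index, token in enumerate(tokens):
        if "=" not in token:
            raise WelfError("token %r is not key=value" % token)
        key, value = token.split("=", 1)
        if index == 0 and key != "id":
            raise WelfError("first field must be id=, got %r" % key)
        if key in fields:
            raise WelfError("duplicate field %r" % key)
        fields[key] = value
    missing = [name for name in REQUIRED_FIELDS if name not in fields]
    if missing:
        raise WelfError("missing required field(s): %s" % ", ".join(missing))
    return fields


def parse_time(value):
    """WELF time values look like 2000-2-4 12:01:01 (month and day unpadded)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def validate_log(lines):
    """Validate a sequence of WELF lines.

    Returns (records, errors): records holds the parsed field dicts of the
    lines that passed; errors holds (line_number, message) for lines that are
    malformed or that break the chronological-order rule.
    """
    records, errors = [], []
    last_time = None
    for number, line in enumerate(lines, start=1):
        try:
            fields = parse_record(line)
            stamp = parse_time(fields["time"])
        except ValueError as exc:  # WelfError is a ValueError subclass
            errors.append((number, str(exc)))
            continue
        if last_time is not None and stamp < last_time:
            errors.append((number, "record out of chronological order"))
            continue
        last_time = stamp
        records.append(fields)
    return records, errors


if __name__ == "__main__":
    good, bad = validate_log(SAMPLE_LOG)
    for rec in good:
        print(rec["time"], rec.get("proto", "-"), rec.get("src", "-"), "->", rec.get("dst", "-"))
    for number, message in bad:
        print("line %d: %s" % (number, message))
```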

    Related Documentation

    Unified Threat Management Overview on page 3

    Junos OS UTM Library for Security Devices


  • Understanding UTM Custom Objects on page 5

    Understanding UTM Licensing on page 7

    Updating UTM Licenses (CLI Procedure) on page 19

    Example: Configuring WELF Logging for UTM Features on page 21


  • CHAPTER 4

    Chassis Cluster

    Understanding UTM Support for Active/Active Chassis Cluster on page 11

    Understanding Chassis Cluster Support for UTM Modules on page 13

    Understanding UTM Support for Active/Active Chassis Cluster

    Supported Platforms SRX100, SRX210, SRX220, SRX240, SRX550, SRX650

    A chassis cluster environment supports UTM with:

    Packet Forwarding Engine in active/backup chassis cluster configurations with the Packet Forwarding Engine and the Routing Engine being active in the same node (on SRX Series devices).

    On SRX100, SRX210, SRX220, SRX240, SRX550, and SRX650 devices, the UTM functionality is supported in both active/active and active/backup chassis cluster configurations, where the Packet Forwarding Engine can be active on both cluster nodes and the Routing Engine and the Packet Forwarding Engine can be active in different nodes.

    NOTE: No separate license for UTM in chassis cluster is required. The usual UTM licenses required for UTM features are required. Licenses should be available in both nodes.

    UTM supports stateless Packet Forwarding Engine active/active chassis cluster configurations (that is, no UTM state is synchronized between the cluster nodes). All the UTM sessions anchored on the redundancy group being failed over are aborted, and new sessions are set up with the new primary redundancy group.

    Stateful active/active cluster mode is not supported. Stateful objects like UTM sessions are not synchronized; that is, no UTM module runtime objects (RTOs) are synchronized between the cluster nodes. You need to install UTM licenses in both nodes independently.


  • UTM is supported in the following chassis cluster modes:

    Active/active mode: In this mode, the redundancy groups can be active on both of the cluster nodes. The transit traffic can be processed by both nodes. Any traffic between nodes transits through the fabric link.

    The transit traffic includes:

    Traffic forwarded between interfaces for redundancy groups 1 and up across nodes

    Traffic forwarded between interfaces for redundancy groups 1 and up that are part of the same node but have one or more redundancy groups active on both of the nodes

    Traffic forwarded between RG0-controlled interfaces across devices (traffic from the secondary RG0 is sent to the primary RG0 over the fabric link for routing decisions)

    Active/backup mode: In this mode, all the redundancy groups are active in one cluster node. All the transit traffic is processed by this single node.

    The transit traffic includes:

    Traffic forwarded between interfaces for redundancy groups 1 and up that are part of the same node

    Traffic forwarded between RG0-controlled interfaces for redundancy groups 1 and up that are in the same node

    UTM is supported for the following chassis cluster failover types:

    Manual failover: Supports manual failover through the set chassis cluster failover command. Both RG0 and redundancy groups 1 and up can fail over using this command.

    RG0 automatic failover: This failover is supported through control link failure, monitoring objects (IP address, interface monitoring), or preempt/priority configuration.

    Redundancy groups 1 and up automatic failover: This failover is supported through monitoring objects (IP address, interface monitoring) or preempt/priority configuration. This failover leads to active link changes and can result in active/active mode.

    Failover through reboot: A primary node can be changed to a secondary node by rebooting the node. All redundancy groups in the node that is rebooted will no longer be primary.

    Failover through flowd restart: Redundancy groups 1 and up will be changed to secondary when the flowd restarts.

The following UTM features are supported in chassis cluster:

Content filtering

URL (Web) filtering

Antispam filtering

Express antivirus scanning

Full file-based antivirus scanning

Sophos antivirus scanning

All the UTM configurations are either maintained in the Routing Engine or pushed to the Packet Forwarding Engine from the Routing Engine. The configuration synchronization between the two nodes is taken care of by the chassis cluster infrastructure. This holds true for all the UTM modules too. You can configure UTM either from the primary or secondary node, and the same configuration will be reflected in the other node once you commit the first configuration.

There is a dependency on ACL support on control links. The time taken to spawn the processes depends on the device. There will be a small delay for the Unified Threat Management daemon (utmd) to come up operationally, even though the utmd daemon is running in the secondary Routing Engine, because there can be a startup delay for all the dependent daemons.

Related Documentation

    Chassis Cluster Overview

    Understanding Chassis Cluster Formation

    Understanding Chassis Cluster Redundancy Groups

    Understanding Chassis Cluster Redundant Ethernet Interfaces

    Unified Threat Management Overview on page 3

Understanding Chassis Cluster Support for UTM Modules on page 13

    Junos OS UTM Library for Security Devices

Understanding Chassis Cluster Support for UTM Modules

    Supported Platforms SRX100, SRX210, SRX220, SRX240, SRX550, SRX650

Content filtering: Content filtering blocks or permits certain types of traffic based on the MIME type, file extension, and protocol command. The content filter controls file transfers across the gateway by checking traffic against configured filter lists.

In content filtering, the user configuration (mime-pattern/filename-extension/protocol-command/content-type) is pushed from the Routing Engine to the Packet Forwarding Engine real-time (PFE-RT). The filtering decision is entirely based on the user configuration and is done on the Packet Forwarding Engine real-time (PFE-RT) side. For the transit traffic, the configuration lookup (for the block/permit decision) and the entire UTM processing occurs in the Packet Forwarding Engine itself and does not go to the Routing Engine (that is, the complete UTM session resides in the Packet Forwarding Engine).

URL (Web) filtering: Web filtering lookups take place in the primary Routing Engine, and both the Packet Forwarding Engines send the lookup request to the primary Routing Engine.

Four kinds of Web filtering mechanisms supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices are described in Table 4 on page 14.

Table 4: Web Filtering Mechanisms for Chassis Cluster Support

Web Filtering Type: Redirect Web filtering
Description:
  Decision (allow/deny) is always made by an external Websense server.
  TCP connections are set up from the utmd daemon to the Websense server.
  Any request to the Websense server is sent using one of these TCP connections.

Web Filtering Type: Integrated Web filtering
Description:
  The local URL Filtering cache maintained on the RT side is updated with the URL-to-category mappings received from the SurfControl content portal authority (SC-CPA) server for URL lookup requests sent to it.
  The RT side also maintains a list of categories received from the SC-CPA server.
  You can configure actions for various categories received from the SC-CPA server. This configuration is maintained on the RT side.
  You can define your own categories that contain a list of URLs and IP addresses. A predefined profile (ns-profile) can be used too. This configuration is also maintained on the RT side.
  URL lookups are made against the URL Filtering cache and the user-defined categories.
  If the category for the URL is not found in the local URL Filtering cache, categorization requests are sent to the utmd daemon and subsequently forwarded to the external SC-CPA server for response.

Web Filtering Type: Enhanced Web Filtering
Description:
  Enhanced Web Filtering is similar to integrated Web filtering. It maintains the URL Filtering cache, a list of categories from the server, and a list of user-defined categories. It performs the lookup and categorization similar to integrated Web filtering. It is similar in mechanism but differs in the server functionality used to determine URL categories.

Web Filtering Type: Juniper local URL filtering
Description:
  You can configure URL whitelists or blacklists for the URL lookups. This configuration is maintained on the real-time side of the Packet Forwarding Engine.
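The lookup path that Table 4 describes for integrated and enhanced Web filtering, shown as an added Python model (not Juniper's implementation and not code from this guide): user-defined categories and the local URL-to-category cache are consulted first, only a miss goes on to the external categorization server, and the profile's fallback-settings (server-connectivity, timeout, default) decide the action when that server cannot answer. The category names, URLs, actions and the FakeCategoryServer stand-in are constructed for the demonstration.

```python
"""Model of the Web filtering lookup path: custom categories, then the
local URL Filtering cache, then the external categorization server.
Added example; all names, URLs and the fake server are constructed."""
import time
from fnmatch import fnmatch


class ServerUnavailable(Exception):
    """The external categorization server could not be reached."""


class FakeCategoryServer:
    """Stand-in for the SC-CPA / enhanced categorization server (constructed)."""

    def __init__(self, table):
        self.table = table          # url -> category
        self.available = True
        self.queries = 0            # how many requests left the device

    def __call__(self, url):
        self.queries += 1
        if not self.available:
            raise ServerUnavailable(url)
        return self.table.get(url, "Unknown")


class WebFilter:
    def __init__(self, category_actions, default_action, fallback_settings,
                 custom_categories=None, cache_timeout=1800, server=None,
                 clock=time.time):
        self.category_actions = category_actions    # category -> action
        self.default_action = default_action        # profile "default" action
        self.fallback = fallback_settings           # fallback-settings stanza
        self.custom = custom_categories or {}       # custom-url-category lists
        self.cache_timeout = cache_timeout          # cache { timeout value; }
        self.cache = {}                             # url -> (category, expiry)
        self.server = server
        self.clock = clock

    def categorize(self, url):
        # 1. user-defined categories (URL patterns) are checked first
        for category, patterns in self.custom.items():
            if any(fnmatch(url, p) for p in patterns):
                return category
        # 2. local URL Filtering cache, honouring the cache timeout
        hit = self.cache.get(url)
        if hit and hit[1] > self.clock():
            return hit[0]
        # 3. miss: ask the external server and remember its answer
        category = self.server(url)     # may raise TimeoutError / ServerUnavailable
        self.cache[url] = (category, self.clock() + self.cache_timeout)
        return category

    def action_for(self, url):
        """Return block / log-and-permit / permit / quarantine for url."""
        try:
            category = self.categorize(url)
        except TimeoutError:
            return self.fallback.get("timeout", self.fallback["default"])
        except ServerUnavailable:
            return self.fallback.get("server-connectivity", self.fallback["default"])
        return self.category_actions.get(category, self.default_action)


def demo():
    """Hit each tier in turn, then a server outage; returns the actions
    taken and the number of requests that actually reached the server."""
    server = FakeCategoryServer({"http://example.com/news": "News",
                                 "http://example.net/dl": "Malware"})
    wf = WebFilter(
        category_actions={"Malware": "block", "News": "permit",
                          "corp-allowed": "permit"},
        default_action="log-and-permit",
        fallback_settings={"default": "block",
                           "server-connectivity": "log-and-permit",
                           "timeout": "block"},
        custom_categories={"corp-allowed": ["http://intranet.example.org/*"]},
        server=server,
    )
    actions = [
        wf.action_for("http://intranet.example.org/wiki"),  # custom category, no query
        wf.action_for("http://example.net/dl"),             # server says Malware
        wf.action_for("http://example.net/dl"),             # served from the cache
    ]
    server.available = False
    actions.append(wf.action_for("http://example.com/news"))  # miss during outage: fallback
    actions.append(wf.action_for("http://example.net/dl"))    # still cached: block
    return actions, server.queries


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is the one that matters in a cluster: a URL that is already in the local cache keeps its verdict through a server outage, while a cache miss during the outage is decided purely by fallback-settings, so that stanza deserves the same scrutiny as the category actions themselves.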

Antispam filtering: Antispam filtering pushes the user configuration (whitelist and blacklist) from the Routing Engine to the PFE-RT.

Express antivirus scanning: In express antivirus scanning, the antivirus detection functionality is performed by the Pattern Matching Engine (PME) in the Packet Forwarding Engine of the node where the UTM traffic is anchored. The signature database is downloaded by the primary Routing Engine and synchronized to the secondary Routing Engine to be loaded in its local PME. If configured, the primary Routing Engine does the periodic signature database updates and synchronizes them to the secondary Routing Engine.

Full file-based antivirus scanning: In full antivirus scanning, the Kaspersky Lab engine is responsible for scanning all the data it receives. The signature database is downloaded from external Kaspersky Lab servers and used by the scan engine in the Routing Engine. Full AV antivirus scanning is done in the Routing Engine of each node where the UTM traffic is anchored. The signature database files are downloaded by the primary Routing Engine and synchronized to the secondary Routing Engine. If configured, the primary Routing Engine performs the periodic signature database update and synchronizes it to the secondary Routing Engine.

Apart from the signature database lookup, full antivirus scanning uses the following configuration that is maintained in the RT side to determine if full antivirus scanning needs to be performed:

Mime whitelist: A hit bypasses antivirus scanning

Mime exception list: An exception to the whitelist

URL whitelist: A hit bypasses antivirus scanning

Filename extension: Only these extensions are sent for antivirus scanning

The packet processing in full antivirus scanning might occur within the RT side, based on the result of the user-configured lists. Otherwise, the UTM session spans across the RT and RE sides if full virus scanning needs to be performed.
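The two list-driven decisions described in this topic, the content-filtering block/permit decision (MIME type, file extension, protocol command, content type) and the full antivirus bypass decision (MIME whitelist with its exception list, URL whitelist, filename extension), as an added Python example that is not Juniper code and not taken from this guide. The dictionary keys mirror the statement names the guide lists for a content-filtering profile and for the antivirus lists; the evaluation order inside each function is this example's own choice, and the profile contents, MIME types, FTP commands and URLs are constructed.

```python
"""List-based block/permit and scan/bypass decisions modelled on the
content-filtering profile statements and the full antivirus lists.
Added example; evaluation order is assumed, sample data is constructed."""
from fnmatch import fnmatch


def _matches(value, patterns):
    """Case-insensitive glob match of value against a list of patterns."""
    return any(fnmatch(value.lower(), p.lower()) for p in patterns)


def _extension(filename):
    return filename.rsplit(".", 1)[-1] if "." in filename else ""


def content_filter_decision(profile, *, command="", mime_type="",
                            filename="", content_type=""):
    """Return 'block' or 'permit' for one protocol command or file transfer.
    Assumed order: permit-command, block-command, block-mime (minus its
    exception list), block-extension, block-content-type."""
    if command:
        if _matches(command, profile.get("permit-command", [])):
            return "permit"
        if _matches(command, profile.get("block-command", [])):
            return "block"
    block_mime = profile.get("block-mime", {})
    if mime_type and _matches(mime_type, block_mime.get("list", [])) \
            and not _matches(mime_type, block_mime.get("exception", [])):
        return "block"
    if filename and _matches(_extension(filename), profile.get("block-extension", [])):
        return "block"
    if content_type and content_type in profile.get("block-content-type", []):
        return "block"
    return "permit"


def antivirus_scan_required(av_lists, *, mime_type="", url="", filename=""):
    """True when a transfer must go to the scan engine. A MIME whitelist hit
    that is not on the exception list, or a URL whitelist hit, bypasses
    scanning; when a scan-extension list is configured, only those
    extensions are scanned."""
    whitelist = av_lists.get("mime-whitelist", {})
    if mime_type and _matches(mime_type, whitelist.get("list", [])) \
            and not _matches(mime_type, whitelist.get("exception", [])):
        return False
    if url and _matches(url, av_lists.get("url-whitelist", [])):
        return False
    scan_ext = av_lists.get("scan-extension")
    if scan_ext is not None:
        return _matches(_extension(filename), scan_ext)
    return True


# Constructed profile and lists, keyed by the statement names in this guide.
CF_PROFILE = {
    "block-command": ["STOR", "DELE"],
    "permit-command": ["RETR"],
    "block-mime": {"list": ["application/*"], "exception": ["application/pdf"]},
    "block-extension": ["exe", "scr"],
    "block-content-type": ["activex", "java-applet"],
}
AV_LISTS = {
    "mime-whitelist": {"list": ["image/*"], "exception": ["image/svg+xml"]},
    "url-whitelist": ["http://updates.example.org/*"],
    "scan-extension": ["exe", "dll", "zip", "doc"],
}

if __name__ == "__main__":
    print(content_filter_decision(CF_PROFILE, filename="setup.exe"))
    print(antivirus_scan_required(AV_LISTS, mime_type="image/svg+xml", filename="logo.zip"))
```

Two things to take from running it: an exception list narrows a whitelist rather than overriding it (image/svg+xml is still scanned although image/* is whitelisted), and a scan-extension list silently exempts every extension it does not name, so it should be reviewed as a bypass list, not only as a scan list.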

Related Documentation

    Chassis Cluster Overview

    Understanding Chassis Cluster Formation

    Understanding Chassis Cluster Redundancy Groups

    Understanding Chassis Cluster Redundant Ethernet Interfaces

    Unified Threat Management Overview on page 3

    Understanding UTM Support for Active/Active Chassis Cluster on page 11

    Junos OS UTM Library for Security Devices


PART 2

Configuration

UTM Licensing on page 19

WELF Logging on page 21

Configuration Statements on page 25

CHAPTER 5

    UTM Licensing

    Updating UTM Licenses (CLI Procedure) on page 19

    Updating UTM Licenses (CLI Procedure)

    Supported Platforms J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

    To apply your UTM subscription license to the device, use the following CLI command:

    user@host> request system license update

Related Documentation

    Unified Threat Management Overview on page 3

Understanding UTM Custom Objects on page 5

    Understanding UTM Licensing on page 7

Understanding WELF Logging for UTM Features on page 9

Example: Configuring WELF Logging for UTM Features on page 21

    Junos OS UTM Library for Security Devices

CHAPTER 6

    WELF Logging

Example: Configuring WELF Logging for UTM Features on page 21

Example: Configuring WELF Logging for UTM Features

    Supported Platforms J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

This example shows how to configure WELF logging for UTM features.

    Requirements on page 21

    Overview on page 21

    Configuration on page 21

    Verification on page 23

    Requirements

Before you begin, review the fields used to create a WELF log file and record. See Understanding WELF Logging for UTM Features on page 9.

    Overview

A WELF log file is composed of records. Each record is a single line in the file. Records are always in chronological order. The earliest record is the first record in the file; the most recent record is the last record in the file. WELF places no restrictions on log filenames or log file rotation policies. In this example, the severity level is emergency and the name of the security log stream is utm-welf.
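A parser for WELF files of the shape described above (one record per line, records in chronological order), added here as an example that is not part of the Juniper guide. WELF records are space-separated key=value fields with double-quoted values where a value contains spaces; the three record lines, the source and destination addresses and the message texts are constructed, not captured from a device, and the example treats the pri field as a syslog-style severity with 0 meaning emergency, which is an assumption of the example rather than something the guide states.

```python
"""Parse WELF (WebTrends Extended Log Format) records and check the two
properties the text states: one record per line, chronological order.
Added example; the sample records are constructed."""
import re
from datetime import datetime

# WELF records are space-separated key=value pairs; a value that contains
# spaces is enclosed in double quotes (backslash escapes allowed inside).
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Turn one WELF line into a dict of field -> value (quotes stripped)."""
    fields = {}
    for key, value in _PAIR.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_welf(text):
    """Parse a whole log file: every non-empty line is one record."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def is_chronological(records, time_field="time", fmt="%Y-%m-%d %H:%M:%S"):
    """True when no record carries an earlier timestamp than the one before it."""
    stamps = [datetime.strptime(r[time_field], fmt) for r in records]
    return all(a <= b for a, b in zip(stamps, stamps[1:]))


def at_least_severity(records, max_pri):
    """Records whose severity is max_pri or more severe (lower number).
    Assumes syslog numbering: 0 = emergency ... 7 = debug."""
    return [r for r in records if int(r.get("pri", 7)) <= max_pri]


# Constructed sample: three UTM events as a WebTrends server might store them.
SAMPLE_LOG = """\
id=firewall time="2013-11-19 10:00:01" fw=1.2.3.4 pri=0 msg="UTM antivirus: virus detected" src=10.0.0.5 dst=203.0.113.9
id=firewall time="2013-11-19 10:00:05" fw=1.2.3.4 pri=4 msg="UTM web filter: category blocked" src=10.0.0.6 dst=203.0.113.10
id=firewall time="2013-11-19 10:00:07" fw=1.2.3.4 pri=0 msg="UTM antispam: blacklist hit" src=10.0.0.7 dst=203.0.113.11
"""

if __name__ == "__main__":
    recs = parse_welf(SAMPLE_LOG)
    print(len(recs), "records, chronological:", is_chronological(recs))
    for r in at_least_severity(recs, 0):
        print(r["time"], r["msg"])
```

A file that fails the chronological check is worth a second look on the collector side: a WELF stream that arrives out of order usually points at mixed clocks between devices or at a collector that merges several streams, either of which will distort any timeline built from the log.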

    Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set security log source-address 1.2.3.4 stream utm-welf
set security log source-address 1.2.3.4 stream utm-welf format welf
set security log source-address 1.2.3.4 stream utm-welf format welf category content-security
set security log source-address 1.2.3.4 stream utm-welf format welf category content-security severity emergency
set security log source-address 1.2.3.4 stream utm-welf format welf category content-security severity emergency host 5.6.7.8

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure WELF logging for UTM features:

    1. Set the security log source IP address.

[edit security log]
user@host# set source-address 1.2.3.4

NOTE: You must save the WELF logging messages to a dedicated WebTrends server.

    2. Name the security log stream.

[edit security log]
user@host# set source-address 1.2.3.4 stream utm-welf

    3. Set the format for the log messages.

[edit security log]
user@host# set source-address 1.2.3.4 stream utm-welf format welf

    4. Set the category of log messages that are sent.

[edit security log]
user@host# set source-address 1.2.3.4 stream utm-welf format welf category content-security

    5. Set the severity level of log messages that are sent.

[edit security log]
user@host# set source-address 1.2.3.4 stream utm-welf format welf category content-security severity emergency

6. Enter the host address of the dedicated WebTrends server to which the log messages are to be sent.

[edit security log]
user@host# set source-address 1.2.3.4 stream utm-welf format welf category content-security severity emergency host 5.6.7.8

Results From configuration mode, confirm your configuration by entering the show security log command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security log
stream utm-welf {
    severity emergency;
    format welf;
    category content-security;
    host {
        5.6.7.8;
    }
}

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the configuration is working properly, perform this task:

    Verifying the Security Log on page 23

    Verifying the Security Log

Purpose Verify that the WELF log for UTM features is complete.

Action From operational mode, enter the show security utm status command to verify whether the UTM service is running.

Related Documentation

    Unified Threat Management Overview on page 3

Understanding UTM Custom Objects on page 5

    Understanding UTM Licensing on page 7

    Updating UTM Licenses (CLI Procedure) on page 19

    Junos OS UTM Library for Security Devices

CHAPTER 7

    Configuration Statements

    Security Configuration Statement Hierarchy on page 25

    [edit security utm] Hierarchy Level on page 26

    Security Configuration Statement Hierarchy

    Supported Platforms J Series, LN Series, SRX Series

Use the statements in the security configuration hierarchy to configure actions, certificates, dynamic virtual private networks (VPNs), firewall authentication, flow, forwarding options, group VPNs, Intrusion Detection Prevention (IDP), Internet Key Exchange (IKE), Internet Protocol Security (IPsec), logging, Network Address Translation (NAT), public key infrastructure (PKI), policies, resource manager, rules, screens, secure shell known hosts, trace options, user identification, Unified Threat Management (UTM), and zones. Statements that are exclusive to the J Series and SRX Series devices running Junos OS are described in this section.

Each of the following topics lists the statements at a sub-hierarchy of the [edit security] hierarchy.

    [edit security address-book] Hierarchy Level

    [edit security alarms] Hierarchy Level

    [edit security alg] Hierarchy Level

    [edit security analysis] Hierarchy Level

    [edit security application-firewall] Hierarchy Level

    [edit security application-tracking] Hierarchy Level

    [edit security certificates] Hierarchy Level

    [edit security datapath-debug] Hierarchy Level

    [edit security dynamic-vpn] Hierarchy Level

    [edit security firewall-authentication] Hierarchy Level

    [edit security flow] Hierarchy Level

    [edit security forwarding-options] Hierarchy Level

    [edit security forwarding-process] Hierarchy Level

[edit security gprs] Hierarchy Level

    [edit security group-vpn] Hierarchy Level

    [edit security idp] Hierarchy Level

    [edit security ike] Hierarchy Level

    [edit security ipsec] Hierarchy Level

    [edit security log] Hierarchy Level

    [edit security nat] Hierarchy Level

    [edit security pki] Hierarchy Level

    [edit security policies] Hierarchy Level

    [edit security resource-manager] Hierarchy Level

    [edit security screen] Hierarchy Level

    [edit security softwires] Hierarchy Level

    [edit security ssh-known-hosts] Hierarchy Level

    [edit security traceoptions] Hierarchy Level

    [edit security user-identification] Hierarchy Level

    [edit security utm] Hierarchy Level on page 26

    [edit security zones] Hierarchy Level

Related Documentation

    Master Administrator for Logical Systems Feature Guide for Security Devices

    CLI User Guide

    [edit security utm] Hierarchy Level

    Supported Platforms J Series, SRX Series

security {
  utm {
    application-proxy {
      traceoptions {
        flag flag;
      }
    }
    custom-objects {
      custom-url-category object-name {
        value [value];
      }
      filename-extension object-name {
        value [value];
      }
      mime-pattern object-name {
        value [value];
      }
      protocol-command object-name {
        value [value];
      }
      url-pattern object-name {
        value [value];
      }
    }
    feature-profile {
      anti-spam {
        address-blacklist list-name;
        address-whitelist list-name;
        sbl {
          profile profile-name {
            custom-tag-string [string];
            (sbl-default-server | no-sbl-default-server);
            spam-action (block | tag-header | tag-subject);
          }
        }
        traceoptions {
          flag flag;
        }
      }
      anti-virus {
        juniper-express-engine {
          pattern-update {
            email-notify {
              admin-email email-address;
              custom-message message;
              custom-message-subject message-subject;
            }
            interval value;
            no-autoupdate;
            proxy {
              password password-string;
              port port-number;
              server address-or-url;
              username name;
            }
            url url;
          }
          profile profile-name {
            fallback-options {
              content-size (block | log-and-permit);
              default (block | log-and-permit);
              engine-not-ready (block | log-and-permit);
              out-of-resources (block | log-and-permit);
              timeout (block | log-and-permit);
              too-many-requests (block | log-and-permit);
            }
            notification-options {
              fallback-block {
                administrator-email email-address;
                allow-email;
                custom-message message;
                custom-message-subject message-subject;
                display-host;
                (notify-mail-sender | no-notify-mail-sender);
                type (message | protocol-only);
              }
              fallback-non-block {
                custom-message message;
                custom-message-subject message-subject;
                (notify-mail-recipient | no-notify-mail-recipient);
              }
              virus-detection {
                custom-message message;
                custom-message-subject message-subject;
                (notify-mail-sender | no-notify-mail-sender);
                type (message | protocol-only);
              }
            }
            scan-options {
              content-size-limit value;
              (intelligent-prescreening | no-intelligent-prescreening);
              timeout value;
            }
            trickling {
              timeout value;
            }
          }
        }
        kaspersky-lab-engine {
          pattern-update {
            email-notify {
              admin-email email-address;
              custom-message message;
              custom-message-subject message-subject;
            }
            interval value;
            no-autoupdate;
            proxy {
              password password-string;
              port port-number;
              server address-or-url;
              username name;
            }
            url url;
          }
          profile profile-name {
            fallback-options {
              content-size (block | log-and-permit);
              corrupt-file (block | log-and-permit);
              decompress-layer (block | log-and-permit);
              default (block | log-and-permit);
              engine-not-ready (block | log-and-permit);
              out-of-resources (block | log-and-permit);
              password-file (block | log-and-permit);
              timeout (block | log-and-permit);
              too-many-requests (block | log-and-permit);
            }
            notification-options {
              fallback-block {
                administrator-email email-address;
                allow-email;
                custom-message message;
                custom-message-subject message-subject;
                display-host;
                (notify-mail-sender | no-notify-mail-sender);
                type (message | protocol-only);
              }
              fallback-non-block {
                custom-message message;
                custom-message-subject message-subject;
                (notify-mail-recipient | no-notify-mail-recipient);
              }
              virus-detection {
                custom-message message;
                custom-message-subject message-subject;
                (notify-mail-sender | no-notify-mail-sender);
                type (message | protocol-only);
              }
            }
            scan-options {
              content-size-limit value;
              decompress-layer-limit value;
              (intelligent-prescreening | no-intelligent-prescreening);
              scan-extension filename;
              scan-mode (all | by-extension);
              timeout value;
            }
            trickling {
              timeout value;
            }
          }
        }
        mime-whitelist {
          exception listname;
          list listname {
            exception listname;
          }
        }
        sophos-engine {
          pattern-update {
            email-notify {
              admin-email email-address;
              custom-message message;
              custom-message-subject message-subject;
            }
            interval value;
            no-autoupdate;
            proxy {
              password password-string;
              port port-number;
              server address-or-url;
              username name;
            }
            url url;
          }
          profile profile-name {
            fallback-options {
              content-size (block | log-and-permit | permit);
              default (block | log-and-permit | permit);
              engine-not-ready (block | log-and-permit | permit);
              out-of-resources (block | log-and-permit | permit);
              timeout (block | log-and-permit | permit);
              too-many-requests (block | log-and-permit | permit);
            }
            notification-options {
              fallback-block {
                administrator-email email-address;
                allow-email;
                custom-message message;
                custom-message-subject message-subject;
                display-host;
                (notify-mail-sender | no-notify-mail-sender);
                type (message | protocol-only);
              }
              fallback-non-block {
                custom-message message;
                custom-message-subject message-subject;
                (notify-mail-recipient | no-notify-mail-recipient);
              }
              virus-detection {
                custom-message message;
                custom-message-subject message-subject;
                (notify-mail-sender | no-notify-mail-sender);
                type (message | protocol-only);
              }
            }
            scan-options {
              content-size-limit value;
              (no-uri-check | uri-check);
              timeout value;
            }
            trickling {
              timeout value;
            }
          }
          sxl-retry value;
          sxl-timeout seconds;
        }
        traceoptions {
          flag flag;
        }
        type (juniper-express-engine | kaspersky-lab-engine | sophos-engine);
        url-whitelist listname;
      }
      content-filtering {
        profile profile-name {
          block-command protocol-command-list;
          block-content-type (activex | exe | http-cookie | java-applet | zip);
          block-extension extension-list;
          block-mime {
            exception list-name;
            list list-name;
          }
          notification-options {
            custom-message message;
            (notify-mail-sender | no-notify-mail-sender);
            type (message | protocol-only);
          }
          permit-command protocol-command-list;
        }
        traceoptions {
          flag flag;
        }
      }
      web-filtering {
        juniper-enhanced {
          cache {
            size value;
            timeout value;
          }
          profile profile-name {
            block-message {
              type {
                custom-redirect-url;
              }
              url url;
            }
            quarantine-message {
              type {
                custom-redirect-url;
              }
              url url;
            }
            category customurl-list name {
              action (block | log-and-permit | permit | quarantine);
            }
            custom-block-message value;
            custom-quarantine-message value;
            default (block | log-and-permit | permit | quarantine);
            fallback-settings {
              default (block | log-and-permit);
              server-connectivity (block | log-and-permit);
              timeout (block | log-and-permit);
              too-many-requests (block | log-and-permit);
            }
            no-safe-search;
            site-reputation-action {
              fairly-safe (block | log-and-permit | permit | quarantine);
              harmful (block | log-and-permit | permit | quarantine);
              moderately-safe (block | log-and-permit | permit | quarantine);
              suspicious (block | log-and-permit | permit | quarantine);
              very-safe (block | log-and-permit | permit | quarantine);
            }
            timeout value;
          }
          server {
            host host-name;
            port number;
          }
        }
        juniper-local {
          profile profile-name {
            custom-block-message value;
            default (block | log-and-permit | permit);
            fallback-settings {
              default (block | log-and-permit);
              server-connectivity (block | log-and-permit);
              timeout (block | log-and-permit);
              too-many-requests (block | log-and-permit);
            }
            timeout value;
          }
        }
        surf-control-integrated {
          cache {
            size value;
            timeout value;
          }
          profile profile-name {
            category customurl-list name {
              action (block | log-and-permit | permit);
            }
            custom-block-message value;
            default (block | log-and-permit | permit);
            fallback-settings {
              default (block | log-and-permit);
              server-connectivity (block | log-and-permit);
              timeout (block | log-and-permit);
              too-many-requests (block | log-and-permit);
            }
            timeout value;
          }
          server {
            host host-name;
            port number;
          }
        }
        traceoptions {
          flag flag;
        }
        type (juniper-enhanced | juniper-local | surf-control-integrated | websense-redirect);
        url-blacklist listname;
        url-whitelist listname;
        websense-redirect {
          profile profile-name {
            account value;
            custom-block-message value;
            fallback-settings {
              default (block | log-and-permit);
              server-connectivity (block | log-and-permit);
              timeout (block | log-and-permit);
              too-many-requests (block | log-and-permit);
            }
            server {
              host host-name;
              port number;
            }
            sockets value;
            timeout value;
          }
        }
      }
    }
    ipc {
      traceoptions flag flag;
    }
    traceoptions {
      flag flag;
    }
    utm-policy policy-name {
      anti-spam {
        smtp-profile profile-name;
      }
      anti-virus {
        ftp {
          download-profile profile-name;
          upload-profile profile-name;
        }
        http-profile profile-name;
        imap-profile profile-name;
        pop3-profile profile-name;
        smtp-profile profile-name;
      }
      content-filtering {
        ftp {
          download-profile profile-name;
          upload-profile profile-name;
        }
        http-profile profile-name;
        imap-profile profile-name;
        pop3-profile profile-name;
        smtp-profile profile-name;
      }
      traffic-options {
        sessions-per-client {
          limit value;
          over-limit (block | log-and-permit);
        }
      }
      web-filtering {
        http-profile profile-name;
      }
    }
  }
}

Related Documentation

    Security Configuration Statement Hierarchy on page 25

    Junos OS UTM Library for Security Devices

    application-proxy (Security UTM)

    Supported Platforms J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax

application-proxy {
  traceoptions {
    flag flag;
  }
}

    Hierarchy Level [edit security utm]

    Release Information Statement introduced in Junos OS Release 9.5.

    Description Configure trace options for the application proxy.

    Options The remaining statements are explained separately.

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

UTM Overview Feature Guide for Security Devices

log (Security)

    Supported Platforms J Series, SRX Series

Syntax

log {
  cache {
    exclude exclude-name {
      destination-address destination-address;
      destination-port destination-port;
      event-id event-id;
      failure;
      interface-name interface-name;
      policy-name policy-name;
      process process-name;
      protocol protocol;
      source-address source-address;
      source-port source-port;
      success;
      user-name user-name;
    }
    limit value;
  }
  disable;
  event-rate rate;
  file {
    files max-file-number;
    name file-name;
    path binary-log-file-path;
    size maximum-file-size;
  }
  format (binary | sd-syslog | syslog);
  mode (event | stream);
  rate-cap rate-cap-value;
  source-address source-address;
  stream stream-name {
    category (all | content-security);
    format (binary | sd-syslog | syslog | welf);
    host {
      ip-address;
      port port-number;
    }
    severity (alert | critical | debug | emergency | error | info | notice | warning);
  }
  traceoptions {
    file {
      filename;
      files number;
      match regular-expression;
      size maximum-file-size;
      (world-readable | no-world-readable);
    }
    flag flag;
    no-remote-trace;
  }
  utc-time-stamp;
}

Hierarchy Level [edit security]

    Release Information Statement introduced in Junos OS Release 9.2.

Description You can set the mode of logging (event for traditional system logging or stream for streaming security logs through a revenue port to a server). You can also specify all the other parameters for security logging.

Options

disable: Disable the security logging for the device.

event-rate rate: Limits the rate (0 through 1500) at which logs will be streamed per second.

rate-cap rate-cap-value: Limits the rate (0 through 5000) at which data plane logs will be generated per second.

source-address source-address: Specify a source IP address or IP address used when exporting security logs.

utc-time-stamp: Specify to use UTC time for security log timestamps.

    The remaining statements are explained separately.

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

    Application Tracking Feature Guide for Security Devices

    Master Administrator for Logical Systems Feature Guide for Security Devices

format (Security Log Stream)

    Supported Platforms J Series, SRX Series

    Syntax format (binary | sd-syslog | syslog | welf)

    Hierarchy Level [edit security log stream stream-name]

    Release Information Statement introduced in Release 10.0 of Junos OS. Updated in Release 12.1 of Junos OS.

Description Set the format for remote security message logging to binary, syslog (system log), sd-syslog (structured system log), or welf. Note that for the WELF format, the category must be set to content-security (see category (Security Logging)).

Options

binary: Binary encoded text to conserve resources.

sd-syslog: Structured system log file.

syslog: Traditional system log file.

welf: WebTrends Extended Log Format.

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

    Application Tracking Feature Guide for Security Devices

    Master Administrator for Logical Systems Feature Guide for Security Devices

category (Security Logging)

    Supported Platforms J Series, SRX Series

    Syntax category (all | content-security)

    Hierarchy Level [edit security log stream stream-name]

    Release Information Statement introduced in Release 10.0 of Junos OS.

Description Set the category of logging to all or content-security. Note that for the WELF format, the category must be set to content-security.

NOTE: On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if the stream configuration does not specify a destination port, the default destination port will be the syslog port. If you specify a destination port in the stream configuration, then that port will be used instead.

Options

all: All events are logged.

content-security: Only content security events are logged.

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

    Application Tracking Feature Guide for Security Devices

    Master Administrator for Logical Systems Feature Guide for Security Devices

content-filtering (Security UTM Policy)

    Supported Platforms J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

    Syntax content-filtering {ftp {download-profile profile-name;upload-profile profile-name;

    }http-profile profile-name;imap-profile profile-name;pop3-profile profile-name;smtp-profile profile-name;

    }

    Hierarchy Level [edit security utm utm-policy policy-name]

    Release Information Statement introduced in Release 9.5 of Junos OS.

    Description Configure a UTM policy for the content-filtering protocols and attach this policy to asecurity profile to implement it.

    Options The remaining statements are explained separately.

    Required PrivilegeLevel

    securityTo view this statement in the configuration.security-controlTo add this statement to the configuration.

    RelatedDocumentation

    UTM Content Filtering Feature Guide for Security Devices

• limit (UTM Policy)

Supported Platforms: J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax: limit value;

Hierarchy Level: [edit security utm utm-policy policy-name traffic-options sessions-per-client]

Release Information: Statement introduced in Release 9.5 of Junos OS.

Description: In an attempt to consume all available resources and hinder the ability of the device, a malicious user might generate a large amount of traffic all at once. To prevent such activity from succeeding, you can impose a session throttle to limit sessions.

Required Privilege Level:

security: To view this statement in the configuration.

security-control: To add this statement to the configuration.

Related Documentation:

UTM Content Filtering Feature Guide for Security Devices

UTM Overview Feature Guide for Security Devices


• ipc

Supported Platforms: J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax:

ipc {
    traceoptions flag flag;
}

Hierarchy Level: [edit security utm]

Release Information: Statement introduced in Junos OS Release 9.5.

Description: Configure trace options for IPC.

Options:

flag: Trace operation to perform. To specify more than one trace operation, include multiple flag statements.

all: Enable trace for all IPC trace options.

basic: Trace basic IPC related information.

connection-manager: Trace IPC connection manager information.

connection-status: Trace IPC connection status information.

detail: Trace IPC related detailed information.

pfe: Trace communication with PFE.

utm-realtime: Trace IPC realtime-thread information.

Required Privilege Level:

security: To view this statement in the configuration.

security-control: To add this statement to the configuration.

Related Documentation:

UTM Overview Feature Guide for Security Devices


• sessions-per-client

Supported Platforms: J Series, SRX Series

Syntax:

sessions-per-client {
    limit value;
    over-limit (block | log-and-permit);
}

Hierarchy Level: [edit security utm utm-policy policy-name traffic-options]

Release Information: Statement introduced in Release 9.5 of Junos OS.

Description: In an attempt to consume all available resources and hinder the ability of the device, a malicious user might generate a large amount of traffic all at once. To prevent such activity from succeeding, you can impose a session throttle.

NOTE: The sessions-per-client limit command supports the antispam, content filtering, and antivirus UTM features. It does not support Web filtering.

Options: The remaining statements are explained separately.

Required Privilege Level:

security: To view this statement in the configuration.

security-control: To add this statement to the configuration.

Related Documentation:

UTM Overview Feature Guide for Security Devices

• smtp-profile (Security UTM Policy Antispam)

Supported Platforms: J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax: smtp-profile profile-name;

Hierarchy Level: [edit security utm utm-policy policy-name anti-spam]

Release Information: Statement introduced in Release 9.5 of Junos OS.

Description: Configure a UTM policy for the antispam SMTP protocol and attach this policy to a security profile to implement it.

Required Privilege Level:

security: To view this statement in the configuration.

security-control: To add this statement to the configuration.

Related Documentation:

UTM Content Filtering Feature Guide for Security Devices


• traffic-options

Supported Platforms: J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax:

traffic-options {
    sessions-per-client {
        limit value;
        over-limit (block | log-and-permit);
    }
}

Hierarchy Level: [edit security utm utm-policy policy-name]

Release Information: Statement introduced in Release 9.5 of Junos OS.

Description: In an attempt to consume all available resources and hinder the ability of the device, a malicious user might generate a large amount of traffic all at once. To prevent such activity from succeeding, you can impose a session throttle.

Options: The remaining statements are explained separately.

Required Privilege Level:

security: To view this statement in the configuration.

security-control: To add this statement to the configuration.

Related Documentation:

UTM Content Filtering Feature Guide for Security Devices
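To make the difference between the two over-limit actions concrete, here is a small Python model of the per-client session throttle defined by traffic-options and its sessions-per-client, limit and over-limit statements (the NOTE under sessions-per-client applies: the throttle covers antispam, content filtering and antivirus, not Web filtering). It is an added example, not Juniper code: the counting rule (open UTM sessions per client address compared against limit, with a closed session freeing a slot) is an assumption made for illustration, since the guide describes the statements but not the device's internal accounting. The event stream and client addresses are constructed.

```python
from collections import Counter


class SessionThrottle:
    """Per-client session throttle modelling
    'sessions-per-client { limit N; over-limit (block | log-and-permit); }'.

    Assumption (not from the guide): the throttle compares the number of
    currently open UTM sessions from one client address against `limit`.
    """

    def __init__(self, limit, over_limit="block"):
        if over_limit not in ("block", "log-and-permit"):
            raise ValueError("over-limit must be 'block' or 'log-and-permit'")
        if limit < 1:
            raise ValueError("limit must be a positive session count")
        self.limit = limit
        self.over_limit = over_limit
        self.active = Counter()   # client address -> open sessions
        self.events = []          # over-limit conditions, as the device would log them

    def open_session(self, client):
        """Decide the fate of a new session from `client`.

        Returns 'permit' (under the limit), 'block' (over the limit, dropped)
        or 'log-and-permit' (over the limit, logged but allowed through).
        """
        if self.active[client] < self.limit:
            self.active[client] += 1
            return "permit"
        self.events.append((client, self.over_limit))
        if self.over_limit == "block":
            return "block"
        self.active[client] += 1
        return "log-and-permit"

    def close_session(self, client):
        """A closed session frees one slot for that client."""
        if self.active[client] > 0:
            self.active[client] -= 1
        if self.active[client] == 0:
            self.active.pop(client, None)


def simulate(limit, over_limit, events):
    """Replay ('open'|'close', client) events; return (decisions, throttle)."""
    throttle = SessionThrottle(limit, over_limit)
    decisions = []
    for action, client in events:
        if action == "open":
            decisions.append(throttle.open_session(client))
        elif action == "close":
            throttle.close_session(client)
        else:
            raise ValueError("unknown action %r" % action)
    return decisions, throttle


# Constructed event stream (not from the guide): 10.0.0.5 opens more
# sessions than a limit of 2 allows, 10.0.0.9 stays within it.
EVENTS = [
    ("open", "10.0.0.5"), ("open", "10.0.0.5"), ("open", "10.0.0.5"),
    ("open", "10.0.0.9"),
    ("close", "10.0.0.5"), ("open", "10.0.0.5"),
]

if __name__ == "__main__":
    for mode in ("block", "log-and-permit"):
        decisions, throttle = simulate(2, mode, EVENTS)
        print(mode, decisions, dict(throttle.active), len(throttle.events))
```

With over-limit block, the third session from 10.0.0.5 is dropped and the client stays at the limit; with log-and-permit the same session is admitted and only an over-limit event is recorded, so the client's open-session count can exceed limit. That is the trade-off the two keywords express: block protects the device's resources, log-and-permit keeps traffic flowing while giving the operator the evidence to act on.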


• traceoptions (Security Application Proxy)

Supported Platforms: J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax:

traceoptions {
    flag flag;
}

Hierarchy Level: [edit security utm application-proxy]

Release Information: Statement introduced in Release 9.5 of Junos OS.

Description: Configure tracing options for application proxy.

Options:

flag: Trace operation to perform. To specify more than one trace operation, include multiple flag statements.

abort: Trace aborted sessions for application proxy.

all: Trace with all flags enabled.

anti-virus: Trace anti-virus information.

application-objects: Trace application-proxy objects information.

basic: Trace application-proxy related basic information.

buffer: Trace application-proxy data buffer information.

connection-rating: Trace connection rating information.

detail: Trace application-proxy related detailed information.

express-anti-virus: Trace anti-virus express engine information.

ftp-control: Trace FTP control connection information.

ftp-data: Trace FTP data connection information.

http: Trace HTTP protocol information.

imap: Trace IMAP protocol information.

memory: Trace memory usage.

mime: Trace MIME parser information.

parser: Trace protocol parser information.

pfe: Trace communication with PFE.

pop3: Trace POP3 protocol information.

queue: Trace queue information.

regex-engine: Trace Pattern Match Engine (PME) information.

smtp: Trace SMTP protocol information.

sophos-anti-virus: Trace anti-virus Sophos engine information.


tcp: Trace TCP level information.

timer: Trace timer processing.

utm-realtime: Trace application-proxy realtime-thread information.

Required Privilege Level:

trace: To view this statement in the configuration.

trace-control: To add this statement to the configuration.

Related Documentation:

UTM Overview Feature Guide for Security Devices

• traceoptions (Security UTM)

Supported Platforms: J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax: traceoptions flag flag;

Hierarchy Level: [edit security utm]

Release Information: Statement introduced in Release 9.5 of Junos OS.

Description: Define tracing operations for UTM features.

Options:

flag: Trace operation to perform. To specify more than one trace operation, include multiple flag statements.

all: Enable trace for all UTM trace options.

cli: Trace CLI configuration activity and command changes.

daemon: Trace daemon information.

ipc: Trace communication events with the Packet Forwarding Engine (PFE).

pfe: Trace PFE information.

Required Privilege Level:

trace: To view this statement in the configuration.

trace-control: To add this statement to the configuration.

Related Documentation:

UTM Overview Feature Guide for Security Devices


• utm-policy (Application Services)

Supported Platforms: J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax: utm-policy policy-name;

Hierarchy Level: [edit security policies from-zone zone-name to-zone zone-name policy policy-name then permit application-services]

Release Information: Statement introduced in Junos OS Release 11.1.

Description: Configure a UTM policy for application services and attach this policy to a security profile to implement it.

Options:

policy-name: Specify the name of the UTM policy.

Required Privilege Level:

security: To view this statement in the configuration.

security-control: To add this statement to the configuration.

Related Documentation:

UTM Content Filtering Feature Guide for Security Devices


• PART 3: Administration

Operational Commands on page 49


• CHAPTER 8: Operational Commands


• clear security utm session

Supported Platforms: J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax: clear security utm session

Release Information: Command introduced in Junos OS Release 9.5. Support for UTM in chassis cluster added in Junos OS Release 11.4.

Description: Clear UTM session information. With chassis cluster support for UTM, sessions on both the nodes are cleared.

Required Privilege Level: clear

Related Documentation:

show security utm session

show security utm status on page 53

Junos OS UTM Library for Security Devices

Output Fields: This command produces no output.

Sample Output

clear security utm session

user@host> clear security utm session


• request system license update

Supported Platforms: J Series, LN Series, SRX Series

Syntax: request system license update

Release Information: Command introduced in Junos OS Release 9.5.

Description: Start autoupdating license keys from the LMS server.

Options:

trial: Starts autoupdating trial license keys from the LMS server.

Required Privilege Level: maintenance

Related Documentation:

Administration Guide for Security Devices

UTM Overview Feature Guide for Security Devices

Installation and Upgrade Guide for Security Devices

List of Sample Output:

request system license update on page 51

request system license update trial on page 51

Output Fields: When you enter this command, you are provided feedback on the status of your request.

Sample Output

request system license update

user@host> request system license update
Request to automatically update license keys from https://ae1.juniper.net has been sent, use show system license to check status.

request system license update trial

user@host> request system license update trial
Request to automatically update trial license keys from https://ae1.juniper.net has been sent, use show system license to check status.


• show configuration smtp

Supported Platforms: J Series, SRX Series

Syntax: show configuration smtp

Release Information: Command introduced in Release 10.0 of Junos OS.

Description: Display complete SMTP information.

Options:

apply-groups: Groups from which SMTP inherits configuration data.

apply-groups-except: Groups from which SMTP restricts inheriting configuration data.

Required Privilege Level: view

Related Documentation:

Junos OS UTM Library for Security Devices

List of Sample Output:

show configuration smtp on page 52

Output Fields: Table 5 on page 52 describes the output fields for the show configuration smtp command.

Table 5: show configuration smtp Output Fields

Field Name | Field Description | Level of Output
address | SMTP server's IPv4 address | All levels
login | Configure a mail sender account to the server | All levels
password | Default sender password for user authentication | All levels

Sample Output

show configuration smtp

user@host> show configuration smtp
primary-server {
    address 218.102.48.213;
    login "[email protected]" {
        password "$9$YhgoZ.PQ6CuTQlKMLN-qmP"; ## SECRET-DATA
    }
}


• show security utm status

Supported Platforms: J Series, SRX Series

Syntax: show security utm status

Release Information: Command introduced in Junos OS Release 9.5. Support for UTM in chassis cluster added in Junos OS Release 11.4.

Description: Display whether the UTM service is running or not, and the status of both the nodes (with full chassis cluster support for UTM).

Required Privilege Level: view

Related Documentation:

clear security utm session on page 50

show security utm session

Junos OS UTM Library for Security Devices

Output Fields: Output fields are listed in the approximate order in which they appear.

Sample Output

show security utm status

user@host> show security utm status
UTM service status: Running


• show security log

Supported Platforms: J Series, SRX Series

Syntax: show security log {all | destination-address | destination-port | event-id | failure | interface-name | newer-than | older-than | process | protocol | severity | sort-by | source-address | source-port | success | user}

Release Information: Command introduced in Release 11.2 of Junos OS.

Description: Display security event logs. This command continuously displays security events on the screen. To stop the display, press Ctrl+c.

Options:

all: Displays all audit event logs stored in the device memory.

destination-address: Displays audit event logs with the specified destination address.

destination-port: Displays audit event logs with the specified destination port.

event-id: Displays audit event logs with the specified event identification number.

failure: Displays failed audit event logs.

interface-name: Displays audit event logs with the specified interface.

newer-than: Displays audit event logs newer than the specified date and time.

older-than: Displays audit event logs older than the specified date and time.

process: Displays audit event logs with the specified process that generated the event.

protocol: Displays audit event logs generated through the specified protocol.

severity: Displays audit event logs generated with the specified severity.

sort-by: Displays audit event logs sorted by the specified options.

source-address: Displays audit event logs with the specified source address.

source-port: Displays audit event logs with the specified source port.

success: Displays successful audit event logs.

username: Displays audit event logs generated for the specified user.

Required Privilege Level: view

Related Documentation:

exclude (Security Log)

clear security log

List of Sample Output:

show security log on page 55


Output Fields: Table 6 on page 55 lists the output fields for the show security log command. Output fields are listed in the approximate order in which they appear.

Table 6: show security log Output Fields

Field Name | Field Description
Event time | The timestamp of the events received. On SRX Series devices, security logs were always timestamped using the UTC time zone by running the set system time-zone utc and set security log utc-timestamp CLI commands. Now, the time zone can be defined using the local time zone by running the set system time-zone time-zone command to specify the local time zone that the system should use when timestamping the security logs.
Message | Security events are listed.

Sample Output

show security log

user@host> show security log
Event time             Message
2010-10-22 13:28:37 CST session created 1.1.1.2/1->2.2.2.2/1308 icmp 1.1.1.2/1->2.2.2.2/1308 None None 1 policy1 trustZone untrustZone 52 N/A(N/A) ge-0/0/1.0
2010-10-22 13:28:38 CST session created 1.1.1.2/2->2.2.2.2/1308 icmp 1.1.1.2/2->2.2.2.2/1308 None None 1 policy1 trustZone untrustZone 54 N/A(N/A) ge-0/0/1.0

...

2010-10-22 13:36:12 CST session denied 1.1.1.2/1->2.2.2.2/54812 icmp 1(8) policy1 trustZone untrustZone N/A(N/A) ge-0/0/1.0
2010-10-22 13:36:14 CST session denied 1.1.1.2/2->2.2.2.2/54812 icmp 1(8) policy1 trustZone untrustZone N/A(N/A) ge-0/0/1.0

...

2010-10-27 15:50:11 CST IP spoofing! source: 2.2.2.20, destination: 2.2.2.2, protocol-id: 17, zone name: trustZone, interface name: ge-0/0/1.0, action: drop
2010-10-27 15:50:11 CST IP spoofing! source: 2.2.2.20, destination: 2.2.2.2, protocol-id: 17, zone name: trustZone, interface name: ge-0/0/1.0, action: drop

...

2011-02-18 15:53:34 CST PKID_PV_OBJECT_READ: A PKI object was read into memory from /var/db/certs/common/certification-authority/ca-profile1-ca1.cert
2011-02-18 15:53:35 CST PKID_PV_OBJECT_READ: A PKI object was read into memory from /var/db/certs/common/crl/ca-profile1.crl
2011-02-18 15:53:35 CST PKID_PV_OBJECT_READ: A PKI object was read into memory from /var/db/certs/system-key-pair/system-generated.priv
2011-02-18 15:53:35 CST PKID_PV_OBJECT_READ: A PKI object was read into memory from /var/db/certs/system-cert/system-generated.cert
2011-02-18 15:53:35 CST PKID_PV_OBJECT_READ: A PKI object was read into memory from /var/db/certs/common/key-pair/cert1.priv
2011-02-18 15:53:42 CST PKID_PV_OBJECT_READ: A PKI object was read into memory from /var/db/certs/common/key-pair/test2.priv

...


2011-03-14 23:00:40 PDT IDP_COMMIT_COMPLETED: IDP policy commit is complete.
2011-03-14 23:00:58 PDT IDP_POLICY_LOAD_FAILED: IDP policy loading failed ;policy[/var/db/idpd/bins/.bin.gz.v], detector[/usr/libdata/libidp-detector.so.tgz.v] ,failure detail[Policy loading failed :: Policy file not found ]
2011-03-14 23:00:58 PDT IDP_POLICY_LOAD_FAILED: IDP policy loading failed ;policy[/var/db/idpd/bins/.bin.gz.v], detector[/usr/libdata/libidp-detector.so.tgz.v] ,failure detail[Policy loading failed :: Policy file not found ]
2011-03-14 23:00:58 PDT IDP_POLICY_LOAD_FAILED: IDP policy loading failed ;policy[/var/db/idpd/bins/.bin.gz.v], detector[/usr/libdata/libidp-detector.so.tgz.v] ,failure detail[Policy loading failed :: Policy file not found ]

...

Event time             Message
2011-03-21 14:21:49 CST UI_CMDLINE_READ_LINE: User 'root', command 'set date ntp 9.9.9.1 source-address 6.6.6.1 '
2011-03-21 14:23:01 CST UI_CMDLINE_READ_LINE: User 'root', command 'set date ntp 9.9.9.1 source-address 6.6.6.1 '
2011-03-21 14:23:05 CST KMD_PM_SA_ESTABLISHED: Local gateway: 7.7.7.1, Remote gateway: 8.8.8.1, Local ID: ipv4(any:0,[0..3]=6.6.6.1), Remote ID: ipv4(any:0,[0..3]=9.9.9.1), Direction: inbound, SPI: 37a2a179, AUX-SPI: 0, Mode: tunnel, Type: dynamic
2011-03-21 14:23:05 CST KMD_PM_SA_ESTABLISHED: Local gateway: 7.7.7.1, Remote gateway: 8.8.8.1, Local ID: ipv4(any:0,[0..3]=6.6.6.1), Remote ID: ipv4(any:0,[0..3]=9.9.9.1), Direction: outbound, SPI: b2231c1f, AUX-SPI: 0, Mode: tunnel, Type: dynamic
2011-03-21 14:23:08 CST UI_CMDLINE_READ_LINE: User 'root', command 'set date ntp 9.9.9.1 source-address 6.6.6.1 '
2011-03-21 14:23:13 CST UI_CMDLINE_READ_LINE: User 'root', command 'show security log '
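As an added example (not from the guide or from Juniper), the following Python parser turns lines in the format of the show security log sample output above into structured records and then counts denied sessions and IP spoofing drops per source address, which is the first step toward building detection on top of these logs. The field positions for the session created and session denied messages are inferred from the sample lines, which are reused here as constructed test input; that positional layout is an assumption, not a format the guide documents. Messages that do not match a known shape fall back to the upper-case syslog tag (such as PKID_PV_OBJECT_READ) as the event name, so the same parser handles the PKI, IDP and IKE lines in the sample as well.

```python
import re
from collections import Counter

# The lines below follow the format of the guide's sample output; they are
# reused here as constructed test input for the parser.
SAMPLE_LOG = """\
2010-10-22 13:28:37 CST session created 1.1.1.2/1->2.2.2.2/1308 icmp 1.1.1.2/1->2.2.2.2/1308 None None 1 policy1 trustZone untrustZone 52 N/A(N/A) ge-0/0/1.0
2010-10-22 13:28:38 CST session created 1.1.1.2/2->2.2.2.2/1308 icmp 1.1.1.2/2->2.2.2.2/1308 None None 1 policy1 trustZone untrustZone 54 N/A(N/A) ge-0/0/1.0
2010-10-22 13:36:12 CST session denied 1.1.1.2/1->2.2.2.2/54812 icmp 1(8) policy1 trustZone untrustZone N/A(N/A) ge-0/0/1.0
2010-10-22 13:36:14 CST session denied 1.1.1.2/2->2.2.2.2/54812 icmp 1(8) policy1 trustZone untrustZone N/A(N/A) ge-0/0/1.0
2010-10-27 15:50:11 CST IP spoofing! source: 2.2.2.20, destination: 2.2.2.2, protocol-id: 17, zone name: trustZone, interface name: ge-0/0/1.0, action: drop
2011-02-18 15:53:34 CST PKID_PV_OBJECT_READ: A PKI object was read into memory from /var/db/certs/common/certification-authority/ca-profile1-ca1.cert
"""

HEADER_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>\S+) (?P<msg>.*)$")
FLOW_RE = re.compile(r"^(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)$")
TAG_RE = re.compile(r"^(?P<tag>[A-Z][A-Z0-9_]+): (?P<text>.*)$")


def parse_line(line):
    """Turn one 'show security log' line into a dict, or None if it has no timestamp."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"time": m.group("ts"), "tz": m.group("tz")}
    msg = m.group("msg")
    if msg.startswith(("session created ", "session denied ")):
        parts = msg.split()
        rec["event"] = " ".join(parts[:2])
        flow = FLOW_RE.match(parts[2])
        if flow is None:
            return None
        rec.update(flow.groupdict())          # src, sport, dst, dport
        rec["protocol"] = parts[3]
        # Positional layout inferred from the sample lines (assumption): the
        # policy name is followed by the from-zone and to-zone. The created
        # form has four fields between the protocol and the policy (a second
        # flow tuple, None, None, 1); the denied form has one (1(8)).
        base = 8 if rec["event"] == "session created" else 5
        rec["policy"], rec["from_zone"], rec["to_zone"] = parts[base:base + 3]
        rec["interface"] = parts[-1]
    elif msg.startswith("IP spoofing!"):
        rec["event"] = "ip spoofing"
        fields = dict(kv.strip().split(": ", 1)
                      for kv in msg[len("IP spoofing!"):].split(","))
        rec["src"], rec["dst"] = fields["source"], fields["destination"]
        rec["protocol"] = fields["protocol-id"]
        rec["zone"] = fields["zone name"]
        rec["interface"] = fields["interface name"]
        rec["action"] = fields["action"]
    else:
        tag = TAG_RE.match(msg)               # e.g. PKID_PV_OBJECT_READ, KMD_PM_SA_ESTABLISHED
        rec["event"] = tag.group("tag").lower() if tag else "unknown"
        rec["text"] = tag.group("text") if tag else msg
    return rec


def summarize(log_text):
    """Parse every line; count denied sessions and spoofing drops per source address."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    denied = Counter(r["src"] for r in records if r["event"] == "session denied")
    spoofed = Counter(r["src"] for r in records
                      if r["event"] == "ip spoofing" and r["action"] == "drop")
    return records, denied, spoofed


if __name__ == "__main__":
    records, denied, spoofed = summarize(SAMPLE_LOG)
    for rec in records:
        print(rec["time"], rec["event"], rec.get("src", "-"), rec.get("dst", "-"))
    print("denied per source:", dict(denied))
    print("spoofing drops per source:", dict(spoofed))
```

Because the command streams continuously, the same parse_line function can be applied to lines as they arrive rather than to a captured block; the per-source counters are where a threshold (for instance, repeated spoofing drops from one address on one interface) would be checked.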


• PART 4: Index

Index on page 59


• Index

Symbols
#, comments in configuration statements ...... x
( ), in syntax descriptions ...... x
< >, in syntax descriptions ...... x
[ ], in configuration statements ...... x
{ }, in configuration statements ...... x
| (pipe), in syntax descriptions ...... x

A
application-proxy statement
  utm ...... 34

B
braces, in configuration statements ...... x
brackets
  angle, in syntax descriptions ...... x
  square, in configuration statements ...... x

C
category statement
  (Security Logging) ...... 38
clear security utm session ...... 50
comments, in configuration statements ...... x
content-filtering (utm-policy) ...... 39
conventions
  text and syntax ...... ix
curly braces, in configuration statements ...... x
customer support ...... xi
  contacting JTAC ...... xi

D
documentation
  comments on ...... xi

F
font conventions ...... ix
format statement, second use ...... 37

I
ipc ...... 40

L
limit ...... 39
log statement
  (Security Logging) ...... 35

M
manuals
  comments on ...... xi

P
parentheses, in syntax descriptions ...... x

R
request system license update command ...... 51

S
Security Configuration Statement Hierarchy ...... 25
sessions-per-client ...... 41
show configuration smtp ...... 52
show security log command ...... 54
show security utm status ...... 53
smtp-profile (antispam utm-policy) ...... 41
support, technical, See technical support
syntax conventions ...... ix

T
technical support
  contacting JTAC ......