Security Utm


Transcript of Security Utm

    8/10/2019 Security Utm

    Junos OS

    UTM Sophos Antivirus Protection for Security Devices

    Release 12.1

    Published: 2012-08-30

    Copyright 2012, Juniper Networks, Inc.


    Juniper Networks, Inc.
    1194 North Mathilda Avenue
    Sunnyvale, California 94089
    USA
    408-745-2000
    www.juniper.net

    This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

    This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto.

    This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

    GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates.

    This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.

    Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

    Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

    Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

    Junos OS UTM Sophos Antivirus Protection for Security Devices
    Release 12.1
    Copyright 2012, Juniper Networks, Inc.
    All rights reserved.

    The information in this document is current as of the date on the title page.

    YEAR 2000 NOTICE

    Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

    END USER LICENSE AGREEMENT

    The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


    Table of Contents

    About the Documentation ... ix
    Documentation and Release Notes ... ix
    Supported Platforms ... ix
    Using the Examples in This Manual ... x
    Merging a Full Example ... x
    Merging a Snippet ... xi
    Documentation Conventions ... xi
    Documentation Feedback ... xiii
    Requesting Technical Support ... xiii
    Self-Help Online Tools and Resources ... xiii
    Opening a Case with JTAC ... xiv

    Part 1 Overview

    Chapter 1 Supported Features ... 3
    Unified Threat Management ... 3

    Chapter 2 Sophos Antivirus Protection ... 5
    Sophos Antivirus Protection Overview ... 5
    Sophos Antivirus Features ... 5
    Understanding Sophos Antivirus Data File Update ... 6
    Comparison of Sophos Antivirus to Kaspersky Antivirus ... 7

    Part 2 Configuration

    Chapter 3 Sophos Antivirus Protection ... 11
    Sophos Antivirus Configuration Overview ... 11
    Example: Configuring Sophos Antivirus Custom Objects ... 11
    Example: Configuring Sophos Antivirus Feature Profile ... 15
    Example: Configuring Sophos Antivirus UTM Policies ... 21
    Example: Configuring Sophos Antivirus Firewall Security Policies ... 22

    Chapter 4 Configuration Statements ... 25
    [edit security utm] Hierarchy Level ... 25
    admin-email ... 32
    administrator-email (Security Fallback Block) ... 33
    administrator-email (Security Virus Detection) ... 33
    allow-email (Security Fallback Block) ... 34
    allow-email (Security Virus Detection) ... 34
    anti-virus (Security Feature Profile) ... 35
    application (Security Policies) ... 39
    content-size (Security Antivirus Sophos Engine) ... 40


    content-size-limit ... 41
    custom-message (Security Email Notify) ... 41
    custom-message (Security Fallback Block) ... 42
    custom-message (Security Fallback Non-Block) ... 42
    custom-message (Security Virus Detection) ... 43
    custom-message-subject (Security Email Notify) ... 43
    custom-message-subject (Security Fallback Block) ... 44
    custom-message-subject (Security Fallback Non-Block) ... 44
    custom-message-subject (Security Virus Detection) ... 45
    custom-url-category ... 46
    default (Security Antivirus Sophos Engine) ... 47
    display-host (Security Fallback Block) ... 47
    display-host (Security Virus Detection) ... 48
    email-notify ... 48
    engine-not-ready (Security Antivirus Sophos Engine) ... 49
    fallback-block (Security Antivirus) ... 50
    fallback-non-block (Security Antivirus) ... 51
    fallback-options (Security Antivirus Sophos Engine) ... 52
    feature-profile ... 53
    filename-extension ... 59
    from-zone (Security Policies) ... 60
    interval (Security Antivirus) ... 62
    juniper-express-engine ... 63
    mime-pattern ... 64
    mime-whitelist ... 65
    no-autoupdate ... 66
    no-notify-mail-recipient ... 67
    no-notify-mail-sender (Security Fallback Block) ... 67
    no-notify-mail-sender (Security Virus Detection) ... 68
    no-uri-check ... 68
    notification-options (Security Antivirus) ... 69
    notify-mail-recipient ... 70
    notify-mail-sender (Security Fallback Block) ... 70
    notify-mail-sender (Security Virus Detection) ... 71
    out-of-resources (Security Antivirus Sophos Engine) ... 71
    password (Security Antivirus) ... 72
    pattern-update (Security Antivirus) ... 72
    port (Security Antivirus) ... 73
    profile (Security Sophos Engine Antivirus) ... 74
    protocol-command ... 75
    proxy (Security Antivirus) ... 76
    scan-options (Security Antivirus Sophos Engine) ... 76
    server (Security Antivirus) ... 77
    sophos-engine ... 78
    sxl-retry ... 79
    sxl-timeout ... 80
    timeout (Security Antivirus Fallback Options Sophos Engine) ... 80
    timeout (Security Antivirus Scan Options) ... 81
    to-zone (Security Policies) ... 82


    too-many-requests (Security Antivirus Fallback Options Sophos Engine) ... 84
    trickling ... 85
    type (Security Antivirus Feature Profile) ... 86
    type (Security Fallback Block) ... 86
    type (Security Virus Detection) ... 87
    url (Security Antivirus) ... 87
    uri-check ... 88
    url-pattern ... 88
    username (Security Antivirus) ... 89
    virus-detection (Security Antivirus) ... 89

    Part 3 Administration

    Chapter 5 Managing Sophos Antivirus Protection ... 93
    Managing Sophos Antivirus Data Files ... 93

    Chapter 6 Operational Commands ... 95
    clear security utm antivirus statistics ... 96
    request security utm anti-virus sophos-engine ... 97
    show security utm anti-virus statistics ... 98
    show security utm anti-virus status ... 100

    Part 4 Index

    Index ... 105


    List of Tables

    About the Documentation ... ix
    Table 1: Notice Icons ... xi
    Table 2: Text and Syntax Conventions ... xii

    Part 1 Overview

    Chapter 1 Supported Features ... 3
    Table 3: UTM Support ... 3


    About the Documentation

    Documentation and Release Notes on page ix

    Supported Platforms on page ix

    Using the Examples in This Manual on page x

    Documentation Conventions on page xi

    Documentation Feedback on page xiii

    Requesting Technical Support on page xiii

    Documentation and Release Notes

    To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

    If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

    Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

    Supported Platforms

    For the features described in this document, the following platforms are supported:

    SRX100
    SRX110
    SRX210
    SRX220
    SRX240
    SRX550
    SRX650


    Using the Examples in This Manual

    If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.

    If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command.

    If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.

    Merging a Full Example

    To merge a full example, follow these steps:

    1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform.

    For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

        system {
            scripts {
                commit {
                    file ex-script.xsl;
                }
            }
        }
        interfaces {
            fxp0 {
                disable;
                unit 0 {
                    family inet {
                        address 10.0.0.1/24;
                    }
                }
            }
        }

    2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:

        [edit]
        user@host# load merge /var/tmp/ex-script.conf
        load complete


    Merging a Snippet

    To merge a snippet, follow these steps:

    1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.

    For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.

        commit {
            file ex-script-snippet.xsl;
        }

    2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:

        [edit]
        user@host# edit system scripts
        [edit system scripts]

    3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:

        [edit system scripts]
        user@host# load merge relative /var/tmp/ex-script-snippet.conf
        load complete

    For more information about the load command, see the Junos OS CLI User Guide.
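The difference between a full example and a snippet is where the incoming statements are attached in the candidate configuration. The following Python model is an added illustration, not Juniper code and not how Junos itself stores configuration: it parses the curly-brace format of the two files above, merges the full example at the top of the hierarchy, merges the snippet at [edit system scripts] the way load merge relative does, and flattens the result into set commands for review. The parser is deliberately simplified (it assumes no inactive: or replace: tags, no quoted strings containing #, ; or braces, and performs no schema validation, so it will not reject a statement that Junos would refuse).

```python
"""Model of 'load merge' vs 'load merge relative' for Junos configuration.

Added illustration, not Juniper code. Simplifications: no inactive:/replace:
tags, no quoted strings containing '#', ';' or braces, no schema validation.
"""

# The two files from the procedures above, cleanly formatted.
FULL_EXAMPLE = """\
system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
"""

SNIPPET = """\
commit {
    file ex-script-snippet.xsl;
}
"""


def parse_junos(text):
    """Parse curly-brace configuration into nested dicts.

    Container statements ('system {') become keys holding a sub-dict; leaf
    statements ('disable;') become keys holding an empty dict.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop same-line comments
        if not line:
            continue
        if line.endswith("{"):
            child = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}' at top level")
            stack.pop()
        elif line.endswith(";"):
            stack[-1].setdefault(line[:-1].strip(), {})
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces: missing '}'")
    return root


def merge(dst, src):
    """Additive merge, as 'load merge' is: nothing already in dst is removed."""
    for key, sub in src.items():
        merge(dst.setdefault(key, {}), sub)
    return dst


def load_merge(candidate, text, relative_to=()):
    """'load merge' when relative_to is empty, otherwise 'load merge relative'
    at the hierarchy level named by relative_to, e.g. ("system", "scripts")."""
    node = candidate
    for level in relative_to:
        node = node.setdefault(level, {})
    merge(node, parse_junos(text))
    return candidate


def to_set_commands(tree, prefix="set"):
    """Flatten the tree into one 'set ...' line per leaf for review."""
    out = []
    for key, sub in tree.items():
        path = f"{prefix} {key}"
        out.extend(to_set_commands(sub, path) if sub else [path])
    return out


def demo():
    """Full example merged at [edit], snippet merged at [edit system scripts]."""
    candidate = {}
    load_merge(candidate, FULL_EXAMPLE)
    load_merge(candidate, SNIPPET, relative_to=("system", "scripts"))
    return to_set_commands(candidate)


def demo_wrong_level():
    """The same snippet loaded with plain 'load merge' lands at the top of the
    hierarchy, where 'commit' is not a valid statement (Junos would reject it)."""
    return to_set_commands(load_merge({}, SNIPPET))


if __name__ == "__main__":
    print("\n".join(demo()))
```

Because the merge is additive, the second commit script is added beside the first rather than replacing it; on a real device, review the result with show | compare before committing, since load merge never tells you what it left in place.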

    Documentation Conventions

    Table 1 on page xi defines notice icons used in this guide.

    Table 1: Notice Icons

    Informational note: Indicates important features or instructions.
    Caution: Indicates a situation that might result in loss of data or hardware damage.
    Warning: Alerts you to the risk of personal injury or death.
    Laser warning: Alerts you to the risk of personal injury from a laser.

    Table 2 on page xii defines the text and syntax conventions used in this guide.


    Table 2: Text and Syntax Conventions

    Bold text like this: Represents text that you type.
        Example: To enter configuration mode, type the configure command:
            user@host> configure

    Fixed-width text like this: Represents output that appears on the terminal screen.
        Example:
            user@host> show chassis alarms
            No alarms currently active

    Italic text like this: Introduces or emphasizes important new terms. Identifies book names. Identifies RFC and Internet draft titles.
        Examples: A policy term is a named structure that defines match conditions and actions.
            Junos OS System Basics Configuration Guide
            RFC 1997, BGP Communities Attribute

    Italic text like this: Represents variables (options for which you substitute a value) in commands or configuration statements.
        Example: Configure the machine's domain name:
            [edit]
            root@# set system domain-name domain-name

    Text like this: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
        Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
            The console port is labeled CONSOLE.

    < > (angle brackets): Enclose optional keywords or variables.
        Example: stub ;

    | (pipe symbol): Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
        Examples: broadcast | multicast
            (string1 | string2 | string3)

    # (pound sign): Indicates a comment specified on the same line as the configuration statement to which it applies.
        Example: rsvp { # Required for dynamic MPLS only

    [ ] (square brackets): Enclose a variable for which you can substitute one or more values.
        Example: community name members [community-ids]

    Indention and braces ( { } ): Identify a level in the configuration hierarchy.
        Example:
            [edit]
            routing-options {
                static {
                    route default {
                        nexthop address;
                        retain;
                    }
                }
            }

    ; (semicolon): Identifies a leaf statement at a configuration hierarchy level.

    J-Web GUI Conventions

    Bold text like this: Represents J-Web graphical user interface (GUI) items you click or select.
        Examples: In the Logical Interfaces box, select All Interfaces.
            To cancel the configuration, click Cancel.

    > (bold right angle bracket): Separates levels in a hierarchy of J-Web selections.
        Example: In the configuration editor hierarchy, select Protocols>Ospf.

    Documentation Feedback

    We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:

    Document or topic name

    URL or page number

    Software release version (if applicable)

    Requesting Technical Support

    Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

    JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

    Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/.

    JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

    Self-Help Online Tools and Resources

    For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

    Find CSC offerings: http://www.juniper.net/customers/support/

    Search for known bugs: http://www2.juniper.net/kb/


    Find product documentation: http://www.juniper.net/techpubs/

    Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

    Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

    Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/

    Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

    Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

    To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

    Opening a Case with JTAC

    You can open a case with JTAC on the Web or by telephone.

    Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

    Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

    For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.


    PART 1

    Overview

    Supported Features on page 3

    Sophos Antivirus Protection on page 5

    CHAPTER 1

    Supported Features

    Unified Threat Management on page 3

    Unified Threat Management

    Unified Threat Management (UTM) is a term used to describe the consolidation of several security features into one device, protecting against multiple threat types. The advantages of UTM are streamlined installation and management of these multiple security capabilities.

    Table 3 on page 3 lists the UTM features that are supported on SRX Series and J Series devices.

    Table 3: UTM Support

    Feature | SRX100, SRX110, SRX210, SRX220, SRX240 | SRX550, SRX650 | SRX1400, SRX3400, SRX3600, SRX5600, SRX5800 | J Series
    Antispam | Yes | Yes | No | Yes
    Antivirus Express | SRX210, SRX220, and SRX240 only | Yes | No | Yes
    Antivirus Full | Yes | Yes | No | Yes
    Antivirus Sophos | Yes | Yes | No | No
    Chassis cluster (active/active chassis cluster with the Packet Forwarding Engine active on both the cluster nodes [the Packet Forwarding Engine and the Routing Engine active in the same node]) | SRX100, SRX210, SRX220, and SRX240 only | Yes | No | No
    Content filtering | Yes | Yes | No | Yes
    Enhanced Web filtering | Yes | Yes | No | No
    Web filtering | Yes | Yes | No | Yes
    WELF support | Yes | Yes | No | Yes

    Related Documentation

    Junos OS Security Configuration Guide

    CHAPTER 2

    Sophos Antivirus Protection

    Sophos Antivirus Protection Overview on page 5

    Sophos Antivirus Features on page 5

    Understanding Sophos Antivirus Data File Update on page 6

    Comparison of Sophos Antivirus to Kaspersky Antivirus on page 7

    Sophos Antivirus Protection Overview

Sophos antivirus scanning is offered as a less CPU-intensive alternative to the full file-based antivirus feature. Sophos supports the same protocols as full antivirus and functions in much the same manner; however, it has a smaller memory footprint and is compatible with lower end devices that have less memory.

Sophos antivirus is an in-the-cloud antivirus solution. The virus pattern and malware database is located on external servers maintained by Sophos (Sophos Extensible List servers), so there is no need to download and maintain large pattern databases on the Juniper device. The Sophos antivirus scanner also uses a local internal cache to maintain query responses from the external list server to improve lookup performance.

Because a significant amount of traffic processed by Juniper Unified Threat Management (UTM) is HTTP based, Uniform Resource Identifier (URI) checking is used to effectively prevent malicious content from reaching the endpoint client or server. The following checks are performed for HTTP traffic: URI lookup, true file type detection, and file checksum lookup. The following application layer protocols are supported: HTTP, FTP, SMTP, POP3, and IMAP.

Related Documentation

    Junos OS Feature Support Reference for SRX Series and J Series Devices

    Sophos Antivirus Features on page 5

    Sophos Antivirus Configuration Overview on page 11

    Sophos Antivirus Features

    Sophos Antivirus has the following main features:


Sophos Antivirus Expanded MIME Decoding Support: Sophos antivirus offers decoding support for HTTP, POP3, SMTP, and IMAP. MIME decoding support includes the following for each supported protocol:

Multipart and nested header decoding

Base64 decoding, quoted-printable decoding, and encoded-word decoding in the subject field

Sophos Antivirus Scan Result Handling: With Sophos antivirus, the TCP traffic is closed gracefully when a virus is found and the data content is dropped.

The following fail mode options are supported: content-size, default, engine-not-ready, out-of-resource, timeout, and too-many-requests. You can set the following actions: block, log-and-permit, and permit. Fail mode handling of supported options with Sophos is much the same as with full antivirus.

Sophos Uniform Resource Identifier Checking: Sophos provides Uniform Resource Identifier (URI) checking, which is similar to anti-spam realtime blackhole list (RBL) lookups. URI checking is a way of analyzing URI content in HTTP traffic against the Sophos database to identify malware or malicious content. Because malware is predominantly static, a checksum mechanism is used to identify malware to improve performance. Files that are capable of using a checksum include: .exe, .zip, .rar, .swf, .pdf, and .ole2 (doc and xls).

NOTE: If you have a Juniper device protecting an internal network that has no HTTP traffic, or has Web servers that are not accessible to the outside world, you may want to turn off URI checking. If the Web servers are not accessible to the outside world, it is unlikely that they contain URI information that is in the Sophos URI database. URI checking is on by default.

Related Documentation

    Junos OS Feature Support Reference for SRX Series and J Series Devices

    Sophos Antivirus Protection Overview on page 5

    Sophos Antivirus Configuration Overview on page 11

    Example: Configuring Sophos Antivirus Feature Profile on page 15

    Understanding Sophos Antivirus Data File Update

Sophos antivirus uses a small set of data files that need to be updated periodically. These data files only contain information on guiding scanning logic and do not contain the full pattern database. The main pattern database, which includes protection against critical viruses, URI checks, malware, worms, Trojans, and spyware, is located on remote Sophos Extensible List servers maintained by Sophos.


PART 2

Configuration

Sophos Antivirus Protection on page 11

Configuration Statements on page 25


    CHAPTER 3

    Sophos Antivirus Protection

    Sophos Antivirus Configuration Overview on page 11

    Example: Configuring Sophos Antivirus Custom Objects on page 11

    Example: Configuring Sophos Antivirus Feature Profile on page 15

    Example: Configuring Sophos Antivirus UTM Policies on page 21

    Example: Configuring Sophos Antivirus Firewall Security Policies on page 22

    Sophos Antivirus Configuration Overview

Sophos antivirus is part of the Unified Threat Management (UTM) feature set, so you first configure UTM options (custom objects), configure the Sophos feature, then create a UTM policy and a security policy. The security policy controls all traffic that is forwarded by the device, and the UTM policy specifies which parameters to use to scan traffic. The UTM policy is also used to bind a set of protocols to one or more UTM feature profiles, including Sophos antivirus in this case.

You must complete the following tasks to configure Sophos antivirus:

1. Configure UTM custom objects and MIME lists. See Example: Configuring Sophos Antivirus Custom Objects on page 11.

2. Configure the Sophos antivirus feature profile. See Example: Configuring Sophos Antivirus Feature Profile on page 15.

3. Configure a UTM policy. See Example: Configuring Sophos Antivirus UTM Policies on page 21.

4. Configure a security policy. See Example: Configuring Sophos Antivirus Firewall Security Policies on page 22.

    Example: Configuring Sophos Antivirus Custom Objects

This example shows you how to create UTM global custom objects to be used with Sophos antivirus.

    Requirements on page 12

    Overview on page 12


    Configuration on page 12

    Verification on page 14

    Requirements

Before you begin, read about UTM custom objects. See Understanding UTM Custom Objects.

    Overview

Configure MIME lists. This includes creating a MIME whitelist and a MIME exception list for antivirus scanning. In this example, you bypass scanning of QuickTime videos, unless they contain the MIME type quicktime-inappropriate.

WARNING: When you configure the MIME whitelist feature, be aware that, because header information in HTTP traffic can be spoofed, you cannot always trust HTTP headers to be legitimate. When a Web browser is determining the appropriate action for a given file type, it detects the file type without checking the MIME header contents. However, the MIME whitelist feature does refer to the MIME encoding in the HTTP header. For these reasons, it is possible in certain cases for a malicious website to provide an invalid HTTP header. For example, a network administrator might inadvertently add a malicious website to a MIME whitelist, and, because the site is in the whitelist, it will not be blocked by Sophos even though Sophos has identified the site as malicious in its database. Internal hosts would then be able to reach this site and could become infected.

Configuration

GUI Step-by-Step Procedure

To configure a MIME list:

1. Click the Configure tab from the taskbar, and then select Security>UTM>Custom Objects.

2. Click the MIME Pattern List tab and then click Add.

3. In the MIME Pattern Name box, type avmime2.

4. In the MIME Pattern Value box, type video/quicktime, and click Add.

5. In the MIME Pattern Value box, type image/x-portable-anymap, and click Add.

6. In the MIME Pattern Value box, type x-world/x-vrml, and click Add.

To configure a MIME exception list:

1. Click the Configure tab from the taskbar, and then select Security>UTM>Custom Objects.

2. Click the MIME Pattern List tab and then click Add.

3. In the MIME Pattern Name box, type exception-avmime2.

4. In the MIME Pattern Value box, type video/quicktime-inappropriate, and click Add.


Configure a URL pattern list (whitelist) of URLs or addresses that will be bypassed by antivirus scanning. After you create the URL pattern list, you will create a custom URL category list and add the pattern list to it.

NOTE: Because you use URL pattern lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure custom URL category lists.

To configure a URL pattern whitelist:

1. Click the Configure tab from the taskbar, and then select Security>UTM>Custom Objects.

2. Click the URL Pattern List tab, and then click Add.

3. In the URL Pattern Name box, enter urlist2.

4. In the URL Pattern Value box, enter http://juniper.net. (You can also use the IP address of the server instead of the URL.)

    Save your configuration:

    1. Click OK to check your configuration and save it as a candidate configuration.

    2. If you are done configuring the device, click Actions>Commit .

NOTE: URL pattern wildcard support. The wildcard rule is as follows: \*\.[]\?*. You must precede all wildcard URLs with http://. You can use * only if it is at the beginning of the URL and it is followed by a period (.). You can use ? only at the end of the URL.

The following wildcard syntax is supported: http://*.juniper.net, http://www.juniper.ne?, http://www.juniper.n??. The following wildcard syntax is not supported: *.juniper.net, www.juniper.ne?, http://*juniper.net, http://*.

Step-by-Step Procedure

To configure antivirus protection using the CLI, you must create your custom objects in the following order:

1. Create the MIME whitelist.

[edit security utm]
user@host# set custom-objects mime-pattern avmime2 value [video/quicktime image/x-portable-anymap x-world/x-vrml]

Create the MIME exception list.

[edit security utm]
user@host# set custom-objects mime-pattern exception-avmime2 value [video/quicktime-inappropriate]


2. Configure a URL pattern list (whitelist) of URLs or addresses that you want to bypass. After you create the URL pattern list, you create a custom URL category list and add the pattern list to it. Configure a URL pattern list custom object by creating the list name and adding values to it as follows.

NOTE: Because you use URL pattern lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure custom URL category lists.

[edit security utm]
user@host# set custom-objects url-pattern urllist2 value [http://www.juniper.net 192.168.1.5]

NOTE: URL pattern wildcard support. The wildcard rule is as follows: \*\.[]\?*. You must precede all wildcard URLs with http://. You can use * only if it is at the beginning of the URL and it is followed by a period (.). You can use ? only at the end of the URL.

The following wildcard syntax is supported: http://*.juniper.net, http://www.juniper.ne?, http://www.juniper.n??. The following wildcard syntax is not supported: *.juniper.net, www.juniper.ne?, http://*juniper.net, http://*.

3. Configure a custom URL category list custom object by using the URL pattern list urllist2 that you created earlier:

[edit security utm]
user@host# set custom-objects custom-url-category custurl2 value urllist2
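The wildcard rule stated in the two notes above (for the GUI and the CLI), as an added Python example that is not part of the Junos documentation: it checks candidate url-pattern values against those rules and then matches URLs against an accepted pattern. The matching semantics (* covers one or more characters, ? exactly one, neither crossing a /) are an assumption, since the page only states where the wildcards may appear.

```python
import re

SCHEME = "http://"


def is_valid_url_pattern(pattern: str) -> bool:
    """Check a candidate url-pattern value against the documented wildcard rule.

    Literal URLs and IP addresses carry no wildcard and are accepted as written.
    A wildcard pattern must start with http://, may use '*' only as the first
    character after the scheme and only when a '.' follows it, and may use '?'
    only at the end of the URL (a trailing run of '?' is allowed, as in .n??).
    """
    if "*" not in pattern and "?" not in pattern:
        return bool(pattern)
    if not pattern.startswith(SCHEME):
        return False
    body = pattern[len(SCHEME):]
    core = body.rstrip("?")          # '?' is only legal as a trailing run...
    if "?" in core:
        return False                 # ...so any other '?' is a violation
    if "*" in core:
        if not core.startswith("*."):
            return False             # http://*juniper.net and http://www.*.net are not allowed
        if "*" in core[1:]:
            return False             # a second '*' anywhere is not allowed
        if len(core) <= 2:
            return False             # http://*. names nothing after the dot
    return True


def compile_url_pattern(pattern: str) -> re.Pattern:
    """Turn an accepted pattern into an anchored regex.

    Assumed matching semantics (not stated on the page): '*' covers one or more
    characters and '?' exactly one, and neither may cross a '/', so a path segment
    cannot impersonate a whitelisted host.
    """
    if not is_valid_url_pattern(pattern):
        raise ValueError(f"url-pattern value not allowed: {pattern!r}")
    escaped = re.escape(pattern).replace(r"\*", "[^/]+").replace(r"\?", "[^/]")
    return re.compile("^" + escaped + "$")


def url_matches(pattern: str, url: str) -> bool:
    """True when url is covered by pattern, i.e. it would bypass antivirus scanning."""
    return compile_url_pattern(pattern).match(url) is not None
```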

    Verification

    To verify the configuration, enter the show security utm custom-objects command.

Related Documentation

    Junos OS Feature Support Reference for SRX Series and J Series Devices

    Sophos Antivirus Protection Overview on page 5

    Sophos Antivirus Configuration Overview on page 11

    Example: Configuring Sophos Antivirus Feature Profile on page 15

    Understanding UTM Custom Objects


c. Click OK and commit your changes.

d. Restart the device to enable Sophos as the antivirus engine.

2. Return to the antivirus Global Options screen as you did in step 1, and set the following parameters:

a. In the MIME whitelist list, select exception-avmime2.

b. In the URL whitelist list, select custurl2.

c. In the Pattern update interval (sec) box, type 2880.

d. In the Admin email box, type the e-mail address that will receive Sophos data file update notifications. For example, [email protected].

e. In the Custom Message box, type The Sophos data file update on the SRX240 has been completed. In the Custom message subject box, type Sophos Data File Updated.

f. Click OK to check your configuration and save it as a candidate configuration.

3. Configure a profile for the sophos-engine and set parameters.

a. Click the Configure tab from the taskbar and then select Security>UTM>Anti-Virus. Click Add.

b. In the Add profile box, click the Main tab.

c. In the Profile name box, type sophos-prof1.

d. In the Trickling timeout box, type 180.

WARNING: When enabling the trickling option, it is important to understand that trickling may send part of the file to the client during the antivirus scan. It is possible that some of the content could be received by the client and the client may become infected before the file is fully scanned.

e. URI checking is on by default. To turn it off, clear yes in the URI check box.

f. In the Content size Limit box, type 20000.

g. In the Scan engine timeout box, type 1800.

4. Configure fallback settings by clicking the Fallback settings tab. In this example, all fallback options are set to log and permit. Click Log and permit for the following items: Default action, Content size, Engine not ready, Timeout, Out of resource, Too many requests.


    user@host# set fallback-options too-many-requests log-and-permit

8. Configure notification options. You can configure notifications for fallback blocking, fallback nonblocking actions, and virus detection.

In this step, configure a custom message for the fallback blocking action and send a notification for protocol-only actions to the administrator and the sender.

[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]
user@host# set notification-options fallback-block custom-message "***Fallback block action occurred***" custom-message-subject "Antivirus Fallback Alert" notify-mail-sender type protocol-only allow-email administrator-email [email protected]

9. Configure a notification for protocol-only virus detection, and send a notification.

[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]
user@host# set notification-options virus-detection type protocol-only notify-mail-sender custom-message-subject "***Virus detected***" custom-message "Virus has been detected"

10. Configure content size parameters.

NOTE: When you configure the content-size value, keep in mind that in certain cases, content size is available in the protocol headers, so the max-content-size fallback is applied before a scan request is sent. However, in many cases, content size is not provided in the protocol headers. In these cases, the TCP payload is sent to the antivirus scanner and accumulates until the end of the payload. If the accumulated payload exceeds the maximum content size value, then max-content-size fallback is applied. The default fallback action is log and permit, so you may want to change this option to block, in which case such a packet is dropped and a block message is sent to the client.

In this example, if the content size exceeds 20 MB, the packet is dropped.

[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]
user@host# set scan-options content-size-limit 20000

11. URI checking is on by default. To turn off URI checking:

[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]
user@host# set scan-options no-uri-check

12. Configure the timeout setting for the scanning operation to 1800 seconds.

[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]
user@host# set scan-options timeout 1800

13. The Sophos Extensible List servers contain the virus and malware database for scanning operations. Set the response timeout for these servers to 3 seconds (the default is 2 seconds).

[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]
user@host# set scan-options sxl-timeout 3


14. Configure the Sophos Extensible List server retry option to 2 retries (the default is 1).

[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]
user@host# set scan-options sxl-retry 2

15. Configure the trickling setting to 180 seconds. If you use trickling, you can also set timeout parameters. Trickling applies only to HTTP. HTTP trickling is a mechanism used to prevent the HTTP client or server from timing out during a file transfer or during antivirus scanning.

WARNING: When you enable the trickling option, keep in mind that trickling might send part of a file to the client during its antivirus scan. It is therefore possible that some of the content could be received by the client before the file has been fully scanned.

[edit security utm feature-profile anti-virus]
user@host# set sophos-engine profile sophos-prof1 trickling timeout 180

16. Configure the antivirus module to use MIME bypass lists and exception lists. You can use your own custom object lists, or you can use the default list that ships with the device, called junos-default-bypass-mime. In this example, you use the lists that you set up earlier: avmime2 is the bypass list and exception-avmime2 is attached to it as its exception list.

[edit security utm feature-profile anti-virus]
user@host# set mime-whitelist list avmime2 exception exception-avmime2

17. Configure the antivirus module to use URL bypass lists. If you are using a URL whitelist, this is a custom URL category you have previously configured as a custom object. URL whitelists are valid only for HTTP traffic. In this example you use the lists that you set up earlier.

[edit security utm feature-profile anti-virus]
user@host# set url-whitelist custurl2
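The scan decision path this procedure configures (URL whitelist for HTTP only, MIME whitelist with its exception list, the content-size fallback both when the size comes from a header and when the payload has to accumulate, then the checksum lookup), as an added Python model that is not Junos code. SophosProfile, Transfer, decide and the constructed KNOWN_BAD_SHA256 set are this example's own names; the set stands in for the cached checksum lookup against the Sophos Extensible List servers.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

KB = 1024


@dataclass
class SophosProfile:
    """Assumed model of the sophos-engine profile settings used in this chapter."""
    content_size_limit: int = 20000                # scan-options content-size-limit, in kilobytes
    content_size_fallback: str = "log-and-permit"  # fallback-options content-size
    mime_whitelist: Tuple[str, ...] = ()           # mime-whitelist list: MIME types that bypass scanning
    mime_exceptions: Tuple[str, ...] = ()          # mime-whitelist exception: listed types are scanned anyway
    url_whitelist: Tuple[str, ...] = ()            # url-whitelist: URLs that bypass scanning (HTTP only)


@dataclass
class Transfer:
    """One object handed to the scanner (constructed for this example)."""
    protocol: str                  # http, ftp, smtp, pop3 or imap
    url: str
    content_type: str              # MIME type from the header: untrusted, the sender chooses it
    content_length: Optional[int]  # size from the protocol header in bytes, None when not provided
    chunks: Iterable[bytes]        # TCP payload in arrival order


# Constructed stand-in for the checksum cache normally filled from the Sophos
# Extensible List servers; it holds the SHA-256 of one made-up bad sample.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"CONSTRUCTED-BAD-SAMPLE").hexdigest()}

# The profile the chapter builds, with the avmime2 / exception-avmime2 / urllist2 values
# from the custom-object example.
EXAMPLE_PROFILE = SophosProfile(
    content_size_limit=20000,
    content_size_fallback="log-and-permit",
    mime_whitelist=("video/quicktime", "image/x-portable-anymap", "x-world/x-vrml"),
    mime_exceptions=("video/quicktime-inappropriate",),
    url_whitelist=("http://www.juniper.net", "192.168.1.5"),
)


def mime_listed(content_type: str, patterns: Tuple[str, ...]) -> bool:
    """MIME patterns match as prefixes, so 'video/quicktime' also covers
    'video/quicktime-inappropriate'; that is why the exception list exists."""
    return any(content_type.startswith(p) for p in patterns)


def decide(profile: SophosProfile, t: Transfer) -> Tuple[str, str]:
    """Return (action, reason) for one transfer, checked in the order the chapter describes."""
    # URL whitelist: valid only for HTTP traffic.
    if t.protocol == "http" and t.url in profile.url_whitelist:
        return "permit", "url-whitelist"
    # MIME whitelist, unless the exception list pulls the type back into scanning.
    if mime_listed(t.content_type, profile.mime_whitelist) and not mime_listed(
        t.content_type, profile.mime_exceptions
    ):
        return "permit", "mime-whitelist"
    limit_bytes = profile.content_size_limit * KB
    # Size known from the protocol headers: the fallback applies before any scan request is sent.
    if t.content_length is not None and t.content_length > limit_bytes:
        return profile.content_size_fallback, "content-size (header)"
    # Size unknown: the payload accumulates until the limit is crossed or the transfer ends.
    digest = hashlib.sha256()
    received = 0
    for chunk in t.chunks:
        received += len(chunk)
        if received > limit_bytes:
            return profile.content_size_fallback, "content-size (accumulated)"
        digest.update(chunk)
    # Checksum lookup: a hit means the content is dropped and the TCP session closed gracefully.
    if digest.hexdigest() in KNOWN_BAD_SHA256:
        return "block", "virus-detected"
    return "permit", "scanned-clean"
```

Because the MIME check reads only the header, the first call below shows why the warning in the custom-object example matters: a sender who labels content video/quicktime is never scanned under this profile.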

Verification

To verify your feature profile configuration, run the show security utm feature-profile anti-virus command.

Obtaining Information About the Current Antivirus Status

Action: From operational mode, enter the show security utm anti-virus status command to view the antivirus status.

user@host> show security utm anti-virus status

Meaning:

Antivirus key expire date: The license key expiration date.

Update server: URL for the data file update server.

Interval: The time period, in minutes, when the device will update the data file from the update server.

Pattern update status: When the data file will be updated next, displayed in minutes.

Last result: Result of the last update. If you already have the latest version, this will display "already have latest database".

Antivirus signature version: Version of the current data file.

Scan engine type: The antivirus engine type that is currently running.

Scan engine information: Result of the last action that occurred with the current scan engine.

Related Documentation

    Junos OS Feature Support Reference for SRX Series and J Series Devices

    Sophos Antivirus Protection Overview on page 5

    Sophos Antivirus Configuration Overview on page 11

    Example: Configuring Sophos Antivirus UTM Policies

    This example shows how to create a UTM policy for Sophos antivirus.

    Requirements on page 21

    Overview on page 21

    Configuration on page 22

    Verification on page 22

    Requirements

Before you create the UTM policy, create custom objects and the Sophos feature profile.

1. Configure UTM custom objects and MIME lists. See Example: Configuring Sophos Antivirus Custom Objects on page 11.

2. Configure the Sophos antivirus feature profile. See Example: Configuring Sophos Antivirus Feature Profile on page 15.

    Overview

After you have created an antivirus feature profile, you configure a UTM policy for an antivirus scanning protocol and attach this policy to a feature profile. In this example, HTTP will be scanned for viruses, as indicated by the http-profile statement. You can scan other protocols as well by creating different profiles or adding other protocols to the profile, such as: imap-profile, pop3-profile, and smtp-profile.


    Configuration

GUI Step-by-Step Procedure

To configure a UTM policy for Sophos antivirus:

1. Click the Configure tab from the taskbar, and then select Security>Policy>UTM Policies. Then click Add.

2. Click the Main tab. In the Policy name box, type utmp3.

3. Click the Anti-Virus profiles tab. In the HTTP profile list, select sophos-prof1.

4. Click OK to check your configuration and save it as a candidate configuration.

5. If you are done configuring the device, select Actions>Commit.

Step-by-Step Procedure

To configure a UTM policy for Sophos antivirus:

1. Go to the [edit security utm] hierarchy.

[edit]
user@host# edit security utm

2. Create the UTM policy utmp3 and attach it to the http-profile sophos-prof1.

[edit security utm]
user@host# set utm-policy utmp3 anti-virus http-profile sophos-prof1

NOTE: You can use the default Sophos feature profile settings by replacing sophos-prof1 in the above statement with junos-sophos-av-defaults.

    Verification

    To verify the configuration, enter the show security utm utm-policy utmp3 command.

Related Documentation

    Junos OS Feature Support Reference for SRX Series and J Series Devices

    Sophos Antivirus Protection Overview on page 5

    Sophos Antivirus Configuration Overview on page 11

    Example: Configuring Sophos Antivirus Feature Profile on page 15

    Example: Configuring Sophos Antivirus Firewall Security Policies

    This example shows how to create a security policy for Sophos antivirus.

    Requirements on page 23

    Overview on page 23

    Configuration on page 23

    Verification on page 24


Step-by-Step Procedure

To configure a security policy for Sophos antivirus:

1. Configure the untrust to trust policy to match any source-address.

[edit security]
user@host# set policies from-zone untrust to-zone trust policy p3 match source-address any

2. Configure the untrust to trust policy to match any destination-address.

[edit security]
user@host# set policies from-zone untrust to-zone trust policy p3 match destination-address any

3. Configure the untrust to trust policy to match any application type.

[edit security]
user@host# set policies from-zone untrust to-zone trust policy p3 match application any

4. Attach the UTM policy named utmp3 to the firewall security policy. This will cause matched traffic to be scanned by the Sophos antivirus feature.

[edit security]
user@host# set policies from-zone untrust to-zone trust policy p3 then permit application-services utm-policy utmp3

    Verification

    To verify the configuration, enter the show security policies command.

Related Documentation

    Junos OS Feature Support Reference for SRX Series and J Series Devices

    Sophos Antivirus Protection Overview on page 5

    Sophos Antivirus Configuration Overview on page 11

    Example: Configuring Sophos Antivirus Feature Profile on page 15


    CHAPTER 4

    Configuration Statements

    [edit security utm] Hierarchy Level on page 25

    [edit security utm] Hierarchy Level

security {
    utm {
        application-proxy {
            traceoptions {
                flag flag;
            }
        }
        custom-objects {
            custom-url-category object-name {
                value [ value ];
            }
            filename-extension object-name {
                value [ value ];
            }
            mime-pattern object-name {
                value [ value ];
            }
            protocol-command object-name {
                value [ value ];
            }
            url-pattern object-name {
                value [ value ];
            }
        }
        feature-profile {
            anti-spam {
                address-blacklist list-name;
                address-whitelist list-name;
                sbl {
                    profile profile-name {
                        custom-tag-string [ string ];
                        (no-sbl-default-server | sbl-default-server);
                        spam-action (block | tag-header | tag-subject);
                    }
                }
                traceoptions {
                    flag flag;
                }
            }
            anti-virus {
                juniper-express-engine {
                    pattern-update {
                        email-notify {
                            admin-email email-address;
                            custom-message message;
                            custom-message-subject message-subject;
                        }
                        interval value;
                        no-autoupdate;
                        proxy {
                            password password-string;
                            port port-number;
                            server address-or-url;
                            username name;
                        }
                        url url;
                    }
                    profile profile-name {
                        fallback-options {
                            content-size (block | log-and-permit);
                            default (block | log-and-permit);
                            engine-not-ready (block | log-and-permit);
                            out-of-resources (block | log-and-permit);
                            timeout (block | log-and-permit);
                            too-many-requests (block | log-and-permit);
                        }
                        notification-options {
                            fallback-block {
                                administrator-email email-address;
                                allow-email;
                                custom-message message;
                                custom-message-subject message-subject;
                                display-host;
                                (no-notify-mail-sender | notify-mail-sender);
                                type (message | protocol-only);
                            }
                            fallback-non-block {
                                custom-message message;
                                custom-message-subject message-subject;
                                (no-notify-mail-recipient | notify-mail-recipient);
                            }
                            virus-detection {
                                custom-message message;
                                custom-message-subject message-subject;
                                (no-notify-mail-sender | notify-mail-sender);
                                type (message | protocol-only);
                            }
                        }
                        scan-options {
                            content-size-limit value;
                            (intelligent-prescreening | no-intelligent-prescreening);
                            timeout value;
                        }
                        trickling {
                            timeout value;
                        }
                    }
                }
                kaspersky-lab-engine {
                    pattern-update {
                        email-notify {
                            admin-email email-address;
                            custom-message message;
                            custom-message-subject message-subject;
                        }
                        interval value;
                        no-autoupdate;
                        proxy {
                            password password-string;
                            port port-number;
                            server address-or-url;
                            username name;
                        }
                        url url;
                    }
                    profile profile-name {
                        fallback-options {
                            content-size (block | log-and-permit);
                            corrupt-file (block | log-and-permit);
                            decompress-layer (block | log-and-permit);
                            default (block | log-and-permit);
                            engine-not-ready (block | log-and-permit);
                            out-of-resources (block | log-and-permit);
                            password-file (block | log-and-permit);
                            timeout (block | log-and-permit);
                            too-many-requests (block | log-and-permit);
                        }
                        notification-options {
                            fallback-block {
                                administrator-email email-address;
                                allow-email;
                                custom-message message;
                                custom-message-subject message-subject;
                                display-host;
                                (no-notify-mail-sender | notify-mail-sender);
                                type (message | protocol-only);
                            }
                            fallback-non-block {
                                custom-message message;
                                custom-message-subject message-subject;
                                (no-notify-mail-recipient | notify-mail-recipient);
                            }
                            virus-detection {
                                custom-message message;
                                custom-message-subject message-subject;
                                (no-notify-mail-sender | notify-mail-sender);
                                type (message | protocol-only);
                            }
                        }
                        scan-options {
                            content-size-limit value;
                            decompress-layer-limit value;
                            (intelligent-prescreening | no-intelligent-prescreening);
                            scan-extension filename;
                            scan-mode (all | by-extension);
                            timeout value;
                        }
                        trickling {
                            timeout value;
                        }
                    }
                }
                mime-whitelist {
                    exception listname;
                    list listname {
                        exception listname;
                    }
                }
                sophos-engine {
                    pattern-update {
                        email-notify {
                            admin-email email-address;
                            custom-message message;
                            custom-message-subject message-subject;
                        }
                        interval value;
                        no-autoupdate;
                        proxy {
                            password password-string;
                            port port-number;
                            server address-or-url;
                            username name;
                        }
                        url url;
                    }
                    profile profile-name {
                        fallback-options {
                            content-size (block | log-and-permit | permit);
                            default (block | log-and-permit | permit);
                            engine-not-ready (block | log-and-permit | permit);
                            out-of-resources (block | log-and-permit | permit);
                            timeout (block | log-and-permit | permit);
                            too-many-requests (block | log-and-permit | permit);
                        }
                        notification-options {
                            fallback-block {
                                administrator-email email-address;
                                allow-email;
                                custom-message message;
                                custom-message-subject message-subject;
                                display-host;
                                (no-notify-mail-sender | notify-mail-sender);
                                type (message | protocol-only);
                            }
                            fallback-non-block {


    block-message {type {

    custom-redirect-url;}

    url url ;}category customurl-list name {

    action (block | log-and-permit | permit);}custom-block-message value ;default (block | log-and-permit | permit);fallback-settings {

    default (block | log-and-permit);server-connectivity (block | log-and-permit);timeout (block | log-and-permit);too-many-requests (block | log-and-permit);

    }no-safe-search;

    site-reputation-action {fairly-safe (block | log-and-permit | permit);harmful (block | log-and-permit | permit);moderately-safe (block | log-and-permit | permit);suspicious (block | log-and-permit | permit);very-safe (block | log-and-permit | permit);

    }timeout value ;

    }server {

    host host-name ;port number ;

    }}

    juniper-local {profile profile-name {

    custom-block-message value ;default (block | log-and-permit | permit);fallback-settings {

    default (block | log-and-permit);server-connectivity (block | log-and-permit);timeout (block | log-and-permit);too-many-requests (block | log-and-permit);

    }timeout value ;

    }}surf-control-integrated {

    cache {size value ;timeout value ;

    }profile profile-name {

    category customurl-list name {action (block | log-and-permit | permit);

    }custom-block-message value ;default (block | log-and-permit | permit);

    Copyright 2012, Juniper Networks, Inc.30

    UTM Sophos Antivirus Protection for SecurityDevices

  • 8/10/2019 Security Utm

    45/122

    fallback-settings {default (block | log-and-permit);server-connectivity (block | log-and-permit);timeout (block | log-and-permit);

    too-many-requests (block | log-and-permit);}timeout value ;

    }server {

    host host-name ;port number ;

    }}traceoptions {

    flag flag ;}type (juniper-enhanced | juniper-local | surf-control-integrated |

    websense-redirect);

    url-blacklist listname ;url-whitelist listname ;websense-redirect {

    profile profile-name {account value ;custom-block-message value ;fallback-settings {

    default (block | log-and-permit);server-connectivity (block | log-and-permit);timeout (block | log-and-permit);too-many-requests (block | log-and-permit);

    }server {

    host host-name ;

    port number ;}sockets value ;timeout value ;

    }}

    }}ipc {

    traceoptions {flag flag ;}

    }traceoptions {

    flag flag ;}utm-policy policy-name {

    anti-spam {smtp-profile profile-name ;

    }anti-virus {

    ftp {download-profile profile-name ;upload-profile profile-name ;

    31Copyright 2012, Juniper Networks, Inc.

    Chapter4: Configuration Statements

  • 8/10/2019 Security Utm

    46/122

    }http-profile profile-name ;imap-profile profile-name ;pop3-profile profile-name ;

    smtp-profile profile-name ;}content-filtering {

    ftp {download-profile profile-name ;upload-profile profile-name ;

    }http-profile profile-name ;imap-profile profile-name ;pop3-profile profile-name ;smtp-profile profile-name ;

    }traffic-options {

    sessions-per-client {

    limit value ;over-limit (block | log-and-permit);

    }}web-filtering {

    http-profile profile-name ;}

    }}

    }
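The hierarchy above lists the statements but not how they are tied together. The following set-command configuration is added here as an illustration; it is not taken from the Juniper document. It builds a Sophos antivirus profile that fails closed (every fallback-options action is block, so traffic the engine cannot scan is dropped and logged instead of being passed unscanned), enables e-mail notification for fallback blocks and for pattern updates, binds the profile to HTTP, SMTP and FTP downloads through a utm-policy, and applies that UTM policy from a security policy with application-services. The profile name sav-strict, the policy names, the zone names trust and untrust, and the address secops@example.com are assumptions chosen for the example; the numeric values are illustrative and should be tuned per deployment.

```junos
# Select the Sophos engine and keep its pattern database current.
set security utm feature-profile anti-virus type sophos-engine
set security utm feature-profile anti-virus sophos-engine pattern-update interval 60
set security utm feature-profile anti-virus sophos-engine pattern-update email-notify admin-email secops@example.com
set security utm feature-profile anti-virus sophos-engine pattern-update email-notify custom-message-subject "UTM: Sophos pattern update"

# Fail closed: anything the scanner cannot finish is blocked and logged.
# (permit exists only for the Sophos engine and passes data unscanned with no log entry.)
set security utm feature-profile anti-virus sophos-engine profile sav-strict fallback-options default block
set security utm feature-profile anti-virus sophos-engine profile sav-strict fallback-options content-size block
set security utm feature-profile anti-virus sophos-engine profile sav-strict fallback-options engine-not-ready block
set security utm feature-profile anti-virus sophos-engine profile sav-strict fallback-options out-of-resources block
set security utm feature-profile anti-virus sophos-engine profile sav-strict fallback-options timeout block
set security utm feature-profile anti-virus sophos-engine profile sav-strict fallback-options too-many-requests block

# Tell the client and the administrator why a transfer was dropped.
set security utm feature-profile anti-virus sophos-engine profile sav-strict notification-options fallback-block type message
set security utm feature-profile anti-virus sophos-engine profile sav-strict notification-options fallback-block allow-email
set security utm feature-profile anti-virus sophos-engine profile sav-strict notification-options fallback-block administrator-email secops@example.com
set security utm feature-profile anti-virus sophos-engine profile sav-strict notification-options fallback-block custom-message "Transfer blocked: antivirus scan could not be completed"
set security utm feature-profile anti-virus sophos-engine profile sav-strict notification-options virus-detection type message
set security utm feature-profile anti-virus sophos-engine profile sav-strict notification-options virus-detection custom-message "Transfer blocked: malware detected"

# Scan limits (content-size-limit must lie in the documented 20 through 20,000 range).
set security utm feature-profile anti-virus sophos-engine profile sav-strict scan-options content-size-limit 10000
set security utm feature-profile anti-virus sophos-engine profile sav-strict scan-options uri-check
set security utm feature-profile anti-virus sophos-engine profile sav-strict scan-options timeout 180

# Bind the profile to protocols in a UTM policy and cap per-client sessions.
set security utm utm-policy utm-scan anti-virus http-profile sav-strict
set security utm utm-policy utm-scan anti-virus smtp-profile sav-strict
set security utm utm-policy utm-scan anti-virus ftp download-profile sav-strict
set security utm utm-policy utm-scan traffic-options sessions-per-client limit 100
set security utm utm-policy utm-scan traffic-options sessions-per-client over-limit block

# Apply the UTM policy from a security policy; only matched traffic is scanned.
set security policies from-zone trust to-zone untrust policy scan-outbound match source-address any
set security policies from-zone trust to-zone untrust policy scan-outbound match destination-address any
set security policies from-zone trust to-zone untrust policy scan-outbound match application [ junos-http junos-smtp junos-ftp ]
set security policies from-zone trust to-zone untrust policy scan-outbound then permit application-services utm-policy utm-scan

commit check
commit
```

The `#` lines are explanatory and not part of the configuration. After the commit, `show security utm anti-virus status` confirms the engine and pattern database are loaded (a profile whose engine is not ready falls back, which is why engine-not-ready is set to block above), and `show security utm anti-virus statistics` shows scan and fallback counters. Where a fallback must not block, prefer log-and-permit over permit so that unscanned transfers at least leave a log entry.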

Related Documentation

    Junos OS Feature Support Reference for SRX Series and J Series Devices

    admin-email

Syntax admin-email email-address;

Hierarchy Level [edit security utm feature-profile anti-virus juniper-express-engine pattern-update email-notify]

[edit security utm feature-profile anti-virus kaspersky-lab-engine pattern-update email-notify]
[edit security utm feature-profile anti-virus sophos-engine pattern-update email-notify]

Release Information Statement introduced in Release 9.5 of Junos OS.

Description You can configure the device to notify a specified administrator when patterns are updated. This is an e-mail notification with a custom message and a custom subject line.

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

Junos OS Security Configuration Guide


    administrator-email (Security Fallback Block)

Syntax administrator-email email-address;

Hierarchy Level [edit security utm feature-profile anti-virus juniper-express-engine profile profile-name notification-options fallback-block]

[edit security utm feature-profile anti-virus kaspersky-lab-engine profile profile-name notification-options fallback-block]

[edit security utm feature-profile anti-virus sophos-engine profile profile-name notification-options fallback-block]

Release Information Statement introduced in Release 9.5 of Junos OS. Support for Sophos engine added in Release 11.1 of Junos OS.

Description Configure the administrator e-mail address that will be notified when a fallback-block occurs. This is an e-mail notification with a custom message and a custom subject line.

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

Junos OS Security Configuration Guide

    administrator-email (Security Virus Detection)

Syntax administrator-email email-address;

Hierarchy Level [edit security utm feature-profile anti-virus sophos-engine profile profile-name notification-options virus-detection]

Release Information Statement introduced in Release 11.1 of Junos OS.

Description Configure the administrator e-mail address that will be notified when a virus is detected by Sophos antivirus. This is an e-mail notification with a custom message and a custom subject line.

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

Junos OS Security Configuration Guide


    allow-email (Security Fallback Block)

Syntax allow-email;

Hierarchy Level [edit security utm feature-profile anti-virus juniper-express-engine profile profile-name notification-options fallback-block]

[edit security utm feature-profile anti-virus kaspersky-lab-engine profile profile-name notification-options fallback-block]

[edit security utm feature-profile anti-virus sophos-engine profile profile-name notification-options fallback-block]

Release Information Statement introduced in Release 9.5 of Junos OS. Support for Sophos engine added in Release 11.1 of Junos OS.

Description Enable e-mail notification to notify a specified administrator when a fallback-block occurs.

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

Junos OS Security Configuration Guide

    allow-email (Security Virus Detection)

Syntax allow-email;

Hierarchy Level [edit security utm feature-profile anti-virus sophos-engine profile profile-name notification-options virus-detection]

Release Information Statement introduced in Release 11.1 of Junos OS.

Description Enable e-mail notification to notify a specified administrator when a virus is detected.

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

Junos OS Security Configuration Guide


    anti-virus (Security Feature Profile)

Syntax anti-virus {
    juniper-express-engine {
        pattern-update {
            email-notify {
                admin-email email-address;
                custom-message message;
                custom-message-subject message-subject;
            }
            interval value;
            no-autoupdate;
            proxy {
                password password-string;
                port port-number;
                server address-or-url;
                username name;
            }
            url url;
        }
        profile profile-name {
            fallback-options {
                content-size (block | log-and-permit);
                default (block | log-and-permit);
                engine-not-ready (block | log-and-permit);
                out-of-resources (block | log-and-permit);
                timeout (block | log-and-permit);
                too-many-requests (block | log-and-permit);
            }
            notification-options {
                fallback-block {
                    administrator-email email-address;
                    allow-email;
                    custom-message message;
                    custom-message-subject message-subject;
                    display-host;
                    (no-notify-mail-sender | notify-mail-sender);
                    type (message | protocol-only);
                }
                fallback-non-block {
                    custom-message message;
                    custom-message-subject message-subject;
                    (no-notify-mail-recipient | notify-mail-recipient);
                }
                virus-detection {
                    custom-message message;
                    custom-message-subject message-subject;
                    (no-notify-mail-sender | notify-mail-sender);
                    type (message | protocol-only);
                }
            }
            scan-options {
                content-size-limit value;
                (intelligent-prescreening | no-intelligent-prescreening);
                timeout value;
            }
            trickling {
                timeout value;
            }
        }
    }
    kaspersky-lab-engine {
        pattern-update {
            email-notify {
                admin-email email-address;
                custom-message message;
                custom-message-subject message-subject;
            }
            interval value;
            no-autoupdate;
            proxy {
                password password-string;
                port port-number;
                server address-or-url;
                username name;
            }
            url url;
        }
        profile profile-name {
            fallback-options {
                content-size (block | log-and-permit);
                corrupt-file (block | log-and-permit);
                decompress-layer (block | log-and-permit);
                default (block | log-and-permit);
                engine-not-ready (block | log-and-permit);
                out-of-resources (block | log-and-permit);
                password-file (block | log-and-permit);
                timeout (block | log-and-permit);
                too-many-requests (block | log-and-permit);
            }
            notification-options {
                fallback-block {
                    administrator-email email-address;
                    allow-email;
                    custom-message message;
                    custom-message-subject message-subject;
                    display-host;
                    (no-notify-mail-sender | notify-mail-sender);
                    type (message | protocol-only);
                }
                fallback-non-block {
                    custom-message message;
                    custom-message-subject message-subject;
                    (no-notify-mail-recipient | notify-mail-recipient);
                }
                virus-detection {
                    custom-message message;
                    custom-message-subject message-subject;
                    (no-notify-mail-sender | notify-mail-sender);
                    type (message | protocol-only);
                }
            }
            scan-options {
                content-size-limit value;
                decompress-layer-limit value;
                (intelligent-prescreening | no-intelligent-prescreening);
                scan-extension filename;
                scan-mode (all | by-extension);
                timeout value;
            }
            trickling {
                timeout value;
            }
        }
    }
    mime-whitelist {
        exception listname;
        list listname {
            exception listname;
        }
    }
    sophos-engine {
        pattern-update {
            email-notify {
                admin-email email-address;
                custom-message message;
                custom-message-subject message-subject;
            }
            interval value;
            no-autoupdate;
            proxy {
                password password-string;
                port port-number;
                server address-or-url;
                username name;
            }
            url url;
        }
        profile profile-name {
            fallback-options {
                content-size (block | log-and-permit | permit);
                default (block | log-and-permit | permit);
                engine-not-ready (block | log-and-permit | permit);
                out-of-resources (block | log-and-permit | permit);
                timeout (block | log-and-permit | permit);
                too-many-requests (block | log-and-permit | permit);
            }
            notification-options {
                fallback-block {
                    administrator-email email-address;
                    allow-email;
                    custom-message message;
                    custom-message-subject message-subject;
                    display-host;
                    (no-notify-mail-sender | notify-mail-sender);
                    type (message | protocol-only);
                }
                fallback-non-block {
                    custom-message message;
                    custom-message-subject message-subject;
                    (no-notify-mail-recipient | notify-mail-recipient);
                }
                virus-detection {
                    custom-message message;
                    custom-message-subject message-subject;
                    (no-notify-mail-sender | notify-mail-sender);
                    type (message | protocol-only);
                }
            }
            scan-options {
                content-size-limit value;
                (no-uri-check | uri-check);
                timeout value;
            }
            trickling {
                timeout value;
            }
        }
        sxl-retry value;
        sxl-timeout seconds;
    }
    traceoptions flag flag;
    type (juniper-express-engine | kaspersky-lab-engine | sophos-engine);
    url-whitelist listname;
}

    Hierarchy Level [edit security utm feature-profile]

    Release Information Statement introduced in Release 9.5 of Junos OS.

    Description Configure UTM antivirus full and express features.

    Options The remaining statements are explained separately.

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

    Junos OS Security Configuration Guide


    application (Security Policies)

Syntax application {
    [ application ];
    any;
}

    Hierarchy Level [edit security policies from-zone zone-name to-zone zone-name policy policy-name match]

    Release Information Statement introduced in Release 8.5 of Junos OS.

    Description Specify the IP or remote procedure call (RPC) application or set of applications to beused as match criteria.

Options application-name-or-set: Name of the application or application set used as match criteria.

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

    Junos OS Security Configuration Guide


    content-size (Security Antivirus Sophos Engine)

    Syntax content-size (block | log-and-permit | permit);

    Hierarchy Level [edit security utm feature-profile anti-virus sophos-engine profile profile-namefallback-options]

    Release Information Statement introduced in Release 11.1 of Junos OS.

    Description If the content size exceeds a set limit, the content is either passed or blocked.

NOTE: When you configure the content-size value, keep in mind that in certain cases the content size is available in the protocol headers, so the max-content-size fallback is applied before a scan request is sent. However, in many cases the content size is not provided in the protocol headers. In these cases the TCP payload is sent to the antivirus scanner and accumulates until the end of the payload. If the accumulated payload exceeds the maximum content size value, the max-content-size fallback is applied. You might want to set the fallback action to block, in which case such a packet is dropped and a block message is sent to the client.

Options block: Log the error and deny the traffic.

log-and-permit: Log the error and permit the traffic.

permit: Permit the traffic without logging it.

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

    Junos OS Security Configuration Guide


    content-size-limit

Syntax content-size-limit value;

Hierarchy Level [edit security utm feature-profile anti-virus juniper-express-engine profile profile-name scan-options]

[edit security utm feature-profile anti-virus kaspersky-lab-engine profile profile-name scan-options]

[edit security utm feature-profile anti-virus sophos-engine profile profile-name scan-options]

Release Information Statement introduced in Release 9.5 of Junos OS. Support for Sophos engine added in Release 11.1 of Junos OS.

Description The content size check occurs before the scan request is sent. The content size refers to the accumulated TCP payload size.

Range: 20 through 20,000

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

    Junos OS Security Configuration Guide
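The two statements just described work as a pair: content-size-limit sets the threshold, and the content-size fallback action decides what happens when a transfer crosses it, whether that is known up front from the protocol headers or only after the accumulated TCP payload grows past the limit. The example below is added here as an illustration and is not taken from the Juniper document. It shows the weak setting beside the corrected one and the operational commands used to confirm the fallback is actually firing. The profile names sav-lax and sav-strict are assumptions; the limit values are illustrative and lie inside the documented 20 through 20,000 range.

```junos
# Weak: an oversized transfer is passed to the client unscanned, and because the
# action is permit rather than log-and-permit, nothing is logged either.
set security utm feature-profile anti-virus sophos-engine profile sav-lax scan-options content-size-limit 20000
set security utm feature-profile anti-virus sophos-engine profile sav-lax fallback-options content-size permit

# Corrected: a transfer that exceeds the limit is dropped, the event is logged,
# and the client receives the block message instead of a truncated file.
set security utm feature-profile anti-virus sophos-engine profile sav-strict scan-options content-size-limit 10000
set security utm feature-profile anti-virus sophos-engine profile sav-strict fallback-options content-size block
set security utm feature-profile anti-virus sophos-engine profile sav-strict notification-options fallback-block type message
set security utm feature-profile anti-virus sophos-engine profile sav-strict notification-options fallback-block custom-message "Blocked: file exceeds the antivirus scan size limit"

# If large unscanned downloads must be allowed on some profile, log them rather
# than permitting them silently; this overwrites the permit action set above.
set security utm feature-profile anti-virus sophos-engine profile sav-lax fallback-options content-size log-and-permit

commit check
commit

# Verification (run from configuration mode; drop the "run" prefix in operational mode):
# reset the counters, pull a file larger than the limit through a policy that uses
# the profile, then confirm the content-size fallback counter increments.
run clear security utm anti-virus statistics
run show security utm anti-virus status
run show security utm anti-virus statistics
```

The `#` lines are explanatory and not part of the configuration. Because the limit is measured against accumulated payload when the headers carry no length, the block can land partway through a transfer; that is the expected behaviour the NOTE describes, not a scanner fault, and the fallback counters in the statistics output are the quickest way to tell the two apart.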

    custom-message (Security Email Notify)

Syntax custom-message message;

Hierarchy Level [edit security utm feature-profile anti-virus juniper-express-engine pattern-update email-notify]

[edit security utm feature-profile anti-virus kaspersky-lab-engine pattern-update email-notify]
[edit security utm feature-profile anti-virus sophos-engine pattern-update email-notify]

Release Information Statement introduced in Release 9.5 of Junos OS. Support for Sophos engine added in Release 11.1 of Junos OS.

Description You can configure the device to notify a specified administrator when patterns are updated. This is an e-mail notification with a custom message.

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

    Junos OS Security Configuration Guide


    custom-message (Security Fallback Block)

Syntax custom-message message;

Hierarchy Level [edit security utm feature-profile anti-virus juniper-express-engine profile profile-name notification-options fallback-block]

[edit security utm feature-profile anti-virus kaspersky-lab-engine profile profile-name notification-options fallback-block]

[edit security utm feature-profile anti-virus sophos-engine profile profile-name notification-options fallback-block]

Release Information Statement introduced in Release 9.5 of Junos OS. Support for Sophos engine added in Release 11.1 of Junos OS.

Description Custom message notifications are mainly used in file replacement or in a response message when the antivirus scan result is to drop the file.

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

    Junos OS Security Configuration Guide

    custom-message (Security Fallback Non-Block)

Syntax custom-message message;

Hierarchy Level [edit security utm feature-profile anti-virus juniper-express-engine profile profile-name notification-options fallback-non-block]

[edit security utm feature-profile anti-virus kaspersky-lab-engine profile profile-name notification-options fallback-non-block]

[edit security utm feature-profile anti-virus sophos-engine profile profile-name notification-options fallback-non-block]

Release Information Statement introduced in Release 9.5 of Junos OS. Support for Sophos engine added in Release 11.1 of Junos OS.

Description Custom message notifications are mainly used in file replacement or in a response message when the antivirus scan result is to drop the file.

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

    Junos OS Security Configuration Guide


    custom-message (Security Virus Detection)

Syntax custom-message message;

Hierarchy Level [edit security utm feature-profile anti-virus juniper-express-engine profile profile-name notification-options virus-detection]

[edit security utm feature-profile anti-virus kaspersky-lab-engine profile profile-name notification-options virus-detection]

[edit security utm feature-profile anti-virus sophos-engine profile profile-name notification-options virus-detection]

Release Information Statement introduced in Release 9.5 of Junos OS. Support for Sophos engine added in Release 11.1 of Junos OS.

Description Custom message notifications are mainly used in file replacement or in a response message when the antivirus scan result is to drop the file.

Required Privilege Level

security: To view this statement in the configuration.
security-control: To add this statement to the configuration.

Related Documentation

    Junos OS Security Configuration Guide

    custom-message-subject (Security Email Notify)

Syntax custom-message-subject message-subject;

Hierarchy Level [edit security utm feature-profile anti-virus juniper-express-engine pattern-update email-notify]

[edit security utm feature-profile anti-virus kaspersky-lab-engine pattern-update email-notify]
[edit security utm feature-profile anti-virus sophos-engine pattern-update email-notify]

Release Information Statement introduced in Release 9.5 of Junos OS. Support for Sophos engine added in Release 11.1 of Junos OS.

Description You can configure the device to notify a specified administrator when patterns are updated. This is an e-mail notification with a custom message and a custom subject line.