Threat Enforcement Configuration - Juniper SRX

Overview

The MetaAccess NAC threat enforcement module lets you configure enforcement policies based on threats detected by a system external to MetaAccess NAC. These policies can be used with any device type and do not require an agent running on the end-user device.

Once configured, policies can be set to either audit or quarantine. With any quarantine policy, end-users receive a browser-based message informing them of the issue. These messages can be customized with remediation instructions and the time they will need to wait before the quarantine is re-evaluated.

Configure Juniper SRX

On the firewall, run the following commands from the CLI to enable IDP event syslog.

Enable IDP event logging to syslog

Note: The source-address should be an interface IP of the firewall. The syslog host is the MetaAccess NAC appliance (in a cluster environment, this is the manager IP).

Verify the configuration is in place

Configure Threat Enforcement Input

After the threat detection system is configured, open the MetaAccess NAC Configuration at https://portal.myweblogon.com:8443/manage (portal.myweblogon.com can be replaced by the manager IP or a branded URL) and choose “Configuration Manager > Threat Enforcement”.

Enable the webapi:

From the dropdown, choose Juniper SRX and click ‘Add’.

After choosing the vendor, at least one source must be defined. A source is simply the IP address of the threat detection system. If the threat detection system has multiple interfaces, the IP specified must be the one that appears as the source address of the alerts. The name can be any descriptive label.

After clicking ‘Submit’, the Threat Detection source will appear in the list.

Configure Threat Enforcement Policies

After at least one source has been defined, Threat Detection policies can now be created. To create a policy, click the ‘Add’ button.

The first section defines which alerts MetaAccess NAC will listen for. If alert details are not configured, MetaAccess NAC ignores the alert. The following values apply to Juniper SRX and are joined with 'AND' to find matching alerts.

  • Threat Severity: A textual value indicating LOW, MEDIUM or HIGH
  • Attack Name: A text value that also supports regex matching. Leave this field blank to match all values.
  • Policy Name: A text value that also supports regex matching. Leave this field blank to match all values.

The next section defines how MetaAccess NAC reacts to the defined alert. Once configured, the policies are available in the MetaAccess NAC Policy Manager.

  • Policy Name: The name of the MetaAccess NAC Policy. This value will be used to represent this policy in the Policy Manager and in the Device Manager.
  • Policy Duration: Defines how long MetaAccess NAC enforces the policy after an alert is received. Once this time expires, the policy is no longer enforced unless a follow-up alert is received for the device.
  • Enforcement: Defines whether MetaAccess NAC blocks the device or simply reports on the alert.
  • Web Message: The web message that will be displayed to blocked devices for the duration of the enforcement.
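The matching and enforcement rules described in the two sections above (severity compared exactly, attack and policy name matched by regex with blank meaning match-all, all joined with AND, undefined sources ignored, and the enforcement duration restarted by a follow-up alert) are illustrated in this added example; it is not MetaAccess NAC's own code. The alert field names, the sample alerts and the policy values are constructed for the example and do not represent Juniper's syslog format.

```python
import re
from dataclasses import dataclass

@dataclass
class ThreatPolicy:
    name: str          # shown in the Policy Manager and Device Manager
    severity: str      # LOW, MEDIUM or HIGH; compared exactly
    attack_name: str   # regex against the IDP attack name; blank matches all
    policy_name: str   # regex against the IDP policy name; blank matches all
    duration: int      # seconds enforced after the most recent matching alert
    enforcement: str   # "quarantine" (block) or "audit" (report only)

    def matches(self, alert: dict) -> bool:
        """Alert details are joined with AND: every configured field must match."""
        if alert["severity"].upper() != self.severity.upper():
            return False
        for pattern, value in ((self.attack_name, alert["attack"]),
                               (self.policy_name, alert["policy"])):
            if pattern and not re.search(pattern, value):
                return False
        return True

class ThreatEnforcer:
    def __init__(self, sources, policies):
        self.sources = set(sources)  # defined sources: only these alert source IPs are accepted
        self.policies = policies
        self.active = {}             # (device IP, policy name) -> (expiry time, enforcement)

    def handle(self, alert: dict):
        """Apply the first matching policy; alerts from undefined sources are ignored."""
        if alert["source"] not in self.sources:
            return None
        for p in self.policies:
            if p.matches(alert):
                # A follow-up alert restarts the policy duration for that device.
                self.active[(alert["device"], p.name)] = (alert["time"] + p.duration, p.enforcement)
                return p.name
        return None

    def active_policies(self, device: str, now: int) -> list:
        """Unexpired (policy name, enforcement) pairs for a device."""
        return sorted((name, enf) for (dev, name), (expiry, enf) in self.active.items()
                      if dev == device and expiry > now)

# Constructed sample alerts, already parsed into fields (not Juniper's syslog format).
SAMPLE_ALERTS = [
    {"source": "10.0.0.1", "device": "192.168.1.10", "severity": "HIGH",
     "attack": "HTTP:SQL:INJ:GENERIC", "policy": "Recommended", "time": 0},
    {"source": "10.0.0.1", "device": "192.168.1.11", "severity": "LOW",
     "attack": "HTTP:INFO-LEAK", "policy": "Recommended", "time": 5},
]
```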

Once configured, click ‘Save’.

The resulting Threat Enforcement Policy now appears in the list and is available in the Policy Manager.

Add Policies to existing Policy Groups

After Threat Enforcement policies have been defined, they are available in the Policy Manager. Threat Enforcement policies can be added to a Policy Container just like any other MetaAccess NAC policy.
