🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Juniper SRX Firewall Integration Guide

integrations network juniper


Juniper SRX Series Services Gateway firewalls must be configured to send logs via syslog to the Taegis™ XDR Collector. Firewall logs are filtered and correlated in real time for various security event observations, including correlation of denied traffic logs, port scanning, broad scanning, internal network outbreaks, peer-to-peer file sharing activity, and outbound traffic to known malicious IP addresses, including known Advanced Persistent Threat (APT) target endpoints being monitored by the Secureworks Counter Threat Unit.

Follow the instructions below to configure the SRX logging and enable monitoring by Secureworks.

Firewall Requirements

Source Destination Port/Protocol
Firewall_mgmt_interface Taegis™ XDR Collector (mgmt IP) UDP/514

Data Provided from Integration

  Antivirus Auth DHCP DNS Email Encrypt File HTTP Management Netflow NIDS Process Thirdparty
Juniper SRX Firewall   D         Y D   D V    

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Logging Configuration Instructions

Command Line Instructions

Use a Command Line Interface (CLI) to run the following commands that enable Juniper SRX Series logging, depending on the firewall set-up.

Code Example Variables

Variables in the code examples below are indicated with angle brackets ( <xxx> ). These must be replaced with the information specific to your implementation.

Some of the variables in the following code samples are:

For more information on configuration commit commands for Juniper SRX, see Setting the System to Stream Security Logs in the Juno OS documentations.

Stanadlone Firewall

set system syslog host <TDR_DC_IP> any any
set system syslog source-address <MANAGEMENT_INTERFACE_IP>
set security log mode stream
set security log utc-timestamp
set security log source-address <MANAGEMENT_INTERFACE_IP>
set security log stream TDR-FWLOGS format syslog
set security log stream TDR-FWLOGS category all
set security log stream TDR-FWLOGS host <TDR_DC_IP> any any
set security log stream TDR-FWLOGS host port 514
commit check
commit

set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file default-log-messages any any
set system syslog file default-log-messages match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES|(AIS_DATA_AVAILABLE)"
set system syslog file RTFLOW match RT_FLOW
set system syslog time-format

HA Firewall Pair

HA syslog format
set groups node0 system syslog file default-log-messages any info
set groups node0 system syslog file default-log-messages match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES|(AIS_DATA_AVAILABLE)"
set system syslog host <TDR_DC_IP> any any
set security log mode stream
set security log source-address <RETH_INTERFACE_IP>
set security log stream TDR-FWLOGS format syslog
set security log stream TDR-FWLOGS host <TDR_DC_IP> any any
set groups node0 system host-name <HOSTNAME1>
set groups node1 system host-name <HOSTNAME2>
set groups node0 system backup-router <GATEWAY_IP> destination <TDR_DC_IP>
set groups node1 system backup-router <GATEWAY_IP> destination <TDR_DC_IP>
set groups node0 system syslog source-address <FXP0 INTERFACE_IP>
set groups node1 system syslog source-address <FXP0_INTERFACE_IP>
commit check
commit

Enable Logging on Security Policies

Logging is configured on a per-policy basis. You can specify that traffic logs are generated when a session closes (session-close) and when a session starts (session-init). Secureworks recommends generating traffic logs both when a session starts and a session closes to gather as much information as possible for analysis.

The following includes an example of enabling logging for a security policy named default-permit.

To enable logging for a security policy:

  1. Specify that traffic logs are generated when a session closes.
user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-close
  1. Specify that traffic logs are generated when a session starts.
user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-init
  1. Repeat steps 1 and 2 for all policies, in order to obtain all security logs.

  2. Update your Implementation Ticket and notify your Provisioning Engineer when you have completed the logging configuration.

Configuration Commit Commands

This section illustrates some basic CLI commands that are required to save your configurations.

Commit Check

After making your changes, you can proceed to check them with the commit check and then apply with a commit.

root@juniper1# commit check
configuration check succeeds
root@SRX100LAB# commit
commit complete

Commit Confirmed

The commit confirmed command commits a candidate configuration for 10 minutes. If you don’t then follow up with a second commit command, the device automatically rolls back to the previous configuration. You can use the commit confirmed command anytime you want a safety net against potential configuration problems. This command is very useful for configuring remote devices.

[edit]
root@juniper1# commit confirmed
commit confirmed will be automatically rolled back in 10 minutes
unless confirmed
commit complete

If everything passes your review, then you need to commit the new configuration a second time for the configuration to become permanent.

[edit]
root@juniper1# commit
commit complete

If you do not confirm the configuration by entering a second commit command, the CLI will roll back the device to the previous active configuration after 10 minutes. A message is displayed when the rollback is automatically completed:

Broadcast Message from root@juniper1
 (no tty) at 08:10:17 UTC
Commit was not confirmed; automatic rollback complete

 

On this page: