Juniper SRX Firewall Integration Guide
Juniper SRX Series Services Gateway firewalls must be configured to send logs via syslog to the Taegis™ XDR Collector. Firewall logs are filtered and correlated in real time for various security event observations, including correlation of denied traffic logs, port scanning, broad scanning, internal network outbreaks, peer-to-peer file sharing activity, and outbound traffic to known malicious IP addresses, including known Advanced Persistent Threat (APT) target endpoints being monitored by the Secureworks Counter Threat Unit.
Follow the instructions below to configure the SRX logging and enable monitoring by Secureworks.
Firewall Requirements
Source | Destination | Port/Protocol
---|---|---
Firewall_mgmt_interface | XDR Collector (mgmt IP) | UDP/514
Data Provided from Integration
 | Antivirus | Auth | DHCP | DNS | Encrypt | File | HTTP | Management | Netflow | NIDS | Process | Thirdparty
---|---|---|---|---|---|---|---|---|---|---|---|---
Juniper SRX Firewall | D | Y | D | D | V |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Logging Configuration Instructions
Command Line Instructions
Use a Command Line Interface (CLI) to run the following commands that enable Juniper SRX Series logging, depending on the firewall set-up.
Code Example Variables
Variables in the code examples below are indicated with angle brackets ( <xxx> ). These must be replaced with the information specific to your implementation.
Some of the variables in the following code samples are:
- <TDR_DC_IP>: the IP address of the destination (the XDR Collector).
- TDR-FWLOGS: the stream name.
For more information on configuration commit commands for Juniper SRX, see Setting the System to Stream Security Logs in the Junos OS documentation.
Standalone Firewall
set system syslog host <TDR_DC_IP> any any
set system syslog source-address <MANAGEMENT_INTERFACE_IP>
set security log mode stream
set security log utc-timestamp
set security log source-address <MANAGEMENT_INTERFACE_IP>
set security log stream TDR-FWLOGS format syslog
set security log stream TDR-FWLOGS category all
set security log stream TDR-FWLOGS host <TDR_DC_IP> any any
set security log stream TDR-FWLOGS host port 514
commit check
commit
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file default-log-messages any any
set system syslog file default-log-messages match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES|(AIS_DATA_AVAILABLE)"
set system syslog file RTFLOW match RT_FLOW
set system syslog time-format
HA Firewall Pair
HA syslog format
set groups node0 system syslog file default-log-messages any info
set groups node0 system syslog file default-log-messages match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES|(AIS_DATA_AVAILABLE)"
set system syslog host <TDR_DC_IP> any any
set security log mode stream
set security log source-address <RETH_INTERFACE_IP>
set security log stream TDR-FWLOGS format syslog
set security log stream TDR-FWLOGS host <TDR_DC_IP> any any
set groups node0 system host-name <HOSTNAME1>
set groups node1 system host-name <HOSTNAME2>
set groups node0 system backup-router <GATEWAY_IP> destination <TDR_DC_IP>
set groups node1 system backup-router <GATEWAY_IP> destination <TDR_DC_IP>
set groups node0 system syslog source-address <FXP0_INTERFACE_IP>
set groups node1 system syslog source-address <FXP0_INTERFACE_IP>
commit check
commit
Enable Logging on Security Policies
Logging is configured on a per-policy basis. You can specify that traffic logs are generated when a session closes (session-close) and when a session starts (session-init). Secureworks recommends generating traffic logs both when a session starts and when a session closes to gather as much information as possible for analysis.
The following is an example of enabling logging for a security policy named default-permit.
To enable logging for a security policy:
1. Specify that traffic logs are generated when a session closes.
user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-close
2. Specify that traffic logs are generated when a session starts.
user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-init
3. Repeat steps 1 and 2 for all policies, in order to obtain all security logs.
4. Update your Implementation Ticket and notify your Provisioning Engineer when you have completed the logging configuration.
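Step 3 is easy to get wrong on a firewall with many policies. The following added script (not part of this guide or of Junos) audits the output of `show configuration security policies | display set` and emits the `then log` commands each policy is still missing, so every policy ends up logging both session-init and session-close. The sample configuration text, zone names and policy names are constructed for illustration.

```python
import re
from collections import defaultdict

# One "set security policies ..." line from "| display set" output.
POLICY_RE = re.compile(
    r"^set security policies from-zone (?P<frm>\S+) to-zone (?P<to>\S+) "
    r"policy (?P<name>\S+)(?P<rest>.*)$"
)
# Logging options already present on a policy's "then" clause.
LOG_RE = re.compile(r"\bthen log (session-init|session-close)\b")
# Both options are required per the recommendation above.
REQUIRED = ("session-init", "session-close")

def find_policies(display_set_text):
    """Map (from_zone, to_zone, policy) -> set of log options configured."""
    policies = defaultdict(set)
    for line in display_set_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue  # not a security policy line (e.g. zones, interfaces)
        present = policies[(m["frm"], m["to"], m["name"])]
        present.update(LOG_RE.findall(m["rest"]))
    return dict(policies)

def missing_log_commands(display_set_text):
    """Return the 'set ... then log ...' commands still needed, sorted."""
    commands = []
    for (frm, to, name), present in sorted(find_policies(display_set_text).items()):
        for opt in REQUIRED:
            if opt not in present:
                commands.append(
                    f"set security policies from-zone {frm} to-zone {to} "
                    f"policy {name} then log {opt}"
                )
    return commands

# Constructed sample: one fully logged policy, one partial, one unlogged.
SAMPLE_DISPLAY_SET = """\
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit then log session-close
set security policies from-zone untrust to-zone trust policy inbound-deny then deny
set security policies from-zone untrust to-zone trust policy inbound-deny then log session-init
set security policies from-zone untrust to-zone trust policy inbound-deny then log session-close
set security policies from-zone dmz to-zone untrust policy dmz-web then permit
"""

if __name__ == "__main__":
    for cmd in missing_log_commands(SAMPLE_DISPLAY_SET):
        print(cmd)
```

Paste the emitted lines into configuration mode, then run commit check and commit as described in the next section.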
Configuration Commit Commands
This section illustrates some basic CLI commands that are required to save your configuration.
Commit Check
After making your changes, you can check them with commit check and then apply them with commit.
root@juniper1# commit check
configuration check succeeds
root@SRX100LAB# commit
commit complete
Commit Confirmed
The commit confirmed command commits a candidate configuration for 10 minutes. If you don’t then follow up with a second commit command, the device automatically rolls back to the previous configuration. You can use the commit confirmed command anytime you want a safety net against potential configuration problems. This command is very useful for configuring remote devices.
[edit]
root@juniper1# commit confirmed
commit confirmed will be automatically rolled back in 10 minutes unless confirmed
commit complete
If everything passes your review, then you need to commit the new configuration a second time for the configuration to become permanent.
[edit]
root@juniper1# commit
commit complete
If you do not confirm the configuration by entering a second commit command, the CLI will roll back the device to the previous active configuration after 10 minutes. A message is displayed when the rollback is automatically completed:
Broadcast Message from root@juniper1 (no tty) at 08:10:17 UTC
Commit was not confirmed; automatic rollback complete