How to configure Sophos anti-virus on SRX devices

  [KB21889]


Summary:

This article provides information on how to configure the Sophos anti-virus feature by using the default anti-virus profile (junos-sophos-av-defaults).

Symptoms:

How to configure, verify, and troubleshoot Sophos anti-virus on a branch SRX device. This feature is supported from Junos 11.1 onwards. Sophos AV is an in-the-cloud anti-virus solution that requires fewer system resources and provides better scaling and performance than the other anti-virus engines.

  • Supported Protocols:

    HTTP, FTP, SMTP, IMAP and POP3

    Note: This feature will not block HTTPS traffic.

  • Supported File types:

    Exe, zip, rar, swf (shockwave flash), pdf, and ole2 (doc, xls).

Solution:

The Sophos AV solution uses the sophos-engine, which is distinct from the kaspersky-lab-engine and the juniper-express-engine. Before configuring Sophos AV on the device, verify that the av_key_sophos_engine license is installed: run the show system license usage command and look for the av_key_sophos_engine entry.

Sample output:

  root> show system license usage
                                   Licenses     Licenses    Licenses    Expiry
    Feature name                       used    installed      needed
    av_key_kaspersky_engine               1            0           1    29 days
    anti_spam_key_sbl                     1            0           1    29 days
    wf_key_surfcontrol_cpa                1            0           1    29 days
    ax411-wlan-ap                         0            2           0    permanent
    av_key_sophos_engine                  1            0           1    29 days
    logical-system                        0            1           0    permanent

If the license is not installed, refer to KB14103 - SRX License Installation steps after registering product for auto license installation. You can also download the license file and add it by using the following command:

  root> request system license add terminal

Configuration:
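As an added verification example (not part of the KB article), the following Python parses the show system license usage output quoted above and reports whether the av_key_sophos_engine license still needs to be installed; the sample output is constructed to match the article's table, and the function names are this example's own.

```python
import re

# Constructed sample modelled on the `show system license usage` output
# quoted in the article. Column order: feature, licenses used,
# licenses installed, licenses needed, expiry.
SAMPLE_LICENSE_USAGE = """\
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  av_key_kaspersky_engine               1            0           1    29 days
  anti_spam_key_sbl                     1            0           1    29 days
  wf_key_surfcontrol_cpa                1            0           1    29 days
  ax411-wlan-ap                         0            2           0    permanent
  av_key_sophos_engine                  1            0           1    29 days
  logical-system                        0            1           0    permanent
"""

# One data row: feature name, three integer counters, then the expiry text.
LICENSE_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")


def parse_license_usage(text):
    """Map each feature name to its used/installed/needed counts and expiry."""
    rows = {}
    for line in text.splitlines():
        m = LICENSE_ROW.match(line)
        if m:  # header lines contain no integer columns and are skipped
            rows[m.group(1)] = {
                "used": int(m.group(2)),
                "installed": int(m.group(3)),
                "needed": int(m.group(4)),
                "expiry": m.group(5),
            }
    return rows


def sophos_license_state(text, feature="av_key_sophos_engine"):
    """'missing' if the feature is absent, 'needed' if it is used but not
    installed (running on the grace period), otherwise 'ok'."""
    row = parse_license_usage(text).get(feature)
    if row is None:
        return "missing"
    if row["installed"] == 0 or row["needed"] > 0:
        return "needed"
    return "ok"
```

Run it against the live output (for example, captured over NETCONF or SSH) before enabling the UTM policy, so a device silently running on the grace period is caught early.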

The configuration is similar to that of the other AV engines.

JWeb procedure:

Configure the Sophos antivirus feature profile:

  1. Go to Configure > Security > UTM > Global options and click the Anti-Virus tab.
  2. In the Engine Type list, select Sophos and click OK.
  3. If the policy is successfully saved, you will receive a confirmation; click OK again. If the profile is not successfully saved, you can click Details in the displayed pop-up window to find out the reason.

Configure a UTM policy for Sophos antivirus:

  1. Go to Configure > Security > Policy > UTM Policies and click Add to configure a UTM policy; the Add Policy window is displayed.
  2. In the Main tab, next to Policy Name, type a unique name for the UTM policy (for example, sophos-utm-policy).
  3. Click the Anti-Virus profiles tab.
  4. Next to the HTTP profile, select junos-sophos-av-defaults and click OK.
  5. If the policy is successfully saved, you will receive a confirmation; click OK again. If the profile is not successfully saved, you can click Details in the displayed pop-up window to find out the reason.

Create a security policy and attach the UTM policy to it:

  1. Go to Configure > Security > Policy > FW Policies.
  2. From the Security Policy window, click Add to configure a security policy with UTM. The policy configuration window is displayed.
  3. In the Policy tab, type a name in the Policy Name text box.
  4. In Default Policy Action, select either Deny-All or Permit-All.
  5. In From Zone, select a zone from the list and in To Zone, select a zone from the list.
  6. Under Zone Direction, click Add a Policy.
  7. Select a Source Address.
  8. Select a Destination Address.
  9. Choose an application by selecting junos-protocol (for all protocols that support antivirus scanning) in the Application Sets list and clicking the right arrow (->) button to move it to the Matched box.
  10. In Policy Action, select Permit.
  11. Click the Application Services tab.
  12. In UTM Policy, select the appropriate policy from the list. This action attaches the UTM policy to the security policy.
  13. Click OK.
  14. If the policy is successfully saved, you will receive a confirmation; click OK again. If the profile is not successfully saved, you can click Details in the displayed window to find out the reason.

CLI procedure:

  1. Configuring the type of engine:
    set security utm feature-profile anti-virus type sophos-engine

    Note: Beginning in Junos OS 18.4R1, the engine type is configured under the default-configuration hierarchy instead:

    set security utm default-configuration anti-virus type sophos-engine
  2. Configure the UTM policies for the desired protocols:
    set security utm utm-policy sophos-utm-policy anti-virus http-profile junos-sophos-av-defaults
    set security utm utm-policy sophos-utm-policy anti-virus ftp upload-profile junos-sophos-av-defaults
    set security utm utm-policy sophos-utm-policy anti-virus ftp download-profile junos-sophos-av-defaults
    set security utm utm-policy sophos-utm-policy anti-virus smtp-profile junos-sophos-av-defaults
  3. Apply this UTM policy in a security policy:
    set security policies from-zone trust to-zone untrust policy utm-security-policy match source-address any
    set security policies from-zone trust to-zone untrust policy utm-security-policy match destination-address any
    set security policies from-zone trust to-zone untrust policy utm-security-policy match application any
    set security policies from-zone trust to-zone untrust policy utm-security-policy then permit application-services utm-policy sophos-utm-policy

Troubleshooting:

  1. Check the status of the Sophos engine:
    root> show security utm anti-virus status

    utm anti-virus status:

    anti-virus key expire date: 29 days left (grace period)
    update server: http://update.juniper-updates.net/sav/
    interval: 1440 minutes
    pattern update status: next update in 1347 minutes
    last result: download version file failed
    anti-virus signature version: not loaded
    scan engine type: sophos-engine
    scan engine information: last action result: No error

  2. Check the Sophos AV statistics:
    root> show security utm anti-virus statistics
  3. Refer to a checklist of common errors here:

    KB25680 - UTM (Unified Threat Management) Troubleshooting Checklist

Modification History:
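As an added example for the status check in step 1 (this code is not part of the KB article), the following Python parses the show security utm anti-virus status output and lists the conditions a practitioner would act on: wrong engine type, license in its grace period, signatures not loaded, and a failed pattern download. The sample output is constructed to reproduce the article's output, and the function names are this example's own.

```python
# Constructed sample reproducing the `show security utm anti-virus status`
# output quoted in the article.
SAMPLE_AV_STATUS = """\
utm anti-virus status:

anti-virus key expire date: 29 days left (grace period)
update server: http://update.juniper-updates.net/sav/
interval: 1440 minutes
pattern update status: next update in 1347 minutes
last result: download version file failed
anti-virus signature version: not loaded
scan engine type: sophos-engine
scan engine information: last action result: No error
"""


def parse_av_status(text):
    """Split each 'key: value' line at its first colon into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.endswith("status:"):  # skip the title line
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def av_status_findings(text):
    """Return the list of conditions to act on; an empty list means healthy."""
    f = parse_av_status(text)
    findings = []
    engine = f.get("scan engine type", "")
    if engine != "sophos-engine":
        findings.append("scan engine type is '%s', not sophos-engine" % engine)
    if "grace period" in f.get("anti-virus key expire date", ""):
        findings.append("license in grace period: install av_key_sophos_engine")
    if f.get("anti-virus signature version", "") == "not loaded":
        findings.append("anti-virus signature version not loaded")
    if "failed" in f.get("last result", ""):
        findings.append("last pattern update failed: " + f["last result"])
    return findings
```

The article's own sample output produces three findings (grace period, signatures not loaded, failed download), which is exactly the state to resolve via the license step and KB25680 before relying on the policy.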

2019-10-02: Under CLI procedure, step 1, added a note on config change beginning in 18.4R1
