Support Support Downloads Knowledge Base Apex Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] How to configure a specific IP to bypass SkyATP inspection

1

0
Article ID: KB32080 KB Last Updated: 31 Dec 2020Version: 2.0 Summary:

This article explains how to configure a specific IP to bypass SkyATP inspection.

Symptoms:

When SkyATP is configured on SRX, all traffic through security policy which is using SkyATP will be inspected. If the device downloaded malware or accessed C&C server, the device will be blocked. However, in certain cases, some devices or IPs need to be excluded from SkyATP inspection. The following scenarios explain how to exclude specific IP addresses:


Topology:

SkyATP is configured on SRX to check traffic between the Trust zone and Untrust zone. The security-intelligence policy (secintel_policy) and advanced-anti-malware policy (aamw-policy) are configured in security policy as shown below:

Configuration:
set security policies from-zone Trust to-zone Untrust policy Trust-Untrust match source-address any
set security policies from-zone Trust to-zone Untrust policy Trust-Untrust match destination-address any
set security policies from-zone Trust to-zone Untrust policy Trust-Untrust match application any

set security policies from-zone Trust to-zone Untrust policy Trust-Untrust then permit application-services security-intelligence-policy secintel-policy
set security policies from-zone Trust to-zone Untrust policy Trust-Untrust then permit application-services advanced-anti-malware-policy aamw-policy

Scenarios:

  1. Not adding PC2 to infected host list
    In case of PC2 block: When PC2 download malware or access C&C server by botnet infection, PC2 will be on the infected host list and not able to go through SRX.
    Configure SRX to not add PC2 to infected host list.


  2. Not adding PC1 ​to infected host list by accessing ServerB
    In case of PC1 block: When PC1 downloads malware from ServerB, PC1 will be on the infected host list and not able to go through SRX.
    Configure SRX to not add PC1 to the infected host list by accessing ServerB.

 

Solution:

Scenario 1: Not adding PC2 to the infected host list​

If PC2 needs to bypass SkyATP to not be on the Infected host list, this will be accomplished by the following CLI configuration:

>set security dynamic-address except-list 10.0.0.3 ip-end 10.0.0.3


Scenario 2 : Not to adding PC1 ​to the infected host-list by accessing ServerB​

If ServerB is trusted and needs to bypass advanced malware inspection, this will be accomplished by adding IP address or URL in the allow list from the Web UI.

Refer to the documentation on Allowlist and Blocklist Overview​

Modification History:
2020-12-31: updated doc link.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search