Page tree

Contents

Overview

In an effort to further simplify setup, ThreatSTOP has revised our installation script for ThreatSTOP IP Firewall on Juniper Filter devices to allow all three Juniper device types to be setup from one simple script. TS-JunOS 4.01 allows for rapid setup of Juniper SRX, MX, and EX devices without the creation of multiple security groups. It also adds the advantage of only requiring one setup script to cover all filter devices, instead of unique scripts for each device.

The resulting install will still provide full ThreatSTOP protection to your devices, rules will be put in place, prefix_lists will be automatically updated, and logs will optionally be uploaded to us in order to complete the holistic approach to security our service provides.

The script can be downloaded here (ftp://ftp.threatstop.com/pub/ts-juniper.tar.gz), but you will likely find it easier to cut and paste the instructions listed in Installation from the device itself.

Prerequisites

To install ThreatSTOP's IP Firewall on a Juniper device the following requirements need to be met:

  • device must be a Juniper SRX, MX, or EX device
  • an active internet connection to the device must be provided
    This does not need to be a direct connection, but the device must be able to reach ThreatSTOP's DNS servers.
  • a terminal that can SSH into the Juniper device will be needed
  • root access to the device must be available

The scripts create a number of prefix lists and combine them to form a single filter called ThreatSTOP which can then be applied to the device interfaces. If you are already using firewall filters, please contact ThreatSTOP support about the best method to combine ThreatSTOP with your existing filters.

Preinstallation Setup

Before beginning the Installation process you will need to check that your device can communicate with the outside world. To do this:

  1. Open your SSH program.
  2. SSH into your Juniper device and login with root credentials.
  3. Issue a ping to ftp.threatstop.com:

    ping ftp.threatstop.com

  4. If the ping comes back successful then the rest of the installation should go smoothly. Next we'll create a backup of your existing setup as a fallback point.

Creating a backup

cli
configure
save prethreatstop
exit
exit

To create a backup of your Juniper device's current configuration:

  1. SSH into the device (if you are not currently SSH'ed in).

  2. Enter CLI mode by typing cli.
  3. Enter Configuration mode by typing configure.
  4. Save the current configuration with an explanatory name, e.g. prethreatstop, by entering save prethreatstop.
  5. Exit Configuration and CLI modes by entering exit twice.

Note:

We have discovered there can be a problem committing ThreatSTOP's configuration changes on smaller SRX devices, particularly in cluster mode, if the device has not been rebooted in a while. If the device is a three digit SRX (i.e., SRX-210 or, SRX-240) reboot the device before proceeding.

Automated Installation

Setup  can be performed semi-automatically through the command line via the following steps. A fully manual procedure is also available and detailed in the Manual Installation section.

  1. Setup your Juniper device in the ThreatSTOP portal. Detailed instructions can be located in Introduction, but a quick summary is:
    1. Log in to your ThreatSTOP account at https://www.threatstop.com
    2. Click on Devices
    3. Click on + Add Device
    4. Enter a Nickname for the device, then select Juniper and the model of your device, under the Manufacturer and Model fields respectively. Set the IP type to static, and provide the external network IP address for your device.

      Note:

      If you aren't certain of the external IP address for your device, visiting https://www.threatstop.com/cgi-bin/validip.pl will provide the correct IP address.

    5. Select a Policy name, and click Next. This will add your device to your account.
  2. SSH into the Juniper device.
  3. Enter CLI mode using the command cli.
  4. Copy and paste the following line into the SSH session.

    cd ~ && fetch -p ftp://ftp.threatstop.com/pub/ts-juniper.tar.gz && tar zxvf ts-juniper.tar.gz && cd ts-junos && /bin/sh ts-setup -a <allow list name>..threatstop.local -b <block list name>..threatstop.local -l <Device IP> -f filter -m 25000

    This will automatically download the ts-juniper filters software from ThreatSTOP's FTP service, extract it, and run the setup with your chosen settings.

  5. Press enter at all prompts to accept the default values, download the latest Threat Intelligence to your device and immediately add ThreatSTOP protection to your network.

    Note:

     If any values are omitted from the command string above, the device setup will require the missing data to be provided during the setup process.

  6. Jump to Applying the ThreatSTOP Configuration to complete device setup, and Cluster Setup for special notes about installing in Juniper cluster environments.

Applying the ThreatSTOP Configuration

cli
configure
set system syslog apply-groups ThreatSTOP
set policy-options apply-groups ThreatSTOP
set firewall apply-groups ThreatSTOP
commit

Since every firewall configuration is different, ThreatSTOP does not automatically apply the filter it has created. Normally the filter is applied on the input side to all interfaces that receive traffic from the Internet or may send traffic to the Internet. If you have grouped interfaces in a range it is simpler to apply the filter to the entire range at once. In the example to the right there is one external interface (ge-0/0/0.0)

To apply the configuration:

  1. SSH into your device.
  2. Enter CLI mode by typing cli.
  3. Enter Configuration mode by typing configure.
  4. Set the system's syslog policy to apply the group named ThreatSTOP set system syslog apply-groups ThreatSTOP.
  5. Set the system's policy options to apply the group named ThreatSTOP set policy options apply-groups ThreatSTOP.
  6. Set the system's firewall policy to apply the group named ThreatSTOP set firewall apply-groups ThreatSTOP.
  7. commit the changes.

Applying the Filter to the Interface

set interfaces ge-0/0/2 unit 0 family inet filter input ThreatSTOP
commit

The last step to enable ThreatSTOP IP Firewall is to enable the filter on your interface.

  1. Set the interfaces and unit to use the inet family and filter the input using the ThreatSTOP group. For example:
    set interfaces ge-0/0/2 unit 0 family inet filter input ThreatSTOP
  2. commit the change.

This last step will enable the Juniper device to use Juniper's archive site feature to upload syslogs via FTP to ThreatSTOP.

Cluster Setup

In a cluster environment, the script needs to be installed on all the cluster nodes. The scripts will only run on the primary node. Due to how SRX clusters work, the secondary nodes may not be able to access the internet, and it will be easier to copy the script from the primary node.

To copy the scripts to the secondary nodes, access the node with SSH and run:

scp root@IP_ADDRESS_OF_PRIMARY_NODE:~/ts-juniper.tar.gz

Replace "IP_ADDRESS_OF_PRIMARY_NODE" with the IP address of the primary node.

After the script is copied, extract it and run the 'tsinstall.sh' script:

tar zxvf ts-juniper.tar.gz && cd ts-junos && /bin/sh ts-setup -a <allow list name>..threatstop.local -b <block list name>..threatstop.local -l <Device IP> -f filter -m 25000

When the ts-setup script is run, it will automatically detect that it is not the primary node and will only create the cronjob that will run the ts-update script. This script will also detect that it is not the primary node and will not run. It will only run if the cluster failed over and the node becomes primary.

Is this being installed on a cluster?(y/n) [n]: y
This is the secondary node
Cron job to update the block lists is configured to run every 2 hours.

Manual Installation

Downloading and installing ThreatSTOP IP Firewall can be simplified by cutting and pasting the following commands. You will want to be SSH'ed into the device, and logged in with root permissions to successfully run these commands:

cd ~ && fetch -p ftp://ftp.threatstop.com/pub/ts-juniper.tar.gz && tar zxvf ts-juniper.tar.gz && cd ts-junos && /bin/sh ts-setup

This will automatically download the JunOS archive, extract it to ts-junos, then begin the device configuration.

ThreatSTOP IP Firewall Configuration

root@srx240% /bin/sh ts-setup
[WARN ] : No prior configuration found; starting with default values
[INFO ] : Defaulting the log association IP to 192.0.2.0
[INFO ] : Processing command-line arguments
=> Juniper srx240h2 version 12.1X44-D35.5
=> ThreatSTOP version 4.01
You are configuring ThreatSTOP address lists on this device.
After supplying and confirming the configuration, the
global ThreatSTOP group will be configured on the system.
Items in this group will be periodically updated and available for
application via the "apply-groups" directive.
Continue (yes/no)? (hit return for yes) :
Block policy domain (hit return for basic.threatstop.local) : <block list name>..threatstop.local
Allow policy domain (hit return for dns.threatstop.local) :  <allow list name>..threatstop.local
Enter maximum policy size (hit return for 25000) :
Enter the IP address with which logs should be associated (hit return for 206.71.168.3) :
Configuration review :
=> block policy zone : <block list name>..threatstop.local
=> allow policy zone : <allow list name>..threatstop.local
=> maximum policy size : 25000
=> log association IP : <Device IP>
=> firewall mode : filter
Continue with ThreatSTOP group update and cron installation (yes/no)? (hit return for yes) :
[INFO ] : Updating ThreatSTOP group configuration; this may take a few seconds...
[INFO ] : Installing periodic events
[INFO ] : Adding update of policy address lists to cron
crontab: no crontab for root
crontab: no crontab for root
[ERROR] : Couldn't remove cron
[INFO ] : Ensuring address list updates will happen after a reboot
[ERROR] : Couldn't install cron for periodic updates; proceeding with this update anyway
Load latest ThreatSTOP address lists now (yes/no)? (hit return for yes) :

The example to the right demonstrates device setup. And includes settings that you will need to copy and paste into your own setup.

Specifically the following data will need to be answered:

  • Block policy domain: <block list name>..threatstop.local.threatstop.local
    This is the name of the policy selected in the ThreatSTOP web interface, the block designator, and the account ID for your ThreatSTOP account.
  • Allow policy domain: <allow list name>..threatstop.local.threatstop.local
    This is the name of the policy selected in the ThreatSTOP web interface, the allow designator, and the account ID for your ThreatSTOP account.
  • Enter the Maximum policy size: This should be set to the largest policy size supported your device. For most devices Juniper suggests that this size is 80,000 entries for SRX and MX devices. EX devices may need smaller policy sizes due to the available disk space on the device and the script defaults to this smaller size to avoid the issue in rapid setups.

    Note:

    Devices that do have smaller policy sizes will still download the full Threat Intelligence list, and then parse out the first IPs up to the Max Policy Size limit. Both files can be located in /ts-junos/lists

  • Enter the IP Address with which logs should be associated: This is the external IP address for your device as established by https://www.threatstop.com/cgi-bin/validip.pl and incorporated into the script. This is the address we recommend be applied to the device, however it may be changed if the external address is known to be different from the one supplied.

Step-by-step

To run through a full setup of ts-setup:

  1. Login to the Juniper device.
  2. Enter cli to switch to CLI mode.
  3. Download and run the installation script:

    cd ~ && fetch -p ftp://ftp.threatstop.com/pub/ts-juniper.tar.gz && tar zxvf ts-juniper.tar.gz && cd ts-junos && /bin/sh ts-setup

    This will download, extract, and start the ts-setup script.

  4. Tap ENTER to continue the process after reading the preamble.
  5. At the Block policy domain (hit return for basic.threatstop.local) prompt enter:
    <block list name>..threatstop.local.threatstop.local.
  6. At the Allow policy domain (hit return for dns.threatstop.local) prompt enter:
    <allow list name>..threatstop.local.threatstop.local.
  7. Press ENTER to accept the default policy size, or adjust as needed for your configuration.
  8. Press ENTER to accept the provided IP address, or enter another external IP address.

    Note:

    The IP address provided is the same as the one provided by https://www.threatstop.com/cgi-bin/validip.pl and is the address we recommend be applied to the device.

  9. To finish setup, press ENTER at the Continue with ThreatSTOP group update and cron installation (yes/no)? (hit return for yes): prompt.

  10. Setup will begin.
    All ThreatSTOP configurations are setup under the ThreatSTOP Group. This group can be viewed with the following command:

    show configuration groups ThreatSTOP

    The Firewall mode will always be set to filter.
    The setup script also creates a cron entry for updates.

Once setup is complete we can move onto Applying the Filter.

Manually Updating the Threat Intelligence Lists

ts-update
Load latest ThreatSTOP address lists now (yes/no)? (hit return for yes) :
[INFO ] : Loading latest address lists
[INFO ] : Loading configuration
[INFO ] : Making sure no one else is configuring the device
[INFO ] : Confirming configuration
[INFO ] : Confirming permissions to query ThreatSTOP servers
[INFO ] : ...confirmed
[INFO ] : Updating allow list from policy : <allow list name>..threatstop.local
[INFO ] : Updating block list from policy : <block list name>..threatstop.local
[INFO ] : Confirming lists
[INFO ] : Final sanity checks...
[INFO ] : Checking if ThreatSTOP group needs updating
[INFO ] : Loading lists into ThreatSTOP group
[INFO ] : Initiating "load update" on the new allow list
[INFO ] : Initiating "load update" on the new block list

For diagnostic purposes, it may become necessary to manually update the lists used by your device. The following steps demonstrating this assume that your device has already undergone the setup process.

  1. Enter /bin/sh ts-update.
  2. Press the ENTER key when prompted to Load the Latest ThreatSTOP address lists now (yes/no)?

This will load the latest lists into the device.

Troubleshooting

A guide to troubleshooting some common problems. If you are confused or if these steps do not help, then please contact ThreatSTOP support.

  • ThreatSTOP rules do not appear to download anything
    The most likely reason is that you have not correctly entered the firewall's IP address in the ThreatSTOP device definition page. You can verify whether the address the firewall uses is in our database by visiting the this URL - http://www.threatstop.com/cgi-bin/validip.pl - using the fetch command from the CLI:

    fetch -qo - http://threatstop.com/cgi-bin/validip.pl

    Alternatively you can visit it in a browser that is NATed through the firewall.

    You should see a simple result stating the device's IP address and whether it is in the database or not. Database updates are not instantaneous but take place every 15 minutes; so, if you have recently added/modified the firewall IP details, you may wish to wait about half an hour before checking this. If there is no response at all then verify by using the ping command that the firewall can reach threatstop.com and, if not, that it can reach other places such as google.com. If you have no connectivity to ThreatSTOP but do have connectivity elsewhere please contact ThreatSTOP support for further information about the status of the ThreatSTOP infrastructure.

    If the address is valid but there are still problems you should manually run the blocklist retrieval procedure in debug mode and then examine the output. To download the blocklists do the following at the command prompt (SSH or console):

    /bin/sh ts-junos/tsupdate.sh DEBUG

    The output should report what the script is doing. You may find it useful to 'tee' the output to a file so that it can be emailed to ThreatSTOP support.

  • Not all traffic is being blocked / everything is being blocked
    The most likely reason is that you have not correctly applied the ThreatSTOP filter (see "Applying the Filter" above). If you need help with verifying the filter configuration please contact ThreatSTOP support.
  • ThreatSTOP blocks access to places it shouldn't

    Although ThreatSTOP tries very hard to ensure that we have zero false positives in our standard lists, we do occasionally miss something. If you are a community user or are using ThreatSTOP in standard mode on your firewall then please report the offending domain and IP address to ThreatSTOP support. Please check in the log file (/var/log/ <Device IP>.log) that the IP address is indeed being blocked by the ThreatSTOP rules before contacting us.

    You can also add the IP address to a custom allow list. Once you have created the allow list and added it to this device in the "Edit device" page. If you did not use an allow list when you created the device, then the first time one is added you should run the following command on the SRX command prompt to enable it on the device:

    echo "allow_list=<allow list name>..threatstop.local" >> ~/ts-junos/threatstop.conf

    Note:

    Our Advanced lists are not so well checked for false positives as we believe that it is up to each expert Advanced user to make his or her decision about the suitability of certain feeds and some feeds - e.g. the "Parasites" feed - are known to block ip addresses that are not considered harmful by everyone. Do consider a custom allow list (see above) as a first step and do please contact ThreatSTOP support to verify that the feeds you have chosen are appropriate to your situation.

  • Other firewall rules do not appear to work
    The most common reason for this is the same as 2) above, namely that the ThreatSTOP filter has been incorrectly set up. If you had additional filters then you may have replaced them with the ThreatSTOP filter if you apply it using the "... filter input ThreatSTOP" command. As noted above, if you already have one of more filter on the interface you should use the 'input-list' alternative and put the ThreatSTOP filter before your other filters.
  • No Logs Uploaded

    In many cases logging issues are related to issue 1) above. If running the "validip" test described above is successful then you should verify that "log enable" is set appropriately in the current configuration (all ThreatSTOP firewall drop policies should include a log command in them).

    You should also confirm that the file /var/log/<Device IP>.log exists. If it does not please contact ThreatSTOP support. Finally check that the syslog handling part of the configuration is set to upload the <Device IP>.log file to ftp://logs.threatstop.com/logs

    system {
        syslog {
            file <Device IP>.log {
                firewall any;
                archive size 10 m archive - sites {
                    "ftp://ftp@logs.threatstop.com/logs"
                }
                structured - data {
                    brief;
                }
            }
        }

    The logs are transferred to ThreatSTOP using FTP.

    Note:

    To allow the device to FTP the logs to us on SRX devices, the FTP Application Layer Gateway (ALG) may or may not need to be enabled. By default, the FTP ALG is enabled. To see the status of the FTP ALG, run:

    show security alg

    If it is not listed, then it is disabled. If it is listed, you can disable it by running:

    delete security alg ftp
    commit

    Note:

    The easiest way to test if a log can successfully reach us is to attempt to access ftp.threatstop.com from the device while it is in an active setup. If the FTP request succeeds then the FTP ALG setting is fine, otherwise place in its opposite state and try again.

Uninstallation

Removing ThreatSTOP can take a few pathways depending on your needs:

Non-destructively removing ThreatSTOP

cli
configure
delete interfaces ge-0/0/2 unit 0 family inet filter input ThreatSTOP
delete system syslog apply-groups ThreatSTOP
delete policy-options apply-groups ThreatSTOP
delete firewall apply-groups ThreatSTOP
commit

ThreatSTOP can be removed in a non-destructive manner by simply removing the ThreatSTOP Group, and uninstalling the files. To do this:

  1. SSH into the device.
  2. Enter CLI mode by entering cli.
  3. Enter Configuration mode by entering configure.
  4. Delete the ThreatSTOP filter from the interface.
    delete interfaces ge-0/0/2 unit 0 family inet filter input ThreatSTOP
  5. Delete the ThreatSTOP syslog entry.
    delete system syslog apply-groups ThreatSTOP
  6. Delete the association between the policy and the ThreatSTOP group.
    delete policy-options apply-groups ThreatSTOP
  7. Delete the firewall configuration's reference to the ThreatSTOP group.
    delete firewall apply-groups ThreatSTOP
  8. commit the changes.

This will remove ThreatSTOP from the network device. You may then run /bin/sh ts-uninstall from the CLI mode. This will remove the ThreatSTOP group and everything underneath.

Destructively Removing ThreatSTOP:

In addition to the steps taken in the Non-destructive removal process, you can also manually delete the directory structure after ts-uninstall is complete.

Rolling Back a ThreatSTOP Installation

cli
configure
load override presthreatstop
save
exit
exit

If you have run our install script, applied the policy changes and wish to return to the pre-ThreatSTOP configuration then you should perform the following actions.

To restore the original configuration you should enter the commands to the right in the console.

Note:

This will also undo any other changes made to the configuration since ThreatSTOP was installed.

To uninstall the ThreatSTOP scripts enter:

/bin/sh ~/ts-junos/ts-uninstall

Appendix

Command Line Switches

The following command line switches are available to help speed up the setup process:

  • -a <Allow list> the allow list name including the Account ID

  • -b <Block list> the block list name including the Account ID

  • -l <Log association IP> this is the external IP associated with the device. This will usually match the one provided by https://www.threatstop.com/cgi-bin/validip.pl

  • -f filter This will always need to be set to filter

  • -m <Max policy size> This should be set to match the Maximum Policy Size supported by your device

  • -h provides definitions of this list in the terminal

The Files

ThreatSTOP IP Firewall is distributed via FTP as a pre-packaged tar.gz file. The files can be downloaded from here (ftp://ftp.threatstop.com/pub/ts-juniper.tar.gz), or you can use the command in Installation to automate the download and install process. After extraction the files will be located in a subfolder of the current working folder ~/ts-junos from a fresh login), the following files and directories will be installed:

  • audit

  • lists

  • threatstop.conf.template

  • ts-common.sh

  • ts-dns.sh

  • ts-junos.sh

  • ts-policy.sh

  • ts-prompt.sh

  • ts-setup

  • ts-uninstall

  • ts-update

  • ts-upgrade

Note:

Two additional files will be created after setup has been completed successfully:

  • threatstop.conf
  • threatstop.conf.bak

Additionally, the two sub-directories (audit, and lists) contain information that can be used for Troubleshooting and will not normally need to be accessed.

  • /audit contains log files for support. The logs files contained are both the current log file, as well as the immediately previous log file.
  • /lists By default, contains the full allow and prefix_lists created by the policy used in the ThreatSTOP web interface. If the Max Policy Size is smaller than the size of the full list, an additional file will be generated that contains the list uploaded to the device.

There is no content with the specified labels