Case 3:17-cv-05659-WHA Document 470-19 Filed 05/13/19 Page 1 of 183

EXHIBIT 17
Juniper Networks

Sky ATP

Sky Advanced Threat Prevention Administration Guide

Modified: 2018-01-25

FINJAN-JN 044887
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in the United States and other countries. All other trademarks may be property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Sky ATP Sky Advanced Threat Prevention Administration Guide
Copyright © 2018 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at http://www.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents

About the Documentation ... xi
    Documentation and Release Notes ... xi
    Documentation Conventions ... xi
    Documentation Feedback ... xiii
    Requesting Technical Support ... xiv
    Self-Help Online Tools and Resources ... xiv
    Opening a Case with JTAC ... xiv

Part 1  Overview and Installation

Chapter 1  Sky Advanced Threat Prevention Overview ... 3
    Juniper Networks Sky Advanced Threat Prevention ... 3
    Sky ATP Features ... 4
    How the SRX Series Device Remediates Traffic ... 6
    SRE See AE A ... 7
    How is Malware Analyzed and Detected? ... 8
    Cache Lookup ... 9
    PMRNS) SRST S eclfins ... 9
    Static Analysis ... 10
    Dynamic Analysis ... 10
    Machine Learning Algorithm ... 10
    WRMAWES ... 11
    Sky Advanced Threat Prevention License Types ... 11
    Additional License Requirements ... 12
    About Policy Enforcer ... 13

Chapter 2  Install Sky Advanced Threat Prevention ... 15
    Sky Advanced Threat Prevention Installation Overview ... 15
    Managing the Sky Advanced Threat Prevention License ... 15
    Obtaining the Premium License Key ... 16
    License Management and SRX Series Devices ... 16
    Sky ATP Premium Evaluation License for vSRX ... 17
    License Management and vSRX Deployments ... 17
    PARE VI EMTAP ... 18
    Registering a Sky Advanced Threat Prevention Account ... 19
    Downloading and Running the Sky Advanced Threat Prevention Script ... 23
Part 2  The Web Portal and Enrolling SRX Series Devices

Chapter 3  The Sky ATP Web Portal ... 31
    Sky Advanced Threat Prevention Configuration Overview ... 31
    Sky Advanced Threat Prevention Web UI Overview ... 33
    Accessing the Web UI ... 34
    ASSTGSTS! OVERNOI ... 36
    FRBSOt' SSSc shais Feiee cas ... 37

Chapter 4  Enroll SRX Series Devices ... 39
    Enrolling an SRX Series Device With Sky Advanced Threat Prevention ... 39
    Removing an SRX Series Device From Sky Advanced Threat Prevention ... 41
    Searching for SRX Series Devices Within Sky Advanced Threat Prevention ... 42
    Sky Advanced Threat Prevention RMA Process ... 45
    Device Information ... 45
    Cloud Feeds for Sky Advanced Threat Prevention: More Information ... 46

Part 3  Configure

Chapter 5  Whitelists and Blacklists ... 49
    Sky Advanced Threat Prevention Whitelist and Blacklist Overview ... 49
    Creating Whitelists and Blacklists ... 51

Chapter 6  Email Scanning: Sky ATP ... 53
    Email Management Overview ... 53
    SMTP Quarantine Overview: Blocked Emails ... 55
    Email Management: Configure SMTP ... 56
    IN AP BibervErvBie ... 59
    Email Management: Configure IMAP ... 60
    Email Management: Configure Blacklists and Whitelists ... 62

Chapter 7  Email Scanning: SRX Series Device ... 63
    Configuring the SMTP Email Management Policy on the SRX Series Device ... 63
    Configuring the IMAP Email Management Policy on the SRX Series Device ... 68
    Configuring Reverse Proxy on the SRX Series Device ... 74

Chapter 8  File Inspection Profiles ... 77
    File Inspection Profiles Overview ... 77
    Creating File Inspection Profiles ... 79

Chapter 9  External Threat Feeds ... 81
    Enabling External Threat Feeds ... 81

Chapter 10  Global Configurations ... 85
    Global Alert Configuration Overview ... 85
    Creating and Editing the Global Alert Configuration ... 85
    Configuring Threat Intelligence Sharing ... 86
    Configuring Trusted Proxy Servers ... 88
Part 4  Monitor and Take Action

Chapter 11  Hosts ... 91
    Hosts Overview ... 91
    FAS PRISCA S ... 93

Chapter 12  Identifying Infected Hosts ... 95
    Compromised Hosts: More Information ... 95
    About Block Drop and Block Close ... 99
    PIGS PETES ... 99
    Configuring the SRX Series Devices to Block Infected Hosts ... 101

Chapter 13  Command and Control Servers ... 103
    Command and Control Servers Overview ... 103
    Command and Control Server Details ... 104

Chapter 14  Identify Hosts Communicating with Command and Control Servers ... 107
    Command and Control Servers: More Information ... 107
    Configuring the SRX Series Device to Block Outbound Requests to a C&C Host ... 109

Chapter 15  File Scanning ... 111
    HTTP File Download Overview ... 111
    HTTP File Download Details ... 112
    Wy ba ayentahester ... 113
    HilTN PIBBWhIGAGS ... 114
    SAMO ST PAGO ... 115
    Manual Scanning Overview ... 115
    File Scanning Details ... 116

Chapter 16  Email Scanning ... 119
    Email Attachments Scanning Overview ... 119
    Email Attachments Scanning Details ... 120
    PUL SUSI PTA ... 121

Part 5  Policies on the SRX Series Device

Chapter 17  Configure Sky ATP Policies on the SRX Series Device ... 125
    Sky Advanced Threat Prevention Policy Overview ... 125
    Enabling Sky ATP for Encrypted HTTPS Connections ... 128
    Example: Configuring a Sky Advanced Threat Prevention Policy Using the CLI ... 129

Chapter 18  Configure IP-Based Geolocations on the SRX Series Device ... 133
    Geolocation IPs and Sky Advanced Threat Prevention ... 133
    Configuring Sky Advanced Threat Prevention With Geolocation IP ... 134

Part 6  Administration

Chapter 19  Sky ATP Administration ... 139
    Ble ieee: Baty reales ... 139
    Creating and Editing User Profiles ... 140
    Application Tokens Overview ... 141
    Creating Application Tokens ... 141

Part 7  Troubleshoot

Chapter 20  Troubleshooting Topics ... 145
    Sky Advanced Threat Prevention Troubleshooting Overview ... 145
    Troubleshooting Sky Advanced Threat Prevention: Checking DNS and Routing ... 146
    Troubleshooting Sky Advanced Threat Prevention: Checking Certificates ... 148
    Troubleshooting Sky Advanced Threat Prevention: Checking the Routing Engine ... 149
    request services advanced-anti-malware data-connection ... 151
    request services advanced-anti-malware diagnostic ... 153
    Troubleshooting Sky Advanced Threat Prevention: Checking the application-identification License ... 156
    Viewing Sky Advanced Threat Prevention System Log Messages ... 156
    COPMTRULSteCOOME ... ip?
    Viewing the traceoptions Log File ... 159
    TREAINEVSTE PEECOBHENS ... 159
    Sky Advanced Threat Prevention Dashboard Reports Not Displaying ... 160
    Sky Advanced Threat Prevention RMA Process ... 160

Part 8  More Documentation

Chapter 21  Sky ATP Tech Library Page Links ... 165
    Links to Documentation on Juniper.net ... 165
List of Figures

Part 1  Overview and Installation

Chapter 1  Sky Advanced Threat Prevention Overview ... 3
    Figure 1: Sky ATP Overview ... 3
    Figure 2: Sky ATP Components ... 5
    Figure 3: Inspecting Inbound Files for Malware ... 7
    Figure 4: Sky ATP Use Cases ... 8
    Figure 5: Example Sky ATP Pipeline Approach for Analyzing Malware ... 9
    Figure 6: Comparing Traditional SRX Customers to Policy Enforcer Customers ... 14

Chapter 2  Install Sky Advanced Threat Prevention ... 15
    Figure 7: PieSHAG CORI ... 19
    Figure 8: Creating Your Sky ATP Realm Name ... 20
    Figure 9: Entering Your Sky ATP Contact Information ... 21
    Figure 10: Creating Your Sky ATP Credentials ... 22
    Figure 11: Enrolling Your SRX Series Device ... 24
    Figure 12: Example Enrolled SRX Series Device ... 23

Part 2  The Web Portal and Enrolling SRX Series Devices

Chapter 3  The Sky ATP Web Portal ... 31
    Figure 13: Web Winfatls ... 34
    Figure 14: Sky ATP Web UI Login Page ... 35
    Figure 15: Logging Out of the Management Interface ... 35

Chapter 4  Enroll SRX Series Devices ... 39
    Figure 16: Searching for a Device in the Web UI ... 43
    Figure 17: Example Device Search Results ... 44

Part 3  Configure

Chapter 5  Whitelists and Blacklists ... 49
    Figure 18: Example Sky ATP Whitelist ... 50

Chapter 6  Email Scanning: Sky ATP ... 53
    Figure 19: Email Management Overview ... 54

Part 4  Monitor and Take Action

Chapter 12  Identifying Infected Hosts ... 95
    Figure 20: Infected Host from Malware ... 96
    Figure 21: Viewing Infected Hosts ... 97
Chapter 15  File Scanning ... 111
    Figure 22: Sample STIX Report ... 115
List of Tables

About the Documentation ... xi
    Table 1: Notice Icons ... xii
    Table 2: Text and Syntax Conventions ... xii

Part 1  Overview and Installation

Chapter 1  Sky Advanced Threat Prevention Overview ... 3
    Table 3: Sky ATP Components ... 5
    Table 4: Threat Level Definitions
    Table 5: Comparing the Sky ATP Free Model, Basic-Threat Feed, and Premium ... 12

Part 2  The Web Portal and Enrolling SRX Series Devices

Chapter 3  The Sky ATP Web Portal ... 31
    Table 6: ORESoTEURSRM PNTPs ... 31
    Table 7: Sky ATP Dashboard Widgets ... 36

Chapter 4  Enroll SRX Series Devices ... 39
    Table 8: Button Actions ... 40
    Table 9: Device Information Fields ... 45

Part 3  Configure

Chapter 6  Email Scanning: Sky ATP ... 53
    Table 10: Blocked Email Summary View ... 55
    Table 11: Blocked Email Detail View ... 55
    Table 12: Configure Quarantine Malicious Messages ... 57
    Table 13: Configure Deliver with Warning Headers ... 58
    Table 14: Permit ... 58
    Table 15: Blocked Email Summary View ... 59
    Table 16: Blocked Email Detail View ... 59
    Table 17: Configure Block Malicious Messages ... 60

Chapter 7  Email Scanning: SRX Series Device ... 63
    Table 18: Comparing Reverse Proxy Before and After Junos OS Release ... 74
    Table 19: Supported SSL Proxy Configurations

Chapter 8  File Inspection Profiles ... 77
    Table 20: File Category Contents ... 77
    Table 21: Device Profile Settings ... 79
Chapter 10  Global Configurations ... 85
    Table 22: Global Configuration Fields ... 86
    Table 23: Additional Information ... 87

Part 4  Monitor and Take Action

Chapter 11  Hosts ... 91
    Table 24: Operations for Multiple Infected Hosts ... 91
    Table 25: Compromised Host Information ... 92
    Table 26: Threat Level Recommendations ... 93

Chapter 13  Command and Control Servers ... 103
    Table 27: Command & Control Server Data Fields ... 104
    Table 28: Command & Control Server Contacted Host Data ... 105
    Table 29: Command & Control Server Associated Domains Data ... 105
    Table 30: Command & Control Server Signature Data ... 105

Chapter 15  File Scanning ... 111
    Table 31: Scanning Data Fields ... 111
    Table 32: Links on the HTTP File Download Details Page ... 112
    Table 33: General Summary Fields ... 113
    Table 34: File Scanning Data Fields ... 116

Chapter 16  Email Scanning ... 119
    Table 35: Email Attachments Scanning Data Fields ... 119
    Table 36: General Summary Fields ... 121

Part 5  Policies on the SRX Series Device

Chapter 17  Configure Sky ATP Policies on the SRX Series Device ... 125
    Table 37: Sky ATP Security Policy Additions ... 126

Part 6  Administration

Chapter 19  Sky ATP Administration ... 139
    Table 38: Wve Protea: FIGs ... 139
    Table 39: MAPSEELS ... 140
    Table 40: Application Token Settings ... 142

Part 7  Troubleshoot

Chapter 20  Troubleshooting Topics ... 145
    Table 41: Troubleshooting Sky ATP ... 146
    Table 42: Data Connection Test Output ... 151
    Table 43: aamw-diagnostics Script Error Messages ... 154
About the Documentation

• Documentation and Release Notes on page xi
• Documentation Conventions on page xi
• Documentation Feedback on page xiii
• Requesting Technical Support on page xiv

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Documentation Conventions

Table 1 on page xii defines notice icons used in this guide.
Table 1: Notice Icons

Meaning              Description
Informational note   Indicates important features or instructions.
Caution              Indicates a situation that might result in loss of data or hardware damage.
Warning              Alerts you to the risk of personal injury or death.
Laser warning        Alerts you to the risk of personal injury from a laser.
Tip                  Indicates helpful information.
Best practice        Alerts you to a recommended use or implementation.

Table 2 on page xii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description:
  • Introduces or emphasizes important new terms.
  • Identifies guide names.
  • Identifies RFC and Internet draft titles.
Examples:
  • A policy term is a named structure that defines match conditions and actions.
  • Junos OS CLI User Guide
  • RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name
Table 2: Text and Syntax Conventions (continued)

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
  • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
  • The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Examples:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
  • In the Logical Interfaces box, select All Interfaces.
  • To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at http://www.juniper.net/techpubs/feedback/.
• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: https://prsearch.juniper.net/
• Find product documentation: http://www.juniper.net/documentation/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.
PART 1

Overview and Installation

• Sky Advanced Threat Prevention Overview on page 3
• Install Sky Advanced Threat Prevention on page 15
CHAPTER 1

Sky Advanced Threat Prevention Overview

• Juniper Networks Sky Advanced Threat Prevention on page 3
• How is Malware Analyzed and Detected? on page 8
• Sky Advanced Threat Prevention License Types on page 11
• About Policy Enforcer on page 13

Juniper Networks Sky Advanced Threat Prevention

Juniper Networks Sky Advanced Threat Prevention (Sky ATP) is a security framework that protects all hosts in your network against evolving security threats by employing cloud-based threat detection software with a next-generation firewall system. See Figure 1 on page 3.

Figure 1: Sky ATP Overview

[Figure. Labels: Sky Advanced Threat Prevention Cloud (Static Analysis; Advanced Threat Prevention; Sandbox with Deception); SRX Series; Customer.]
`Case 3:17-cv-05659-WHA Document 470-19 Filed 05/13/19 Page 21 of 183
`Case 3:17-cv-05659-WHA Document 470-19 Filed 05/13/19 Page 21 of 183
`
`Sky Advanced Threat Prevention Administration Guide

Sky ATP Features

Sky ATP protects your network by performing the following tasks:

- The SRX Series device extracts potentially malicious objects and files and sends them to the cloud for analysis.
- Known malicious files are quickly identified and dropped before they can infect a host.
- Multiple techniques identify new malware, adding it to the known list of malware.
- Correlation between newly identified malware and known Command and Control (C&C) sites aids analysis.
- The SRX Series device blocks known malicious file downloads and outbound C&C traffic.

Sky ATP supports the following modes:

- Layer 3 mode
- Tap mode
- Transparent mode using MAC address. For more information, see Transparent mode on SRX Series devices.
- Secure wire mode (a high-level transparent mode that passes traffic directly through the interface rather than by MAC address). For more information, see Understanding Secure Wire.

Sky ATP is a cloud-based solution. Cloud environments are flexible and scalable, and a shared environment ensures that everyone benefits from new threat intelligence in near real-time. Your sensitive data is secured even though it is in a shared cloud environment. Security analysts can update their defense when new attack techniques are discovered and distribute the threat intelligence with very little delay.

In addition, Sky ATP offers the following features:

- Integrated with the SRX Series device to simplify deployment and enhance the anti-threat capabilities of the firewall.
- Delivers protection against "zero-day" threats using a combination of