Case 3:17-cv-05659-WHA Document 88-13 Filed 05/18/18 Page 1 of 127
EXHIBIT 15

Sky Advanced Threat Prevention Administration Guide

Modified: 2017-09-08

Copyright © 2017, Juniper Networks, Inc.

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

Copyright © 2017 Juniper Networks, Inc. All rights reserved.

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in the United States and other countries. All other trademarks may be property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About the Documentation
  Documentation and Release Notes
  Documentation Conventions
  Documentation Feedback
  Requesting Technical Support
  Self-Help Online Tools and Resources
  Opening a Case with JTAC

Part 1: Overview and Installation

Chapter 1: Sky Advanced Threat Prevention Overview
  Malware Today
  Juniper Networks Sky Advanced Threat Prevention
  Sky ATP Features
  How the SRX Series Device Remediates Traffic
  Sky ATP Use Cases
  How is Malware Analyzed and Detected?
  Cache Lookup
  Antivirus Scan
  Static Analysis
  Dynamic Analysis
  Machine Learning Algorithm
  Threat Levels
  Sky Advanced Threat Prevention License Types
  Additional License Requirements
  File Limitations

Chapter 2: Installing Sky Advanced Threat Prevention
  Sky Advanced Threat Prevention Installation Overview
  Managing the Sky Advanced Threat Prevention License
  Obtaining the Premium License Key
  License Management and SRX Series Devices
  Sky ATP Premium Evaluation License for vSRX
  License Management and vSRX Deployments
  High Availability
  Registering a Sky Advanced Threat Prevention Account
  Downloading and Running the Sky Advanced Threat Prevention Script

Part 2: Configuring Sky Advanced Threat Prevention

Chapter 3: Configuration Overview
  Sky Advanced Threat Prevention Configuration Overview
  Configuring Cloud Feeds for Sky Advanced Threat Prevention
  Sky Advanced Threat Prevention Web UI Overview
  Accessing the Web UI

Chapter 4: Updating the Administrator Profile
  Sky Advanced Threat Prevention Administrator Profile Overview
  Reset Password

Chapter 5: Adding and Removing SRX Series Devices
  Enrolling an SRX Series Device With Sky Advanced Threat Prevention
  Disenrolling an SRX Series Device from Sky Advanced Threat Prevention
  Removing an SRX Series Device From Sky Advanced Threat Prevention

Chapter 6: Creating Custom Whitelists and Blacklists
  Sky Advanced Threat Prevention Whitelist and Blacklist Overview

Chapter 7: Using IP-Based Geolocations
  Geolocation IPs and Sky Advanced Threat Prevention
  Configuring Sky Advanced Threat Prevention With Geolocation IP

Chapter 8: Scanning Email Attachments
  Email Management Overview
  Email Management: Configure SMTP
  Email Management: Configure Blacklists and Whitelists
  SMTP Quarantine Overview
  Configuring the SMTP Email Management Policy
  Configuring Reverse Proxy

Chapter 9: Identifying Hosts Communicating with Command and Control Servers
  Sky Advanced Threat Prevention Command and Control Overview
  Configuring the SRX Series Device to Block Outbound Requests to a C&C Host

Chapter 10: Identifying Infected Hosts
  Sky Advanced Threat Prevention Infected Host Overview
  About Block Drop and Block Close
  Host Details
  Configuring the SRX Series Devices to Block Infected Hosts

Chapter 11: Creating the Sky Advanced Threat Prevention Profile
  Sky Advanced Threat Prevention Profile Overview

Chapter 12: Creating the Sky Advanced Threat Prevention Policy
  Sky Advanced Threat Prevention Policy Overview
  Enabling Sky ATP for Encrypted HTTPS Connections
  Example: Configuring a Sky Advanced Threat Prevention Policy Using the CLI

Part 3: Monitoring Sky Advanced Threat Prevention

Chapter 13: Viewing File Scan Results
  Sky Advanced Threat Prevention Scanned File Overview

Chapter 14: Viewing Reports
  Sky Advanced Threat Prevention Reports Overview
  Adding Sky Advanced Threat Prevention Reports to the Dashboard

Part 4: Troubleshooting Sky Advanced Threat Prevention

Chapter 15: Troubleshooting
  Sky Advanced Threat Prevention Troubleshooting Overview
  Troubleshooting Sky Advanced Threat Prevention: Checking DNS and Routing Configurations
  Troubleshooting Sky Advanced Threat Prevention: Checking Certificates
  Troubleshooting Sky Advanced Threat Prevention: Checking the Routing Engine Status
  request services advanced-anti-malware data-connection
  request services advanced-anti-malware diagnostic
  Troubleshooting Sky Advanced Threat Prevention: Checking the application-identification License
  Viewing Sky Advanced Threat Prevention System Log Messages
  Configuring traceoptions
  Viewing the traceoptions Log File
  Turning Off traceoptions
  Sky Advanced Threat Prevention Dashboard Reports Not Displaying
  Sky Advanced Threat Prevention RMA Process

List of Figures

Part 1: Overview and Installation

Chapter 1: Sky Advanced Threat Prevention Overview
  Figure 1: Sky ATP Overview
  Figure 2: Sky ATP Components
  Figure 3: Inspecting Inbound Files for Malware
  Figure 4: Sky ATP Use Cases
  Figure 5: Example Sky ATP Pipeline Approach for Analyzing Malware
  Figure 6: Submission State Column Displays Device Submit Status

Chapter 2: Installing Sky Advanced Threat Prevention
  Figure 7: Sky ATP Login
  Figure 8: Creating Your Sky ATP Realm Name
  Figure 9: Entering Your Sky ATP Contact Information
  Figure 10: Creating Your Sky ATP Credentials
  Figure 11: Enrolling Your SRX Series Device
  Figure 12: Example Enrolled SRX Series Device

Part 2: Configuring Sky Advanced Threat Prevention

Chapter 3: Configuration Overview
  Figure 13: Web UI Infotip
  Figure 14: Sky ATP Web UI Login Page
  Figure 15: Logging Out of the Management Interface

Chapter 5: Adding and Removing SRX Series Devices
  Figure 16: Disenrolling an SRX Series Device

Chapter 6: Creating Custom Whitelists and Blacklists
  Figure 17: Example Sky ATP Whitelist

Chapter 8: Scanning Email Attachments
  Figure 18: Email Management Overview

Chapter 10: Identifying Infected Hosts
  Figure 19: Infected Host from Malware
  Figure 20: Viewing Infected Hosts

Part 3: Monitoring Sky Advanced Threat Prevention

Chapter 13: Viewing File Scan Results
  Figure 21: List of Inspected Files and Their Results
  Figure 22: Viewing Scanned File Details

Chapter 14: Viewing Reports
  Figure 23: Example Web UI Dashboard
  Figure 24: Dragging a Report Widget to the Dashboard

List of Tables

About the Documentation
  Table 1: Notice Icons
  Table 2: Text and Syntax Conventions

Part 1: Overview and Installation

Chapter 1: Sky Advanced Threat Prevention Overview
  Table 3: Sky ATP Components
  Table 4: Threat Level Definitions
  Table 5: Comparing the Sky ATP Free Model, Basic-Threat Feed, and Premium Model
  Table 6: Maximum Number of Files Per Day Per Device Submitted to Cloud for Inspection

Part 2: Configuring Sky Advanced Threat Prevention

Chapter 3: Configuration Overview
  Table 7: Configuring Sky ATP

Chapter 4: Updating the Administrator Profile
  Table 8: Sky ATP Administrator Tabs

Chapter 5: Adding and Removing SRX Series Devices
  Table 9: Button Actions

Chapter 8: Scanning Email Attachments
  Table 10: Configure Quarantine Malicious Messages
  Table 11: Configure Deliver with Warning Headers
  Table 12: Permit
  Table 13: Blocked Email Summary View
  Table 14: Blocked Email Detail View
  Table 15: Comparing Reverse Proxy Before and After Junos OS Release 15.1X49-D80
  Table 16: Supported SSL Proxy Configurations

Chapter 11: Creating the Sky Advanced Threat Prevention Profile
  Table 17: File Category Contents

Chapter 12: Creating the Sky Advanced Threat Prevention Policy
  Table 18: Sky ATP Security Policy Additions

Part 4: Troubleshooting Sky Advanced Threat Prevention

Chapter 15: Troubleshooting
  Table 19: Troubleshooting Sky ATP
  Table 20: Data Connection Test Output
  Table 21: aamw-diagnostics Script Error Messages

About the Documentation

• Documentation and Release Notes on page xi
• Documentation Conventions on page xi
• Documentation Feedback on page xiii
• Requesting Technical Support on page xiv

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Documentation Conventions

Table 1 on page xii defines notice icons used in this guide.

Table 1: Notice Icons

Meaning              Description
Informational note   Indicates important features or instructions.
Caution              Indicates a situation that might result in loss of data or hardware damage.
Warning              Alerts you to the risk of personal injury or death.
Laser warning        Alerts you to the risk of personal injury from a laser.
Tip                  Indicates helpful information.
Best practice        Alerts you to a recommended use or implementation.

Table 2 on page xii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
  Description: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Example:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
  Description:
    • Introduces or emphasizes important new terms.
    • Identifies guide names.
    • Identifies RFC and Internet draft titles.
  Examples:
    • A policy term is a named structure that defines match conditions and actions.
    • Junos OS CLI User Guide
    • RFC 1997, BGP Communities Attribute

Convention: Italic text like this
  Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
  Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
  Examples:
    • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    • The console port is labeled CONSOLE.

Convention: < > (angle brackets)
  Description: Encloses optional keywords or variables.
  Example:
    stub <default-metric metric>;

Convention: | (pipe symbol)
  Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
  Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example:
    rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
  Description: Encloses a variable for which you can substitute one or more values.
  Example:
    community name members [ community-ids ]

Convention: Indention and braces ( { } )
  Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
  Description: Identifies a leaf statement at a configuration hierarchy level.

  Example (braces and semicolon):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
  Description: Represents graphical user interface (GUI) items you click or select.
  Examples:
    • In the Logical Interfaces box, select All Interfaces.
    • To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
  Description: Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at http://www.juniper.net/techpubs/feedback/.

• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: https://prsearch.juniper.net/
• Find product documentation: http://www.juniper.net/documentation/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.

PART 1

Overview and Installation

• Sky Advanced Threat Prevention Overview on page 3
• Installing Sky Advanced Threat Prevention on page 15

CHAPTER 1

Sky Advanced Threat Prevention Overview

• Malware Today on page 3
• Juniper Networks Sky Advanced Threat Prevention on page 3
• How is Malware Analyzed and Detected? on page 8
• Sky Advanced Threat Prevention License Types on page 11
• File Limitations on page 13

Malware Today

Malware, or malicious software, is software that attempts to gain access to a computer without the owner’s knowledge. There are many types of malware, such as rootkits, ransomware, spyware and bots. One of the many goals of malware is to infiltrate a rich target where it can carry out a wide range of undetected malicious activities over months or years, including data theft, espionage, and disruption or destruction of infrastructure and processes. Although methods vary, the commonality of these specialized attacks is that they are created to avoid detection by mainstream security technologies, such as antivirus, firewalls, and content inspection gateways.

The threat landscape has evolved. Malware started out as experiments or pranks but has recently become widespread and sophisticated. Attackers have migrated from using broad, unfocused tactics and are now creating specialized malware, intended for a select target or groups of targets, with the ultimate goal of becoming embedded in the target’s infrastructure. Preliminary results published by Symantec suggest that “the release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications.”

With the emergence of these specialized threats, a new category of security has also emerged with the purpose of detecting, analyzing, and preventing advanced threats that are able to avoid detection by more traditional security methods. Juniper Networks’ solution for preventing advanced and emerging threats is Sky Advanced Threat Prevention (Sky ATP), a cloud-based anti-malware solution for SRX Series devices.

Juniper Networks Sky Advanced Threat Prevention

Juniper Networks Sky Advanced Threat Prevention (Sky ATP) is a security framework that protects all hosts in your network against evolving security threats by employing cloud-based threat detection software with a next-generation firewall system. See Figure 1 on page 4.

Figure 1: Sky ATP Overview

Sky ATP protects your network by performing the following tasks:

• The SRX Series device extracts potentially malicious objects and files and sends them to the cloud for analysis.
• Known malicious files are quickly identified and dropped before they can infect a host.
• Multiple techniques identify new malware, adding it to the known list of malware.
• Correlation between newly identified malware and known Command and Control (C&C) sites aids analysis.
• The SRX Series device blocks known malicious file downloads and outbound C&C traffic.

Sky ATP supports the following modes:

• Layer 3 mode
• Tap mode
• Transparent mode using MAC address. For more information, see Transparent mode on SRX Series devices.
• Secure wire mode (high-level transparent mode that uses the interface to pass traffic directly, not by MAC address). For more information, see Understanding Secure Wire.

Sky ATP Features

Sky ATP is a cloud-based solution. Cloud environments are flexible and scalable, and a shared environment ensures tha
