Sky Advanced Threat Prevention Troubleshooting Guide



Modified: 2016-09-13

Copyright © 2016, Juniper Networks, Inc.

Juniper Networks, Inc.

1133 Innovation Way

Sunnyvale, California 94089

USA

408-745-2000 www.juniper.net

Copyright © 2016, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.


The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

About the Documentation (page vii)
    Documentation and Release Notes (page vii)
    Documentation Conventions (page vii)
    Documentation Feedback (page ix)
    Requesting Technical Support (page x)
        Self-Help Online Tools and Resources (page x)
        Opening a Case with JTAC (page x)

Part 1: Troubleshooting Sky Advanced Threat Prevention

Chapter 1: Troubleshooting Sky Advanced Threat Prevention (page 3)
    Sky Advanced Threat Prevention Troubleshooting Overview (page 3)
    Troubleshooting Sky Advanced Threat Prevention: Checking DNS and Routing Configurations (page 4)
    Troubleshooting Sky Advanced Threat Prevention: Checking Certificates (page 6)
    Troubleshooting Sky Advanced Threat Prevention: Checking the Routing Engine Status (page 7)
    request services advanced-anti-malware data-connection (page 9)
    request services advanced-anti-malware diagnostic (page 11)
    Troubleshooting Sky Advanced Threat Prevention: Checking the application-identification License (page 13)
    Viewing Sky Advanced Threat Prevention System Log Messages (page 14)
    Configuring traceoptions (page 14)
    Viewing the traceoptions Log File (page 16)
    Turning Off traceoptions (page 16)
    Sky Advanced Threat Prevention Dashboard Reports Not Displaying (page 17)
    Sky Advanced Threat Prevention RMA Process (page 17)

Part 2: Index

    Index (page 21)


List of Tables

About the Documentation (page vii)
    Table 1: Notice Icons (page viii)
    Table 2: Text and Syntax Conventions (page viii)

Part 1: Troubleshooting Sky Advanced Threat Prevention

Chapter 1: Troubleshooting Sky Advanced Threat Prevention (page 3)
    Table 3: Troubleshooting Sky Advanced Threat Prevention (page 4)
    Table 4: Data Connection Test Output (page 9)
    Table 5: aamw-diagnostics Script Error Messages (page 12)


About the Documentation

• Documentation and Release Notes on page vii

• Documentation Conventions on page vii

• Documentation Feedback on page ix

• Requesting Technical Support on page x

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books .

Documentation Conventions

Table 1 on page viii defines notice icons used in this guide.


Table 1: Notice Icons

Meaning               Description
Informational note    Indicates important features or instructions.
Caution               Indicates a situation that might result in loss of data or hardware damage.
Warning               Alerts you to the risk of personal injury or death.
Laser warning         Alerts you to the risk of personal injury from a laser.
Tip                   Indicates helpful information.
Best practice         Alerts you to a recommended use or implementation.

Table 2 on page viii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description:
    • Introduces or emphasizes important new terms.
    • Identifies guide names.
    • Identifies RFC and Internet draft titles.
Examples:
    • A policy term is a named structure that defines match conditions and actions.
    • Junos OS CLI User Guide
    • RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
    • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    • The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.
Example:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Example: In the routing-options example above, nexthop address; and retain; are leaf statements.

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
    • In the Logical Interfaces box, select All Interfaces.
    • To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at http://www.juniper.net/techpubs/feedback/.

• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.


PART 1

Troubleshooting Sky Advanced Threat Prevention

• Troubleshooting Sky Advanced Threat Prevention on page 3

CHAPTER 1

Troubleshooting Sky Advanced Threat Prevention

• Sky Advanced Threat Prevention Troubleshooting Overview on page 3

• Troubleshooting Sky Advanced Threat Prevention: Checking DNS and Routing Configurations on page 4

• Troubleshooting Sky Advanced Threat Prevention: Checking Certificates on page 6

• Troubleshooting Sky Advanced Threat Prevention: Checking the Routing Engine Status on page 7

• request services advanced-anti-malware data-connection on page 9

• request services advanced-anti-malware diagnostic on page 11

• Troubleshooting Sky Advanced Threat Prevention: Checking the application-identification License on page 13

• Viewing Sky Advanced Threat Prevention System Log Messages on page 14

• Configuring traceoptions on page 14

• Viewing the traceoptions Log File on page 16

• Turning Off traceoptions on page 16

• Sky Advanced Threat Prevention Dashboard Reports Not Displaying on page 17

• Sky Advanced Threat Prevention RMA Process on page 17

Sky Advanced Threat Prevention Troubleshooting Overview

This topic provides a general guide to troubleshooting some typical problems you may encounter on Sky Advanced Threat Prevention. Table 3 on page 4 provides a summary of the symptom or problem and recommended actions with links to the troubleshooting documentation.


Table 3: Troubleshooting Sky Advanced Threat Prevention

Symptom or Problem: SRX device can’t communicate with cloud
Recommended Action:
    • See “Troubleshooting Sky Advanced Threat Prevention: Checking DNS and Routing Configurations” on page 4
    • See “Troubleshooting Sky Advanced Threat Prevention: Checking Certificates” on page 6
    • See “Troubleshooting Sky Advanced Threat Prevention: Checking the Routing Engine Status” on page 7
    • See request services advanced-anti-malware data-connection
    • See request services advanced-anti-malware diagnostic

Symptom or Problem: Files not being sent to cloud
Recommended Action:
    • See “Troubleshooting Sky Advanced Threat Prevention: Checking DNS and Routing Configurations” on page 4
    • See “Troubleshooting Sky Advanced Threat Prevention: Checking Certificates” on page 6
    • See “Troubleshooting Sky Advanced Threat Prevention: Checking the Routing Engine Status” on page 7
    • See “Troubleshooting Sky Advanced Threat Prevention: Checking the application-identification License” on page 13

Symptom or Problem: Viewing system log messages
Recommended Action:
    • See “Viewing Sky Advanced Threat Prevention System Log Messages” on page 14

Symptom or Problem: Setting traceoptions
Recommended Action:
    • See “Configuring traceoptions” on page 14
    • See “Viewing the traceoptions Log File” on page 16
    • See “Turning Off traceoptions” on page 16

Symptom or Problem: Dashboard reports not displaying any data
Recommended Action:
    • See “Sky Advanced Threat Prevention Dashboard Reports Not Displaying” on page 17

Troubleshooting Sky Advanced Threat Prevention: Checking DNS and Routing Configurations

Domain name system (DNS) servers are used for resolving hostnames to IP addresses.

For redundancy, it is a best practice to configure access to multiple DNS servers. You can configure a maximum of three DNS servers. The approach is similar to the way Web browsers resolve the name of a Web site to its network address. Additionally, Junos OS enables you to configure one or more domain names, which it uses to resolve hostnames that are not fully qualified (in other words, the domain name is missing). This is convenient because you can use a hostname in configuring and operating Junos OS without the need to reference the full domain name. After adding DNS server addresses and domain names to your Junos OS configuration, you can use DNS-resolvable hostnames in your configuration and commands instead of IP addresses.

DNS servers are site-specific. The following presents examples of how to check your settings. Your results will be different from those shown here.


First, check the IP addresses of your DNS servers.

user@host# show groups global system name-server
xxx.xxx.x.68;
xxx.xxx.xx.131;

If you set up a next hop, make sure it points to the correct router.

user@host# show routing-options
static {
    route 0.0.0.0/0 next-hop xx.xxx.xxx.1;
}

user@host# show groups global routing-options
static {
    route xxx.xx.0.0/12 {
        next-hop xx.xxx.xx.1;
        retain;
        no-readvertise;
    }
}

Use ping to verify that the SRX Series device can communicate with the cloud server. First use the show services advanced-anti-malware status CLI command to get the cloud server hostname.

user@host> show services advanced-anti-malware status
Server connection status:
  Server hostname: xxx.xxx.xxx.com
  Server port: 443
  Control Plane:
    Connection Time: 2015-12-14 00:08:10 UTC
    Connection Status: Connected
  Service Plane:
    fpc0
      Connection Active Number: 0
      Connection Failures: 0

Now ping the server. Note that the cloud server will not respond to ping, but you can use this command to check that the hostname can be resolved to an IP address.

user@host> ping xxx.xxx.xxx.com

If you do not get a ping: cannot resolve hostname: Unknown host message, then the hostname can be resolved.

You can also use telnet to verify that the SRX Series device can communicate with the cloud server. First, check the routing table to find the external route interface. In the following example, it is ge-0/0/3.0.

user@host> show route
inet.0: 23 destinations, 23 routes (22 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 2d 17:42:53
                    > to xx.xxx.xxx.1 via ge-0/0/3.0

Now telnet to the cloud using port 443.

user@host> telnet xxx.xxx.xxx.xxx.com port 443 interface ge-0/0/3.0
Trying xx.xxx.xxx.119...
Connected to xxx.xxx.xxx.xxx.com
Escape character is '^]'.

If telnet is successful, then your SRX Series device can communicate with the cloud server.

Troubleshooting Sky Advanced Threat Prevention: Checking Certificates

Use the show security pki local-certificate CLI command to check your local certificates. Ensure that you are within the certificate’s valid dates. The ssl-inspect-ca certificate is used for SSL proxy. Shown below are some examples. Your output may look different, as these are dependent on your setup and location.

user@host> show security pki local-certificate
Certificate identifier: ssl-inspect-ca
  Issued to: www.juniper_self.net, Issued by: CN = www.juniper_self.net, OU = IT, O = Juniper Networks, L = xxxxx, ST = xxxxx, C = IN
  Validity:
    Not before: 11-24-2015 22:33 UTC
    Not after: 11-22-2020 22:33 UTC
  Public key algorithm: rsaEncryption(2048 bits)

Certificate identifier: argon-srx-cert
  Issued to: xxxx-xxxx_xxx, Issued by: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) subCA for SRX devices, emailAddress = [email protected]
  Validity:
    Not before: 10-30-2015 21:56 UTC
    Not after: 01-18-2038 15:00 UTC
  Public key algorithm: rsaEncryption(2048 bits)

Use the show security pki ca-certificate command to check your CA certificates. The argon-ca certificate is the client certificate’s CA while the argon-secintel-ca is the server certificate’s CA. Ensure that you are within the certificate’s valid dates.

root@host> show security pki ca-certificate
Certificate identifier: argon-ca
  Issued to: SecIntel (junipersecurity.net) subCA for SRX devices, Issued by: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) CA, emailAddress = [email protected]
  Validity:
    Not before: 05-19-2015 22:12 UTC
    Not after: 05- 1-2045 15:00 UTC
  Public key algorithm: rsaEncryption(2048 bits)

Certificate identifier: argon-secintel-ca
  Issued to: SecIntel (junipersecurity.net) CA, Issued by: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) CA, emailAddress = [email protected]
  Validity:
    Not before: 05-19-2015 03:22 UTC
    Not after: 05-16-2045 03:22 UTC
  Public key algorithm: rsaEncryption(2048 bits)

When you enroll an SRX Series device, the ops script installs two CA certificates: one for the client and one for the server. Client-side CA certificates are associated with serial numbers. Use the show security pki local-certificate detail CLI command to get your device’s certificate details and serial number.

user@host> show security pki local-certificate detail
Certificate identifier: aamw-srx-cert
  Certificate version: 3
  Serial number: xxxxxxxxxx
  Issuer:
    Organization: Juniper Networks Inc, Organizational unit: SecIntel, Country: US,
    Common name: SecIntel (junipersecurity.net) subCA for SRX devices
  Subject:
    Organization: xxxxxxxxxx, Organizational unit: SRX, Country: US,
    Common name: xxxxxxxxxx
  Subject string:
    C=US, O=xxxxxxxx, OU=SRX, CN=xxxxxxxx, [email protected]
  Alternate subject: [email protected], fqdn empty, ip empty
  Validity:
    Not before: 11-23-2015 23:08 UTC
    Not after: 01-18-2038 15:00 UTC

Then use the show security pki crl detail CLI command to make sure your serial number is not in the Certificate Revocation List (CRL). If your serial number is listed in the CRL then that SRX Series device cannot connect to the cloud server.

user@host> show security pki crl detail
CA profile: aamw-ca
  CRL version: V00000001
  CRL issuer: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) subCA for SRX devices, emailAddress = [email protected]
  Effective date: 11-23-2015 23:16 UTC
  Next update: 11-24-2015 23:16 UTC
  Revocation List:
  Serial number                     Revocation date
  xxxxxxxxxxxxxxxxx                 10-26-2015 17:43 UTC
  xxxxxxxxxxxxxxxxx                 11- 3-2015 19:07 UTC
  ...
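The validity-window and CRL checks described above can be automated against saved CLI output. The following Python script is an added example and is not part of this guide or of Junos OS: it parses constructed samples of the show security pki local-certificate detail and show security pki crl detail output, verifies that a given time falls within each certificate's validity window, and reports whether the certificate's serial number appears in the CRL. The sample output, serial numbers and subject names are constructed placeholders, and the timestamp parser allows for the space-padded day that Junos prints in dates such as 05- 1-2045.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on "show security pki local-certificate detail".
# The serial number and subject names are placeholders, not values from a real device.
LOCAL_CERT_DETAIL = """\
Certificate identifier: aamw-srx-cert
  Certificate version: 3
  Serial number: 0123456789abcdef
  Issuer:
    Organization: Juniper Networks Inc, Organizational unit: SecIntel, Country: US,
    Common name: SecIntel (junipersecurity.net) subCA for SRX devices
  Subject:
    Organization: example-org, Organizational unit: SRX, Country: US,
    Common name: example-srx
  Validity:
    Not before: 11-23-2015 23:08 UTC
    Not after: 01-18-2038 15:00 UTC
"""

# Constructed sample modelled on "show security pki crl detail". The second entry
# carries the space-padded day ("11- 3-2015") that the real output also produces.
CRL_DETAIL = """\
CA profile: aamw-ca
  CRL version: V00000001
  CRL issuer: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) subCA for SRX devices
  Effective date: 11-23-2015 23:16 UTC
  Next update: 11-24-2015 23:16 UTC
  Revocation List:
  Serial number                     Revocation date
  aaaaaaaaaaaaaaaa                  10-26-2015 17:43 UTC
  bbbbbbbbbbbbbbbb                  11- 3-2015 19:07 UTC
"""


def parse_junos_time(text):
    """Parse the 'MM-DD-YYYY HH:MM UTC' timestamps printed by the PKI commands.
    A single-digit day is space padded ('05- 1-2045'), so that is normalised first."""
    text = text.strip().replace(" UTC", "")
    text = re.sub(r"-\s+(\d)", r"-\1", text)
    return datetime.strptime(text, "%m-%d-%Y %H:%M").replace(tzinfo=timezone.utc)


def parse_local_certificates(output):
    """Return {identifier: {'serial': str, 'not_before': datetime, 'not_after': datetime}}."""
    certs = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"Certificate identifier:\s*(\S+)", line)
        if m:
            current = certs.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        m = re.match(r"Serial number:\s*(\S+)", line)
        if m:
            current["serial"] = m.group(1).lower()
        m = re.match(r"Not before:\s*(.+)", line)
        if m:
            current["not_before"] = parse_junos_time(m.group(1))
        m = re.match(r"Not after:\s*(.+)", line)
        if m:
            current["not_after"] = parse_junos_time(m.group(1))
    return certs


def parse_crl_serials(output):
    """Return the set of revoked serial numbers (lowercase) listed under 'Revocation List:'."""
    serials = set()
    in_list = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Revocation List:"):
            in_list = True
            continue
        if not in_list or line.startswith("Serial number"):
            continue
        m = re.match(r"([0-9A-Fa-f]+)\s+\d{2}-\s?\d{1,2}-\d{4}", line)
        if m:
            serials.add(m.group(1).lower())
    return serials


def check_certificate(cert, revoked, now):
    """Return the list of problems with one certificate; an empty list means it is usable."""
    problems = []
    if now < cert["not_before"]:
        problems.append("not yet valid")
    if now > cert["not_after"]:
        problems.append("expired")
    if cert["serial"] in revoked:
        problems.append("serial number is listed in the CRL")
    return problems


def audit(local_output, crl_output, now=None):
    """Check every local certificate against the clock and the CRL."""
    now = now or datetime.now(timezone.utc)
    revoked = parse_crl_serials(crl_output)
    return {name: check_certificate(cert, revoked, now)
            for name, cert in parse_local_certificates(local_output).items()}


if __name__ == "__main__":
    for name, problems in audit(LOCAL_CERT_DETAIL, CRL_DETAIL).items():
        print(f"{name}: {'OK' if not problems else ', '.join(problems)}")
```

To use it on a real device, paste the two command outputs into the two strings (or read them from files) and run the script; a certificate whose serial number is reported as listed in the CRL matches the condition described above under which the SRX Series device cannot connect to the cloud server.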

Troubleshooting Sky Advanced Threat Prevention: Checking the Routing Engine Status

Use the show services advanced-anti-malware status CLI command to show the connection status from the control plane or routing engine.

user@host> show services advanced-anti-malware status
Server connection status:
  Server hostname: xxx.xxx.xxx.xxx.com
  Server port: 443
  Control Plane:
    Connection Time: 2015-12-01 08:58:02 UTC
    Connection Status: Connected
  Service Plane:
    fpc0
      Connection Active Number: 0
      Connection Failures: 0


If the connection fails, the CLI command will display the reason in the Connection Status field. Valid options are:

• Not connected

• Initializing

• Connecting

• Connected

• Disconnected

• Connect failed

• Client certificate not configured

• Request client certificate failed

• Request server certificate validation failed

• Server certificate validation succeeded

• Server certificate validation failed

• Server hostname lookup failed
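The Connection Status values listed above are the first thing to triage when the SRX Series device cannot reach the cloud. The following Python script is an added example and is not part of this guide or of Junos OS: it parses constructed copies of the show services advanced-anti-malware status output, reads the control-plane status and the per-FPC service-plane counters, and maps each documented status value to the section of this guide (or the command) to check next. The hostname in the samples is a placeholder, and the NEXT_STEP mapping is this example's own reading of the guide, not a table defined by Juniper.

```python
import re

# Constructed samples modelled on the "show services advanced-anti-malware status"
# output shown in this guide. The hostname is a placeholder, not a real Sky ATP server.
STATUS_OK = """\
Server connection status:
  Server hostname: cloud.example.invalid
  Server port: 443
  Control Plane:
    Connection Time: 2015-12-01 08:58:02 UTC
    Connection Status: Connected
  Service Plane:
    fpc0
      Connection Active Number: 0
      Connection Failures: 0
"""

STATUS_BAD = """\
Server connection status:
  Server hostname: cloud.example.invalid
  Server port: 443
  Control Plane:
    Connection Time: 2015-12-01 08:58:02 UTC
    Connection Status: Server certificate validation failed
  Service Plane:
    fpc0
      Connection Active Number: 0
      Connection Failures: 17
    fpc1
      Connection Active Number: 2
      Connection Failures: 0
"""

# Documented Connection Status values mapped to where to look next. This mapping is
# this example's own reading of the guide, not a table defined by Juniper.
NEXT_STEP = {
    "Connected": None,
    "Initializing": "transient state; re-check in a few seconds",
    "Connecting": "transient state; re-check in a few seconds",
    "Server certificate validation succeeded": "transient state; the connection should complete shortly",
    "Not connected": "Checking DNS and Routing Configurations",
    "Disconnected": "Checking DNS and Routing Configurations",
    "Connect failed": "Checking DNS and Routing Configurations, then run "
                      "request services advanced-anti-malware data-connection test start",
    "Server hostname lookup failed": "Checking DNS and Routing Configurations (name-server entries)",
    "Client certificate not configured": "Checking Certificates (local certificate)",
    "Request client certificate failed": "Checking Certificates (local certificate and CRL)",
    "Request server certificate validation failed": "Checking Certificates (CA certificates)",
    "Server certificate validation failed": "Checking Certificates (CA certificates)",
}


def parse_status(output):
    """Parse the status output into hostname, port, control-plane status and per-FPC counters."""
    result = {"hostname": None, "port": None, "control_status": None, "fpcs": {}}
    current_fpc = None
    for raw in output.splitlines():
        line = raw.strip()
        m_host = re.match(r"Server hostname:\s*(\S+)", line)
        m_port = re.match(r"Server port:\s*(\d+)", line)
        m_state = re.match(r"Connection Status:\s*(.+)", line)
        m_counter = re.match(r"Connection (Active Number|Failures):\s*(\d+)", line)
        if m_host:
            result["hostname"] = m_host.group(1)
        elif m_port:
            result["port"] = int(m_port.group(1))
        elif m_state:
            result["control_status"] = m_state.group(1).strip()
        elif re.fullmatch(r"fpc\d+", line):
            current_fpc = line
            result["fpcs"][current_fpc] = {}
        elif current_fpc and m_counter:
            key = "active" if m_counter.group(1) == "Active Number" else "failures"
            result["fpcs"][current_fpc][key] = int(m_counter.group(2))
    return result


def triage(output):
    """Return a list of findings, each naming where in the guide to look next.
    An empty list means the control plane is connected and no FPC reports failures."""
    status = parse_status(output)
    findings = []
    state = status["control_status"]
    if state not in NEXT_STEP:
        findings.append(f"control plane: unrecognised status '{state}'")
    elif NEXT_STEP[state] is not None:
        findings.append(f"control plane: {state} -> see {NEXT_STEP[state]}")
    for fpc, counters in status["fpcs"].items():
        if counters.get("failures", 0) > 0:
            findings.append(f"{fpc}: {counters['failures']} connection failures -> "
                            "run request services advanced-anti-malware diagnostic")
    return findings


if __name__ == "__main__":
    for finding in triage(STATUS_BAD):
        print(finding)
```

A control plane that reports Connected while an FPC accumulates Connection Failures points at the service plane rather than the Routing Engine, which is why the script reports the two separately.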


request services advanced-anti-malware data-connection

Syntax

request services advanced-anti-malware data-connection test (start <0-32768> | status)

Release Information

Command introduced in Junos OS Release 15.1X49-D60.

Description

Tests the connection between the SRX Series device and the Sky ATP cloud by initiating a websocket connection and then sending data payloads of a given size. The SRX Series device must already be enrolled with Sky ATP before running this command.

Run this command when the show services advanced-anti-malware statistics CLI command shows that several files failed to be sent to the cloud (see the “File Send to Cloud Failed” result).

Options

start <0-32768>—Start the data connection test and specify the packet payload size in bytes.

status—Returns the result of the data connection test. See Table 4 on page 9.

Required Privilege Level

View

Related Documentation

• request services advanced-anti-malware diagnostic on page 11

List of Sample Output

request services advanced-anti-malware data-connection test start on page 10
request services advanced-anti-malware data-connection test status on page 10
request services advanced-anti-malware data-connection test status on page 10

Output Fields

This CLI command returns a single line that indicates the data connection results. Table 4 on page 9 lists the possible results.

Table 4: Data Connection Test Output

Message: Test not started.
Description: You cannot view the status without first running the data connection test. Run the request services advanced-anti-malware data-connection test start CLI command and then check the status again.

Message: Test in progress.
Description: The data connection test has not finished. Wait a few seconds and try the command again. Depending on your environment, it can take up to 20 seconds for the test to complete.

Message: Test OK.
Description: The data connection test passed.

Message: Test failed.
Description: The data connection test failed and indicates where it failed. Possible failures are:
    • Connect error—The websocket connection cannot be established.
    • Ping pong error—Successfully connected to the cloud server, but the payload delivery is not reliable.

Sample Output

request services advanced-anti-malware data-connection test start

user@host> request services advanced-anti-malware data-connection test start
Cloud connectivity test started. Ping payload size: 128 bytes.

request services advanced-anti-malware data-connection test status

user@host> request services advanced-anti-malware data-connection test status
fpc0: Test OK. RTT = 38 ms. Test time: 2016-08-11 20:53:02 UTC.

request services advanced-anti-malware data-connection test status

user@host> request services advanced-anti-malware data-connection test status
fpc0: Test failed. Reason: Ping pong error. Test time: 2016-08-11 21:13:05 UTC.
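Because the test runs asynchronously (start, then poll status until it leaves the Test in progress state, within the 20-second budget given in Table 4), scripting it means handling all four messages. The following Python script is an added example and is not part of this guide or of Junos OS: it parses the single result line into its fields and drives the start/status sequence through a caller-supplied run(cmd) callable. The run callable is an assumption of this example, since the script ships no Junos transport; the make_fake_cli helper stands in for it with a constructed, scripted sequence of status lines so the logic can be exercised offline.

```python
import re
import time

# Matches the single result line documented in Table 4, for example:
#   fpc0: Test OK. RTT = 38 ms. Test time: 2016-08-11 20:53:02 UTC.
#   fpc0: Test failed. Reason: Ping pong error. Test time: 2016-08-11 21:13:05 UTC.
# The fpcN prefix is optional so that bare "Test not started." / "Test in progress." also parse.
RESULT_RE = re.compile(
    r"^(?:(?P<fpc>fpc\d+):\s*)?Test (?P<verdict>OK|failed|in progress|not started)\."
    r"(?:\s*RTT = (?P<rtt>\d+) ms\.)?"
    r"(?:\s*Reason: (?P<reason>[^.]+)\.)?"
)


def parse_result(line):
    """Return {'fpc', 'verdict', 'rtt', 'reason'} for one status line (rtt as int or None)."""
    m = RESULT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised data-connection output: {line!r}")
    fields = m.groupdict()
    if fields["rtt"] is not None:
        fields["rtt"] = int(fields["rtt"])
    return fields


def wait_for_result(run, poll_interval=2.0, timeout=20.0, sleep=time.sleep):
    """Start the test, then poll 'status' until it finishes or the 20-second budget is used up.
    run(cmd) executes a CLI command and returns its output text (assumed; supplied by the caller).
    Returns the parsed final result; raises on 'not started' or on timeout."""
    start_out = run("request services advanced-anti-malware data-connection test start")
    waited = 0.0
    while True:
        result = parse_result(run("request services advanced-anti-malware data-connection test status"))
        if result["verdict"] == "not started":
            raise RuntimeError("status reports 'Test not started'; start output was: " + start_out.strip())
        if result["verdict"] != "in progress":
            return result
        if waited >= timeout:
            raise TimeoutError(f"data-connection test still in progress after {timeout:.0f}s")
        sleep(poll_interval)
        waited += poll_interval


def make_fake_cli(status_lines):
    """Build a run() that answers 'status' with a constructed, scripted sequence of lines
    (the last line repeats), so the polling loop can run offline."""
    queue = list(status_lines)

    def run(cmd):
        if cmd.endswith("test start"):
            return "Cloud connectivity test started. Ping payload size: 128 bytes.\n"
        return queue.pop(0) if len(queue) > 1 else queue[0]

    return run


if __name__ == "__main__":
    cli = make_fake_cli([
        "Test in progress.",
        "fpc0: Test OK. RTT = 38 ms. Test time: 2016-08-11 20:53:02 UTC.",
    ])
    print(wait_for_result(cli, sleep=lambda seconds: None))
```

On a real device, run would send each command over the management session of your choice and return the text it prints; a result whose verdict is failed carries the reason (Connect error or Ping pong error) from Table 4.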


request services advanced-anti-malware diagnostic

Syntax

request services advanced-anti-malware diagnostic url (detail | pre-detection url)

Release Information

Command introduced in Junos OS Release 15.1X49-D60.

Description

Use this command before you enroll your SRX Series device with Sky Advanced Threat Prevention to verify your Internet connection to the cloud. If you already enrolled your SRX Series device, you can still use this command and the request services aamw data-connection CLI command to check and troubleshoot your connection to the cloud.

This CLI command checks the following:

• DNS lookup—Performs a forward DNS lookup of the cloud hostname to verify it returns an IP address.

• Route to cloud—Tests your network connection using telnet.

• Whether server is live—Uses the telnet and ping commands to verify connection with the cloud.

• Outgoing interface—Checks that both the Routing Engine (RE) and the Packet Forwarding Engine (PFE) can connect to the Internet.

• IP path MTU—Determines the maximum transmission unit (MTU) size on the network path between the SRX Series device and the cloud server.

• SSL configuration consistency—Verifies that the SSL profile, client certificate and CA exist in both the RE and the PFE.

Options

url—URL to the Sky Advanced Threat Prevention cloud server.

detail—(optional) Debug mode that provides more verbose output.

pre-detection url—(optional) Pre-detection mode where you can test your connection to the cloud server prior to actually enrolling your SRX Series device.

To use this option, in the Web UI, click Devices and then click Enroll. You will receive an ops script similar to this: op url https://abc.def.junipersecurity.net/bootstrap/enroll/AaBbCc/DdEeFf.slax

Use the root URL from the ops script as the url for the pre-detection option. For example, using the above ops script, run the command as: request services advanced-anti-malware diagnostic pre-detection abc.def.junipersecurity.net

Additional Information

Table 5 on page 12 lists the error conditions detected by this CLI command.


Table 5: aamw-diagnostics Script Error Messages

Error Message: URL unreachable is detected, please make sure URL url port port is reachable.
Description: Could not access the cloud server.

Error Message: SSL profile ssl profile name is inconsistent between PFE and RE.
Description: The SSL profile exists in the RE but does not exist in the PFE.

Error Message: SSL profile ssl profile name is empty.
Description: The SSL profile has neither trusted CA nor client certificate configured.

Error Message: SSL local certificate local certificate is inconsistent between PFE and RE.
Description: The SSL client certificate does not exist in PFE.

Error Message: SSL CA ca name is inconsistent between PFE and RE.
Description: The SSL CA exists in the RE but does not exist in the PFE.

Error Message: DNS lookup failure is detected, please check your DNS configuration.
Description: The IP address of the cloud server could not be found. If this test fails, check to make sure your Internet connection is working properly and your DNS server is configured and has an entry for the cloud URL.

Error Message: To-SKYATP connection through management interface is detected. Please make sure to-SKYATP connection is through packet forwarding plane.
Description: The test detected that the Internet connection to the cloud server is through the management interface. This may result in your PFE connection to the cloud server failing. To correct this, change the Internet connection to the cloud to be through the PFE and not the management interface.

Required Privilege Level

View

Related Documentation

• request services advanced-anti-malware data-connection on page 9

List of Sample Output

request services advanced-anti-malware diagnostic on page 12
request services advanced-anti-malware diagnostic detail on page 13
request services advanced-anti-malware diagnostic pre-detection on page 13

Sample Output

request services advanced-anti-malware diagnostic

user@host> request services advanced-anti-malware diagnostic abc.def.junipersecurity.net
SKYATP reachability check :OK
SKYATP ICMP service check :OK
To-SKYATP connection through Packet Forwarding Engine :OK
IP Path MTU check :OK
IP Path MTU is 1472
SSL configuration consistent check :OK

request services advanced-anti-malware diagnostic detail

user@host> request services advanced-anti-malware diagnostic abc.def.junipersecurity.net detail
[INFO] Try to get IP from URL abc.def.junipersecurity.net
DNS check : [OK]
[INFO] Try to test SKYATP server connectivity
SKYATP reachability check : [OK]
[INFO] Try ICMP service in SKYATP
SKYATP ICMP service check : [OK]
[INFO] To-SKYATP connection is using ge-0/0/3.0, according to route
To-SKYATP connection through Packet Forwarding Engine: [OK]
[INFO] Check IP MTU with length 1472
IP Path MTU check : [OK]
IP Path MTU is 1472
SSL configuration consistent check : [OK]

request services advanced-anti-malware diagnostic pre-detection

user@host> request services advanced-anti-malware diagnostic pre-detection abc.def.junipersecurity.net
DNS check : [OK]
SKYATP reachability check : [OK]
SKYATP ICMP service check : [OK]
To-SKYATP connection through Packet Forwarding Engine: [OK]
IP Path MTU check : [OK]
IP Path MTU is 1472
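When the diagnostic is run across many SRX devices, it is convenient to parse the output above rather than read it by eye. The following is an added example, not code from the guide or from Juniper: it parses both output forms shown above (the brief ":OK" form and the detail "[OK]" form), extracts the path MTU and returns the checks that did not pass. The "FAILED" status token in the constructed second sample is an assumption; the guide only shows the OK form.

```python
import re
# One verdict line in either form the guide shows: "X check :OK" or "X check : [OK]"
_CHECK_RE = re.compile(r'^(?P<name>[^:]+?)\s*:\s*\[?(?P<status>[A-Za-z]+)\]?\s*$')
_MTU_RE = re.compile(r'^IP Path MTU is (?P<mtu>\d+)\s*$')

def parse_diagnostic(output):
    """Return ({check name: status}, path MTU or None) for one command output."""
    checks, mtu = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("[INFO]"):
            continue  # [INFO] progress lines carry no verdict
        m = _CHECK_RE.match(line)
        if m:
            checks[m.group("name")] = m.group("status").upper()
            continue
        m = _MTU_RE.match(line)
        if m:
            mtu = int(m.group("mtu"))
    return checks, mtu

def failed_checks(output):
    """Names of checks whose status is anything other than OK, in output order."""
    checks, _ = parse_diagnostic(output)
    return [name for name, status in checks.items() if status != "OK"]

# The guide's own "diagnostic detail" output, reproduced as sample input.
HEALTHY_OUTPUT = """\
[INFO] Try to get IP from URL abc.def.junipersecurity.net
DNS check : [OK]
[INFO] Try to test SKYATP server connectivity
SKYATP reachability check : [OK]
[INFO] To-SKYATP connection is using ge-0/0/3.0, according to route
To-SKYATP connection through Packet Forwarding Engine: [OK]
[INFO] Check IP MTU with length 1472
IP Path MTU check : [OK]
IP Path MTU is 1472
SSL configuration consistent check : [OK]
"""
# Constructed: the management-interface case the guide warns about. The
# "FAILED" token is assumed; the guide only shows the OK form.
DEGRADED_OUTPUT = """\
SKYATP reachability check :OK
To-SKYATP connection through Packet Forwarding Engine :FAILED
IP Path MTU check :OK
IP Path MTU is 1472
SSL configuration consistent check :OK
"""
```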

Troubleshooting Sky Advanced Threat Prevention: Checking the application-identification License

If you are using an SRX1500 Series device, you must have a valid application-identification license installed. Use the show services application-identification version CLI command to verify that the application package has been installed. You must have version 2540 or later installed. For example:

user@host> show services application-identification version
Application package version: 2540

If you do not see the package or the package version is incorrect, use the request services application-identification download CLI command to download the latest application package for Junos OS application identification. For example:

user@host> request services application-identification download
Please use command "request services application-identification download status" to check status

Then use the request services application-identification install CLI command to install the downloaded application signature package.

user@host> request services application-identification install
Please use command "request services application-identification install status" to check status

Use the show services application-identification version CLI command again to verify that the application package is installed.


Viewing Sky Advanced Threat Prevention System Log Messages

The Junos OS generates system log messages (also called syslog messages) to record events that occur on the SRX Series device. Each system log message identifies the process that generated the message and briefly describes the operation or error that occurred. Sky Advanced Threat Prevention logs are identified with an SRX_AAMW_ACTION_LOG or SRX AAMWD entry.

The following example configures basic syslog settings.

set groups global system syslog user * any emergency
set groups global system syslog host log kernel info
set groups global system syslog host log any notice
set groups global system syslog host log pfe info
set groups global system syslog host log interactive-commands any
set groups global system syslog file messages kernel info
set groups global system syslog file messages any any
set groups global system syslog file messages authorization info
set groups global system syslog file messages pfe info
set groups global system syslog file messages archive world-readable

To view events in the CLI, enter the following command:

show log

Example Log Message

<14> 1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [[email protected] http-host="www.mytest.com" file-category="executable" action="BLOCK" verdict-number="8" verdict-source="cloud/blacklist/whitelist" source-address="x.x.x.1" source-port="57116" destination-address="x.x.x.1" destination-port="80" protocol-id="6" application="UNKNOWN" nested-application="UNKNOWN" policy-name="argon_policy" username="user1" session-id-32="50000002" source-zone-name="untrust" destination-zone-name="trust"] http-host=www.mytest.com file-category=executable action=BLOCK verdict-number=8 verdict-source=cloud source-address=x.x.x.1 source-port=57116 destination-address=x.x.x.1 destination-port=80 protocol-id=6 application=UNKNOWN nested-application=UNKNOWN policy-name=argon_policy username=user1 session-id-32=50000002 source-zone-name=untrust destination-zone-name=trust
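The structured-data block of an SRX_AAMW_ACTION_LOG message is what a SIEM rule keys on, so it helps to see it parsed. The following is an added example, not code from the guide or from Juniper: it extracts the key="value" fields from lines in the format shown above and flags verdicts at or above a review threshold that the policy did not block. The structured-data ID "sdid@EXAMPLE", the "PERMIT" action value and the threshold of 7 are assumptions; the guide shows only the BLOCK line with verdict 8.

```python
import re
# RFC 5424 header as the guide shows it: <PRI>VERSION TS HOST APP PROCID MSGID [SD-ID k="v" ...] text
_HEADER_RE = re.compile(
    r'^<\d+>\s?\d+\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+\S+\s+\S+\s+'
    r'(?P<msgid>\S+)\s+\[(?P<sdid>[^\s\]]+)\s+(?P<params>[^\]]*)\]'
)
_PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')  # one key="value" inside the SD block

def parse_aamw_action_log(line):
    """Return the structured-data fields of one SRX_AAMW_ACTION_LOG line, else None."""
    m = _HEADER_RE.match(line)
    if m is None or m.group("msgid") != "SRX_AAMW_ACTION_LOG":
        return None
    fields = dict(_PARAM_RE.findall(m.group("params")))
    fields["timestamp"], fields["device"] = m.group("ts"), m.group("host")
    return fields

def triage(lines, review_threshold=7):
    """Summarise each action log; flag verdicts >= review_threshold that were not
    blocked. The threshold is an assumed value, not one the guide states."""
    results = []
    for line in lines:
        f = parse_aamw_action_log(line)
        if f is None:
            continue
        verdict = int(f.get("verdict-number", "0"))
        results.append({
            "device": f["device"],
            "user": f.get("username", "?"),
            "host": f.get("http-host", "?"),
            "verdict": verdict,
            "action": f.get("action", "?"),
            "needs_review": verdict >= review_threshold and f.get("action") != "BLOCK",
        })
    return results

# Constructed sample lines modelled on the guide's example. "sdid@EXAMPLE" stands in for
# the structured-data ID, which is not legible on the page; the PERMIT value is assumed.
SAMPLE_LINES = [
    '<14>1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG '
    '[sdid@EXAMPLE http-host="www.mytest.com" file-category="executable" action="BLOCK" '
    'verdict-number="8" verdict-source="cloud" source-address="x.x.x.1" source-port="57116" '
    'policy-name="argon_policy" username="user1" session-id-32="50000002"] '
    'http-host=www.mytest.com action=BLOCK verdict-number=8',
    '<14>1 2013-12-14T16:07:10.002Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG '
    '[sdid@EXAMPLE http-host="dl.example.test" file-category="executable" action="PERMIT" '
    'verdict-number="9" verdict-source="cloud" username="user2"] action=PERMIT',
    '<14>1 2013-12-14T16:07:11.000Z pinarello sshd - - - Accepted publickey for admin',
]
```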

Configuring traceoptions

In most cases, policy logging of the traffic being permitted and denied is sufficient to verify what Sky Advanced Threat Prevention is doing with the SRX Series device data.

However, in some cases you may need more information. In these instances, you can use traceoptions to monitor traffic flow into and out of the SRX Series device.

Traceoptions are the equivalent of debugging tools. To debug packets as they traverse the SRX Series device, you need to configure traceoptions with the basic-datapath flag.

This traces packets from the moment they enter the SRX Series device until they exit, giving you details of the different actions the SRX Series device takes along the way.


A minimum traceoptions configuration must include both a target file and a flag. The target file determines where the trace output is recorded. The flag defines what type of data is collected. For more information on using traceoptions, see the documentation for your SRX Series device.

To set the trace output file, use the file filename option. The following example defines the trace output file as srx_aamw.log:

user@host# edit services advanced-anti-malware traceoptions
[edit services advanced-anti-malware traceoptions]
user@host# set file srx_aamw.log

The flag option defines what data to collect and can be one of the following values:

• all—Trace everything.
• connection—Trace connections to the server.
• content—Trace the content buffer management.
• daemon—Trace the Sky Advanced Threat Prevention daemon.
• identification—Trace file identification.
• parser—Trace the protocol context parser.
• plugin—Trace the advanced anti-malware plugin.
• policy—Trace the advanced anti-malware policy.

The following example traces connections to the SRX device and the advanced anti-malware policy (the set commands below are entered at the top of the configuration hierarchy, so they carry the full statement path):

user@host# set services advanced-anti-malware traceoptions file skyatp.log
user@host# set services advanced-anti-malware traceoptions file size 100M
user@host# set services advanced-anti-malware traceoptions level all
user@host# set services advanced-anti-malware traceoptions flag all

Before committing your traceoptions configuration, use the show services advanced-anti-malware command to review your settings.

user@host# show services advanced-anti-malware
url https://xxx.xxx.xxx.com;
authentication {
    tls-profile
    ...
}
traceoptions {
    file skyatp.log;
    flag all;
    ...
}
...

You can also configure public key infrastructure (PKI) trace options. For example:

set security pki traceoptions file pki.log
set security pki traceoptions flag all


Debug tracing on both the Routing Engine and the Packet Forwarding Engine can be enabled for SSL proxy by setting the following configuration:

set services ssl traceoptions file ssl.log
set services ssl traceoptions file size 100m
set services ssl traceoptions flag all

You can enable logs in the SSL proxy profile to get to the root cause of the drop. The following errors are some of the most common:

• Server certificate validation error. The trusted CA configuration does not match your configuration.
• System failures such as memory allocation failures.
• Ciphers do not match.
• SSL versions do not match.
• SSL options are not supported.
• Root CA has expired. You need to load a new root CA.

Set flow trace options to troubleshoot traffic flowing through your SRX Series device:

set security flow traceoptions flag all
set security flow traceoptions file flow.log size 100M

Related Documentation

• Enabling Debugging and Tracing for SSL Proxy
• traceoptions (Security PKI)

Viewing the traceoptions Log File

Once you commit the configuration, traceoptions starts populating the log file with data.

Use the show log CLI command to view the log file. For example:

user@host> show log srx_aamw.log

Use the match, last and trim commands to make the output more readable. For more information on using these commands, see Configuring Traceoptions for Debugging and Trimming Output.

Turning Off traceoptions

traceoptions is very resource-intensive. We recommend you turn off traceoptions when you are finished to avoid any performance impact. There are two ways to turn off traceoptions.

The first way is to use the deactivate command. This is a good option if you need to activate the trace in the future. Use the activate command to start capturing again.

user@host# deactivate services advanced-anti-malware traceoptions
user@host# commit


The second way is to remove traceoptions from the configuration file using the delete command.

user@host# delete services advanced-anti-malware traceoptions
user@host# commit

You can remove the traceoptions log file with the file delete filename CLI command or clear the contents of the file with the clear log filename CLI command.

Sky Advanced Threat Prevention Dashboard Reports Not Displaying

Sky Advanced Threat Prevention dashboard reports require the Sky Advanced Threat Prevention premium license for the C&C Server & Malware report and any GeoIP reports.

If you do not see any data in these dashboard reports, make sure that you have purchased a premium license.

NOTE: Sky Advanced Threat Prevention does not require you to install a license key onto your SRX Series device. Instead, your entitlement for a specific serial number is automatically transferred to the cloud server. It may take up to 24 hours for your activation to be updated in the Sky Advanced Threat Prevention cloud server. For more information, see Obtaining the Sky Advanced Threat Prevention License.

All reports are specific to your realm; no report currently covers trends derived from the Sky Advanced Threat Prevention worldwide database. The reports shown in your dashboard are built from files uploaded from your SRX Series devices and from data gathered by other features.

If you did purchase a premium license and followed the configuration steps (Quick Start or Sky Advanced Threat Prevention Configuration Overview) and are still not seeing data in the dashboard reports, contact Juniper Networks Technical Support.

Sky Advanced Threat Prevention RMA Process

Sometimes, because of hardware failure, a device needs to be returned for repair or replacement. For these cases, contact Juniper Networks, Inc. to obtain a Return Material Authorization (RMA) number and follow the RMA Procedure.

Once you transfer your license keys to the new device, it may take up to 24 hours for the new serial number to be registered with Sky Advanced Threat Prevention cloud service.

You must enroll your replacement unit as a new device. See Enrolling an SRX Series Device With Sky Advanced Threat Prevention. Sky Advanced Threat Prevention does not have an "RMA state" and does not see these as replacement devices from a configuration or registration point of view. This means that data is not automatically transferred from the old device to the replacement SRX Series device.
