SRX UTM Sophos Antivirus

On the previous post, I wrote about UTM Webfiltering. This post will provide a basic configuration example of Sophos Antivirus. Below is the simple topology we will use on this lab.

utm_web_filtering_srx_juniper

[edit]
root@srx# show security utm feature-profile 
anti-virus {
    type sophos-engine;
    sophos-engine {
        profile sophos-prof {
            fallback-options {
                content-size log-and-permit;
                engine-not-ready permit;
                out-of-resources permit;
                too-many-requests permit;
            }
            scan-options {
                content-size-limit 15000;
                timeout 600;
            }
            notification-options {
                virus-detection {
                    custom-message "Juniper Sophos has detected a virus";
                }
            }
        }
    }
}

Like web filtering configuration we must configure a feature profile for antivirus as well and a profile under sophos-engine. Again you shouldn’t forget to set “type sophos-engine” command without which you don’t really tell junos which engine (i.e sophos,kaspersky) you want to use.

In the scan-options we also instruct sophos engine not to scan more than 15M content and other options are self explanatory I believe.

After configuring the feature profile, we must assign this under a utm policy.

[edit]
root@srx# show security utm utm-policy utm-pol1 
anti-virus {
    http-profile sophos-prof;
}

Now we must apply this utm policy in our security policy

[edit]
root@srx# show security policies 
from-zone TRUST to-zone INTERNET {
    policy allow-utm-clients {
        match {
            source-address any;
            destination-address any;
            application [junos-http junos-dns-udp junos-dns-tcp];
        }
        then {
            permit {
                application-services {
                    utm-policy utm-pol1;
                }
            }
        }
    }
}

Now I did a commit and checked the sophos status immediately two times.

root@srx> show security utm anti-virus status    
 UTM anti-virus status: 
 
    Anti-virus key expire date: 2014-07-19 13:13:08
    Update server: http://update.juniper-updates.net/SAV/
           Interval: 1440 minutes
           Pattern update status: N/A
           Last result: N/A
    Anti-virus signature version: Not loaded
    Scan engine type: sophos-engine
    Scan engine information: Load failure (general error)

root@srx> show security utm anti-virus status    
 UTM anti-virus status: 
 
    Anti-virus key expire date: 2014-07-19 13:13:14
    Update server: http://update.juniper-updates.net/SAV/
           Interval: 1440 minutes
           Pattern update status: next update in 1439 minutes
           Last result: new database downloaded
    Anti-virus signature version: 1.13 (1.02)
    Scan engine type: sophos-engine
    Scan engine information: last action result: No error

As you can see first antivirus signature isn’t loaded but short time later, engine becomes ready. Make sure your SRX has a name-server configured for this to work.

Now I would like to emphasis the “type sophos-engine” option. If you don’t set it you will get an output like below as if you haven’t configure anything. So don’t forget it.

root@srx>show security utm anti-virus status        
 UTM anti-virus status: 
    Scan engine type: no-config

To try the antivirus, I have download eicar sample and I have got the message “Juniper Sophos has detected a virus” as configured. Statistics also show that a virus has been found

root@srx> show security utm anti-virus statistics 
 UTM Anti Virus statistics: 
 MIME-whitelist passed:                0
 URL-whitelist passed:                 0
 Scan Request: 

  Total           Clean         Threat-found    Fallback
       1               0              1               0

 Fallback: 
                              Log-and-Permit    Block             Permit
 Engine not ready:                0                 0                 0 
 Out of resources:                0                 0                 0
 Timeout:                         0                 0                 0
 Maximum content size:            0                 0                 0
 Too many requests:               0                 0                 0
 Others:                          0                 0                 0

About: rtoodtoo

Genco has worked for more than 10 years as a Network/Support Engineer. He is also interested in Python, Linux, Security and SD-WAN, currently lives in the Netherlands and works as a Network Support Engineer at Tesla Inc. // JNCIE-SEC #223 / RHCE / PCNSE


You have a feedback?

This site uses Akismet to reduce spam. Learn how your comment data is processed.