There are 5 specific functions that can be tested to make sure that the ThreatSTOP solution is working properly:
- Does your system pull IPs from our database
- Are the IPs applied to firewall rules
- Do the blocked IPs get logged
- Can the logs be uploaded to our database
- Can 1-4 be done automatically
For all of these commands, it is suggested you log into your device using PuTTY over SSH or via the console.
- Does your system pull IPs from our database?
To see a list of the current IPs uploaded from our system, you can run:
root@Juniper-SRX% cli
root@Juniper-SRX> show configuration policy-options | hold
This will pull up all the IP addresses in your ThreatSTOP prefix rules. Find the ThreatSTOP-block-XX groups. The lower-level groups tend to contain the individual IPs (/32) that are being blocked by our system. You have now verified that your system can pull IPs from our database. Take note of one of these IPs; you will use it for step 3.
- Are the IPs applied to firewall rules?
This is a simple
root@Juniper-SRX> show configuration firewall filter ThreatSTOP
which should result in something similar to: (Please note that ThreatSTOP is the default filter name for the ThreatSTOP installation. If you changed the name of the filter, use that name in the above command.)
- Do the blocked IPs get logged?
Now run:
root@Juniper-SRX> show configuration system syslog
and the output should be similar to:
In this case, the file 12.10.10.146.log is the name of the log file. Then run:
root@Juniper-SRX% ls -l /cf/var/log
and note the size of the log file, in this case 12.10.10.146.log. Run a ping to the IP address you wrote down from your ThreatSTOP-block-XX group. You should get 100% packet loss. To see if the block has been logged, you can now run
root@Juniper-SRX% ls -l /cf/var/log
again to check that the log file has grown in size.
- Can the logs be uploaded to our database?
Unlike most other devices, Juniper has a function that allows syslogs to be uploaded to an FTP site, as we saw in the syslog configuration. We will now temporarily change the transfer interval to Juniper's minimum of five minutes. Please note that your log file name will be different on your device. You should run:
root@Juniper-SRX> configure
root@Juniper-SRX# edit system syslog file 12.10.10.146.log
[edit system syslog file 12.10.10.146.log]
root@Juniper-SRX# set archive transfer-interval 5
[edit system syslog file 12.10.10.146.log]
root@Juniper-SRX# commit confirmed 8
[edit system syslog file 12.10.10.146.log]
root@Juniper-SRX# exit
root@Juniper-SRX# exit
To verify the change has been committed:
root@Juniper-SRX> show configuration system syslog
After five minutes, you can check that a log rotation has run:
root@Juniper-SRX> exit
root@Juniper-SRX% ls -l /cf/var/log
You should notice something similar to:
where there are now multiple files beginning with, in this case, 12.10.10.146.log. The file ending in .0.gz is the most recently rotated and uploaded file. Because the change was made with commit confirmed 8, the original transfer interval will revert after 8 minutes.
- Can 1-4 be done automatically?
As we have seen from the previous test, logs are uploaded at regular intervals. To see whether the Juniper device can update its filters should there be a change in your policy, you can run:
root@Juniper-SRX% crontab -l
with a result similar to:
To make sure the script can run, copy the command from the crontab entry and run it in DEBUG mode:
root@Juniper-SRX% /bin/sh /root/ts-jfilter/tsupdate.sh DEBUG
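Step 1 above asks you to find a /32 entry in a ThreatSTOP-block-XX group by reading the policy-options output by eye. The following is an added example (not part of the ThreatSTOP installation or its scripts) that parses saved `show configuration policy-options` output and picks out those host entries automatically; it assumes the groups are rendered as standard Junos prefix-lists named ThreatSTOP-block-XX, and the sample configuration below is constructed for illustration. It also skips entries Junos marks as `inactive:`, since those are not enforced and would not be useful for the ping test in step 3.

```python
import ipaddress
import re

# Constructed sample of `show configuration policy-options` output.
# Group names follow the ThreatSTOP-block-XX pattern assumed above;
# the addresses are documentation ranges, not real feed data.
SAMPLE_CONFIG = """\
policy-options {
    prefix-list ThreatSTOP-block-01 {
        192.0.2.10/32;
        198.51.100.0/24;
    }
    prefix-list ThreatSTOP-block-02 {
        203.0.113.7/32;
        inactive: 203.0.113.9/32;
    }
    prefix-list corp-allow {
        10.0.0.0/8;
    }
}
"""

PREFIX_LIST_RE = re.compile(r"^\s*prefix-list\s+(\S+)\s*\{\s*$")
PREFIX_RE = re.compile(r"^\s*([0-9a-fA-F.:/]+);\s*$")


def parse_prefix_lists(config_text):
    """Return {prefix-list name: [prefix, ...]} from Junos config text.

    Deactivated entries (shown by Junos with an `inactive:` marker) are
    skipped because the firewall does not enforce them."""
    lists, current = {}, None
    for line in config_text.splitlines():
        m = PREFIX_LIST_RE.match(line)
        if m:
            current = m.group(1)
            lists[current] = []
            continue
        if current is None or line.strip().startswith("inactive:"):
            continue
        if line.strip() == "}":
            current = None
            continue
        m = PREFIX_RE.match(line)
        if m:
            ipaddress.ip_network(m.group(1))  # raises ValueError on a malformed entry
            lists[current].append(m.group(1))
    return lists


def threatstop_block_hosts(config_text):
    """Single-host (/32 or /128) entries from ThreatSTOP-block-* lists, ordered by group."""
    hosts = []
    for name, prefixes in sorted(parse_prefix_lists(config_text).items()):
        if not name.startswith("ThreatSTOP-block-"):
            continue
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if net.num_addresses == 1:
                hosts.append(str(net.network_address))
    return hosts
```

Any of the returned addresses can serve as the IP you note down for the ping test in step 3.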
You have now completed the Juniper testing activities. Should any of the steps not work, please email support@threatstop.com.