
CLI Command Reference Guide

Copyright© 2018, Juniper Networks, Inc.

99

set (diagnosis mode)

set protocols (collector mode)

Table 5-17  set

Description
Sets the logging levels for Juniper ATP Appliance components from diagnosis mode.
See Also: set (server mode); set proxy (collector mode)

Product(s) CLI
All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine

Mode(s)
diagnosis

Syntax
set logging

Parameters
all        Sets logging for all Juniper ATP Appliance components.
default    Sets logging to the default parameters.
debug      Sets logging at the debug level.
info       Sets logging at the info level.
warning    Sets logging at the warning level.
error      Sets logging at the error level.
critical   Sets logging at the critical level.

Example
The following example sets the default logging level for all Juniper ATP Appliance components.

JATP# set logging all

Table 5-18  set protocols

Description
Enables and disables the HTTP or SMB parser for a Traffic Collector.
See Also: show protocols command in show (collector mode)

Product(s) CLI
All-in-One | Collector

Mode(s)
collector

Syntax
(collector)# set protocols {http [on|off] | smb [on|off]}

Example
The following example enables the SMB parser for lateral detections:

hostname (collector)# set protocols smb on

Summary of Contents for Advanced Threat Prevention Appliance

Page 1: ...Juniper Advanced Threat Prevention Appliance CLI Command Reference Guide Release 5 0 March 2018 ...

Page 2: ...Guide Copyright 2018 Juniper Networks Inc All rights reserved The information in this document is current as of the date on the title page YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant Junos OS has no known time related limitations through the year 2038 However the NTP application is known to have some difficulty in the year 2036 END USER LICENSE AGREEMEN...

Page 3: ...ssing the CLI 3 Hardware Appliance Access via the Console 3 Configuration Wizard Command Prompt Progressions 4 Hardware Software and Virtual Appliance Access via SSH 6 CLI Help and Keyboard Shortcuts 6 CLI Modes 7 All in One CLI Commands Basic Mode Commands 9 CM Commands 10 Core Mode Commands 10 Server Mode Commands 10 Collector Mode Commands 10 Diagnosis Mode Commands 11 All in One CLI Commands 1...

Page 4: ...etupcheck 30 show collector mode 31 show core mode 32 show diagnosis mode 33 shutdown 34 traceroute 34 upgrade 34 updateimage 35 wizard 35 Configuration Wizard for the All in One Server 36 Core CM Server CLI Commands Basic Mode Commands 37 CM Commands 37 Core Mode Commands 38 Server Mode Commands 38 Diagnosis Mode Commands 38 CoreCM CLI Commands 39 capture start 39 cm 39 core 40 copy 41 diagnosis ...

Page 5: ... Mac OS X Detection Engine CLI Commands 65 capture start 65 copy 65 core 66 diagnosis 66 exit 67 gssreport 67 help 68 history 69 ifrestart 69 ping 70 reboot 70 restart 70 restore 72 server 72 set server mode 74 set diagnosis mode 76 setupcheck 77 show core mode 77 show diagnosis mode 78 show server mode 79 shutdown 81 traceroute 81 updateimage 81 upgrade 83 wizard 83 Configuration Wizard Command P...

Page 6: ...tore 96 server 97 set proxy collector mode 97 set honeypot collector mode 98 set diagnosis mode 99 set protocols collector mode 99 set server mode 100 set traffic filter collector mode 102 set traffic monitoring for JATP700 Appliances only collector mode 102 setupcheck 103 show collector mode 104 show diagnosis mode 105 show server mode 106 shutdown 108 traceroute 108 wizard 108 Configuration Wiza...

Page 7: ...e understanding of our JTAC procedures and policies review the JTAC User Guide located at http www juniper net us en local pdf resource guides 7100059 en pdf Product warranties For product warranty information visit http www juniper net support warranty JTAC hours of operation The JTAC centers have resources available 24 hours a day 7 days a week 365 days a year Self Help Online Tools and Resource...

Page 8: ...ntsearch juniper net entitlementsearch Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone Use the Case Management tool in the CSC at http www juniper net cm Call 1 888 314 JTAC 1 888 314 5822 toll free in the USA Canada and Mexico For international or direct dial options in countries without toll free numbers see http www juniper net support requesting support html ...

Page 9: ...s setting configurations and defining system level settings for Collector and Detection Engine interfaces and network deployment services Chapter 3 Core CM Server CLI Commands Provides information about commands available to the Core and Central Manager for all hardware appliance software appliance and virtual appliance models including the commands used to manage Detection Engines and Juniper ATP...

Page 10: ... SIEM Juniper ATP Appliance Safety and Regulatory Guide Contains conformance and safety information for Juniper ATP Appliances Juniper ATP Appliance API Reference Guide Provides Juniper ATP Appliance HTTP API functions and information about usage Table 4 1 Typographical Conventions Convention Meaning Example courier font Coding examples and text to be entered at the command prompt Enter the follow...

Page 11: ...nce Access via the Console To access the Juniper ATP Appliance CLI using the console port 1 Connect your computer s serial port to the DB 9 console port on the Juniper ATP Appliance 2 Open a terminal program such as Console on Mac OS X HyperTerminal on Windows or Minicom on Linux 3 Configure the terminal program serial communication settings as follows Bits per second 960 Data bits 8 Stop bit 1 Pa...

Page 12: ...ng the form 255 255 255 0 c Enter a gateway IP address d Enter the DNS server IP address e If yes enter the IP address of the secondary DNS server f Enter yes if you want DNS lookups to use a specific domain g Enter space domain s separated by spaces for example example com lan com dom2 com Enter yes to restart with the new configuration settings applied Westronglydiscourage the use of DHCP addres...

Page 13: ...ce Enter the eth2 netmask Enter the gateway IP address Enter the primary DNS server IP Address for the alternate exhaust eth2 interface Enter yes or no to confirm or deny an eth2 secondary DNS server Enter yes or no to indicate whether you want to enter search domain Refer to Configuring an Alternate Analysis Engine Interface in the Juniper ATP Appliance Operator s Guide for more information Enter...

Page 14: ...keyword to display command matches for auto completions You can enter commands in abbreviated form if you enter enough characters to uniquely identify each keyword For example the show interface command can be abbreviated as sh in Enter the following server attributes Is this a Central Manager device Device Name must be unique Device Description Device Key PassPhrase NOTE Remember this passphrase ...

Page 15: ... characters are typed to uniquely identify it Recall Ctrl P or Retrieve previous command from CLI history Ctrl N or Retrieve next command from CLI history Ctrl L or Ctrl R Clear the screen or Redisplay the current command line Delete Ctrl D Delete character Ctrl H Delete character before cursor Backspace Ctrl K Delete all characters from cursor to end of line Ctrl U or Ctrl W Delete all characters...

Page 16: ...sic mode The prompt changes to indicate the mode in parentheses JATP_Hostname collector JATP_Hostname collector Enter exit to leave server mode Diagnosis Packet Capture Monitoring GSS Reporting and Configuration Mode Check Initial Setup Diagnose Monitor Set GSS and Configure the Juniper ATP Appliance includes all commands To access Diagnosis mode enter diagnosis in Basic mode The prompt changes to...

Page 17: ...tes in CLI commands Basic Mode Commands Use general system commands to configure the appliance view appliance history enter other CLI modes obtain help with CLI syntax and to exit the CLI session The general commands are cm on page 12 core on page 13 collector on page 12 diagnosis on page 14 exit on page 14 help on page 16 history on page 17 server on page 20 wizard on page 35 Refer to the section...

Page 18: ... page 19 restore on page 20 set ip interface server mode on page 26 set system alert server mode on page 29 set server mode on page 27 shutdown on page 34 shutdown on page 34 traceroute on page 34 Collector Mode Commands exit on page 14 help on page 16 history on page 17 set honeypot collector mode on page 22 set traffic monitoring for JATP700 Appliances only collector mode on page 22 set traffic ...

Page 19: ...ts packet capture as a means for diagnosing and debugging network traffic and obtaining stats See Also diagnosis mode collector mode copy Product s CLI All in One Collector Mode s Diagnosis Syntax capture start Parameters IP address interface_name Sub Commands None Example The following example starts a packet capture process on interface eth1 for a Traffic Collector with IP address 8 8 8 8 hostna...

Page 20: ...it help history upgrade Example The following command example enters cm configuration mode hostname cm hostname cm Table 2 3 collector Description Enters the Collector configuration mode See Also server mode Product s CLI All in One Collector Mode s Basic Syntax collector Parameters None Sub Commands exit help history set server mode show collector mode Example The following example enters collect...

Page 21: ...name username destination_host destination_folder traceback tab ALL string URI as user hostname path Parameters copy capture scp remote filename_location copy traceback ALL filename copy traceback tab tab displays all available crash filenames Sub Commands None Example The following example copies the file Eth1 txt from the local host to a remote host hostname diagnosis copy capture Eth1 txt admin...

Page 22: ...mands capture start copy exit gssreport help history set server mode setupcheck show diagnosis mode shutdown Example The following example enters diagnosis configuration and status check mode hostname diagnosis hostname diagnosis Table 2 7 exit Description Ends the CLI session Product s CLI All in One Collector Core CM Mac Mini OS X Detection Engine Mode s Basic Core Collector Diagnosis Server Syn...

Page 23: ... Parameters status displays the status of the current GSS report submit submits a report to Juniper ATP Appliance GSS Sub Commands None Example The following examples display the status of a GSS report submission hostname diagnosis hostname diagnosis gssreport submit Successfully started GSS report hostname diagnosis gssreport status GSS is currently enabled Last 5 minute GSS report at 2015 07 28 ...

Page 24: ...lowing keys both perform auto completion for the current command line If the command prefix is not unique then the bell will ring and a subsequent repeat of the key will display possible completions enter Auto completes syntax checks then executes a command If there is a syntax error then offending part of the command line will be highlighted and explained tab Auto completes space Auto completes o...

Page 25: ... The following examples returns command line history for the current CLI session JATP core history Table 2 11 ifrestart Description Restarts the interface driver and services using the interface Product s CLI All in One Core CM Mac Mini OS X Detection Engine Mode s Server Syntax ifrestart eth0 eth1 Parameters Example The following example restarts the eth0 interface for the management network Fire...

Page 26: ... 84 bytes of data 64 bytes from 10 10 10 1 icmp_req 1 ttl 64 time 0 314 ms 64 bytes from 10 10 10 1 icmp_req 2 ttl 64 time 0 277 ms 64 bytes from v icmp_req 3 ttl 64 time 0 274 ms 10 10 10 1 ping statistics 3 packets transmitted 3 received 0 packet loss time bbbb1999ms rtt min avg max mdev 0 274 0 288 0 314 0 022 ms Table 2 13 reboot Description Reboots the Juniper ATP Appliance Product s CLI All ...

Page 27: ... Parameters Example The following example restarts the Central manager service JATP restart cm all Restarts all Juniper ATP Appliance services behaviorengine Restarts the Behavioral Analysis Engine cm Restarts the Central Manager Web UI service collector Restarts the Collector service core Restarts the Core Detection Engine correlationengine Restarts the Correlation Engine database Restarts the Da...

Page 28: ...ord Restore the default support password Yes No yes support password was restored successfully Table 2 16 server Description Enters the server configuration mode See Also collector Product s CLI All in One Collector Core CM Mac Mini Mac OS X Mode s Basic Syntax server Sub Commands exit help history ifrestart ping reboot restore set server mode upgrade Whitelist rules rely on normal service shutdow...

Page 29: ...CLI Command Reference Guide Copyright 2018 Juniper Networks Inc 21 Example The following example enters server configuration mode hostname server hostname server Table 2 16 server ...

Page 30: ... in One Collector Mode s collector Syntax collector set honeypot ssh honeypot enable dhcp collector set honeypot ssh honeypot enable address IP address netmask subnet IP gateway IP address collector set honeypot ssh honeypot disable Example The following example enables the SMB parser for lateral detections collector set honeypot ssh honeypot enable address 1 2 3 4 netmask 255 255 0 0 gateway 1 2 ...

Page 31: ...0 16 20 0 0 2 90 120 tcp where destination address is 20 0 0 2 destination port is 120 protocol is tcp source address is 10 2 0 0 16 and source port is 90 in our example Table 2 20 set protocols Description Enables and disables the HTTP or SMB parser for a Traffic Collector See Also show protocols command in show collector mode Product s CLI All in One Collector Mode s collector Syntax collector s...

Page 32: ... XFF feature in the proxy setting if desired See Also set server mode set proxy command for management network set diagnosis mode NOTE The mitigation IP address of a CNC server is not be available for Inside proxy deployments When a Juniper ATP Appliance is deployed behind a proxy the Mitigation Firewall page in the Juniper ATP Appliance Central Manager Web UI which typically displays the CNC serv...

Page 33: ...S X Detection Engine Mode s diagnosis Syntax set logging Parameters Example The following example sets the default logging level for all Juniper ATP Appliance components JATP set logging all all Sets logging for all Juniper ATP Appliance components default Sets logging to the default parameters debug Sets logging at the debug level info Sets logging at the info level warning Sets logging at the wa...

Page 34: ...lternate exhaust address netmask gateway Parameters Example The following example configures the management interface eth0 for a Juniper ATP Appliance Core device JATP server set ip interface management address 10 2 123 18 netmask 255 255 255 0 gateway 10 2 0 1 The following example configures the management interface eth0 using DHCP JATP server set ip interface management dhcp This example config...

Page 35: ... mode set proxy command is a management network proxy tool for data path Collector proxy configurations refer to set proxy collector mode autoupdate content software on off Turn on or off automatic product updates set autoupdate content on cli timeout secs Sets CLI timeout period in seconds 0 indicates no timeout clock Sets the current date and time cm address Sets the IP address of the Central Ma...

Page 36: ...e key password enter a string password Sets a new password for the CLI administrator proxy config all http enabled on off remove all http Config enable disable or remove all proxy configs or remove an HTTP specific proxy server TIP Tip Config the proxy for all protocols first and then change HTTP proxy as needed timezone string Sets the timezone for the device uipassword Sets a new admin password ...

Page 37: ...arameters are required in order to set the threshold for both the minimum traffic and time Parameters traffic the minimum traffic in KB interval the checking interval in minutes Example JATP server set system alert traffic 100 time 30 This example sets the system alert such that if the total monitored traffic of a collector within the last 30 minutes dips lower than 100KB then a system health aler...

Page 38: ...ll in One Core CM Mac Mini OS X Detection Engine Mode s diagnosis Syntax setupcheck all report basic analysis Parameters Example The following example checks all basic configuration settings as well as the analysis pipeline JATP diagnosis setupcheck all all Checks both basic settings and analysis pipelin report Shows report of last setupcheck basic Checks basic configuration settings analysis Chec...

Page 39: ...r collector02 collector show traffic filter Name CustomRule2 Domain headqtrs example com The following example displays the current SMB protocol parser setting collector02 collector show protocols The following example displays the current honeypot configuration collector02 collector show honeypot ssh honeypot Table 2 28 show collector mode Description Display the currently selected traffic monito...

Page 40: ...f Last Hit URI1 10 Wed Sep 2 18 16 55 2015 URI2 10 Wed Sep 2 18 16 55 2015 URI3 10 Wed Sep 2 18 16 55 2015 greatfilesarey 49 Wed Sep 2 18 20 00 2015 The following example shows how to get the alternate exhaust interface eth2 status JATP core show alternate exhaust interface images Displays guest image update and status information whitelist Displays the name hit count and the time of last hit of a...

Page 41: ...0 07 00 Install Date 2013 11 14 09 25 39 08 00 This example displays the log error traceback JATP diagnosis show log error traceback cr device collectorstatus corestatus slavecorestatus Display connected device statistics for Traffic Collector CoreCM or Mac Mini Detection Engine Secondary slave core protocol web email Displays the session counts for network web or email protocols objects Displays ...

Page 42: ...er Collector Syntax traceroute Parameters Example The following example performs a traceroute of the named device JATP traceroute h 2 MacMininOSX Engine Table 2 32 upgrade Description Upgrade Juniper ATP Appliance software for the Core CM device or vCore and all connected physical or virtual devices Product s CLI All in One Core CM Mode s cm Syntax upgrade URI as user hostname path Parameters Exam...

Page 43: ...pdateimage built in Installing image SC XP 20150617 img Previous version of SC XP 20150617 img exists Checking integrity Image SC XP 20150617 img is already installed Installing image SC W7 20150521 img Previous version of SC W7 20150521 img exists Checking integrity Image SC W7 20150521 img is already installed Table 2 34 wizard Description Enters the Configuration Wizard For Configuration Wizard...

Page 44: ... configuration settings applied Enter a valid hostname Type a hostname when prompted do not include the domain for example JuniperATP1 OPTIONAL If the system detects a Secondary Core with an eth2 port then the alternate CnC exhaust option is displayed Use alternate exhaust for the analysis engine exhaust traffic Yes No Enter IP address for the alternate exhaust eth2 interface Enter netmask for the...

Page 45: ... system commands to configure the appliance view appliance history enter other CLI modes obtain help with CLI syntax and to exit the CLI session The general commands are cm on page 39 core on page 40 diagnosis on page 41 exit on page 42 help on page 43 history on page 44 server on page 48 wizard on page 59 Refer to the respective sections in this guide to review Diagnosis Mode CM Mode Collector Mo...

Page 46: ... page 43 history on page 44 ifrestart on page 44 ping on page 45 reboot on page 45 restart on page 45 restore on page 47 set server mode on page 50 server on page 48 show server mode on page 55 shutdown on page 58 traceroute on page 58 upgrade on page 58 Diagnosis Mode Commands capture start on page 39 copy on page 41 exit on page 42 gssreport on page 42 help on page 43 history on page 44 set diag...

Page 47: ...meters IP address interface_name Sub Commands None Example The following example starts a packet capture process on interface eth1 for a Juniper ATP Appliance with IP address 8 8 8 8 hostname diagnosis hostname diagnosis capture start 8 8 8 8 eth1 NOTE Address 8 8 8 8 need not be a Juniper ATP Appliance It is just a host that the capture filters on Table 3 2 cm Description Enters cm Central Manage...

Page 48: ... Description Enters core mode See Also basic mode Product s CLI All in One Collector Core Mac OS X Detection Engine Mode s Basic Syntax core Parameters None Sub Commands exit help history set show updateimage Example The following command example enters core configuration mode hostname core hostname core ...

Page 49: ...ocation copy traceback all path string copy traceback tab tab displays all available crash filenames Sub Commands None Example The following example copies the file captureEth1 txt from the local host to a remote host hostname diagnosis copy capture scp captureEth1 txt admin remotehost edu some remote directory Table 3 5 diagnosis Description Enters the Diagnosis configuration and status check mod...

Page 50: ... See Also gssreport diagnosis mode Product s CLI All in One Collector Core CM Mac OS X Detection Engine Mode s diagnosis Syntax gssreport status submit Parameters status displays the status of the current GSS report submit submits a report to Juniper ATP Appliance GSS Sub Commands None Example The following examples display the status of a GSS report submission hostname diagnosis hostname diagnosi...

Page 51: ...keys both perform auto completion for the current command line If the command prefix is not unique then the bell will ring and a subsequent repeat of the key will display possible completions enter Auto completes syntax checks then executes a command If there is a syntax error then offending part of the command line will be highlighted and explained tab Auto completes space Auto completes or if th...

Page 52: ...None Example The following examples returns command line history for the current CLI session JATP history Table 3 10 ifrestart Description Restarts the interface driver and services using the interface Product s CLI All in One Core CM Mac Mini OS X Detection Engine Mode s Server Syntax ifrestart eth0 eth1 Parameters Example The following example restarts the eth0 interface for the management netwo...

Page 53: ... 1 icmp_req 1 ttl 64 time 0 314 ms 64 bytes from 10 10 10 1 icmp_req 2 ttl 64 time 0 277 ms 64 bytes from v icmp_req 3 ttl 64 time 0 274 ms 10 10 10 1 ping statistics 3 packets transmitted 3 received 0 packet loss time bbbb1999ms rtt min avg max mdev 0 274 0 288 0 314 0 022 ms Table 3 12 reboot Description Reboots the Juniper ATP Appliance Product s CLI All in One Collector Core CM Mac Mini OS X D...

Page 54: ... restarts the Central manager service JATP restart cm Table 3 13 restart all Restarts all Juniper ATP Appliance services behaviorengine Restarts the Behavioral Analysis Engine cm Restarts the Central Manager Web UI service collector Restarts the Collector service core Restarts the Core Detection Engine correlationengine Restarts the Correlation Engine database Restarts the Database ntpserver Resta...

Page 55: ...he default suppport password Yes No yes support password was restored successfully support Restores the default support password setting for SSH remote login set during initial installation per license See also server set server mode support firewall backup default Restores the firewall settings from either the previous backup or from the default factory settings Whitelist rules rely on normal ser...

Page 56: ...restart ping reboot restore set server mode show server mode traceroute upgrade Whitelist rules rely on normal service shutdown to be backed up Powering off a VM directly will lose the whitelist state as rules cannot be saved in that case Example The following example enters server configuration mode hostname server hostname server Table 3 17 set system alert Description Configure the traffic thre...

Page 57: ... the total monitored traffic of a collector within the last 30 minutes dips lower than 100KB then a system health alert will be generated and users will receive an email notification of the alert if email notifications are configured for system health events By default this alert is disabled and users must set the minimum traffic and interval in order to enable it Also note that all bytes seen on ...

Page 58: ...ig enabled remove timezone string uipassword Parameters Note vCore for AWS does not use the following CLI commands set ip set hostname Users cannot set static IP address or change the hostname directly on an EC2 AWS instance See columns below autoupdate content software on off Turn on or off automatic product updates set autoupdate content on cli secs Sets CLI period in seconds 0 indicates no time...

Page 59: ... IP address netmask or default gateway or enables DHCP for the management or alternate exhaust interface ntpserver Sets the Network Time Protocol NTP server passphrase string Sets the device key password enter a string password Sets a new password for the CLI administrator proxy config all http enable on off remove all http Config enable disable or remove all proxy configs or remove an HTTP specif...

Page 60: ...n settings and analysis pipeline setup Product s CLI All in One Core CM Mac Mini OS X Detection Engine Mode s diagnosis Syntax setupcheck all report basic analysis Parameters Example The following example checks all basic configuration settings as well as the analysis pipeline JATP diagnosis setupcheck all all Sets logging for all Juniper ATP Appliance components default Sets logging to the defaul...

Page 61: ...me of Last Hit URI1 10 Wed Sep 2 18 16 55 2015 URI2 10 Wed Sep 2 18 16 55 2015 URI3 10 Wed Sep 2 18 16 55 2015 greatfilesarey 49 Wed Sep 2 18 20 00 2015 The following example shows how to get the alternate exhaust interface eth2 status JATP core show alternate exhaust interface images Displays guest image update and status information whitelist Displays the name hit count and the time of last hit ...

Page 62: ...2014 07 28 11 07 42 046000 07 00 Install Date 2013 11 14 09 25 39 08 00 device collectorstatus corestatus slavecorestatus Display connected device statistics for Traffic Collector CoreCM or Mac Mini Detection Engine Secondary slave core protocol web email Displays the session counts for network web or email protocols objects Displays the current number of file objects logging Displays the currentl...

Page 63: ...ces support Show the remote SSH login support status description Show the server or system description devicekey Show the device key devicetype Show the device type dns Show the DNS servers settings eula Show the End User License Agreement firewall all whitelist Show the firewall configuration settings hostname Show the system s host name interface management monitoring alternate exhaust See Also ...

Page 64: ...verage CPU load in the system for running processes in the last 1 5 and 15 min intervals disk shows the disk space usage in the system memory shows the system memory usage show stats cpuload 0 06 0 13 0 13 system alert Shows the current set system alert settings timezone US Eastern US Central US Mountain Show the current timezone example set timezone US Pacific TIP set timezone tab shows options u...

Page 65: ... shows details about the Collector s monitoring interface eth1 CoreCM server show interface monitoring Interface monitoring eth1 Enabled Yes Link Yes IP Address unknown Mask unknown MTU 1500 MAC Address 90 d6 1f 22 70 g6 Speed 1000Mb s Duplex Full Auto negotiation Yes Medium Copper RX packets 1869032424 Bytes 1716560257902 Errors 0 Overruns 0 TX packets 409287 Bytes 44607401 Errors 0 Overruns 0 Tr...

Page 66: ...or an IP address Product s CLI All in One Collector Core CM Mac Mini OS X Detection Engine Mode s Server Syntax traceroute Parameters Example The following example performs a traceroute of the named device JATP traceroute h 2 MacMininOSX Engine Table 3 25 upgrade Description Upgrade Juniper ATP Appliance software for the Core CM device or vCore and all connected physical or virtual devices Product...

Page 67: ...age Parameters Example The following example performs a built in profile update for the Core detection engine JATP core updateimage built in Installing image SC XP 20140617 img Previous version of SC XP 20140617 img exists Checking integrity Image SC XP 20140617 img is already installed Installing image SC W7 20140521 img Previous version of SC W7 20140521 img exists Checking integrity Image SC W7...

Page 68: ...when prompted a IP address no CIDR format b Netmask c Enter a gateway IP address for this management administrative interface d Enter primary DNS server IP address e Do you have a secondary DNS Server Yes No f Do you want to enter the search domains g Enter the search domain separate multiple search domains by space Restart the administrative interface Yes No We strongly discourage the use of DHCP...

Page 69: ...e Operator s Guide for more information Enter yes to configure an alternate eth2 interface Enter the IP address for the eth2 interface Enter the eth2 netmask Enter the gateway IP address Enter the primary DNS server IP Address for the alternate exhaust eth2 interface Enter yes or no to confirm or deny an eth2 secondary DNS server Enter yes or no to indicate whether you want to enter search domain ...

Page 70: ...Juniper Advanced Threat Prevention Appliance 62 Copyright 2018 Juniper Networks Inc ...

Page 71: ...story enter other CLI modes obtain help with CLI syntax and to exit the CLI session The general commands are core on page 66 diagnosis on page 66 exit on page 67 help on page 68 history on page 69 server on page 72 wizard on page 83 Refer to the respective chapters in this guide to review Collector Mode Diagnosis Mode and Server Mode commands per device All in One Mac OS X Engine Traffic Collector...

Page 72: ...0 reboot on page 70 restart on page 70 restore on page 72 server on page 72 set server mode on page 74 show server mode on page 79 shutdown on page 81 traceroute on page 81 Diagnosis Mode Commands capture start on page 65 copy on page 65 exit on page 67 gssreport on page 67 help on page 68 history on page 69 set diagnosis mode on page 76 setupcheck on page 77 show diagnosis mode on page 78 ...

Page 73: ...8 8 8 8 need not be a Juniper ATP Appliance It is just a host that the capture filters on Table 4 2 copy Description Uses Secure Copy SCP to scp to copy and transfer packet capture or traceback crash data to a remote location providing the same authentication and level of security as an SSH transfer See Also diagnosis mode capture start Product s CLI All in One Collector Core Mac OS X Detection En...

Page 74: ... example enters core configuration mode hostname core hostname core Table 4 4 diagnosis Description Enters the Diagnosis configuration and status check mode See Also collector mode server mode Product s CLI All in One Collector Core Mac OS X Detection Engine Mode s Basic Syntax diagnosis Parameters None Sub Commands capture start copy exit gssreport help history set server mode setupcheck show dia...

Page 75: ...gssreport diagnosis mode Product s CLI All in One Collector Core CM Mac OS X Detection Engine Mode s diagnosis Syntax gssreport status submit Parameters status displays the status of the current GSS report submit submits a report to Juniper ATP Appliance GSS Sub Commands None Example The following examples display the status of a GSS report submission hostname diagnosis hostname diagnosis gssrepor...

Page 76: ...keys both perform auto completion for the current command line If the command prefix is not unique then the bell will ring and a subsequent repeat of the key will display possible completions enter Auto completes syntax checks then executes a command If there is a syntax error then offending part of the command line will be highlighted and explained tab Auto completes space Auto completes or if th...

Page 77: ...ollowing examples returns command line history for the current CLI session JATP history Table 4 9 ifrestart Description Restarts the interface driver and services using the interface Product s CLI All in One Core CM Mac Mini OS X Detection Engine Mode s Server Syntax ifrestart eth0 eth1 Parameters Example The following example restarts the eth0 interface for the management network JATPMAC server i...

Page 78: ... 10 10 10 1 icmp_req 1 ttl 64 time 0 314 ms 64 bytes from 10 10 10 1 icmp_req 2 ttl 64 time 0 277 ms 64 bytes from 10 10 10 1 icmp_req 3 ttl 64 time 0 274 ms 10 10 10 1 ping statistics 3 packets transmitted 3 received 0 packet loss time 1999ms rtt min avg max mdev 0 274 0 288 0 314 0 022 ms Table 4 11 reboot Description Reboots the Juniper ATP Appliance Product s CLI All in One Collector Core CM Mac Mi...

Page 79: ...rt all behaviorengine cm collector core correlationengine database ntpserver sshserver staticengine webserver Parameters Example The following example restarts the Central manager service JATP restart cm Table 4 12 restart all Restarts all Juniper ATP Appliance services database Restarts the Database ntpserver Restarts the NTP server sshserver Restarts the SSH server ...

Page 80: ...lt support password Yes No yes support password was restored successfully Table 4 14 server Description Enters the server configuration mode Product s CLI All in One Collector Core CM Mac Mini Mac OS X Mode s Basic Syntax server Sub Commands exit help history ifrestart ping reboot restore set server mode show server mode traceroute updateimage support Restores the default support password setting...

Page 81: ...CLI Command Reference Guide Copyright 2018 Juniper Networks Inc 73 Example The following example enters server configuration mode hostname server hostname server Table 4 14 server ...

Page 82: ...ock Sets the current date and time cm address Sets the IP address of the Central Manager and netmask using the slash notation example AAA BBB CCC DD x set support enable disable localmode Enables remote SSH login support account or localmode enable disable passphrase string Sets the device key password enter a string dns Sets the DNS servers or enable DHCP for DNS for the management interface eth0...

Page 83: ...roxy config all http enabled on off remove all http Config enable disable or remove all proxy configs or remove an HTTP specific proxy server Tip Config the proxy for all protocols first and then change HTTP proxy as needed timezone US Eastern US Central US Mountain Show the current timezone example set timezone US Pacific TIP set timezone tab shows options uipassword Sets a new admin password for...

Page 84: ...tection Engine Mode s diagnosis Syntax set logging Parameters Example The following example sets the default logging level for all Juniper ATP Appliance components JATP diagnosis set logging all all Sets logging for all Juniper ATP Appliance components default Sets logging to the default parameters debug Sets logging at the debug level info Sets logging at the info level warning Sets logging at th...

Page 85: ...meters Example The following example demonstrates the show images command usage JATP core show images The following example shows how to get the alternate exhaust interface eth2 status JATP core show alternate exhaust interface all Checks both basic settings and analysis pipelin report Shows report of last setupcheck basic Checks basic configuration settings analysis Checks the analysis pipeline i...

Page 86: ...tics for Traffic Collector CoreCM or Mac Mini Detection Engine Secondary core NOTE Not available from the Mac Mini CLI protocol web email Displays the session counts for network web or email protocols NOTE Not available from the Mac Mini CLI objects Displays the current number of file objects NOTE Not available from the Mac Mini CLI logging Displays the currently configured logging level See Also ...

Page 87: ...ow support status description Show the server or system description devicekey Show the device key devicetype Show the device type dns Show the DNS servers settings eula Show the End User License Agreement firewall all whitelist Show the firewall configuration settings hostname Show the system s host name interface management monitoring alternate exhaust Show information about the management admini...

Page 88: ...one Show the current timezone upgrade Show the last manual upgrade related information uuid Show the system UUID universally unique ID uptime Show how long the system has been running version Show Juniper ATP Appliance software and content security versions Example The following example displays information about the MacOSX cpuload statistics MacOSX server show stats cpuload 0 06 0 13 0 13 The fol...

Page 89: ... host name or an IP address Product s CLI All in One Collector Core CM Mac Mini OS X Detection Engine Mode s Server Syntax traceroute Parameters Example The following example performs a traceroute of the named device MacOSX1 traceroute h 2 MacMiniOSX2 Engine Description Update or correct the guest image OS profile used by the MAC OS X detection and analysis behavioral engine The updateimage comma...

Page 90: ...img Previous version of SC OSX 20131003 img exists Checking integrity Latest Image SC OSX 20131003 img is already installed Installing image SC XP 20140617 img Previous version of SC XP 20140617 img exists Checking integrity Image SC XP 20140617 img is already installed Installing image SC W7 20140521 img Previous version of SC W7 20140521 img exists Checking integrity Image SC W7 20140521 img is ...

Page 91: ...ready installed so in this case the upgrade command will again not be available from the Juniper ATP Appliance Mac OSX Engine CLI Product s CLI Mac Mini OS X Detection Engine Mode s Core Syntax upgrade Parameters Example The following example performs a built in Mac OS X profile update for the Mac Mini based Secondary core detection engine MAC2 core upgrade Table 4 24 wizard Description Enters the...

Page 92: ...to enter the search domains g Enter the search domain separate multiple search domains by space Restart the administrative interface Yes No We strongly discourage the use of DHCP addressing because it changes dynamically A static IP address is preferred Recommended Respond with no a Enter an IP address b Enter a netmask using the form 255 255 255 0 c Enter a gateway IP address d Enter the DNS serv...

Page 93: ...face Enter the IP address for the eth2 interface Enter the eth2 netmask Enter the gateway IP address Enter the primary DNS server IP Address for the alternate exhaust eth2 interface Enter yes or no to confirm or deny an eth2 secondary DNS server Enter yes or no to indicate whether you want to enter search domain Regenerate the SSL self signed certificate Yes No Enter yes to create a new SSL certif...

Page 94: ...Juniper Advanced Threat Prevention Appliance 86 Copyright 2018 Juniper Networks Inc ...

Page 95: ...it on page 91 help on page 92 history on page 93 server on page 97 wizard on page 108 Collector Mode Commands exit on page 91 help on page 92 history on page 93 set honeypot collector mode on page 98 set proxy collector mode on page 97 set proxy collector mode on page 97 set protocols collector mode on page 99 set traffic filter collector mode on page 102 show collector mode on page 104 CHAPTER 5 ...

Page 96: ... help on page 92 history on page 93 set diagnosis mode on page 99 setupcheck on page 103 show diagnosis mode on page 105 Server Mode Commands exit on page 91 help on page 92 history on page 93 ifrestart on page 93 ping on page 94 reboot on page 94 restart on page 94 restore on page 96 set server mode on page 100 show server mode on page 106 shutdown on page 108 traceroute on page 108 ...

Page 97: ...mmands None Example The following example starts a packet capture process on interface eth1 for a Traffic Collector with IP address 8 8 8 8 hostname diagnosis hostname diagnosis capture start 8 8 8 8 eth1 NOTE Note Address 8 8 8 8 need not be a Juniper ATP Appliance It is just a host that the capture filters on Table 5 2 collector Description Enters the Collector configuration mode See Also server...

Page 98: ... as user hostname path Parameters copy capture scp remote filename_location copy traceback all path string copy traceback tab tab displays all available crash filenames Sub Commands None Example The following example copies the file captureEth1 txt from the local host to a remote host hostname diagnosis copy capture scp captureEth1 txt admin remotehost edu some remote directory Table 5 4 diagnosis...

Page 99: ...sreport diagnosis mode Product s CLI All in One Collector Mac OS X Detection Engine Mode s diagnosis Syntax gssreport status submit Parameters status displays the status of the current GSS report submit submits a report to Juniper ATP Appliance GSS Sub Commands None Example The following examples display the status of a GSS report submission hostname diagnosis hostname diagnosis gssreport submit S...

Page 100: ...wing keys both perform auto completion for the current command line If the command prefix is not unique then the bell will ring and a subsequent repeat of the key will display possible completions enter Auto completes syntax checks then executes a command If there is a syntax error then offending part of the command line will be highlighted and explained tab Auto completes space Auto completes or ...

Page 101: ... The following examples returns command line history for the current CLI session JATP history Table 5 9 ifrestart Description Restarts the interface driver and services using the interface Product s CLI All in One Core CM Mac Mini OS X Detection Engine Mode s Server Syntax ifrestart eth0 eth1 Parameters Example The following example restarts the eth0 interface for the management network FireEye_na...

Page 102: ... 10 10 10 1 icmp_req 1 ttl 64 time 0 314 ms 64 bytes from 10 10 10 1 icmp_req 2 ttl 64 time 0 277 ms 64 bytes from 10 10 10 1 icmp_req 3 ttl 64 time 0 274 ms 10 10 10 1 ping statistics 3 packets transmitted 3 received 0 packet loss time 1999ms rtt min avg max mdev 0 274 0 288 0 314 0 022 ms Table 5 11 reboot Description Reboots the Juniper ATP Appliance Product s CLI All in One Collector Core CM Mac Mi...

Page 103: ...rt all behaviorengine cm collector core correlationengine database ntpserver sshserver staticengine webserver Parameters Example The following example restarts the Central manager service JATP restart cm Table 5 12 restart all Restarts all Juniper ATP Appliance services database Restarts the Database ntpserver Restarts the NTP server sshserver Restarts the SSH server ...

Page 104: ...ult JATP restore support password Restore the default support password Yes No yes support password was restored successfully support Restores the default support password setting for SSH remote login set during initial installation per license See also server set server mode support firewall backup default Restores the firewall settings from either the previous backup or from the default factory ...

Page 105: ...xy When configured the Juniper ATP Appliance Traffic Collector will monitor all traffic and correctly identify source and destination hosts for each link in the kill chain wherever the data allows for it Note that if the X Forwarded For header is provided in the HTTP request detection will identify threat targets when deployed outside of the proxy customers can choose to disable the XFF feature in...
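The proxy note above says the Traffic Collector uses the X-Forwarded-For header to identify the real threat target when it sits outside an HTTP proxy, and that the XFF feature can be disabled. The guide does not describe the appliance's internal logic, so the following is an added example (not Juniper's code) of how a collector-side resolver can apply that idea safely: the header is honoured only when the TCP peer is a proxy the operator has declared trusted, because any client can inject an arbitrary X-Forwarded-For value. The function names, the trusted-proxy list and the sample addresses are all assumptions.

```python
import ipaddress
from typing import Iterable, Optional


def _parse_ip(text: str):
    """Return an ip_address for one XFF hop, or None if it is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _in_networks(addr, networks) -> bool:
    return any(addr in net for net in networks)


def resolve_client_ip(peer_ip: str,
                      xff_header: Optional[str],
                      trusted_proxies: Iterable[str],
                      xff_enabled: bool = True) -> str:
    """Decide which address to record as the client (threat target) of a flow.

    Assumed policy (not the appliance's documented algorithm):
    - XFF feature disabled, or no header present: the TCP peer is the client.
    - Header present but the peer is NOT a trusted proxy: ignore the header,
      since a client talking to us directly can forge it.
    - Peer IS a trusted proxy: walk the header right-to-left, skipping hops
      that are themselves trusted proxies, and take the first untrusted hop.
      Stop trusting the header if an unparseable hop is met.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not xff_enabled or not xff_header:
        return str(peer)

    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    if not _in_networks(peer, trusted):
        return str(peer)  # header came from an untrusted source: spoofable

    hops = [_parse_ip(h) for h in xff_header.split(",")]
    for hop in reversed(hops):
        if hop is None:
            break  # garbage in the chain: fall back to the peer address
        if not _in_networks(hop, trusted):
            return str(hop)
    return str(peer)  # every hop was a trusted proxy; nothing better known


if __name__ == "__main__":
    # Constructed sample data: one internal proxy subnet, three requests.
    proxies = ["10.1.1.0/24"]
    samples = [
        ("10.1.1.1", "192.0.2.45, 10.1.1.1"),       # via trusted proxy
        ("203.0.113.7", "10.0.0.5"),                # direct client forging XFF
        ("10.1.1.1", "10.1.1.2, 10.1.1.3"),         # only proxy hops listed
    ]
    for peer, xff in samples:
        print(f"peer={peer:<13} xff={xff!r:<28} -> {resolve_client_ip(peer, xff, proxies)}")
```

Whether a deployment should honour XFF at all is exactly the choice the guide exposes as an enable/disable knob: inside the proxy (collector sees client addresses directly) the header adds nothing and only widens the spoofing surface; outside the proxy it is the only source of the real client address, but still only when the connecting peer is the proxy itself.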

Page 106: ...s that can be set for a honeypot Enable disable a honeypot Set a Static IP IP mask and gateway or DHCP of a publicly addressable inter face See Also show honeypot command in show collector mode Product s CLI All in One Collector Mode s collector Syntax collector set honeypot ssh honeypot enable dhcp collector set honeypot ssh honeypot enable address IP address netmask subnet IP gateway IP address ...

Page 107: ... set logging all Table 5 18 set protocols Description Enables and disables the HTTP or SMB parser for a Traffic Collector See Also show protocols command in show collector mode Product s CLI All in One Collector Mode s collector Syntax collector set protocols http on off smb on off Example The following example enables the SMB parser for lateral detections hostname collector set protocols smb on a...

Page 108: ...f the Central Manager and netmask using the slash notation example AAA BBB CCC DD x set support enable disable localmode Enables remote SSH login support account or localmode enable disable passphrase string Sets the device key password enter a string dns Sets the DNS servers or enable DHCP for DNS for the management interface eth0 firewall all backup flush whitelist add delete flush Backs up or f...

Page 109: ... proxy for all protocols first and then change HTTP proxy as needed for management network timezone Show the current timezone example set timezone US Pacific US Eastern US Central US Mountain TIP set timezone tab shows all options uipassword Sets a new Central Manager Web UI admin password Example The following example sets an IP address for the device management interface eth0 JATP set ip interfa...

Page 110: ...mple add a traffic filter rule to the Traffic Collector JATP collector02 collector set traffic rule add CustomRule2 headqtrs example com 10 2 0 0 16 20 0 0 2 90 120 tcp where destination address is 20 0 0 2 destination port is 120 protocol is tcp source address is 10 2 0 0 16 and source port is 90 in our example Table 5 21 set traffic monitoring Description Sets the traffic monitoring interface on ...
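The traffic filter example above spells out which positional field is which: rule name, domain, source network in slash notation, destination address, source port, destination port, protocol. As an added example (not the appliance's code), the block below parses a rule written in that order and evaluates flows against it, which is the check a practitioner would want before trusting that a filter really covers the traffic it was meant to. The field order is inferred from the page's one example, the Flow record and the treatment of the domain field (matched against an observed host name when one is available) are assumptions, and the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Flow:
    """One observed connection; host is the HTTP Host / SNI name if seen."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    host: Optional[str] = None


@dataclass(frozen=True)
class TrafficRule:
    name: str
    domain: str
    src_net: Network
    dst_net: Network
    src_port: int
    dst_port: int
    proto: str

    def matches(self, flow: Flow) -> bool:
        if flow.proto.lower() != self.proto:
            return False
        if flow.src_port != self.src_port or flow.dst_port != self.dst_port:
            return False
        if ipaddress.ip_address(flow.src_ip) not in self.src_net:
            return False
        if ipaddress.ip_address(flow.dst_ip) not in self.dst_net:
            return False
        # Assumed semantics: when the flow carries a host name, it must be the
        # rule's domain or a subdomain of it; flows without a name match on
        # addresses alone.
        if flow.host is not None:
            host = flow.host.lower().rstrip(".")
            if host != self.domain and not host.endswith("." + self.domain):
                return False
        return True


def _port(text: str) -> int:
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_rule(spec: str) -> TrafficRule:
    """Parse '<name> <domain> <src-net> <dst-addr> <src-port> <dst-port> <proto>'.

    A bare address (no prefix length) becomes a single-host network, which is
    how '20.0.0.2' in the guide's example is treated here.
    """
    parts = spec.split()
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}: {spec!r}")
    name, domain, src, dst, sport, dport, proto = parts
    return TrafficRule(
        name=name,
        domain=domain.lower().rstrip("."),
        src_net=ipaddress.ip_network(src, strict=False),
        dst_net=ipaddress.ip_network(dst, strict=False),
        src_port=_port(sport),
        dst_port=_port(dport),
        proto=proto.lower(),
    )


def first_matching_rule(rules: Iterable[TrafficRule], flow: Flow) -> Optional[str]:
    """Return the name of the first rule (in configured order) the flow matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name
    return None


if __name__ == "__main__":
    rule = parse_rule("CustomRule2 headqtrs.example.com 10.2.0.0/16 20.0.0.2 90 120 tcp")
    for flow in (Flow("10.2.7.9", 90, "20.0.0.2", 120, "tcp"),       # inside 10.2.0.0/16
                 Flow("10.3.0.1", 90, "20.0.0.2", 120, "tcp"),       # wrong source net
                 Flow("10.2.7.9", 90, "20.0.0.2", 120, "udp")):      # wrong protocol
        print(flow, "->", first_matching_rule([rule], flow))
```

The point worth checking against a real rule set is the single-host destination: because '20.0.0.2' parses as a /32, a filter meant to cover a whole server range silently matches only that one address unless the prefix length is given.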

Page 111: ...le 5 22 setupcheck Description Checks and reports on basic configuration settings and analysis pipeline setup Product s CLI All in One Core CM Mac Mini OS X Detection Engine Mode s diagnosis Syntax setupcheck all report basic analysis Parameters Example The following example checks all basic configuration settings as well as the analysis pipeline JATP diagnosis setupcheck all Table 5 21 set traffi...

Page 112: ...ettings collector02 collector show proxy inside Proxy IPs 10 1 1 1 The following example displays the current traffic filter collector02 collector show traffic filter Name CustomRule2 Domain headqtrs example com The following example displays the current SMB protocol parser setting collector02 collector show protocols traffic filter Shows all traffic filter rules protocols Shows current HTTP or SM...

Page 113: ...08 00 device collectorstatus corestatus slavecorestatus Display connected device statistics for Traffic Collector Core or Mac Mini Detection Engine Secondary core NOTE Not available from the Collector CLI protocol web email Displays the session counts for network web or email protocols NOTE Not available from the Collector CLI objects Displays the current number of file objects NOTE Not available ...

Page 114: ...the remote SSH login support status description Show the server or system description devicekey Show the device key devicetype Show the device type dns Show the DNS servers settings eula Show the End User License Agreement firewall all whitelist Show the firewall configuration settings hostname Show the system s host name interface Show information about the management administrative network inter...

Page 115: ...e in the system memory shows the system memory usage show stats cpuload 0 06 0 13 0 13 timezone Show the current timezone uptime Show how long the system has been running version Show software and content security versions Example The following example displays information about the All in One server device type All in One server show devicetype Device type cm core web_collector Table 5 25 show ...

Page 116: ...ctor Core CM Mac Mini OS X Detection Engine Mode s Server Collector Syntax traceroute Parameters Example The following example performs a traceroute of the named device JATP traceroute h 2 8 8 8 8 Table 5 28 wizard Description Enters the Configuration Wizard For Configuration Wizard commands and response see Configuration Wizard Command Prompt Progressions in the next section to see command prompt...

Page 117: ...an IP address b Enter a netmask using the form 255 255 255 0 c Enter a gateway IP address d Enter the DNS server IP address e If yes enter the IP address of the secondary DNS server f Enter yes if you want DNS lookups to use a specific domain g Enter search domain s separated by spaces for example example com lan com dom2 com Enter yes to restart with the new configuration settings applied Enter a...


Page 119: ...d immediately Collector Juniper ATP Appliance s Traffic inspection and object collection mechanism CnC server Command and control server that directs the operation of a botnet CLI Command line interface The Juniper ATP Appliance has a CLI interface for administering the appliance CM The Juniper ATP Appliance Central Manager component that has a web based graphical user interface Darkspace Currentl...

Page 120: ...tes an optimal path for traffic in a TCP IP network Sandbox mode A mode in which malware is permitted to run but results of the malware action are restricted to the virtual machine and not permitted to escape SNMP Simple Network Management Protocol Spyware A type of malware installed on computers that collects small pieces of information about user s it is spying on SSL Secure Sockets Layer TLS Tr...
