The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula/. By downloading, installing or using...
JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self service portal called the Customer Support Center (CSC) that provides you with the following features: •...
Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone. • Use the Case Management tool in the CSC at http://www.juniper.net/cm/. • Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
Related Documentation on page 2 About This Guide This guide describes the commands that make up the command-line interface (CLI) of the Juniper ATP Appliance. This guide is intended for system administrators responsible for deploying, operating, and maintaining the Juniper ATP Appliance.
Juniper ATP Appliance Release Notes— Describes the latest release of the Juniper ATP Appliance software. • Juniper ATP Appliance Quick Start Guides— Quick Starts describe how to install and initially configure a Juniper ATP Appliance; refer to the Quick Start for your device or model.
CHAPTER 1 Introduction This chapter explains how to use the Juniper ATP Appliance command line interface (CLI) to configure and administer a Juniper ATP Appliance. This chapter contains the following sections: • “Accessing the CLI” in the next section •...
Juniper Advanced Threat Prevention Appliance # wizard Configuration Wizard Command Prompt Progressions NOTE Enter CTRL-C to exit the Configuration Wizard at any time. If you exit without completing the configuration, you will be prompted again whether to run the Configuration Wizard.
CLI Help and Keyboard Shortcuts To display Juniper ATP Appliance CLI help, type the command help to display CLI keys and auto-completion usage. For context-sensitive help, alternatively, enter a “?” to display either a list of possible command completions with summaries, or the full syntax of the current command.
SPECIAL CHARACTER REQUIREMENT You must enclose non-alphabet characters in double quotes in CLI commands; for example: Juniper ATP Appliance(server)# set passphrase “kfe$nd#$^S” CLI Modes The CLI commands that you can enter depend on your user privileges and the CLI command mode. User roles are “admin”...
Note that the prompt in each mode includes the host name of the Juniper ATP Appliance. Table 1-2 Summary of CLI Modes. Basic Mode: Monitor system operation and issue basic system commands. How to exit: enter exit to log out.
CHAPTER 2 All-in-One CLI Commands This chapter describes the administration commands for a Juniper ATP Appliance All-in-One server appliance, software appliance or virtual appliance. These commands are used to configure the Juniper ATP Appliance All-in-One appliance, manage configurations, and set system-level settings for interfaces, network services, and SIEM integration.
CM Commands • exit on page 14 • help on page 16 • history on page 17 • upgrade on page 34 Core Mode Commands • exit on page 14 • help on page 16 •...
Table 2-2 cm. Description: Enters cm (Central Manager) mode. See Also: basic [mode]. Product(s): CLI All-in-One | Core. Mode(s): Basic. Syntax: cm. Parameters: None. Sub-Commands: exit | help | history | upgrade. The following command example enters cm configuration mode:...
CLI Command Reference Guide gssreport Table 2-8 gssreport. Description: Use the gssreport command to submit reports to Juniper Global Security Services (GSS), and to display the status of the current GSS report. See Also: gssreport; diagnosis [mode]. Product(s): CLI All-in-One | Collector | Mac OS X Detection Engine...
help Table 2-9 help. Description: Displays information about the CLI help system. Product(s): CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine. Mode(s): Basic | Core | Collector | Diagnosis | Server...
ping Table 2-12 ping. Description: Sends ICMP (Internet Control Message Protocol) echo request packets to a specified host name or IP address to verify that the destination is reachable over the network. Product(s): CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine...
restore Table 2-15 restore. Description: Restores the system configuration to the factory default settings. This will only reset the password to default temporarily. Product(s): CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine...
set honeypot (collector mode) Table 2-17 set honeypot Enables and disables the SSH-Honeypot feature for a Traffic Collector. A honeypot can be deployed within a customer network to detect network activity generated by malware attempting to infect or attack other machines in a local area network.
NOTE The mitigation IP address of a CNC server is not available for Inside proxy deployments. When a Juniper ATP Appliance is deployed behind a proxy, the Mitigation-> Firewall page in the Juniper ATP Appliance Central Manager Web UI (which typically displays the CNC server IP address to mitigate) will be empty.
Sets the Gateway IP address for the management interface or the optional alternate-exhaust network. The following example configures the management interface (eth0) for a Juniper ATP Appliance Core device: JATP (server)# set ip interface management address 10.2.123.18 netmask 255.255.255.0 gateway 10.2.0.1...
Table 2-24 set. hostname string: Sets the system’s host name. ip interface {management | alternate-exhaust} <dhcp |...: Sets the IP address, netmask, or default gateway, or enables DHCP for the management or alternate-exhaust interface.
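The guide's own example above pairs address 10.2.123.18 and netmask 255.255.255.0 with gateway 10.2.0.1, which is outside the resulting 10.2.123.0/24 subnet; a default gateway that is not on-link will not be reachable. The following is an added pre-flight check, not code from the guide or from Juniper: it validates the address/netmask/gateway triple locally before the set ip interface line is typed into the CLI. Whether the appliance itself rejects an off-subnet gateway is not stated on the page and is not assumed here.

```python
"""Added example (not from the Juniper ATP Appliance guide): sanity-check the
values for 'set ip interface <iface> address A netmask M gateway G' before
typing them at the appliance CLI.  Assumption: the gateway must lie inside
the subnet formed by A and M, which is what a normal on-link default route
requires."""
import ipaddress


def check_interface_config(address, netmask, gateway):
    """Return a list of problems; an empty list means the triple is consistent."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
    except ValueError as exc:
        return [f"invalid address/netmask: {exc}"]
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"invalid gateway: {exc}"]

    net = iface.network
    if net.prefixlen < 31:
        # /31 and /32 have no distinct network/broadcast addresses
        if iface.ip == net.network_address:
            problems.append(f"{address} is the network address of {net}")
        if iface.ip == net.broadcast_address:
            problems.append(f"{address} is the broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gateway} is not on the management subnet {net}")
    elif gw == iface.ip:
        problems.append("gateway equals the interface address")
    return problems


def build_set_ip_command(address, netmask, gateway, interface="management"):
    """Render the CLI line in the guide's syntax, but only if the triple checks out."""
    problems = check_interface_config(address, netmask, gateway)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"set ip interface {interface} address {address} "
            f"netmask {netmask} gateway {gateway}")


if __name__ == "__main__":
    # The guide's example values: the gateway is flagged as off-subnet.
    print(check_interface_config("10.2.123.18", "255.255.255.0", "10.2.0.1"))
    print(build_set_ip_command("10.2.123.18", "255.255.255.0", "10.2.123.1"))
```

Run it with the guide's values and the check reports the off-subnet gateway; with a gateway inside 10.2.123.0/24 it returns the ready-to-paste command line.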
show (core mode) Table 2-1. Description: Displays the guest image(s) status or whitelist statistics. See Also: shutdown; show (diagnostic mode). Product(s): CLI All-in-One | Core CM | Mac Mini OS X Detection Engine. Mode(s): Core...
show (diagnosis mode) Table 2-29 show. Description: Displays logs and tracebacks for Juniper ATP Appliance components from diagnosis mode (the logging level itself is set with set logging in diagnosis mode). See Also: shutdown; show (core mode). Product(s): CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine...
The following example performs a traceroute of the named device. Example JATP# traceroute -h 2 MacMininOSX-Engine upgrade Table 2-32 upgrade. Description: Upgrade Juniper ATP Appliance software for the Core/CM device or vCore, and all connected physical or virtual devices. Product(s): CLI All-in-One | Core CM. Mode(s) upgrade <URI as user@hostname:path>...
Description: The updateimage command updates the guest images from the Juniper ATP Appliance update servers or from a USB drive attached to the Juniper ATP Appliance. Product(s): CLI All-in-One | Core-CM | Mac Mini OS X Detection Engine...
JuniperATP1 [OPTIONAL] If the system detects a Secondary Core with an eth2 port, then the alternate CnC exhaust option is displayed:... Refer to “Configuring an Alternate Analysis Engine Interface” in the Juniper ATP Appliance Operator’s Guide for more information.
CHAPTER 3 Core/CM Server CLI Commands This chapter describes the commands available for Juniper ATP Appliance Core/CM or vCore servers. These commands are used to configure devices and software, manage security events, and show system information and status. You must enclose non-alphabet characters in double quotes in CLI commands.
Core Mode Commands • exit on page 42 • help on page 43 • history on page 44 • set (core mode) on page 48 • show (core mode) on page 53 • updateimage on page 59 Server Mode Commands •...
Juniper ATP Appliance with IP address 8.8.8.8: hostname # diagnosis hostname (diagnosis)# capture-start 8.8.8.8 eth1 NOTE Address 8.8.8.8 need not be a Juniper ATP Appliance; it is just the host that the capture filters on. Table 3-2 cm. Description: Enters cm (Central Manager) mode. See Also: basic [mode];...
JATP (diagnosis)# exit Example JATP# gssreport Table 3-7 gssreport. Description: Use the gssreport command to submit reports to Juniper Global Security Services (GSS), and to display the status of the current GSS report. See Also: gssreport; diagnosis [mode]. Product(s) CLI...
history Table 3-9 history Description Displays the current CLI session command line history. Product(s) CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine Mode(s) Basic | Core | CM | Collector | Diagnosis | Server...
3 packets transmitted, 3 received, 0% packet loss, time 1999ms rtt min/avg/max/mdev = 0.274/0.288/0.314/0.022 ms reboot Table 3-12 reboot Description Reboots the Juniper ATP Appliance. Product(s) CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine Mode(s) Server reboot...
Table 3-13 restart Product(s) CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine Mode(s) Server restart [all | behaviorengine | cm | collector | core | correlationengine | database | ntpserver | sshserver |...
set (core mode) Table 3-15 set. Description: Resets the Secondary Core UUID, if the virtual core is cloned. Product(s): CLI Core/CM (Virtual Core). Mode(s): Core (for Virtual Core configurations). Syntax: set id. Sub-Commands: None. The following example sets the Virtual Core appliance id:...
set (server mode) Table 3-18 set Description Configure the system settings. Product(s) CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine Mode(s) Server, See Also: set (diagnosis mode); set (core mode); show (core mode)
Sets logging at the warning level. error Sets logging at the error level. critical Sets logging at the critical level. The following example sets the default logging level for all Juniper ATP Appliance components. Example JATP(diagnosis)# set logging all setupcheck...
See Also: set (diagnosis mode) logging Parameters log error traceback Displays only the tracebacks (if any) generated by Juniper ATP Appliance OS process error logs. A traceback is a stack of functions that were executing when an error condition was encountered. log error last Displays n [1-1000] lines of the contents of the <integer: number of...
The following example performs a traceroute of the named device. Example JATP# traceroute -h 2 MacMininOSX-Engine upgrade Table 3-25 upgrade. Description: Upgrade Juniper ATP Appliance software for the Core/CM device or vCore, and all connected physical or virtual devices. Product(s): CLI All-in-One | Core CM. Mode(s) upgrade <URI as user@hostname:path>...
Table 3-25 upgrade The following example copies Juniper ATP Appliance software to the Core from a remote location defined by the path provided. Example CoreCM(cm)# upgrade admin@remoteHost.edu:some/remote/directory updateimage Table 3-26 updateimage Update or correct the guest-image OS profile used by the detection and analysis behavioral engine.
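The upgrade command pulls the software image from whatever host and path the user@hostname:path URI names, so the integrity of that staged file is the operator's responsibility. The following is an added example, not code from the guide or from Juniper: it verifies a staged image against a SHA-256 digest obtained out of band before the upgrade line is issued. The guide does not say where such a digest comes from; that it is published by the vendor alongside the image is an assumption, as are the file name and the constructed (empty) staging file used for the demonstration.

```python
"""Added example (not from the Juniper ATP Appliance guide): verify the image
staged on the SCP host before running 'upgrade user@hostname:path'.
Assumption: the expected SHA-256 digest was obtained from a trusted channel
separate from the SCP host (for instance the vendor download page)."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large image never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_staged_image(path, expected_sha256):
    """True only when the staged file's digest equals expected_sha256.

    The expected value is normalised and length-checked first so a truncated
    or pasted-with-whitespace digest cannot silently verify nothing."""
    expected = expected_sha256.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected digest must be 64 hex characters")
    return hmac.compare_digest(sha256_file(path), expected)


def upgrade_command_if_verified(path, expected_sha256, uri):
    """Return the CLI line to type (the guide's syntax) only if the image
    verified; otherwise None so a caller cannot proceed by accident."""
    if not verify_staged_image(path, expected_sha256):
        return None
    return f"upgrade {uri}"


def demo_constructed():
    """Self-contained run on a constructed, empty staging file: returns
    (verified_against_correct_digest, verified_against_tampered_digest)."""
    empty_sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    with tempfile.TemporaryDirectory() as staging:
        image = os.path.join(staging, "jatp-image.bin")  # assumed file name
        open(image, "wb").close()
        ok = verify_staged_image(image, empty_sha256)
        tampered = verify_staged_image(image, "0" * 64)
        cmd = upgrade_command_if_verified(image, empty_sha256,
                                          "admin@remoteHost.edu:some/remote/directory")
    return ok, tampered, cmd


if __name__ == "__main__":
    print(demo_constructed())
```

The digest comparison uses hmac.compare_digest rather than == so that the check does not leak position-of-first-mismatch timing; on a staging host that matters little, but it costs nothing to keep the habit.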
Table 3-27 wizard wizard Syntax Parameters None The following command starts the configuration wizard. Example hostname # wizard Configuration Wizard for the CoreCM Server NOTE Enter CTRL-C to exit the Configuration Wizard at any time. If you exit without completing the configuration, you will be prompted again whether to run the Configuration Wizard.
Enter a valid hostname. Type a hostname when prompted; do not include the domain; for example: Juniper ATP Appliance1 [OPTIONAL] If the system detects a Secondary Core with an eth3 port, then the alternate CnC exhaust option is displayed: Refer to “Configuring an Alternate Analysis Engine Interface” in the Juniper ATP Appliance Operator’s Guide for more information.
Server Mode Commands • exit on page 67 • help on page 68 • history on page 69 • ifrestart on page 69 • ping on page 70 • reboot on page 70 • restart on page 70 •...
# diagnosis hostname (diagnosis)# capture-start 8.8.8.8 eth1 NOTE Address 8.8.8.8 need not be a Juniper ATP Appliance; it is just the host that the capture filters on. copy Table 4-2 copy Uses Secure Copy (SCP) to copy and transfer packet capture or traceback...
JATP (diagnosis)# exit Example JATP# gssreport Table 4-6 gssreport. Description: Use the gssreport command to submit reports to Juniper ATP Appliance Global Security Services (GSS), and to display the status of the current GSS report. See Also: gssreport; diagnosis [mode]. Product(s) CLI...
help Table 4-7 help Description Displays information about the CLI help system. Product(s) CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine Mode(s) Basic | Server | Diagnosis help Syntax...
ping Table 4-10 ping. Description: Sends ICMP (Internet Control Message Protocol) echo request packets to a specified host name or IP address to verify that the destination is reachable over the network. Product(s): CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine...
Mode(s): Server. Syntax: restart [all | behaviorengine | cm | collector | core | correlationengine | database | ntpserver | sshserver | staticengine | webserver]. Parameters: all: Restarts all Juniper ATP Appliance services. database: Restarts the database. ntpserver: Restarts the NTP server.
restore Table 4-13 restore Description Restores the system configuration to the factory default settings. Product(s) CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine Mode(s) Server restore [support | firewall {backup | default} | hostname...
set (server mode) Table 4-15 server mode Description Configure the system settings. Product(s) CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine Mode(s) Server, See Also: set (diagnosis mode) set [autoupdate {on | off} | cli timeout secs | clock | cm address | support {on | off} | passphrase string | dns | firewall {all <backup | flush>...
show (diagnosis mode) Table 4-19 show. Description: Displays logs and tracebacks for Juniper ATP Appliance components from diagnosis mode (the logging level itself is set with set logging in diagnosis mode). See Also: show (server mode). Product(s): CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine...
Show the system UUID (universally unique ID). uptime Show how long the system has been running. version Show Juniper ATP Appliance software and content security versions. The following example displays information about the MacOSX cpuload statistics: MacOSX (server)# show stats cpuload (0.06, 0.13, 0.13) Example The following example requests details for the Collector’s monitoring interface...
shutdown Table 4-21 shutdown Description Shuts down the Juniper ATP Appliance server. Product(s) CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine Mode(s) Server shutdown Syntax Parameters None The following example performs a shutdown of the current device.
Parameters: built-in: Updates the guest-image on the Mac OSX Detection “Secondary core.” The following example performs a built-in Mac OS X profile update for the Mac Mini-based Secondary core detection engine. MAC2(core)# updateimage built-in Installing image SC-OSX-20131003.img...
Table 4-23 upgrade Upgrade a configured Juniper ATP Appliance Mac OSX Mac Mini device. If the Mac Mini has already been upgraded to Ubuntu 14.04, this upgrade command will not be visible at the CLI because it will not be needed.
Configuration Wizard Command Prompt Responses. Configuration Wizard Prompt: Use DHCP to obtain the IP address and DNS server address for the administrative interface (Yes/No)? Customer Response from the Mac Mini: We strongly discourage the use of DHCP addressing because it changes dynamically.
Required: Enter the IP address of the Juniper ATP Appliance Server Core/CM or All-in-One. Device Name: (must be unique) Enter a Juniper ATP Appliance Mac Mini or Core/CM Device Name; this identifies the Mac OS X or Core Engine in the Web UI.
CHAPTER 5 Traffic Collector CLI Commands This chapter describes the commands specific to the Juniper ATP Appliance Collector CLI. The available commands are as follows: Basic Mode Commands • collector on page 89 • diagnosis on page 90 • exit on page 91 •...
Diagnosis Mode Commands • capture-start on page 89 • copy on page 90 • exit on page 91 • gssreport on page 91 • help on page 92 • history on page 93 • set (diagnosis mode) on page 99 •...
Traffic Collector with IP address 8.8.8.8: hostname # diagnosis hostname (diagnosis)# capture-start 8.8.8.8 eth1 NOTE Address 8.8.8.8 need not be a Juniper ATP Appliance; it is just the host that the capture filters on. collector Table 5-2 collector Enters the Collector configuration mode.
copy Table 5-3 copy Uses Secure Copy (SCP) to copy and transfer packet capture or traceback (crash) data to a remote location, providing the same authentication and level of security as an SSH transfer.
Syntax status - displays the status of the current GSS report. Parameters submit - submits a report to Juniper ATP Appliance GSS. Sub-Commands None The following examples display the status of a GSS report submission: hostname # diagnosis hostname (diagnosis)# gssreport submit...
help Table 5-7 help Description Displays information about the CLI help system. Product(s) CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine Mode(s) Basic | Server | Collector | Diagnosis...
ping Table 5-10 ping. Description: Sends ICMP (Internet Control Message Protocol) echo request packets to a specified host name or IP address to verify that the destination is reachable over the network. Product(s): CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine...
Mode(s): Server. Syntax: restart [all | behaviorengine | cm | collector | core | correlationengine | database | ntpserver | sshserver | staticengine | webserver]. Parameters: all: Restarts all Juniper ATP Appliance services. database: Restarts the database. ntpserver: Restarts the NTP server.
restore Table 5-13 restore Description Restores the system configuration to the factory default settings. Product(s) CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine Mode(s) Server restore [support | firewall {backup | default} | hostname...
The mitigation IP address of a CNC server is not available for Inside proxy deployments. When a Juniper ATP Appliance is deployed behind a proxy, the Mitigation-> Firewall page in the Juniper ATP Appliance Central Manager Web UI (which typically displays the CNC server IP address to mitigate) will be empty.
Table 5-15 set proxy. Parameters: inside: Sets the inside proxy IP addresses. outside: Sets the outside proxy IP addresses. Adds a proxy configuration. remove: Removes a proxy configuration. The following example sets an inside data path proxy: JATP(collector)# set proxy inside 10.1.1.1 53...
Sets logging at the warning level. error Sets logging at the error level. critical Sets logging at the critical level. The following example sets the default logging level for all Juniper ATP Appliance components. Example JATP# set logging all set protocols (collector mode) Table 5-18 set protocols Enables and disables the HTTP or SMB parser for a Traffic Collector.
set (server mode) Table 5-19 set Description Configure the system settings. Product(s) CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine Mode(s) Server, See Also: set (diagnosis mode); set proxy (collector mode)
set traffic-filter (collector mode) Table 5-20 set traffic-filter Sets traffic filter rules so that matching traffic is excluded from analysis. Filtering is not retroactive: any analysis skipped because a filter matched cannot be recovered later.
show (collector mode) Table 5-23 show. Description: Displays the Traffic Collector’s current traffic filters and the current XFF status (enabled or disabled). Product(s): CLI All-in-One | Collector. Mode(s): Collector. Subcommands: traffic-filter | proxy | honeypot...
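When the Collector sits behind an inside proxy (set proxy inside, above) the address the Collector sees is the proxy's, and the real client can only be recovered from X-Forwarded-For, which is the XFF status that show (collector mode) reports. How the appliance itself evaluates that header is not documented on this page. The following is an added example, not code from the guide or from Juniper: it applies the usual rule that XFF is trusted only when the connection arrived from a configured proxy, and that the chain is walked from the right past trusted proxies, so a client cannot spoof itself as someone else by prepending an entry. The trusted-proxy list standing in for the set proxy inside addresses, and the sample records, are constructed assumptions.

```python
"""Added example (not from the Juniper ATP Appliance guide): attribute a
request to a client address from X-Forwarded-For when the Traffic Collector
is behind an inside proxy.  Assumption: the set of trusted proxies is the
set of addresses an operator gave to 'set proxy inside'."""
import ipaddress


def parse_xff(header):
    """Split an X-Forwarded-For value into its entries, left to right."""
    return [part.strip() for part in header.split(",") if part.strip()]


def client_ip_from_xff(header, trusted_proxies, peer_ip):
    """Return the client address as a string, or None if XFF cannot be trusted.

    peer_ip is the address the collector actually saw the connection from.
    Only a peer that is itself a configured proxy may vouch for the header.
    The chain is then walked from the right, skipping trusted proxies; the
    first untrusted hop is the client.  Anything unparseable aborts."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(peer_ip) not in trusted:
        return None  # header came straight from a client: attacker-controlled
    for hop in reversed(parse_xff(header)):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if addr not in trusted:
            return str(addr)
    return None  # every hop was a proxy; nothing to attribute


# Constructed sample records: (peer address seen by the collector, XFF value)
CONSTRUCTED_RECORDS = [
    ("10.1.1.1", "203.0.113.7"),               # normal: proxy appended client
    ("10.1.1.1", "1.2.3.4, 203.0.113.7"),      # client prepended a fake entry
    ("192.0.2.9", "203.0.113.7"),              # not via a proxy: untrusted
]


def attribute_records(records, trusted_proxies):
    """Client attribution for each record, in order (None = not attributable)."""
    return [client_ip_from_xff(xff, trusted_proxies, peer) for peer, xff in records]


if __name__ == "__main__":
    print(attribute_records(CONSTRUCTED_RECORDS, ["10.1.1.1"]))
```

The second constructed record is the case that matters: the leftmost 1.2.3.4 was written by the client, and an implementation that takes the first entry would attribute the traffic to an address the attacker chose.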
show (diagnosis mode) Table 5-24 show. Description: Displays logs and tracebacks for Juniper ATP Appliance components from diagnosis mode (the logging level itself is set with set logging in diagnosis mode). See Also: show (server mode); show (collector mode). Product(s): CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine...
show (server mode) Table 5-25 show Description Display configurations and status information. Product(s) CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine Mode(s) Server, See Also: show (collector mode); show (diagnosis mode)
shutdown Table 5-26 shutdown Description Shuts down the Juniper ATP Appliance server. Product(s) CLI All-in-One | Collector | Core CM | Mac Mini OS X Detection Engine Mode(s) Server shutdown Syntax Parameters None The following example performs a shutdown of the current device.
No)? Enter the following server attributes: Central Manager (CM) IP Address: Required: Enter the IP address of the Juniper ATP Appliance Server All-in-One CM or CoreCM to which you are connecting [another] Collector in order to register with and view the Collector in the CM Web...
Greylists provide control over the priority of workorders for known IP addresses and URLs. Greylists are files containing either URLs or IP addresses; the Juniper ATP Appliance analysis engines use them to check whether the specified URLs or IP addresses produce a malicious rule match.
Graphical user interface. The Juniper ATP Appliance uses a web-based GUI for managing the appliance. Known botnet Events that are triggered when the appliance sees any of the common IRC bot server bot commands or detects any communication sent to known botnet servers.