Saturday 10 May 2014

Configure Sophos anti-virus on SRX devices

The Sophos AV solution uses the sophos-engine, which is different from the kaspersky-lab-engine and juniper-express-engine. Before configuring Sophos AV on the device, check that the av_key_sophos_engine license is installed: run the show system license usage command and look for the av_key_sophos_engine entry.


Sample output:


    root> show system license usage

                                 Licenses    Licenses    Licenses    Expiry
    Feature name                     used   installed      needed
    av_key_kaspersky_engine             1           0           1    29 days
    anti_spam_key_sbl                   1           0           1    29 days
    wf_key_surfcontrol_cpa              1           0           1    29 days
    ax411-wlan-ap                       0           2           0    permanent
    av_key_sophos_engine                1           0           1    29 days
    logical-system                      0           1           0    permanent

If the license is not installed, refer to KB14103 - SRX License Installation steps after registering product for auto license installation. You can also download the license file and add it by using the following command:

    root> request system license add terminal

Configuration:

The configuration is similar to that of the other AV engines.

JWeb procedure:

Configure the express antivirus feature profile:
  1. Go to Configure > Security > UTM > Global options and click the Anti-Virus tab.

  2. In the Engine Type list, select Sophos and click OK.

  3. If the policy is successfully saved, you will receive a confirmation; click OK again. If the profile is not successfully saved, you can click Details in the displayed pop-up window to find out the reason.

Configure a UTM policy for express antivirus:
  1. Go to Configure > Security > Policy > UTM Policies and click Add to configure a UTM policy; the Add Policy window is displayed.

  2. In the Main tab, next to Policy Name, type a unique name for the UTM policy (for example, sophos-utm-policy).

  3. Click the Anti-Virus profiles tab.

  4. Next to the HTTP profile, select junos-sophos-av-defaults and click OK.

  5. If the policy is successfully saved, you will receive a confirmation; click OK again. If the profile is not successfully saved, you can click Details in the displayed pop-up window to find out the reason.

Create a security policy and attach the UTM policy to it:

  1. Go to Configure > Security > Policy > FW Policies.

  2. From the Security Policy window, click Add to configure a security policy with UTM. The policy configuration window is displayed.

  3. In the Policy tab, type a name in the Policy Name text box.

  4. In Default Policy Action, select either Deny-All or Permit-All.

  5. In From Zone, select a zone from the list and in To Zone, select a zone from the list.

  6. Under Zone Direction, click Add a Policy.

  7. Select a Source Address.

  8. Select a Destination Address.

  9. Choose an application by selecting junos-protocol (for all protocols that support antivirus scanning) in the Application Sets list and clicking the right arrow (->) button to move it to the Matched box.

  10. In Policy Action, select Permit.

  11. Click the Application Services tab.

  12. In UTM Policy, select the appropriate policy from the list. This action attaches the UTM policy to the security policy.

  13. Click OK.

  14. If the policy is successfully saved, you will receive a confirmation; click OK again. If the profile is not successfully saved, you can click Details in the displayed window to find out the reason.

CLI procedure:
  1. Configure the engine type:
    set security utm feature-profile anti-virus type sophos-engine
  2. Configure the UTM policies for the desired protocols:
    set security utm utm-policy sophos-utm-policy anti-virus http-profile junos-sophos-av-defaults
    set security utm utm-policy sophos-utm-policy anti-virus ftp upload-profile junos-sophos-av-defaults
    set security utm utm-policy sophos-utm-policy anti-virus ftp download-profile junos-sophos-av-defaults
    set security utm utm-policy sophos-utm-policy anti-virus smtp-profile junos-sophos-av-defaults
  3. Apply this UTM policy in a security policy:
    set security policies from-zone trust to-zone untrust policy utm-security-policy match source-address any
    set security policies from-zone trust to-zone untrust policy utm-security-policy match destination-address any
    set security policies from-zone trust to-zone untrust policy utm-security-policy match application any
    set security policies from-zone trust to-zone untrust policy utm-security-policy then permit application-services utm-policy sophos-utm-policy
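
To confirm that the three CLI steps line up, the following added example (not part of the original post) audits a configuration exported in set format: it reports the engine type, the anti-virus profiles each UTM policy defines, and any permit rule that has no UTM policy or references one without an anti-virus profile. The sample configuration is constructed, and the "no-av" policy and the function name audit are assumptions made for illustration.

```python
import re

# Constructed sample in Junos "set" format, based on the commands in this post.
# The "no-av" policy is added here to show a permit rule that skips UTM.
CONFIG = """\
set security utm feature-profile anti-virus type sophos-engine
set security utm utm-policy sophos-utm-policy anti-virus http-profile junos-sophos-av-defaults
set security utm utm-policy sophos-utm-policy anti-virus ftp upload-profile junos-sophos-av-defaults
set security policies from-zone trust to-zone untrust policy utm-security-policy match application any
set security policies from-zone trust to-zone untrust policy utm-security-policy then permit application-services utm-policy sophos-utm-policy
set security policies from-zone trust to-zone dmz policy no-av then permit
"""

ENGINE = "set security utm feature-profile anti-virus type "
UTM_DEF = re.compile(r"^set security utm utm-policy (\S+) anti-virus (.+) (\S+)$")
FW_PERMIT = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) then permit(.*)$")
UTM_REF = re.compile(r"application-services utm-policy (\S+)")

def audit(config):
    """Return (engine, av_profiles, findings) for a set-format configuration."""
    engine, av_profiles, permits = None, {}, {}
    for line in map(str.strip, config.splitlines()):
        if line.startswith(ENGINE):
            engine = line[len(ENGINE):]
        elif m := UTM_DEF.match(line):
            # utm-policy name -> {"http-profile": ..., "ftp upload-profile": ...}
            av_profiles.setdefault(m[1], {})[m[2]] = m[3]
        elif m := FW_PERMIT.match(line):
            ref = UTM_REF.search(m[4])
            key = (m[1], m[2], m[3])
            # Keep an earlier utm-policy reference if this line carries none.
            permits[key] = ref[1] if ref else permits.get(key)
    findings = []
    if engine != "sophos-engine":
        findings.append(f"anti-virus engine type is {engine}, not sophos-engine")
    for (src, dst, name), ref in sorted(permits.items()):
        where = f"{src}->{dst} policy {name}"
        if ref is None:
            findings.append(f"{where}: permits traffic with no utm-policy attached")
        elif ref not in av_profiles:
            findings.append(f"{where}: utm-policy {ref} defines no anti-virus profile")
    return engine, av_profiles, findings

if __name__ == "__main__":
    for finding in audit(CONFIG)[2]:
        print(finding)
```
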

Troubleshooting:
  1. Check the status of the Sophos engine:
    root> show security utm anti-virus status

    utm anti-virus status:

    anti-virus key expire date: 29 days left (grace period)
    update server: http://update.juniper-updates.net/sav/
    interval: 1440 minutes
    pattern update status: next update in 1347 minutes
    last result: download version file failed
    anti-virus signature version: not loaded
    scan engine type: sophos-engine
    scan engine information: last action result: No error

  2. Check the Sophos AV statistics:
    root> show security utm anti-virus statistics
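
The license and status outputs above can be checked together. This added example (not part of the original post) parses both and lists the conditions under which the engine is configured but has no installed license or no signature database. The sample text is constructed from the outputs shown in this post, and the function names are assumptions made for illustration.

```python
import re

# Constructed samples, modelled on the command outputs shown in this post.
LICENSE_USAGE = """\
                           Licenses  Licenses  Licenses  Expiry
Feature name                   used installed    needed
av_key_kaspersky_engine           1         0         1  29 days
ax411-wlan-ap                     0         2         0  permanent
av_key_sophos_engine              1         0         1  29 days
"""
AV_STATUS = """\
utm anti-virus status:
    anti-virus key expire date: 29 days left (grace period)
    update server: http://update.juniper-updates.net/sav/
    last result: download version file failed
    anti-virus signature version: not loaded
    scan engine type: sophos-engine
"""

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")

def parse_license_usage(text):
    """Map feature name -> used/installed/needed counts and expiry."""
    rows = {}
    for line in text.splitlines():
        if m := ROW.match(line.strip()):
            rows[m[1]] = {"used": int(m[2]), "installed": int(m[3]),
                          "needed": int(m[4]), "expiry": m[5]}
    return rows

def parse_av_status(text):
    """Map field -> value, splitting each line on its first ': '."""
    pairs = (line.strip().partition(": ") for line in text.splitlines())
    return {key: value for key, sep, value in pairs if sep}

def av_findings(license_text, status_text, feature="av_key_sophos_engine"):
    """List the reasons the configured engine is not ready to scan."""
    lic = parse_license_usage(license_text).get(feature)
    status = parse_av_status(status_text)
    findings = []
    if lic is None or lic["installed"] < 1:
        findings.append(f"{feature} license not installed")
    if status.get("scan engine type") != "sophos-engine":
        findings.append("scan engine is not sophos-engine")
    if status.get("anti-virus signature version", "not loaded") == "not loaded":
        findings.append("no signature database loaded")
    if "failed" in status.get("last result", ""):
        findings.append("last pattern update failed: " + status["last result"])
    return findings
```
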

5 comments:

  3. The information which you have provided in this blog is really useful to everyone. Thanks for sharing.
    Sophos Support
    Sophos Security Services

  4. Thank you for sharing this useful information. Do you know antivirus is really necessary if you want to keep your computer, laptop, phone, or another electronic device that comes enabled with a webcam safe? If you want to know about antivirus, follow our blog; here is our latest blog: What is Virus Signature.

  5. Thank You for sharing this wonderful and much required information in this post.
    Sophos Security Service
    Sophos Support
