Loading a Root CA

After the Policy Enforcer virtual machine is configured and created and before creating any ATP policy, you must set up certificates on any Sky ATP-supported SRX Series device. For a list of SkyATP- supported devices, see Sky ATP Supported Platforms Guide.

NoteĀ The following is simply an example. You will need to modify the group name, profile and policy name to match your configuration.

Procedure

To set up certificates for Policy Enforcer:

  1. Create the CA profile using the following CLI command. A CA profile configuration contains information specific to a CA.
    root@host# request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa
    root@host# request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name www.juniper.net subject "CN=www.juniper.net,OU=IT,O=Juniper Networks,L=Sunnyvale,ST=CA,C=US" email security-admin@juniper.net
  2. Configure the CA profile.

    NoteĀ The CA profile name must be policyEnforcer.

    root@host# set security pki policyEnforcer ssl-inspect-ca ca-identity ssl-inspect-ca
    root@host# set security pki policyEnforcer ssl-ca ca-identity ssl-ca
  3. Load the default trusted CA.
    root@host# request security pki ca-certificate ca-profile-group load ca-group-name All-Trusted-CA-Def filename default
  4. Enable HTTPS on the threat prevention policy.

    When creating your threat prevention policy (in Security Director, select Configure>Threat Prevention > Policy), enable the Scan HTTPS option to scan files downloaded over HTTPS. For more information on creating threat prevention policies, see the Security Director online help.

    When you enable HTTPS on the threat prevention policy, Policy Enforcer sends the following configuration to the devices:

    ##Security Firewall Policy : trust - untrust##
    set security policies from-zone trust to-zone untrust policy PolicyEnforcer-Rule1-1 then permit application-services ssl-proxy profile-name policyEnforcer
    ##Security Firewall Policy : global ##
    set security policies global policy PolicyEnforcer-Rule1-1 then permit application-services ssl-proxy profile-name policyEnforcer
    ##SSL Forward proxy Profile Configurations##
    set services ssl proxy profile policyEnforcer trusted-ca all
    set services ssl proxy profile policyEnforcer root-ca ssl-inspect-ca
    
  5. Export the locally generated certificate from the SRX Series device and install it on clients as a trusted CA to avoid some of the certificate errors that may occur.

    Each website or browser behaves slightly different. Some require exceptions to be added to your browser to display the content while others may not work because the local certificate is weak.

    root@host# request security pki local-certificate export certificate-id ssl-inspect-ca type pem filename ssl-inspect-ca.pem
  6. (Optional) You can limit some certificate warning messages using the following CLI command:
    root@host# set services ssl proxy profile policyEnforcer actions ignore-server-auth-failure