Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Creating Policy Enforcement Groups

    To access this page, click Configure>Shared Objects>Policy Enforcement Groups.

    You can create policy enforcement groups from the policy enforcement groups page.

    • Know what type of endpoints you are including in your policy enforcement group: IP address, subnet, or location.
    • Determine what endpoints you will add to the group based on how you will configure threat prevention according to location, users and applications, or threat risk.
    • Keep in mind that endpoints cannot belong to multiple policy enforcement groups.

    To create a policy enforcement group:

    1. Select Configure>Shared Objects>Policy Enforcement Groups.
    2. Click the + icon.
    3. Complete the configuration by using the guidelines in the Table 1 below.
    4. Click OK.

    Table 1: Fields on the Policy Enforcement Group Page




    Enter a unique string that must begin with an alphanumeric character and can include underscores; no spaces allowed; 63-character maximum.


    Enter a description; maximum length is 1024 characters. You should make this description as useful as possible for all administrators.

    Group Type

    Select a group type from the available choices. IP Address/Subnet or Location.

    Known Subnets from

    When using Junos Space, Policy Enforcer is able to dynamically discover subnets configured on Juniper switches. Policy Enforcer does not have the same insight with third-party devices. Therefore you can add subnets to your connector configuration and select them here. This allows you to selectively apply policies to those subnets.

    If you have not configured a connector, you would select Junos Space here to view subnets discovered by Policy Enforcer. If you have a connector configured, you can select the connector name in this pulldown to view the subnets you manually added when configuring the connector. See Creating a Policy Enforcer Connector for Third-Party Switches.

    Items (IPs or Sites)

    IPs: Select the check box beside the IP address(es) of the endpoint device(es) in the Available list and click the > icon to move them to the Selected list. Click the Refresh Available IPs link to manually update the list. Manual updates can take several minutes to complete.

    This refresh is only available for Junos Space subnets.

    Note: Policy Enforcer polls for updates at one hour intervals. It also updates each time the server starts up. Use the Refresh link if the item you’re looking for has not yet been updated in the list.

    Sites: Select the check box beside the sites in the Available list and click the > icon to move them to the Selected list.

    The endpoints in the Selected list will be included in the policy enforcement group.

    Add New Endpoint

    Click the Add New Endpoint button if the address or location you want does not appear in the Available list.

    Modified: 2017-09-27