After the Policy Enforcer virtual machine is configured and created, and before creating any ATP policy, you must set up certificates on any Sky ATP-supported SRX Series device. For a list of Sky ATP-supported devices, see the Sky ATP Supported Platforms Guide.
Note: The following is simply an example. You will need to modify the group name, profile and policy name to match your configuration.
To set up certificates for Policy Enforcer:
root@host# request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa
root@host# request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name www.juniper.net subject "CN=www.juniper.net,OU=IT,O=Juniper Networks,L=Sunnyvale,ST=CA,C=US" email security-admin@juniper.net
Note: The CA profile name must be policyEnforcer.
root@host# set security pki policyEnforcer ssl-inspect-ca ca-identity ssl-inspect-ca
root@host# set security pki policyEnforcer ssl-ca ca-identity ssl-ca
root@host# request security pki ca-certificate ca-profile-group load ca-group-name All-Trusted-CA-Def filename default
When creating your threat prevention policy (in Security Director, select Configure > Threat Prevention > Policy), enable the Scan HTTPS option to scan files downloaded over HTTPS. For more information on creating threat prevention policies, see the Security Director online help.
When you enable HTTPS on the threat prevention policy, Policy Enforcer sends the following configuration to the devices:
##Security Firewall Policy : trust - untrust##
set security policies from-zone trust to-zone untrust policy PolicyEnforcer-Rule1-1 then permit application-services ssl-proxy profile-name policyEnforcer
##Security Firewall Policy : global##
set security policies global policy PolicyEnforcer-Rule1-1 then permit application-services ssl-proxy profile-name policyEnforcer
##SSL Forward proxy Profile Configurations##
set services ssl proxy profile policyEnforcer trusted-ca all
set services ssl proxy profile policyEnforcer root-ca ssl-inspect-ca
Each website or browser behaves slightly differently. Some require exceptions to be added to your browser to display the content, while others may not work because the local certificate is weak.
root@host# request security pki local-certificate export certificate-id ssl-inspect-ca type pem filename ssl-inspect-ca.pem
root@host# set services ssl proxy profile policyEnforcer actions ignore-server-auth-failure
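Before importing the exported ssl-inspect-ca.pem into client trust stores, it helps to confirm what the device actually produced. The following shell script is an added example, not part of the Juniper procedure; it assumes the openssl CLI is available and builds its own constructed sample certificates (one matching the page's 2048-bit RSA parameters, one deliberately weak) to stand in for the exported file.

```shell
# Added example (not from the Juniper page): sanity-check an exported SSL forward
# proxy root CA before importing it into client trust stores. Requires the
# openssl CLI; the certificates built here are constructed stand-ins for the PEM
# that "request security pki local-certificate export" writes.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA with the same subject as the page's generate-self-signed step.
make_sample_ca() {   # $1 = output PEM path, $2 = RSA key size in bits
  openssl req -x509 -newkey "rsa:$2" -nodes -days 365 -keyout "$1.key" -out "$1" \
    -subj "/C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=IT/CN=www.juniper.net" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
}
GOOD_CERT="$WORK/ssl-inspect-ca.pem"; make_sample_ca "$GOOD_CERT" 2048
WEAK_CERT="$WORK/weak-ca.pem";        make_sample_ca "$WEAK_CERT" 1024

# RSA modulus size in bits; prints 0 if the field is missing.
rsa_bits() {
  bits=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  echo "${bits:-0}"
}

# Succeeds only if basicConstraints marks the certificate as a CA, i.e. it can
# sign the per-site certificates the proxy presents to clients.
is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Subject CN, printed in RFC 2253 form so it is stable across OpenSSL versions.
subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Verdict: "OK ..." for a CA with a key of at least 2048 bits, else "FAIL ...".
# Current browsers reject shorter keys, one cause of the "local certificate is
# weak" symptom described above.
check_proxy_ca() {
  if ! is_ca "$1"; then echo "FAIL: not a CA certificate"; return 1; fi
  bits=$(rsa_bits "$1")
  if [ "$bits" -lt 2048 ]; then echo "FAIL: RSA key is only $bits bits"; return 1; fi
  echo "OK: CA=$(subject_cn "$1") key=${bits}-bit RSA"
}

check_proxy_ca "$GOOD_CERT"           # OK: CA=www.juniper.net key=2048-bit RSA
check_proxy_ca "$WEAK_CERT" || true   # FAIL: RSA key is only 1024 bits
```

Point check_proxy_ca at the real ssl-inspect-ca.pem copied off the device to run the same checks against the production certificate.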
© 2018 Juniper Networks, Inc. All rights reserved