Contents

Security Director User Guide
- About the Documentation
- Junos Space Security Director
  - Overview
    - Junos Space Security Director Overview
    - Juniper Networks Software-Defined Secure Network Overview
- Dashboard
  - Overview
    - Dashboard Overview
- Monitor
  - Events and Logs-All Events
    - Events and Logs Overview
    - Creating Alerts
    - Creating Reports
    - Creating Filters
    - Grouping Events
    - Using Events and Logs Settings
    - Selecting Events and Logs Table Columns
    - Viewing Threats
    - Using the Detailed Log View
    - Using the Raw Log View
    - Showing Exact Match
    - Using Filter on Cell Data
    - Using Exclude Cell Data
    - Showing Firewall Policy
    - Showing Source NAT Policy
    - Showing Destination NAT Policy
    - Downloading Packets Captured
    - Showing Attack Details
    - Using Filters
  - Events and Logs-Firewall
    - Firewall Events and Logs Overview
  - Events and Logs-Web Filtering
    - Web Filtering Events and Log Overview
  - Events and Logs-VPN
    - VPN Events and Logs Overview
  - Events and Logs-Content Filtering
    - Content Filtering Events and Logs Overview
  - Events and Logs-Antispam
    - Antispam Events and Logs Overview
  - Events and Logs-Antivirus
    - Antivirus Events and Logs Overview
  - Events and Logs-IPS
    - IPS Events and Logs Overview
  - Events and Logs-Screen
    - Screen Events and Logs Overview
  - Events and Logs-Sky ATP
    - Sky ATP Events and Logs Overview
  - Events and Logs-Apptrack
    - Apptrack Events and Logs Overview
  - Threat Prevention-Hosts
    - Infected Hosts Overview
    - Infected Host Details
  - Threat Prevention-C&C Servers
    - Command and Control Servers Overview
    - Command and Control Server Details
  - Threat Prevention-HTTP File Download
    - HTTP File Download Overview
    - HTTP File Download Details
  - Threat Prevention-Email Quarantine and Scanning
    - SMTP Quarantine Overview
    - Email Attachments Scanning Overview
    - Email Attachments Scanning Details
  - Threat Prevention-IMAP Block
    - IMAP Block Overview
  - Threat Prevention-Manual Upload
    - Manual Scanning Overview
    - File Scanning Limits
  - Applications
    - Application Visibility Overview
    - Blocking Applications and Users
  - Users
    - User Visibility Overview
    - Blocking Users and Applications
  - Source IP
    - Source IP Visibility Overview
    - Blocking Source IP Addresses
  - Live Threat Map
    - Threat Map Overview
    - Blocking Threat Events
  - Alerts and Alarms - Overview
    - Alerts and Alarms Overview
  - Alerts and Alarms-Alerts
    - Deleting an Alert
    - Searching Alerts
    - Using Generated Alerts
  - Alerts and Alarms-Alert Definitions
    - Creating Alert Definitions
    - Editing Alert Definitions
    - Cloning Alert Definition
    - Deleting Alert Definitions
    - Searching Alert Definitions
    - Alert Definitions Main Page Fields
  - Alerts and Alarms-Alarms
    - Using Device Alarms
    - Device Alarms Main Page Fields
  - VPN
    - IPsec VPN Monitoring Overview
    - About the Overview Page
    - Managing Monitored and Unmonitored VPNs
    - About the Monitored Tunnels Page
    - About the Devices Page
  - Job Management
    - Using Job Management in Security Director
    - Overview of Jobs in Security Director
    - Archiving and Purging Jobs in Security Director
    - Viewing the Details of a Job in Security Director
    - Canceling Jobs in Security Director
    - Reassigning Jobs in Security Director
    - Rescheduling and Modifying the Recurrence of Jobs in Security Director
    - Retrying a Failed Job on Devices in Security Director
    - Exporting the Details of a Job in Security Director
    - Job Management Main Page Fields
  - Audit Logs
    - Using Audit Logs in Security Director
    - Understanding Audit Logs in Security Director
    - Purging or Archiving and Purging Audit Logs in Security Director
    - Exporting Audit Logs in Security Director
    - Viewing the Details of an Audit Log in Security Director
    - Audit Logs Main Page Fields
  - Packet Capture
    - Packet Capture Overview
    - About the Packets Captured Page
    - Setting the Purge Policy
  - NSX Inventory-Security Groups
    - About the Security Groups Page
    - Viewing Members of a Security Group
  - vCenter Server Inventory-Virtual Machines
    - About the Virtual Machines Page
    - Viewing Network Details of a Virtual Machine
    - Viewing Security Groups of a Virtual Machine
- Devices
- Configure
  - Firewall Policy-Policies
    - Firewall Policies Overview
    - Policy Ordering Overview
    - Creating Firewall Policies
    - Firewall Policies Best Practices
    - Creating Firewall Policy Rules
    - Rule Base Overview
    - Rule Operations on Filtered Rules Overview
    - Creating and Managing Policy Versions
    - Comparing Policies
    - Exporting Policies
    - Creating Custom Columns
    - Importing Policies
    - Deleting and Replacing Policies and Objects
    - Editing and Cloning Policies and Objects
    - Publishing Policies
    - Showing Duplicate Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Updating Policies on Devices
    - Firewall Policies Main Page Fields
    - Firewall Policy Rules Main Page Fields
  - Firewall Policy-Devices
    - Assigning Devices to Policies
    - Devices with Firewall Policies Main Page Fields
  - Firewall Policy-Schedules
    - Schedules Overview
    - Creating Schedules
    - Schedules Main Page Fields
  - Firewall Policy-Profiles
    - Understanding Firewall Policy Profiles
    - Understanding Captive Portal Support for Unauthenticated Browser Users
    - Creating Firewall Policy Profiles
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Assigning Policies and Profiles to Domains
    - Viewing Policy and Shared Object Details
    - Firewall Policy Profiles Main Page Fields
  - Firewall Policy-Templates
    - Understanding Firewall Policy Templates
    - Creating Firewall Policy Templates
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Firewall Policy Templates Main Page Fields
  - Environment
    - Environment Variables and Conditions Overview
    - About the Environment Page
    - Creating a New Environment Variable
    - Editing and Deleting Environment Variables
      - Editing Environment Variables
      - Deleting an Environment Variable
    - Creating a New Environment Condition
    - Editing and Deleting Environment Conditions
      - Editing an Environment Condition
      - Deleting an Environment Condition
  - Application Firewall Policy-Policies
    - Understanding Application Firewall Policies
    - Creating Application Firewall Policies
    - Deleting and Replacing Policies and Objects
    - Editing and Cloning Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Finding Usages for Policies and Objects
    - Application Firewall Policies Main Page Fields
  - Application Firewall Policy-Signatures
    - Understanding Custom Application Signatures
    - Creating Application Signatures
    - Editing, Cloning, and Deleting Custom Application Signatures
    - Creating Application Signature Groups
    - Application Signatures Main Page Fields
  - SSL Profiles
    - SSL Forward Proxy Overview
    - Creating SSL Forward Proxy Profiles
    - SSL Forward Proxy Profile Main Page Fields
    - Creating SSL Reverse Proxy Profiles
  - User Firewall Management-Active Directory
    - About the Active Directory Profile Page
    - Creating Active Directory Profiles
    - Deploying the Active Directory Profile to SRX Series Devices
    - Editing and Deleting Active Directory Profiles
      - Editing Active Directory Profiles
      - Deleting Active Directory Profiles
  - User Firewall Management-Access Profile
    - LDAP Functionality in Integrated User Firewall Overview
    - About the Access Profile Page
    - Creating Access Profiles
    - Deploying the Access Profile to SRX Series Devices
    - Editing and Deleting Access Profiles
      - Editing Access Profiles
      - Deleting Access Profiles
  - User Firewall Management-Identity Management
    - Juniper Identity Management Service Overview
    - About the Identity Management Profile Page
    - Creating Identity Management Profiles
    - Editing, Cloning, and Deleting Identity Management Profiles
    - Updating the Identity Management Profile to SRX Series Devices
  - User Firewall Management-End User Profile
    - End User Profile Overview
    - About the End User Profile Page
    - Creating an End User Profile
    - Editing and Deleting End User Profile
    - End User Profile Operations
  - IPS Policy-Policies
    - Understanding IPS Policies
    - Creating IPS Policies
    - Creating IPS Policy Rules
    - Publishing Policies
    - Updating Policies on Devices
    - Assigning Devices to Policies
    - Creating and Managing Policy Versions
    - Creating Rule Name Template
    - Exporting Policies
    - Unassigning Devices to Policies
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Assigning Policies and Profiles to Domains
    - Viewing Policy and Shared Object Details
    - IPS Policies Main Page Fields
  - IPS Policy-Devices
    - Understanding IPS Policies
    - Devices with IPS Policies Main Page Fields
  - IPS Policy-Signatures
    - Understanding IPS Signatures
    - Creating IPS Signatures
    - Creating IPS Signature Static Groups
    - Creating IPS Signature Dynamic Groups
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Viewing Policy and Shared Object Details
    - IPS Policy Signatures Main Page Fields
  - IPS Policy-Templates
    - Understanding IPS Policy Templates
    - Creating IPS Policy Templates
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - IPS Policy Templates Main Page Fields
  - NAT Policy-Policies
    - NAT Overview
    - NAT Global Address Book Overview
    - Creating NAT Policies
    - Publishing Policies
    - NAT Policy Rules Main Page Field
    - Creating NAT Rules
    - Updating Policies on Devices
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Comparing Policies
    - Creating and Managing Policy Versions
    - Assigning Devices to Policies
    - Unassigning Devices to Policies
    - Creating Rule Name Template
    - Configuring NAT Rule Sets
    - NAT Policies Main Page Fields
  - NAT Policy-Devices
    - Devices with NAT Policies Main Page Fields
  - NAT Policy-Pools
    - Creating NAT Pools
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - NAT Pools Main Page Fields
  - NAT Policy-Port Sets
    - Creating Port Sets
    - Deleting and Replacing Policies and Objects
    - Editing and Cloning Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Port Sets Main Page Fields
  - UTM Policy-Policies
    - UTM Overview
    - Creating UTM Policies
    - Comparing Policies
    - Deleting and Replacing Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Showing Duplicate Policies and Objects
    - Editing and Cloning Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - UTM Policies Main Page Fields
  - UTM Policy-Web Filtering Profiles
    - Creating Web Filtering Profiles
    - Selecting a Web Filtering Solution
    - Web Filtering Profile Main Page Fields
  - UTM Policy-Category Update
    - About the Category Update Page
    - Configuring the Download URL Settings
    - Downloading and Installing URL Categories
    - Uploading and Installing URL Categories
    - Installing URL Categories on SRX Series Devices
  - UTM Policy-Antivirus Profiles
    - Creating Antivirus Profiles
    - Antivirus Profile Main Page Fields
  - UTM Policy-Antispam Profiles
    - Creating Antispam Profiles
    - Antispam Profile Main Page Fields
  - UTM Policy-Content Filtering Profiles
    - Creating Content Filtering Profiles
    - Content Filtering Profile Main Page Fields
  - UTM Policy-Global Device Profiles
    - Creating Device Profiles
    - Device Profiles Main Page Fields
  - UTM Policy-URL Patterns
    - Creating URL Patterns
  - UTM Policy-Custom URL Categories
    - Creating Custom URL Category Lists
  - Application Routing Policies
    - Understanding Application-Based Routing
    - About the Application Routing Policies Page
    - Configuring Advanced Policy-Based Routing Policy
    - About the Rules Page (Advanced Policy-Based Routing)
    - Creating Advanced Policy-Based Routing Rules
    - About the App Based Routing Page
    - Editing and Cloning Policies and Objects
    - Assigning Devices to Policies
    - Customizing Profile Names
    - Publishing Policies
    - Updating Policies on Devices
  - Threat Prevention - Policies
    - Creating Threat Prevention Policies
    - Threat Prevention Policy Overview
    - Threat Policy Analysis Overview
    - Implementing Threat Policy on VMWare NSX
  - Threat Prevention - Sky ATP Realms
    - Sky ATP Realm Overview
    - Creating Sky ATP Realms and Enrolling Devices or Associating Sites
    - Modifying Sky ATP Realm
  - Threat Prevention - Custom Feeds
    - Custom Feed Sources Overview
    - Creating Custom Feeds, Dynamic, Black and White
    - Example: Creating a Dynamic Address Custom Feed and Firewall Policy
    - Creating Custom Feeds, Infected Host
    - Creating Custom Feeds, DDoS
  - Threat Prevention - Email Management
    - Sky ATP Email Management Overview
    - Sky ATP Email Management: SMTP Settings
    - Email Management: Configure IMAP
    - Sky ATP Email Management: Whitelists and Blacklists
  - Threat Prevention - Malware Management
    - Sky ATP Malware Management Overview
    - File Inspection Profiles Overview
    - Creating File Inspection Profiles
    - Creating Whitelists and Blacklists
  - IPsec VPN-VPNs
    - IPsec VPN Overview
    - Creating IPsec VPNs
    - Understanding IPsec VPN Modes
    - Comparison of Policy-Based VPNs and Route-Based VPNs
    - Understanding IPsec VPN Routing
    - Understanding IKE Authentication
    - Publishing IPsec VPNs
    - Updating IPSec VPN
    - Modifying VPN Settings
    - Viewing Tunnels
    - Importing IPsec VPNs
    - IPsec VPN Main Page Fields
  - IPsec VPN-Extranet Devices
    - Creating Extranet Devices
    - Extranet Devices Main Page Fields
  - IPsec VPN-Profiles
    - VPN Profiles Overview
    - Creating VPN Profiles
    - Editing and Cloning Policies and Objects
    - Assigning Policies and Profiles to Domains
    - VPN Profiles Main Page Fields
  - Shared Objects-Geo IP
    - Creating Geo IP Policies
    - Geo IP Overview
    - Deleting and Replacing Policies and Objects
  - Shared Objects-Policy Enforcement Groups
    - Creating Policy Enforcement Groups
    - Policy Enforcement Groups Overview
    - Deleting and Replacing Policies and Objects
  - Shared Objects-Addresses
    - Addresses and Address Groups Overview
    - Creating Addresses and Address Groups
    - Importing and Exporting CSV Files
    - Assigning Addresses and Address Groups to Domains
    - Showing Duplicate Policies and Objects
    - Addresses Main Page Fields
  - Shared Objects-Services
    - Services and Service Groups Overview
    - Creating Services and Service Groups
    - Importing and Exporting CSV Files
    - Showing Duplicate Policies and Objects
  - Shared Objects-Variables
    - Variables Overview
    - Creating Variables
    - Editing Variables
    - Importing and Exporting CSV Files
    - Showing Duplicate Policies and Objects
  - Shared Objects-Zone Sets
    - Understanding Zone Sets
    - Creating Zone Sets
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Finding Usages for Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Zone Sets Main Page Fields
  - Shared Objects-Metadata
    - Metadata-Based Policy Enforcement Overview
    - About the Metadata Page
    - Creating a Metadata
  - Change Management-Change Requests
    - Change Control Workflow Overview
    - Creating a Firewall or NAT Policy Change Request
    - About the Changes Submitted Page
    - Approving and Updating Changes Submitted
    - Creating and Updating a Firewall Policy Using Change Control Workflow
    - Editing, Denying, and Deleting Change Requests
    - About the Changes Not Submitted Page
    - Discarding Policy Changes
    - Viewing Submitted and Unsubmitted Policy Changes
  - Change Management-Change Request History
    - About the Change Request History Page
  - Overview of Policy Enforcer and Sky ATP
    - Juniper Networks Software-Defined Secure Network Overview
    - Policy Enforcer Overview
    - Benefits of Policy Enforcer
    - Sky ATP Overview
  - Concepts and Configuration Types to Understand Before You Begin (Policy Enforcer and Sky ATP)
    - Policy Enforcer Components and Dependencies
    - Policy Enforcer Configuration Concepts
    - Sky ATP Configuration Type Overview
    - Features By Sky ATP Configuration Type
    - Available UI Pages by Sky ATP Configuration Type
    - Comparing the SDSN and non-SDSN Configuration Steps
  - Installing Policy Enforcer
    - Policy Enforcer Installation Overview
    - Deploying and Configuring the Policy Enforcer with OVA files
    - Installing Policy Enforcer with KVM
    - Policy Enforcer Ports
    - Identifying the Policy Enforcer Virtual Machine In Security Director
    - Obtaining a Sky ATP License
    - Creating a Sky ATP Cloud Web Portal Login Account
    - Loading a Root CA
    - Upgrading Your Policy Enforcer Software
  - Configuring Policy Enforcer Settings and Connectors
    - Policy Enforcer Settings
    - Policy Enforcer Connector Overview
    - Creating a Policy Enforcer Connector for Public and Private Clouds
    - Creating a Policy Enforcer Connector for Third-Party Switches
    - Editing and Deleting a Connector
      - Editing a Connector
      - Deleting a Connector
    - Viewing VPC or Projects Details
    - ClearPass Configuration for Third-Party Plug-in
    - Cisco ISE Configuration for Third-Party Plug-in
  - Guided Setup-Sky ATP with SDSN
    - Using Guided Setup for Sky ATP with SDSN
  - Guided Setup-Sky ATP
    - Using Guided Setup for Sky ATP
  - Guided Setup for No Sky ATP (No Selection)
    - Using Guided Setup for No Sky ATP (No Selection)
  - Manual Configuration-Sky ATP with SDSN
    - Configuring Sky ATP with SDSN (Without Guided Setup) Overview
    - Creating Sky ATP Realms and Enrolling Devices or Associating Sites
    - Secure Fabric Overview
    - Creating Secure Fabric and Sites
    - Editing or Deleting a Secure Fabric
    - Policy Enforcement Groups Overview
    - Creating Policy Enforcement Groups
    - Threat Prevention Policy Overview
    - Creating Threat Prevention Policies
    - Threat Policy Analysis Overview
    - Geo IP Overview
    - Creating Geo IP Policies
  - Manual Configuration-Sky ATP
    - Configuring Sky ATP (No SDSN and No Guided Setup) Overview
    - Sky ATP Realm Overview
    - Creating Sky ATP Realms and Enrolling Devices or Associating Sites
    - Threat Prevention Policy Overview
    - Creating Threat Prevention Policies
  - Configuring Cloud Feeds Only
    - Configuring Cloud Feeds Only
  - Configuring No Sky ATP (No Selection) (without Guided Setup)
    - Secure Fabric Overview
    - Creating Secure Fabric and Sites
    - Creating Policy Enforcement Groups
    - Creating Custom Feeds, Dynamic, Black and White
    - Creating Custom Feeds, Infected Host
    - Threat Prevention Policy Overview
    - Creating Threat Prevention Policies
  - Migration Instructions for Spotlight Secure Customers
    - Moving From Spotlight Secure to Policy Enforcer
- Reports
  - Reports
- Administration
  - My Profile
    - Modifying Your User Profile in Security Director
  - Users and Roles-Users
    - Overview of Users in Security Director
    - Creating Users in Security Director
    - Editing and Deleting Users in Security Director
      - Editing Users
      - Deleting Users
    - Viewing and Terminating Active User Sessions in Security Director
      - Viewing Active User Sessions
      - Terminating Active User Sessions
    - Viewing the User Details in Security Director
    - Clearing Local Passwords for Users in Security Director
    - Disabling and Enabling Users in Security Director
      - Disabling Users
      - Enabling Users
    - Unlocking Users in Security Director
    - Users Main Page Fields
  - Users and Roles-Roles
    - Domain RBAC Overview
    - Creating Customized Roles in Security Director
    - Understanding Roles in Security Director
    - Editing, Cloning, and Deleting Roles in Security Director
    - Viewing the Details of a Role in Security Director
    - Importing and Exporting Roles in Security Director
      - Importing Roles
      - Exporting Roles
    - Roles Main Page Fields
  - Users and Roles-Domains
    - Overview of Domains in Security Director
    - Creating Domains in Security Director
    - Editing and Deleting Domains in Security Director
    - Exporting Domains in Security Director
    - Viewing Users, Devices, and Remote Profiles Assigned to a Domain in Security Director
    - Assigning Devices to Domains in Security Director
    - Assigning and Unassigning Remote Profiles to Domains in Security Director
      - Assigning Remote Profiles to Domains
      - Unassigning Remote Profiles from Domains
    - Assigning and Unassigning Users to Domains in Security Director
      - Assigning Users to Domains
      - Unassigning Users from Domains
    - Domains Main Page Fields
  - Users and Roles-Remote Profiles
  - Logging Management
    - Logging and Reporting Overview
  - Logging Management-Logging Nodes
  - Logging Management-Statistics & Troubleshooting
    - Using the Log Statistics and Troubleshooting
  - Logging Management-Logging Devices
    - Logging Devices Main Page Fields
    - Creating Security Logs
  - Monitor Settings
    - About the Monitor Settings Page
    - Monitor Settings Overview
  - Signature Database
  - Migrating Content from NSM to Security Director
    - NSM Migration

Contents

Security Director User Guide
- About the Documentation
- Junos Space Security Director
  - Overview
    - Junos Space Security Director Overview
    - Juniper Networks Software-Defined Secure Network Overview
- Dashboard
  - Overview
    - Dashboard Overview
- Monitor
  - Events and Logs-All Events
    - Events and Logs Overview
    - Creating Alerts
    - Creating Reports
    - Creating Filters
    - Grouping Events
    - Using Events and Logs Settings
    - Selecting Events and Logs Table Columns
    - Viewing Threats
    - Using the Detailed Log View
    - Using the Raw Log View
    - Showing Exact Match
    - Using Filter on Cell Data
    - Using Exclude Cell Data
    - Showing Firewall Policy
    - Showing Source NAT Policy
    - Showing Destination NAT Policy
    - Downloading Packets Captured
    - Showing Attack Details
    - Using Filters
  - Events and Logs-Firewall
    - Firewall Events and Logs Overview
  - Events and Logs-Web Filtering
    - Web Filtering Events and Log Overview
  - Events and Logs-VPN
    - VPN Events and Logs Overview
  - Events and Logs-Content Filtering
    - Content Filtering Events and Logs Overview
  - Events and Logs-Antispam
    - Antispam Events and Logs Overview
  - Events and Logs-Antivirus
    - Antivirus Events and Logs Overview
  - Events and Logs-IPS
    - IPS Events and Logs Overview
  - Events and Logs-Screen
    - Screen Events and Logs Overview
  - Events and Logs-Sky ATP
    - Sky ATP Events and Logs Overview
  - Events and Logs-Apptrack
    - Apptrack Events and Logs Overview
  - Threat Prevention-Hosts
    - Infected Hosts Overview
    - Infected Host Details
  - Threat Prevention-C&C Servers
    - Command and Control Servers Overview
    - Command and Control Server Details
  - Threat Prevention-HTTP File Download
    - HTTP File Download Overview
    - HTTP File Download Details
  - Threat Prevention-Email Quarantine and Scanning
    - SMTP Quarantine Overview
    - Email Attachments Scanning Overview
    - Email Attachments Scanning Details
  - Threat Prevention-IMAP Block
    - IMAP Block Overview
  - Threat Prevention-Manual Upload
    - Manual Scanning Overview
    - File Scanning Limits
  - Applications
    - Application Visibility Overview
    - Blocking Applications and Users
  - Users
    - User Visibility Overview
    - Blocking Users and Applications
  - Source IP
    - Source IP Visibility Overview
    - Blocking Source IP Addresses
  - Live Threat Map
    - Threat Map Overview
    - Blocking Threat Events
  - Alerts and Alarms - Overview
    - Alerts and Alarms Overview
  - Alerts and Alarms-Alerts
    - Deleting an Alert
    - Searching Alerts
    - Using Generated Alerts
  - Alerts and Alarms-Alert Definitions
    - Creating Alert Definitions
    - Editing Alert Definitions
    - Cloning Alert Definition
    - Deleting Alert Definitions
    - Searching Alert Definitions
    - Alert Definitions Main Page Fields
  - Alerts and Alarms-Alarms
    - Using Device Alarms
    - Device Alarms Main Page Fields
  - VPN
    - IPsec VPN Monitoring Overview
    - About the Overview Page
    - Managing Monitored and Unmonitored VPNs
    - About the Monitored Tunnels Page
    - About the Devices Page
  - Job Management
    - Using Job Management in Security Director
    - Overview of Jobs in Security Director
    - Archiving and Purging Jobs in Security Director
    - Viewing the Details of a Job in Security Director
    - Canceling Jobs in Security Director
    - Reassigning Jobs in Security Director
    - Rescheduling and Modifying the Recurrence of Jobs in Security Director
    - Retrying a Failed Job on Devices in Security Director
    - Exporting the Details of a Job in Security Director
    - Job Management Main Page Fields
  - Audit Logs
    - Using Audit Logs in Security Director
    - Understanding Audit Logs in Security Director
    - Purging or Archiving and Purging Audit Logs in Security Director
    - Exporting Audit Logs in Security Director
    - Viewing the Details of an Audit Log in Security Director
    - Audit Logs Main Page Fields
  - Packet Capture
    - Packet Capture Overview
    - About the Packets Captured Page
    - Setting the Purge Policy
  - NSX Inventory-Security Groups
    - About the Security Groups Page
    - Viewing Members of a Security Group
  - vCenter Server Inventory-Virtual Machines
    - About the Virtual Machines Page
    - Viewing Network Details of a Virtual Machine
    - Viewing Security Groups of a Virtual Machine
- Devices
- Configure
  - Firewall Policy-Policies
    - Firewall Policies Overview
    - Policy Ordering Overview
    - Creating Firewall Policies
    - Firewall Policies Best Practices
    - Creating Firewall Policy Rules
    - Rule Base Overview
    - Rule Operations on Filtered Rules Overview
    - Creating and Managing Policy Versions
    - Comparing Policies
    - Exporting Policies
    - Creating Custom Columns
    - Importing Policies
    - Deleting and Replacing Policies and Objects
    - Editing and Cloning Policies and Objects
    - Publishing Policies
    - Showing Duplicate Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Updating Policies on Devices
    - Firewall Policies Main Page Fields
    - Firewall Policy Rules Main Page Fields
  - Firewall Policy-Devices
    - Assigning Devices to Policies
    - Devices with Firewall Policies Main Page Fields
  - Firewall Policy-Schedules
    - Schedules Overview
    - Creating Schedules
    - Schedules Main Page Fields
  - Firewall Policy-Profiles
    - Understanding Firewall Policy Profiles
    - Understanding Captive Portal Support for Unauthenticated Browser Users
    - Creating Firewall Policy Profiles
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Assigning Policies and Profiles to Domains
    - Viewing Policy and Shared Object Details
    - Firewall Policy Profiles Main Page Fields
  - Firewall Policy-Templates
    - Understanding Firewall Policy Templates
    - Creating Firewall Policy Templates
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Firewall Policy Templates Main Page Fields
  - Environment
    - Environment Variables and Conditions Overview
    - About the Environment Page
    - Creating a New Environment Variable
    - Editing and Deleting Environment Variables
      - Editing Environment Variables
      - Deleting an Environment Variable
    - Creating a New Environment Condition
    - Editing and Deleting Environment Conditions
      - Editing an Environment Condition
      - Deleting an Environment Condition
  - Application Firewall Policy-Policies
    - Understanding Application Firewall Policies
    - Creating Application Firewall Policies
    - Deleting and Replacing Policies and Objects
    - Editing and Cloning Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Finding Usages for Policies and Objects
    - Application Firewall Policies Main Page Fields
  - Application Firewall Policy-Signatures
    - Understanding Custom Application Signatures
    - Creating Application Signatures
    - Editing, Cloning, and Deleting Custom Application Signatures
    - Creating Application Signature Groups
    - Application Signatures Main Page Fields
  - SSL Profiles
    - SSL Forward Proxy Overview
    - Creating SSL Forward Proxy Profiles
    - SSL Forward Proxy Profile Main Page Fields
    - Creating SSL Reverse Proxy Profiles
  - User Firewall Management-Active Directory
    - About the Active Directory Profile Page
    - Creating Active Directory Profiles
    - Deploying the Active Directory Profile to SRX Series Devices
    - Editing and Deleting Active Directory Profiles
      - Editing Active Directory Profiles
      - Deleting Active Directory Profiles
  - User Firewall Management-Access Profile
    - LDAP Functionality in Integrated User Firewall Overview
    - About the Access Profile Page
    - Creating Access Profiles
    - Deploying the Access Profile to SRX Series Devices
    - Editing and Deleting Access Profiles
      - Editing Access Profiles
      - Deleting Access Profiles
  - User Firewall Management-Identity Management
    - Juniper Identity Management Service Overview
    - About the Identity Management Profile Page
    - Creating Identity Management Profiles
    - Editing, Cloning, and Deleting Identity Management Profiles
    - Updating the Identity Management Profile to SRX Series Devices
  - User Firewall Management-End User Profile
    - End User Profile Overview
    - About the End User Profile Page
    - Creating an End User Profile
    - Editing and Deleting End User Profile
    - End User Profile Operations
  - IPS Policy-Policies
    - Understanding IPS Policies
    - Creating IPS Policies
    - Creating IPS Policy Rules
    - Publishing Policies
    - Updating Policies on Devices
    - Assigning Devices to Policies
    - Creating and Managing Policy Versions
    - Creating Rule Name Template
    - Exporting Policies
    - Unassigning Devices to Policies
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Assigning Policies and Profiles to Domains
    - Viewing Policy and Shared Object Details
    - IPS Policies Main Page Fields
  - IPS Policy-Devices
    - Understanding IPS Policies
    - Devices with IPS Policies Main Page Fields
  - IPS Policy-Signatures
    - Understanding IPS Signatures
    - Creating IPS Signatures
    - Creating IPS Signature Static Groups
    - Creating IPS Signature Dynamic Groups
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Viewing Policy and Shared Object Details
    - IPS Policy Signatures Main Page Fields
  - IPS Policy-Templates
    - Understanding IPS Policy Templates
    - Creating IPS Policy Templates
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - IPS Policy Templates Main Page Fields
  - NAT Policy-Policies
    - NAT Overview
    - NAT Global Address Book Overview
    - Creating NAT Policies
    - Publishing Policies
    - NAT Policy Rules Main Page Field
    - Creating NAT Rules
    - Updating Policies on Devices
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Comparing Policies
    - Creating and Managing Policy Versions
    - Assigning Devices to Policies
    - Unassigning Devices to Policies
    - Creating Rule Name Template
    - Configuring NAT Rule Sets
    - NAT Policies Main Page Fields
  - NAT Policy-Devices
    - Devices with NAT Policies Main Page Fields
  - NAT Policy-Pools
    - Creating NAT Pools
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - NAT Pools Main Page Fields
  - NAT Policy-Port Sets
    - Creating Port Sets
    - Deleting and Replacing Policies and Objects
    - Editing and Cloning Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Port Sets Main Page Fields
  - UTM Policy-Policies
    - UTM Overview
    - Creating UTM Policies
    - Comparing Policies
    - Deleting and Replacing Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Showing Duplicate Policies and Objects
    - Editing and Cloning Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - UTM Policies Main Page Fields
  - UTM Policy-Web Filtering Profiles
    - Creating Web Filtering Profiles
    - Selecting a Web Filtering Solution
    - Web Filtering Profile Main Page Fields
  - UTM Policy-Category Update
    - About the Category Update Page
    - Configuring the Download URL Settings
    - Downloading and Installing URL Categories
    - Uploading and Installing URL Categories
    - Installing URL Categories on SRX Series Devices
  - UTM Policy-Antivirus Profiles
    - Creating Antivirus Profiles
    - Antivirus Profile Main Page Fields
  - UTM Policy-Antispam Profiles
    - Creating Antispam Profiles
    - Antispam Profile Main Page Fields
  - UTM Policy-Content Filtering Profiles
    - Creating Content Filtering Profiles
    - Content Filtering Profile Main Page Fields
  - UTM Policy-Global Device Profiles
    - Creating Device Profiles
    - Device Profiles Main Page Fields
  - UTM Policy-URL Patterns
    - Creating URL Patterns
  - UTM Policy-Custom URL Categories
    - Creating Custom URL Category Lists
  - Application Routing Policies
    - Understanding Application-Based Routing
    - About the Application Routing Policies Page
    - Configuring Advanced Policy-Based Routing Policy
    - About the Rules Page (Advanced Policy-Based Routing)
    - Creating Advanced Policy-Based Routing Rules
    - About the App Based Routing Page
    - Editing and Cloning Policies and Objects
    - Assigning Devices to Policies
    - Customizing Profile Names
    - Publishing Policies
    - Updating Policies on Devices
  - Threat Prevention - Policies
    - Creating Threat Prevention Policies
    - Threat Prevention Policy Overview
    - Threat Policy Analysis Overview
    - Implementing Threat Policy on VMWare NSX
  - Threat Prevention - Sky ATP Realms
    - Sky ATP Realm Overview
    - Creating Sky ATP Realms and Enrolling Devices or Associating Sites
    - Modifying Sky ATP Realm
  - Threat Prevention - Custom Feeds
    - Custom Feed Sources Overview
    - Creating Custom Feeds, Dynamic, Black and White
    - Example: Creating a Dynamic Address Custom Feed and Firewall Policy
    - Creating Custom Feeds, Infected Host
    - Creating Custom Feeds, DDoS
  - Threat Prevention - Email Management
    - Sky ATP Email Management Overview
    - Sky ATP Email Management: SMTP Settings
    - Email Management: Configure IMAP
    - Sky ATP Email Management: Whitelists and Blacklists
  - Threat Prevention - Malware Management
    - Sky ATP Malware Management Overview
    - File Inspection Profiles Overview
    - Creating File Inspection Profiles
    - Creating Whitelists and Blacklists
  - IPsec VPN-VPNs
    - IPsec VPN Overview
    - Creating IPsec VPNs
    - Understanding IPsec VPN Modes
    - Comparison of Policy-Based VPNs and Route-Based VPNs
    - Understanding IPsec VPN Routing
    - Understanding IKE Authentication
    - Publishing IPsec VPNs
    - Updating IPSec VPN
    - Modifying VPN Settings
    - Viewing Tunnels
    - Importing IPsec VPNs
    - IPsec VPN Main Page Fields
  - IPsec VPN-Extranet Devices
    - Creating Extranet Devices
    - Extranet Devices Main Page Fields
  - IPsec VPN-Profiles
    - VPN Profiles Overview
    - Creating VPN Profiles
    - Editing and Cloning Policies and Objects
    - Assigning Policies and Profiles to Domains
    - VPN Profiles Main Page Fields
  - Shared Objects-Geo IP
    - Creating Geo IP Policies
    - Geo IP Overview
    - Deleting and Replacing Policies and Objects
  - Shared Objects-Policy Enforcement Groups
    - Creating Policy Enforcement Groups
    - Policy Enforcement Groups Overview
    - Deleting and Replacing Policies and Objects
  - Shared Objects-Addresses
    - Addresses and Address Groups Overview
    - Creating Addresses and Address Groups
    - Importing and Exporting CSV Files
    - Assigning Addresses and Address Groups to Domains
    - Showing Duplicate Policies and Objects
    - Addresses Main Page Fields
  - Shared Objects-Services
    - Services and Service Groups Overview
    - Creating Services and Service Groups
    - Importing and Exporting CSV Files
    - Showing Duplicate Policies and Objects
  - Shared Objects-Variables
    - Variables Overview
    - Creating Variables
    - Editing Variables
    - Importing and Exporting CSV Files
    - Showing Duplicate Policies and Objects
  - Shared Objects-Zone Sets
    - Understanding Zone Sets
    - Creating Zone Sets
    - Editing and Cloning Policies and Objects
    - Deleting and Replacing Policies and Objects
    - Finding Usages for Policies and Objects
    - Showing and Deleting Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Zone Sets Main Page Fields
  - Shared Objects-Metadata
    - Metadata-Based Policy Enforcement Overview
    - About the Metadata Page
    - Creating a Metadata
  - Change Management-Change Requests
    - Change Control Workflow Overview
    - Creating a Firewall or NAT Policy Change Request
    - About the Changes Submitted Page
    - Approving and Updating Changes Submitted
    - Creating and Updating a Firewall Policy Using Change Control Workflow
    - Editing, Denying, and Deleting Change Requests
    - About the Changes Not Submitted Page
    - Discarding Policy Changes
    - Viewing Submitted and Unsubmitted Policy Changes
  - Change Management-Change Request History
    - About the Change Request History Page
  - Overview of Policy Enforcer and Sky ATP
    - Juniper Networks Software-Defined Secure Network Overview
    - Policy Enforcer Overview
    - Benefits of Policy Enforcer
    - Sky ATP Overview
  - Concepts and Configuration Types to Understand Before You Begin (Policy Enforcer and Sky ATP)
    - Policy Enforcer Components and Dependencies
    - Policy Enforcer Configuration Concepts
    - Sky ATP Configuration Type Overview
    - Features By Sky ATP Configuration Type
    - Available UI Pages by Sky ATP Configuration Type
    - Comparing the SDSN and non-SDSN Configuration Steps
  - Installing Policy Enforcer
    - Policy Enforcer Installation Overview
    - Deploying and Configuring the Policy Enforcer with OVA files
    - Installing Policy Enforcer with KVM
    - Policy Enforcer Ports
    - Identifying the Policy Enforcer Virtual Machine In Security Director
    - Obtaining a Sky ATP License
    - Creating a Sky ATP Cloud Web Portal Login Account
    - Loading a Root CA
    - Upgrading Your Policy Enforcer Software
  - Configuring Policy Enforcer Settings and Connectors
    - Policy Enforcer Settings
    - Policy Enforcer Connector Overview
    - Creating a Policy Enforcer Connector for Public and Private Clouds
    - Creating a Policy Enforcer Connector for Third-Party Switches
    - Editing and Deleting a Connector
      - Editing a Connector
      - Deleting a Connector
    - Viewing VPC or Projects Details
    - ClearPass Configuration for Third-Party Plug-in
    - Cisco ISE Configuration for Third-Party Plug-in
  - Guided Setup-Sky ATP with SDSN
    - Using Guided Setup for Sky ATP with SDSN
  - Guided Setup-Sky ATP
    - Using Guided Setup for Sky ATP
  - Guided Setup for No Sky ATP (No Selection)
    - Using Guided Setup for No Sky ATP (No Selection)
  - Manual Configuration-Sky ATP with SDSN
    - Configuring Sky ATP with SDSN (Without Guided Setup) Overview
    - Creating Sky ATP Realms and Enrolling Devices or Associating Sites
    - Secure Fabric Overview
    - Creating Secure Fabric and Sites
    - Editing or Deleting a Secure Fabric
    - Policy Enforcement Groups Overview
    - Creating Policy Enforcement Groups
    - Threat Prevention Policy Overview
    - Creating Threat Prevention Policies
    - Threat Policy Analysis Overview
    - Geo IP Overview
    - Creating Geo IP Policies
  - Manual Configuration-Sky ATP
    - Configuring Sky ATP (No SDSN and No Guided Setup) Overview
    - Sky ATP Realm Overview
    - Creating Sky ATP Realms and Enrolling Devices or Associating Sites
    - Threat Prevention Policy Overview
    - Creating Threat Prevention Policies
  - Configuring Cloud Feeds Only
    - Configuring Cloud Feeds Only
  - Configuring No Sky ATP (No Selection) (without Guided Setup)
    - Secure Fabric Overview
    - Creating Secure Fabric and Sites
    - Creating Policy Enforcement Groups
    - Creating Custom Feeds, Dynamic, Black and White
    - Creating Custom Feeds, Infected Host
    - Threat Prevention Policy Overview
    - Creating Threat Prevention Policies
  - Migration Instructions for Spotlight Secure Customers
    - Moving From Spotlight Secure to Policy Enforcer
- Reports
  - Reports
- Administration
  - My Profile
    - Modifying Your User Profile in Security Director
  - Users and Roles-Users
    - Overview of Users in Security Director
    - Creating Users in Security Director
    - Editing and Deleting Users in Security Director
      - Editing Users
      - Deleting Users
    - Viewing and Terminating Active User Sessions in Security Director
      - Viewing Active User Sessions
      - Terminating Active User Sessions
    - Viewing the User Details in Security Director
    - Clearing Local Passwords for Users in Security Director
    - Disabling and Enabling Users in Security Director
      - Disabling Users
      - Enabling Users
    - Unlocking Users in Security Director
    - Users Main Page Fields
  - Users and Roles-Roles
    - Domain RBAC Overview
    - Creating Customized Roles in Security Director
    - Understanding Roles in Security Director
    - Editing, Cloning, and Deleting Roles in Security Director
    - Viewing the Details of a Role in Security Director
    - Importing and Exporting Roles in Security Director
      - Importing Roles
      - Exporting Roles
    - Roles Main Page Fields
  - Users and Roles-Domains
    - Overview of Domains in Security Director
    - Creating Domains in Security Director
    - Editing and Deleting Domains in Security Director
    - Exporting Domains in Security Director
    - Viewing Users, Devices, and Remote Profiles Assigned to a Domain in Security Director
    - Assigning Devices to Domains in Security Director
    - Assigning and Unassigning Remote Profiles to Domains in Security Director
      - Assigning Remote Profiles to Domains
      - Unassigning Remote Profiles from Domains
    - Assigning and Unassigning Users to Domains in Security Director
      - Assigning Users to Domains
      - Unassigning Users from Domains
    - Domains Main Page Fields
  - Users and Roles-Remote Profiles
  - Logging Management
    - Logging and Reporting Overview
  - Logging Management-Logging Nodes
  - Logging Management-Statistics & Troubleshooting
    - Using the Log Statistics and Troubleshooting
  - Logging Management-Logging Devices
    - Logging Devices Main Page Fields
    - Creating Security Logs
  - Monitor Settings
    - About the Monitor Settings Page
    - Monitor Settings Overview
  - Signature Database
  - Migrating Content from NSM to Security Director
    - NSM Migration

Deploying the vSRX as an Advanced Security Service in a VMware NSX Environment

Use the following procedures to deploy the vSRX as an advanced security service virtual machine (VM) in the VMware NSX environment. The vSRX VM is deployed in conjunction with Juniper Networks Junos Space Security Director and VMware NSX Manager. In each procedure you are instructed whether to perform the steps in the NSX Manager (from the VMware vCenter Server) or in the vSphere cluster. For example, you create the security group using the NSX Manager, but the discovery of devices happens in the vSphere cluster.

The deployment steps are performed in the following sequence :

Creating a Security Group (VMware vCenter Server)

You create a security group by using the NSX Manager from the VMware vCenter Server. Each security group is a logical collection of objects from your vSphere inventory. These objects include VMs that you want to be members in the same security group and to which you will apply the vSRX as a Juniper security service. You can apply an advanced security service policy to all the objects contained in a security group.

Procedure

To create a security group from the VMware vCenter Server:

Log in to the vSphere Web Client through the VMware vCenter Server.
From the vSphere Web Client, click Hosts and Clusters to view hosts and clusters in the vSphere Web Client inventory. From the Summary tab, you can verify the vSphere cluster and the VMs associated as part of this cluster. All VMs are part of the VXLAN network and can communicate over this VLAN.
From the vSphere Web Client, click Networking & Security and then click Service Composer. The Service Composer appears. From the Service Composer, click the Security Groups tab.
Click the Add Security Group icon to create a new security group that contains the specific VMs you want as members of the same group, as shown in Figure 35.
Figure 35: Create a New Security Group Page
Type a name and description for the security group and then click Next.
On the Define dynamic membership page, define the criteria that an object must meet for it to be added to the security group you are creating. You can define a dynamic group membership criteria for the VMs that are to be part of each security group. For example, VM membership in a security group can be tagged by name. You define the exact membership criteria that you want to use to group VMs. Group membership is associated dynamically at runtime.
Click Next.
On the Select objects to include page, select the tab for the resources you want to include in this security group. Click Next.
On the Select objects to exclude page, select the tab for the resources you want to exclude from this security group. Click Next.
Click Finish to complete creating the security group.

Discovering the NSX Manager and Registering vSRX as a Security Service in vSphere cluster

You use the Junos Space vSphere cluster to discover the NSX Manager and perform service registration of the vSRX VM with the NSX Manager. The NSX Manager is added as a device in the Security Director, and its inventory is synchronized with the Security Director.

Note: Ensure that SNMP is disabled in the Security Director while performing device discovery for the vSRX agent VM. If SNMP is enabled in Security Director, the vSRX agent VM discovery operation fails.

Procedure

To discover the NSX Manager from the Security Director:

Select Security Director > Devices > NSX Managers.
The NSX Managers page appears.
Click the Add icon (+) to add the NSX Manager to the Security Director.
The Add NSX Manager page appears, as shown in Figure 36.
Figure 36: Add NSX Manager Page
In the NSX Manager section, enter the following information:
- Name—Enter the name of the NSX Manager.
- Host—Enter the IP address of the NSX Manager.
- Port—Enter the port number of the NSX Manager. The NSX Manager and Security Director use SSL to communicate on TCP port 443.
- Username, Password—Enter the username and password of the NSX Manager that are required for communication to be authenticated by the Security Director.
- Description—Enter a description for the NSX Manager you are to add to the Security Director.
- SSL Certificate—View the SSL certificate to authenticate the NSX Manager and select the Accept SSL Certificate option to accept the SSL certificate.
  This is a mandatory field to discover the NSX Manager. The SSL Certificate field appears once you enter the NSX details.
Click Next.
In the Service Manager Registration section, enter the following details about the Security Director:
- SD Username, SD Password—Enter the username and password of Security Director to allow the NSX Manager to authenticate communication to the Security Director.
- License Key—Enter the license key for the previously procured Juniper SDSN for NSX license (see Juniper SDSN for VMware NSX Licensing for background details).
Click Next.
In the vCenter Server section, provide the following details about the vCenter Server:
- Host—Enter the IP address of the VMWare vCenter Server.
- Port—Enter the port number of the VMWare vCenter Server. By default, 443 is used.
- Username, Password—Enter the username and password of the VMware vCenter Server. Security Director uses these credentials to discover the vCenter Server and fetch the VM inventory details.
- SSL Certificate—View the SSL certificate to authenticate the vCenter Server and select the Accept SSL Certificate option to accept the SSL certificate. To discover the vCenter Server, it is mandatory to accept the certificate.
Click Finish.
The Summary page of configuration changes appears. Click OK to add the NSX Manager. When you return to the NSX Managers page, you will see the discovered NSX Manager listed, as shown in Figure 37.
Figure 37: NSX Managers Page

After adding the NSX Manager, you must register the vSRX VM as a Juniper security service with the NSX Manager.

Procedure

To register the vSRX instance as a Juniper security service:

Select the NSX Manager for which service needs to be registered, right-click or from the More list, select Register Security Service.
The Register Security Service page appears, as shown in Figure 38.
Figure 38: Register Security Service Page
In the Service Name field, enter the name of the Juniper security service.
From the vSRX OVF URL list, select the available vSRX OVF image that you copied to the Policy Enforcer machine.
In the vSRX Root Password field, enter the root password of the vSRX instance. The same root password will be set for all the vSRX instances deployed in NSX.
In the Description field, enter a description.
Click Register.
A confirmation message indicates whether the registration is successful or not.

The vSRX instance registered as a new service in the vSphere Web Client environment. The vSRX is added as a network service that can be deployed by the NSX Manager.

In the vSphere Web Client, verify the following:

Click Networking & Security and then click Service Definitions. Click the Services tab and verify that <service-name> v1.0 is listed in the table (the newly registered vSRX VM) along with the Security Director as the Service Manager, as shown in Figure 39.
Figure 39: Service Definitions Page
Click the Service Managers tab and verify that the Security Director is listed with a status of In Service, as shown in Figure 40.
Figure 40: vSphere Web Client Service Manager Page

The NSX Manager and its inventory are now synchronized with the Security Director. All shared objects (such as security groups) are synchronized between the NSX Manager and Security Director. The shared objects include the IP addresses of all VMs in ESXi hosts, including the vSRX agent VMs. Security Director creates a dynamic address group(DAG) for each security group synchronized from the NSX Manager, along with the addresses of each member of the security group.

After you register a Juniper security service in the NSX Manager, the NSX Manager uses the vSRX agent VM to communicate the service status. The NSX Manager transmits messages to the Security Director when any changes or activities are happening in the NSX Manager that are related to the Juniper security service.

Deploying vSRX as a Security Service on a vSphere Cluster (VMware vCenter Server)

The next step is to deploy the Juniper security service on a vSphere cluster. You perform this action as a new service deployment, selecting the Juniper security service and the specific vSphere cluster on which you want the vSRX agent VM deployed.

Before you deploy the vSRX agent VM as a security service on the vSphere cluster, you must create a static IP pool with a primary DNS for the vSRX. To create the static IP pool:

Procedure

Create a static IP pool with a primary DNS for the vSRX. This is a mandatory step before you deploy the vSRX agent VM.

From the vSphere Web Client, select Networking & Security and then NSX Managers.
In the Navigator column, select the name of the NSX Manager and click Manage > Grouping Objects > IP Pools.
Click the Add icon (+) to add the static IP pool.
The Add Static IP Pool page appears, as shown in Figure 41.
Figure 41: Add Static IP Pool Page
In the Name field, provide a name for the IP pool.
In the Gateway field, provide a default gateway IP address.
In the Prefix Length field, provide a prefix length of the DNS.
Provide the primary and secondary DNS and the DNS suffix . This is a mandatory field.
In the Static IP Pool field, provide the IP address ranges to be included in the pool.
Click OK.
A new IP pool is created for the vSRX to be deployed.

Procedure

To deploy the vSRX agent VM as a security service for a vSphere cluster:

From the vSphere Web Client, click Networking & Security and then click Installation.
The Installation page appears.
Click the Service Deployments tab and then click the New Service Deployment (+) icon. The Deploy Network & Security Services page appears, as shown in Figure 42.
Figure 42: Deploy Network and Security Services Page
From the Select services & schedule page, select <service-name> v1.0 as the service to deploy and then click Next.
From the Select clusters page, select the data center and one or more clusters on which the vSRX agent VM is to be deployed, and then click Next.
From the Select storage and Management Network page:
- Select the datastore on which to allocate shared storage for the vSRX agent VM, as shown in Figure 43. ESXi hosts should be configured so that they can access shared storage. If you select Specified on-host, ensure that the datastore for the ESXi host is specified in the Agent VM Settings of the ESXi host in the cluster. See the VMware documentation for details.
  Figure 43: Select Storage and Management Network Page
- Select the network that you intend to use for traffic to the vSRX agent VM. If you select Specified on-host, ensure that the network to be used is specified in the Agent VM Settings > Network property of the ESXi host in the cluster. See the VMware documentation for details.
Note: The datastore and network must be configured for each ESXi host in the cluster.
For IP assignment, you can choose an IP pool to assign a range of IP addresses from a selected static IP pool or create a new static IP pool.
Click Next to access the Ready to complete page, and then click Finish to publish the changes and deploy the vSRX agent VM security services to the specified cluster. From the Service Deployments tab, you will see that the Juniper security service has been successfully deployed on the selected vSphere cluster.
From the vSphere Web Client, click Hosts and Clusters and verify that vSRX agent VMs are listed as service-name v1.0 in the vSphere Web Client inventory and created for each ESXi host in the vSphere cluster.
Note: service-name is the name provided at the time of service registration.
The Security Director automatically discovers all the deployed vSRX VM agents by using the device-initiated discovery. A new firewall and IPS group policies are created and all devices are assigned to these group policies.
Note: The Security Director creates predefined IPS policies with a single IPS template. You can either add more IPS templates or convert the predefined IPS policies to custom IPS policies.

When you add an ESXi host in the vSphere cluster, NSX Manager automatically detects that the new ESXi host and adds the Juniper security service vSRX agent VM for it.

Verifying vSRX Agent VM Deployment in Security Director

In the Security Director, based on the NSX Manager discovery, NSX security groups are automatically synchronized with Security Director. For each service group in NSX Manager, Security Director creates a corresponding dynamic address group.

Procedure

To verify that the vSRX agent VMs have been properly deployed:

Select Security Director > Devices > NSX Managers.
The NSX Managers page appears with the discovered NSX Manager and the vSRX instance registered as a new service in the vSphere Web Client environment.
Select Security Director > Monitor > NSX Inventory > Security Groups.
The Security Groups page appears listing all the security groups obtained from NSX and the corresponding dynamic address groups created by the Security Director, as shown in Figure 44.
Figure 44: Security Groups Page
Select Security Director > Monitor > vCenter Server Inventory > Virtual Machines.
The Virtual Machines page appears, listing the VMs that are dynamically fetched by the associated vCenter, as shown in Figure 45. You can view the security groups associated with each VM. Also, you can view security groups associated with each VM.
Figure 45: Virtual Machines Page

Automatic Creation of Security Policy in the NSX Environment to Direct Traffic Through the vSRX Agent VMs (VMware vCenter Server)

After you deploy vSRX agent VM security services to the ESXi hosts in a vSphere cluster, security policies are automatically created to redirect any network traffic originating from the VMs in a specific security group to the Juniper security service vSRX agent VM residing in the ESXi host for further analysis.

Procedure

To direct the traffic to the vSRX agent VMs in each ESXi host by using the automatically created security policies:

In the Security Director, install the IPS signature to all the vSRX VM agents.
On the Firewall and IPS Policies page, add new rules to the automatically created firewall or IPS policies with respective dynamic address groups, as shown in Figure 46. You can also use the application firewalls in the firewall rules.
Figure 46: Firewall Policy Rules Page
After creating policy rules, publish and update the firewall and IPS policies.
After the firewall and IPS policies are successfully updated in the Security Director, log in to the vSphere Web Client to verify the security policies in NSX Manager.
Select Network & Security > NSX Managers, and the Navigator column, select the NSX Manager name. The security policies are automatically created in NSX Manager by Security Director, as shown Figure 47.
Figure 47: NSX Security Groups Page
From the vSphere Web Client, select Networking & Security and then select Firewall.
The Firewall page appears.
In the right pane, select the Partner Security Services tab to view the complete list of automatically created security policies from the Security Director, as shown in Figure 48.
Figure 48: Firewall Page
The corresponding traffic now goes through the vSRX VM agent.

When you return to Security Director > Devices > Security Devices, you can view the active configuration for the vSRX agent VMs, as shown in Figure 49.

Figure 49: Security Devices Page

The NSX Manager is aware of the security groups that the Juniper security service monitors. If any changes occur in the security group, the NSX Manager notifies the Security Director about those changes. If membership changes, the NSX Manager notifies the Security Director of the changes and the Security Director updates its database based on the new membership.

Deploying the vSRX as an Advanced Security Service in a VMware NSX Environment

Creating a Security Group (VMware vCenter Server)

Procedure

Discovering the NSX Manager and Registering vSRX as a Security Service in vSphere cluster

Procedure

Procedure

Deploying vSRX as a Security Service on a vSphere Cluster (VMware vCenter Server)

Procedure

Procedure

Verifying vSRX Agent VM Deployment in Security Director

Procedure

Automatic Creation of Security Policy in the NSX Environment to Direct Traffic Through the vSRX Agent VMs (VMware vCenter Server)

Procedure

Related Documentation

Help us to improve. Rate this article.