Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Creating Secure Fabric and Sites


To access this page, click Devices>Secure Fabric.

You create sites within your secure fabric from the secure fabric page.

  • Plan out your sites in advance. A site is a grouping of network devices, including firewalls and switches, that contribute to threat prevention.

  • Keep in mind that when you create a site, you must identify the perimeter firewalls so you can enroll them with Sky ATP.

  • If you want to enforce an infected host policy within the network, you must assign a switch to the site.

  • Devices cannot belong to multiple sites.

  • Switches and connectors cannot be added to the same site

To create a site within your secure fabric:

  1. Select Devices>Secure Fabric.
  2. Click the + icon.
  3. Complete the configuration by using the guidelines in Table 1 below.
  4. Click OK.
  5. Create a new site and assign or reassign devices to a site by following the guidelines inTable 2 below.

Table 1: Fields on the Create Site Page




Enter a unique string that must begin with an alphanumeric character and can include underscores; no spaces allowed; 63-character maximum.


Enter a description; maximum length is 1024 characters. You should make this description as useful as possible for all administrators.

Table 2: Fields on the Sites Main Page




The user-created name of the site.

Enforcement Points/IP addresses

Click the Add Enforcement Points link to add Firewalls, Switches, and/or Connectors.

All device types are displayed in the list. To filter by type, click the three vertical dots beside the search field and select the check box for the device type.

To include a device, select the check box beside the device in the Unassigned Devices list and click the > icon to move them to the Selected list. The devices in the Selected list will be included in the site.

There is a one-to-one mapping between devices and connectors with sites. If a device or a connector is mapped to a site, you cannot use the same device or a connector to map to a different site.

Indicate whether a device is a firewall or a switch by selecting the check box. Only perimeter SRX Series devices can be enrolled with Sky ATP, therefore the system must know which devices those are.

Note: Firewall devices are automatically enrolled with Sky ATP as part of this step. No manual enrollment is required. The only exception is “no selection” mode where Sky ATP is not available and therefore no enrollment takes place. (see Sky ATP Configuration Type Overview)

The name of the connector type is shown as a tool tip when you hover over the name.


  • When a connector instance is assigned to a site, that particular connector instance will not be listed as available enforcement point for other sites.

  • If you want to enforce an infected host policy within the network, you must assign a switch to the site.

  • Assigning a device to the site will cause a change in the device configuration.


If you add certain SRX Series Devices to your Secure Fabric as enforcement points, you may see a warning that the device(s) must be reconfigured in enhanced mode and require a reboot. Here is a list of SRX models that may require rebooting for enhanced mode after being registered with Policy Enforcer/Sky ATP.

  • SRX340

  • SRX345

  • SRX650

  • SRX240h2

  • SRX320

  • SRX300

  • SRX550