Product Compatibility
This section describes the supported hardware and software versions for Policy Enforcer. For Security Director requirements, please see the Security Director 18.1R1 release notes.
Supported Security Director Software Versions
Policy Enforcer is supported only on specific Security Director software versions as shown in Table 1.
Table 1: Supported Security Director Software Versions
Policy Enforcer Software Version | Compatible with Security Director Software Version | Junos OS Release (Sky ATP Supported Devices) |
---|---|---|
16.1R1 | 16.1R1 | Junos 15.1X49-D60 and later |
16.2R1 | 16.1R1, 16.2R2 | Junos 15.1X49-D80 and later |
17.1R1 | 17.1R1 | Junos 15.1X49-D80 and later |
17.1R2 | 17.1R2 | Junos 15.1X49-D80 and later |
17.2R1 | 17.2R1 | Junos 15.1X49-D110 and later |
17.2R2 | 17.2R2 | Junos 15.1X49-D110 or Junos 17.3R1 and later |
18.1R1 | 18.1R1 | Junos 15.1X49-D110 or Junos 17.3R1 and later |
18.1R2 | 18.1R2 | Junos 15.1X49-D110 or Junos 17.3R1 and later |
Supported Devices
Table 2 lists the SRX Series devices that support Sky ATP and the threat feeds these devices support.
Note: Table 2 lists the general Junos OS release support for each platform. However, each Policy Enforcer software version has specific requirements that take precedence. See Table 1 for more information.
Table 2: Supported SRX Series Devices and Feed Types
Platform | Model | Junos OS Release | Supported Threat Feeds |
---|---|---|---|
vSRX | 2 vCPUs, 4 GB RAM | Junos 15.1X49-D60 and later | C&C, antimalware, infected hosts, GeoIP |
SRX Series | SRX300, SRX320 | Junos 15.1X49-D90 and later | C&C, GeoIP |
SRX Series | SRX340, SRX345, SRX550m | Junos 15.1X49-D60 and later | C&C, antimalware, infected hosts, GeoIP |
SRX Series | SRX1500 | Junos 15.1X49-D60 and later | C&C, antimalware, infected hosts, GeoIP |
SRX Series | SRX5400, SRX5600, SRX5800 | Junos 15.1X49-D62 and later | C&C, antimalware, infected hosts, GeoIP |
SRX Series | SRX4100, SRX4200 | Junos 15.1X49-D65 and later | C&C, antimalware, infected hosts, GeoIP |
SRX Series | SRX4600 | Junos 18.1R1 and later | C&C, antimalware, infected hosts, GeoIP |
SRX Series | SRX3400, SRX3600 | Junos 12.1X46-D25 and later | C&C, GeoIP |
SRX Series | SRX1400 | Junos 12.1X46-D25 and later | C&C, GeoIP |
SRX Series | SRX550 | Junos 12.1X46-D25 and later | C&C, GeoIP |
SRX Series | SRX650 | Junos 12.1X46-D25 and later | C&C, GeoIP |
Note: The SMTP e-mail attachment scan feature is supported only on the SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices running Junos OS Release 15.1X49-D80 and later. vSRX does not support the SMTP e-mail attachment scan feature. In Policy Enforcer Release 18.1R2, Policy Enforcer supports SRX Series devices running Junos OS Release 17.3R1 and later.
Table 3 lists the supported EX Series and QFX Series switches.
Table 3: Supported EX Series Ethernet Switches and QFX Series Switches
Platform | Model | Junos OS Release | Supported Policy Enforcer Modes |
---|---|---|---|
EX Series | EX4200, EX2200, EX3200, EX3300, EX4300 | Junos 15.1R6 and later | Sky ATP |
EX Series | EX9200 | Junos 15.1R6 and later | Sky ATP |
EX Series | EX3400, EX2300 | Junos 15.1R6 and later; Junos 15.1X53-D57 and later | Sky ATP |
QFX Series | QFX5100, QFX5200, vQFX | Junos 15.1R6 and later; Junos 15.1X53-D60.4 | Sky ATP |
Table 4 lists the supported MX Series routers that support the DDoS feed type.
Table 4: Supported MX Routers and Feed Types
Platform | Model | Junos OS Release | Supported Threat Feeds |
---|---|---|---|
MX Series | MX240, MX480, MX960, vMX | Junos 14.2R1 and later; Junos 16.2R2.8 | DDoS |
Table 5 shows the supported SDN and cloud platforms.
Table 5: Supported SDN and Cloud Platforms
Component | Specification |
---|---|
VMware NSX for vSphere | 6.3.1 and later. Note: For sites that are running vSphere 6.5, vSphere 6.5a is the minimum supported version with NSX for vSphere 6.3.0. |
VMware NSX Manager | 6.3.1 and later |
Third-Party Wired and Wireless Access Network
The following table lists the third-party support and required server.
Switch/Server | Notes |
---|---|
Third-party switch | Any switch model that adheres to RADIUS IETF attributes and supports RADIUS Change of Authorization from ClearPass is supported by Policy Enforcer for threat remediation. |
ClearPass RADIUS server | Must be running software version 6.6.0. |
Cisco ISE | Must be running software version 2.1 or 2.2. |
Forescout CounterACT | Must be running software version 7.0.0. Note: To obtain an evaluation copy of CounterACT for use with Policy Enforcer, click here. |
If you use a Juniper Networks EX4300 Ethernet switch to integrate with the third-party switches, the EX4300 must be running Junos OS Release 15.1R6 or later.
Juniper Networks Contrail and AWS Specifications
Table 6 shows the required components for Juniper Networks Contrail.
Table 6: Juniper Networks Contrail Components
Model | Software Version | Supported Policy Enforcer Mode |
---|---|---|
Juniper Networks Contrail | 5.0 | Microsegmentation and threat remediation with vSRX |
vSRX | Junos OS 15.1X49-D120 and later | Microsegmentation and threat remediation with vSRX |
Table 7 shows the required Policy Enforcer components for AWS.
Table 7: AWS Support Components
Model | Software Version | Supported Policy Enforcer Mode |
---|---|---|
vSRX | Junos OS 15.1X49-D100.6 and later | vSRX policy based on workload discovery |
Virtual Machine
Policy Enforcer is delivered as an OVA or a KVM package to be deployed inside your VMware ESX or QEMU/KVM network with the following configuration:
1 CPU
8-GB RAM
120-GB disk space
Table 8: Supported Virtual Machine Versions
Virtual Machine | Version |
---|---|
VMware | VMware ESX server version 4.0 or later or a VMware ESXi server version 4.0 or later |
QEMU/KVM | CentOS Release 6.8 or later |
Supported Browser Versions
Security Director and Policy Enforcer are best viewed on the following browsers.
Table 9: Supported Browser Versions
Browser | Version |
---|---|
Google Chrome | 54.x |
Internet Explorer | 11 on Windows 7 |
Firefox | 46 and later |
Upgrade Support
Upgrading Policy Enforcer follows the same rules as upgrading Security Director. You can upgrade only from the previously released version. This includes the minor releases. For example, you can upgrade to Policy Enforcer Release 18.1R2 only from Policy Enforcer Release 18.1R1. However, you can upgrade to Policy Enforcer 18.1R1 by any of the following paths: 17.2R1 -> 18.1R1, 17.2R2 -> 18.1R1, or 17.2R1 -> 17.2R2 -> 18.1R1.
Note: Ensure that Internet connectivity is available for Policy Enforcer. Without Internet connectivity, you cannot upgrade Policy Enforcer successfully.
For more information about the Security Director upgrade path, see Upgrading Security Director.