Policy Enforcer Settings
To access this page, in the Security Director UI, navigate to Administration > Policy Enforcer > Settings.
Before You Begin
Policy Enforcer Release version and Security Director Release version must be compatible. The Settings page shows the current release version of Policy Enforcer. If there is an incompatibility, an error message is shown that there is a mismatch between Security Director and Policy Enforcer release versions. To know more about the supported software versions, see Policy Enforcer Release Notes.
You cannot proceed further if the Policy Enforcer and Security Director Release versions are incompatible.
A valid Policy Enforce VM password is required to have a fully functional Policy Enforcer. If the password is valid, a message is shown at the top of the Settings page that the Policy Enforcer Space user (pe_user) password is currently valid and the date by when the password expires. The pe_user has the same capabilities as the super user.
If the password is invalid, an error message is shown at the top of the Settings page. To fix this issue, login to the Policy Enforcer VM, change the root password, and then enter a new value in the Settings page.
Policy Enforcer with Security Director can be used in four different configuration types. For each configuration type, certain features are available. Read the following topic: Sky ATP Configuration Type Overview before you make a Sky ATP Configuration Type selection on the Policy Enforcer Settings page.
If you are using Sky ATP without SDSN or Cloud Feeds only, you must still download Policy Enforcer and create a policy enforcer virtual machine.
Sky ATP license and account are needed for all configuration types (Sky ATP with SDSN, Sky ATP, and Cloud Feeds only). If you do not have a Sky ATP license, contact your local sales office or Juniper Networks partner to place an order for a Sky ATP premium license. If you do not have a Sky ATP account, when you configure Sky ATP, you are redirected to the Sky ATP server to create one. Please obtain a license before you try to create a Sky ATP account. Refer to Policy Enforcer Installation Overview for instructions on obtaining a Sky ATP premium license.
To set up a Sky ATP Configuration Type, you must do the following:
- Enter the IP address for the policy enforcer virtual machine. (This is the IP address you configured during the PE VM installation. You can locate this IP address in the vSphere Center portal.)
- Enter the password for the policy enforcer virtual machine.
(This is the same password you use to login to the VM with your root
credentials. Note that the username defaults to root )
Refer to Deploying and Configuring the Policy Enforcer with OVA files for instructions on downloading Policy Enforcer and creating your policy enforcer virtual machine.
- Select a Sky ATP Configuration Type. If you do not select
a type, Policy Enforcer works in default mode. (SeeSky ATP Configuration Type Overview for more information.)
Sky ATP with SDSN—All Policy Enforcer features and threat prevention types are available.
If you upgrade from cloud feeds or Sky ATP, you cannot roll back again. Upgrading resets all devices previously participating in threat prevention. Use guided setup to expedite the process configuring threat prevention policies.
See the following topics to configure Sky ATP with SDSN:
Sky ATP—All threat prevention types are available: Command and control server, Geo IP, and Infected hosts.
If you upgrade from cloud feeds only to Sky ATP, you cannot roll back again. Upgrading resets all devices previously participating in threat prevention, and you must re-enroll them with Sky ATP. Use the setup wizard to expedite the process configuring threat prevention policies.
See the following topics to configure Sky ATP:
Cloud feeds only—Command and control server, infected hosts, and Geo IP are the threat prevention types available.
See the following topic to configure Cloud feeds only:
No Selection—Custom feeds only. Infected hosts is the prevention type available.
See the following topic to configure “no selection”:
- Polling timers affect how often the system polls to discover
endpoints. There are two polling timers, one that polls network wide
and one that polls site wide. They each have default settings, but
you can change those defaults to poll more or less often.
Network wide polling interval (value in hours): The default is 24 hours. You can set this range from between 1 to 48 hours. This timer polls all endpoints added to the secure fabric.
Site wide polling interval (value in minutes): The default is 5 minutes. You can set this range from 1 minute to 60 minutes. This timer polls infected endpoints moving within the sites that are a part of Secure fabric.
- Click the Download button to view or save Policy Enforcer data logs to your local system. These logs are in a compressed file format.