Help Center User GuideGetting StartedFAQRelease Notes
 
X
User Guide
Getting Started
FAQ
Release Notes
Contents  

Adding Enforcement Points

Use the Add Enforcement Points page to assign devices to a site and indicate which devices are perimeter firewalls. To enroll a device with Sky ATP, you must assign one or more perimeter firewalls to each site.

Note 

  • When a connector instance is assigned to a site, that particular connector instance will not be listed as available enforcement point for other sites.

  • If you want to enforce an infected host policy within the network, you must assign a switch to the site.

  • Assigning a device to the site will cause a change in the device configuration.

Procedure

To add firewalls, switches, or connectors as an enforcement point:

  1. Select Devices>Secure Fabric.

    The Secure Fabric page appears.

  2. Select the required site for which you want to add enforcement points, and click Add Enforcement Points.

    The Add Enforcement Points page appears.

  3. Complete the configuration as shown in Table 132.
  4. Click OK.

Table 132: Fields on the Add Enforcement Points Page

Field

Description

Enforcement points

All device types are displayed in the list. To filter by type, click the three vertical dots beside the search field and select the check box for the device type.

To include a device, select the check box beside the device in the Unassigned Devices list and click the > icon to move them to the Selected list. The devices in the Selected list will be included in the site.

There is a one-to-one mapping between devices and connectors with sites. If a device or a connector is mapped to a site, you cannot use the same device or a connector to map to a different site.

Note: Firewall devices are automatically enrolled with Sky ATP as part of this step. No manual enrollment is required. The only exception is “no selection” mode where Sky ATP is not available and therefore no enrollment takes place. (see Sky ATP Configuration Type Overview)

The name of the connector type is shown as a tool tip when you hover over the name.

Perimeter Firewall

Select the edge firewall devices connecting the network to the internet. These devices will receive the threat feeds. Only firewall devices (SRX and vSRX) that you choose in the Enforcement Points field appear in the Perimeter Firewall field.

Among the listed firewall devices, you can choose which firewall device to consider as a perimeter firewall. Only the perimeter devices are enrolled to Sky ATP. If you do not choose any firewall device as a perimeter firewall, all firewall devices listed in this field are enrolled to Sky ATP as perimeter firewalls by default.

You can delete devices manually from the field. However, all the firewall devices are still available in the list to include later. To remove firewall devices permanently from list, you must move the firewall devices from the Selected column to the Available column in the Enforcement points field.

In any Sky ATP configuration types, if there is a firewall device assigned to a site, it is mandatory to assign one of those devices as a perimeter firewall. If there are no firewall devices assigned to a site, the perimeter firewall list will be empty.

When you enroll a connector instance to Policy Enforcer, the connector instance provides few vSRX Series devices. These vSRX devices are discovered by Policy Enforcer in Junos Space. Hover over the connector instances appearing in the Secure Fabric page to view the details of the corresponding vSRX devices. The vSRX Series devices associated with a connector are not shown in the Perimeter Firewall field. However, they are considered as perimeter firewalls.

Note: If a branch SRX Series device is added and selected as a perimeter firewall, system reboots and a warning message is shown before rebooting the system.

Related Documentation

Help us to improve. Rate this article.
Feedback Received. Thank You!

Ask questions in TechWiki

Check documentation in TechLibrary

Rating by you:      
X

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:
Email:

Need product assistance? Contact Juniper Support

Submit