Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Troubleshooting Common Policy Enforcer Problems


This topic lists some common problem areas you may encounter and how to remedy them.

Troubleshooting Policy Enforcer Installation

Most common Policy Enforcer installation problems occur around creating and deploying the OVA file. If you are not familiar with virtual machines or OVA files, please see VMware Documentation and select the appropriate VMware vSphere version.

Other areas to look for include:

  • Configuring the virtual machine with the correct network configuration. These values vary according to your installation. When configuring the virtual machine network, you will need to know the following:

    • Virtual machine hostname, IP address and network mask.

    • Default gateway that connects your internal network to external networks.

    • Primary and secondary DNS servers.

    • (optional) NTP servers.

  • Virtual machine IP address and ssh root credentials. When configuring the virtual machine, you must identify and record the IP address and the ssh root password. In order for Security Director to communicate with your Policy Enforcer virtual machine, you must enter these values into the PE Settings page (Administration > PE Settings) of Security Director.

    If you forget the virtual machine IP address, log into the virtual machine again. The setup script automatically runs each time you log in so that you can review your settings.

    If you forget the root password, there is no way to retrieve it. You must instead reset your password. Be sure to enter your new password into the PE settings page in Security Director. To reset your password, see CentOS root password reset instructions.

Troubleshooting Sky ATP Realms and Enrolling Devices

Sky ATP has two service levels: free and premium. The free model solution performs basic malware detection while the premium model solution offers more protection. For more information on Sky ATP license types and the features for each type, see Sky Advanced Threat Prevention Licenses.

Some common problems areas with Sky ATP are:

  • Trying to enroll devices that are not supported by Sky ATP. See the Sky ATP Supported Platforms Guide   for more information on supported devices.

  • The Sky ATP file limit has been reached. Sky ATP has a maximum number of files per day that you can submit to the cloud for inspection. When an SRX Series device has reached its maximum number of files, it goes into a paused state and cannot submit files for inspection. The device automatically changes to the allowed state when it once again is below the maximum limit. See Sky ATP File LImits for more information on the maximum number of files per day per device type.

  • The vSRX instance fails to enroll. Check to make sure the proper Sky ATP license is installed. See Managing the Sky ATP License for more information on license management with vSRX deployments.

Troubleshooting Threat Policies and Policy Enforcement Groups

This section lists some common issues found with threat policies and policy enforcement groups.

  • You create a threat policy but don’t see the appropriate profiles to choose.

    Select Administration > PE Settings and make sure the correct mode has been selected. You can only change the mode in the follow order: Cloud Feed Only to SKY ATP to SKY ATP with PE.

  • Assigning a threat policy to a policy enforcement group in the Sky ATP with PE mode.

    Threat policies are enforced and pushed to devices that support the given profile. If a device is not supported by a profile, it will be listed in the analysis results and in the Junos Space job details.

  • You create a policy enforcement group with an IP address subnet but no IP addresses are listed in the GUI.

    Make sure that a switch is assigned to the site and that the L3 interfaces are configured on the aggregate switch.

HTTPS-Based Malware Not Detected

If your HTTPS-based malware is not detected by Sky ATP, the root certificate on your SRX Series device (for HTTPS forward proxy) may be invalid. This may occur when the CA profile name is not correct. It must be named policyEnforcer.

For example:

root@host# set security pki policyEnforcer ssl-inspect-ca ca-identity ssl-inspect-ca

root@host# set security pki policyEnforcer ssl-ca ca-identity ssl-ca

For more information on loading root certificates with Policy Enforcer, see Loading a Root CA.