Help Center User GuideGetting StartedFAQRelease Notes
User Guide
Getting Started
Release Notes

Policy Enforcer Components and Dependencies

The Policy Enforcer management interface is a component of Junos Space Security Director and requires the following to be configured and deployed:

Figure 78 illustrates how the components in the Policy Enforcer Deployment Model interact.

Figure 78: Components of the Policy Enforcer Deployment Model

Components of the Policy Enforcer
Deployment Model

Figure 79 shows an example infected endpoint scenario to illustrate how some of the components work together.

Figure 79: Blocking an Infected Endpoint

Blocking an Infected Endpoint




A user downloads a file from the Internet.


Based on user-defined policies, the file is sent to the Sky ATP cloud for malware inspection.


The inspection determines this file is malware and informs Policy Enforcer of the results.


The enforcement policy is automatically deployed to the SRX Series device and switches.


The infected endpoint is quarantined.

Policy Enforcer can track the infected endpoint and automatically quarantine it or block it from accessing the Internet if the user moves from one campus location to another. See Figure 80.

Figure 80: Tracking Infected Endpoint Movement

Tracking Infected Endpoint Movement

In this example, Sky ATP identifies the endpoint as having an IP address of and resides in SVL-A. The EX Series switch quarantines it because it has been labeled as an infected host by Sky ATP. Suppose the infected host physically moves from location SVL-A to location SVL-B. The EX Series switch (in SVL-B) microservice tracks the MAC address to the new IP address and automatically quarantines it. Policy Enforcer then informs Sky ATP of the new MAC address-to-IP address binding.

Policy Enforcer can also quarantine infected hosts even if those hosts are connected to third-party switches, as shown in Figure 81.

For Policy Enforcer to provide threat remediation to endpoints connecting through third-party devices, it must be able to authenticate those devices and determine their state. It does this using a tracking and accounting threat remediation plug-in to gather information from a RADIUS server and enforce policies such as terminate session and quarantine. For more information, see Policy Enforcer Connector Overview

Figure 81: Third-Party Switch Support

Third-Party Switch Support




An end-user authenticates to the network through IEEE 802.1X or through MAC-based authentication.


Sky ATP detects the end point is infected with malware and adds it to the infected host feed.


Policy Enforcer downloads the infected host feed.


Policy Enforcer enforces the infected host policy using the Connector. See Policy Enforcer Connector Overview.


The Connector queries the RADIUS server for the infected host endpoint details and initiates a Change of Authorization (CoA) for the infected host.


The CoA can be either block or quarantine the infected host.


The enforcement occurs on the NAC device the infected host is authenticated with.


Policy Enforcer communicates the infected host details back to Sky ATP.

Related Documentation

Ask questions in TechWiki

Check documentation in TechLibrary

Rating by you:      

Additional Comments

800 characters remaining

May we contact you if necessary?


Need product assistance? Contact Juniper Support