Adding Enforcement Points

Use the Add Enforcement Points page to assign devices to a site and indicate which devices are perimeter firewalls. To enroll a device with Sky ATP, you must assign one or more perimeter firewalls to each site.

Note

When a connector instance is assigned to a site, that particular connector instance will not be listed as available enforcement point for other sites.
If you want to enforce an infected host policy within the network, you must assign a switch to the site.
Assigning a device to the site will cause a change in the device configuration.

To add firewalls, switches, or connectors as an enforcement point:

Select Devices>Secure Fabric.
The Secure Fabric page appears.
Select the required site for which you want to add enforcement points, and click Add Enforcement Points.
The Add Enforcement Points page appears.
Complete the configuration as shown in Table 1.
Click OK.

Table 1: Fields on the Add Enforcement Points Page

Field	Description
Enforcement points	All device types are displayed in the list. To filter by type, click the three vertical dots beside the search field and select the check box for the device type. To include a device, select the check box beside the device in the Unassigned Devices list and click the > icon to move them to the Selected list. The devices in the Selected list will be included in the site. There is a one-to-one mapping between devices and connectors with sites. If a device or a connector is mapped to a site, you cannot use the same device or a connector to map to a different site. Note: Firewall devices are automatically enrolled with Sky ATP as part of this step. No manual enrollment is required. The only exception is “no selection” mode where Sky ATP is not available and therefore no enrollment takes place. (see Sky ATP Configuration Type Overview) The name of the connector type is shown as a tool tip when you hover over the name.
Perimeter Device	Select the edge firewall devices connecting the network to the internet. These devices will receive the threat feeds. Only firewall (SRX, vSRX) or router devices (MX) that you choose in the Enforcement Points field appear in the Perimeter Device field. You can have SRX Series and MX Series devices in the same site and select both as perimeter devices. You must configure MX Series router as a perimeter device to download Command & Control (C&C) and Geo IP feeds from Policy Enforcer. In the Sky ATP with SDSN mode, if you choose a MX Series router as a perimeter firewall device, the MX Series router is not enrolled to Sky ATP. The Policy Enforcer URL is configured to the device and this enables the device to receive feeds from Policy Enforcer. Unlike in SRX Series device where a policy must be configured to download feeds, you do not have to configure any policies for MX Series routers to download the feeds. Among the listed devices, you can choose which device to consider as a perimeter firewall. Only the perimeter firewall devices are enrolled to Sky ATP. If you do not choose any firewall device as a perimeter firewall, all firewall devices listed in this field are enrolled to Sky ATP as perimeter firewalls by default. You can delete devices manually from the field. However, all the firewall devices are still available in the list to include later. To remove firewall devices permanently from list, you must move the firewall devices from the Selected column to the Available column in the Enforcement points field. In any Sky ATP configuration types, if there is a firewall device assigned to a site, it is mandatory to assign one of those devices as a perimeter firewall. If there are no firewall devices assigned to a site, the perimeter firewall list will be empty. When you enroll a connector instance to Policy Enforcer, the connector instance provides few vSRX Series devices. These vSRX devices are discovered by Policy Enforcer in Junos Space. Hover over the connector instances appearing in the Secure Fabric page to view the details of the corresponding vSRX devices. The vSRX Series devices associated with a connector are not shown in the Perimeter Firewall field. However, they are considered as perimeter firewalls. Note: If a branch SRX Series device is added and selected as a perimeter firewall, system reboots and a warning message is shown before rebooting the system.

Field

Description

Enforcement points

All device types are displayed in the list. To filter by type, click the three vertical dots beside the search field and select the check box for the device type.

To include a device, select the check box beside the device in the Unassigned Devices list and click the > icon to move them to the Selected list. The devices in the Selected list will be included in the site.

There is a one-to-one mapping between devices and connectors with sites. If a device or a connector is mapped to a site, you cannot use the same device or a connector to map to a different site.

Note: Firewall devices are automatically enrolled with Sky ATP as part of this step. No manual enrollment is required. The only exception is “no selection” mode where Sky ATP is not available and therefore no enrollment takes place. (see Sky ATP Configuration Type Overview)

The name of the connector type is shown as a tool tip when you hover over the name.

Perimeter Device

Select the edge firewall devices connecting the network to the internet. These devices will receive the threat feeds. Only firewall (SRX, vSRX) or router devices (MX) that you choose in the Enforcement Points field appear in the Perimeter Device field. You can have SRX Series and MX Series devices in the same site and select both as perimeter devices.

You must configure MX Series router as a perimeter device to download Command & Control (C&C) and Geo IP feeds from Policy Enforcer. In the Sky ATP with SDSN mode, if you choose a MX Series router as a perimeter firewall device, the MX Series router is not enrolled to Sky ATP. The Policy Enforcer URL is configured to the device and this enables the device to receive feeds from Policy Enforcer. Unlike in SRX Series device where a policy must be configured to download feeds, you do not have to configure any policies for MX Series routers to download the feeds.

Among the listed devices, you can choose which device to consider as a perimeter firewall. Only the perimeter firewall devices are enrolled to Sky ATP. If you do not choose any firewall device as a perimeter firewall, all firewall devices listed in this field are enrolled to Sky ATP as perimeter firewalls by default.

You can delete devices manually from the field. However, all the firewall devices are still available in the list to include later. To remove firewall devices permanently from list, you must move the firewall devices from the Selected column to the Available column in the Enforcement points field.

In any Sky ATP configuration types, if there is a firewall device assigned to a site, it is mandatory to assign one of those devices as a perimeter firewall. If there are no firewall devices assigned to a site, the perimeter firewall list will be empty.

When you enroll a connector instance to Policy Enforcer, the connector instance provides few vSRX Series devices. These vSRX devices are discovered by Policy Enforcer in Junos Space. Hover over the connector instances appearing in the Secure Fabric page to view the details of the corresponding vSRX devices. The vSRX Series devices associated with a connector are not shown in the Perimeter Firewall field. However, they are considered as perimeter firewalls.

Note: If a branch SRX Series device is added and selected as a perimeter firewall, system reboots and a warning message is shown before rebooting the system.

Adding Enforcement Points

Related Documentation