Contents

ContentsHide

Security Director User Guide
- About the Documentation
- Junos Space Security Director
  - Overview
    - Junos Space Security Director Overview
    - Juniper Networks Connected Security Overview
- Dashboard
  - Overview
    - Dashboard Overview
- Monitor
  - Events and Logs-All Events
    - Events and Logs Overview
    - Creating Alerts
    - Creating Reports
    - Creating Filters
    - Grouping Events
    - Using Events and Logs Settings
    - Selecting Events and Logs Table Columns
    - Viewing Threats
    - Viewing Data for Selected Devices
    - Using the Detailed Log View
    - Using the Raw Log View
    - Showing Exact Match
    - Using Filter on Cell Data
    - Using Exclude Cell Data
    - Showing Firewall Policy
    - Showing Source NAT Policy
    - Showing Destination NAT Policy
    - Downloading Packets Captured
    - Showing Attack Details
    - Using Filters
  - Events and Logs-Firewall
    - Firewall Events and Logs Overview
  - Events and Logs-Web Filtering
    - Web Filtering Events and Log Overview
  - Events and Logs-VPN
    - VPN Events and Logs Overview
  - Events and Logs-Content Filtering
    - Content Filtering Events and Logs Overview
  - Events and Logs-Antispam
    - Antispam Events and Logs Overview
  - Events and Logs-Antivirus
    - Antivirus Events and Logs Overview
  - Events and Logs-IPS
    - IPS Events and Logs Overview
  - Events and Logs-Screen
    - Screen Events and Logs Overview
  - Events and Logs-Sky ATP
    - Sky ATP Events and Logs Overview
  - Events and Logs-Apptrack
    - Apptrack Events and Logs Overview
  - Threat Prevention-Hosts
    - Infected Hosts Overview
    - Infected Host Details
  - Threat Prevention-C&C Servers
    - Command and Control Servers Overview
    - Command and Control Server Details
  - Threat Prevention-HTTP File Download
    - HTTP File Download Overview
    - HTTP File Download Details
  - Threat Prevention-Email Quarantine and Scanning
    - SMTP Quarantine Overview
    - Email Attachments Scanning Overview
    - Email Attachments Scanning Details
  - Threat Prevention-IMAP Block
    - IMAP Block Overview
  - Threat Prevention-Manual Upload
    - File Scanning Limits
  - Threat Prevention-Feed Status
    - Device Feed Status Details
  - Threat Prevention-All Hosts Status
    - All Hosts Status Details
  - Threat Prevention-DDoS Feeds Status
    - DDoS Feeds Status Details
  - Applications
    - Application Visibility Overview
    - Blocking Applications and Users
  - Users
    - User Visibility Overview
    - Blocking Users and Applications
  - Source IP
    - Source IP Visibility Overview
    - Blocking Source IP Addresses
  - Live Threat Map
    - Threat Map Overview
    - Blocking Threat Events
  - Alerts and Alarms - Overview
    - Alerts and Alarms Overview
  - Alerts and Alarms-Alerts
    - Deleting an Alert
    - Searching Alerts
    - Using Generated Alerts
  - Alerts and Alarms-Alert Definitions
    - Creating Alert Definitions
    - Editing Alert Definitions
    - Cloning Alert Definition
    - Deleting Alert Definitions
    - Searching Alert Definitions
    - Alert Definitions Main Page Fields
  - Alerts and Alarms-Alarms
    - Using Device Alarms
    - Device Alarms Main Page Fields
  - VPN
    - IPsec VPN Monitoring Overview
    - About the Overview Page
    - Managing Monitored and Unmonitored VPNs
    - About the Monitored Tunnels Page
    - About the Devices Page
  - Job Management
    - Using Job Management in Security Director
    - Overview of Jobs in Security Director
    - Archiving and Purging Jobs in Security Director
    - Viewing the Details of a Job in Security Director
    - Canceling Jobs in Security Director
    - Reassigning Jobs in Security Director
    - Rescheduling and Modifying the Recurrence of Jobs in Security Director
    - Retrying a Failed Job on Devices in Security Director
    - Exporting the Details of a Job in Security Director
    - Job Management Main Page Fields
  - Audit Logs
    - Using Audit Logs in Security Director
    - Understanding Audit Logs in Security Director
    - Purging or Archiving and Purging Audit Logs in Security Director
    - Exporting Audit Logs in Security Director
    - Viewing the Details of an Audit Log in Security Director
    - Audit Logs Main Page Fields
  - Packet Capture
    - Packet Capture Overview
    - About the Packets Captured Page
    - Setting the Purge Policy
  - NSX Inventory-Security Groups
    - About the Security Groups Page
    - Viewing Members of a Security Group
  - vCenter Server Inventory-Virtual Machines
    - About the Virtual Machines Page
    - Viewing Network Details of a Virtual Machine
    - Viewing Security Groups of a Virtual Machine
- Devices
- Configure
  - Firewall Policy-Standard Policies
    - Firewall Policies Overview
    - Policy Ordering Overview
    - Creating Firewall Policies
    - Firewall Policies Best Practices
    - Creating Firewall Policy Rules
    - Rule Base Overview
    - Firewall Policy Locking Modes
    - Rule Operations on Filtered Rules Overview
    - Create and Manage Policy Versions
    - Assigning Devices to Policies
    - Comparing Policies
    - Export Policies
    - Creating Custom Columns
    - Promoting to Group Policy
    - Converting Standard Policy to Unified Policy
    - Viewing and Synchronizing Out-of-Band Firewall Policy Changes Manually
    - Importing Policies
    - Delete and Replace Policies and Objects
    - Unassigning Devices from Policies
    - Edit and Clone Policies and Objects
    - Publishing Policies
    - Showing Duplicate Policies and Objects
    - Show and Delete Unused Policies and Objects
    - Updating Policies on Devices
    - Firewall Policies Main Page Fields
    - Firewall Policy Rules Main Page Fields
  - Firewall Policy-Unified Policies
    - About the Unified Policies Page
    - Unified Policy Overview
    - Creating Unified Firewall Policies
    - Creating Unified Firewall Policy Rules
    - Configuring a Default SSL Proxy Profile
    - Configure a Default IDP Policy
  - Firewall Policy-Devices
    - Devices with Firewall Policies Main Page Fields
  - Firewall Policy-Schedules
    - Schedules Overview
    - Creating Schedules
    - Schedules Main Page Fields
  - Firewall Policy-Profiles
    - Understanding Firewall Policy Profiles
    - Understanding Captive Portal Support for Unauthenticated Browser Users
    - Creating Firewall Policy Profiles
    - Edit and Clone Policies and Objects
    - Delete and Replace Policies and Objects
    - Assigning Policies and Profiles to Domains
    - Viewing Policy and Shared Object Details
    - Firewall Policy Profiles Main Page Fields
  - Firewall Policy-Templates
    - Understanding Firewall Policy Templates
    - Creating Firewall Policy Templates
    - Edit and Clone Policies and Objects
    - Delete and Replace Policies and Objects
    - Firewall Policy Templates Main Page Fields
  - Environment
    - Environment Variables and Conditions Overview
    - About the Environment Page
    - Creating a New Environment Variable
    - Editing and Deleting Environment Variables
    - Creating a New Environment Condition
    - Editing and Deleting Environment Conditions
  - Application Firewall Policy-Policies
    - Understanding Application Firewall Policies
    - Creating Application Firewall Policies
    - Delete and Replace Policies and Objects
    - Edit and Clone Policies and Objects
    - Show and Delete Unused Policies and Objects
    - Finding Usages for Policies and Objects
    - Application Firewall Policies Main Page Fields
  - Application Firewall Policy-Signatures
    - Understanding Custom Application Signatures
    - Creating Application Signatures
    - Editing, Cloning, and Deleting Custom Application Signatures
    - Creating Application Signature Groups
    - Application Signatures Main Page Fields
  - Application Firewall Policy-Redirect Profiles
    - About the Redirect Profiles Page
    - Adding a Redirect Profile
    - Cloning, Editing, and Deleting Redirect Profiles
  - SSL Profiles
    - SSL Forward Proxy Overview
    - Creating SSL Forward Proxy Profiles
    - SSL Forward Proxy Profile Main Page Fields
    - Creating SSL Reverse Proxy Profiles
  - User Firewall Management-Active Directory
    - About the Active Directory Profile Page
    - Creating Active Directory Profiles
    - Deploying the Active Directory Profile to SRX Series Devices
    - Editing and Deleting Active Directory Profiles
  - User Firewall Management-Access Profile
    - LDAP Functionality in Integrated User Firewall Overview
    - About the Access Profile Page
    - Creating Access Profiles
    - Deploying the Access Profile to SRX Series Devices
    - Editing and Deleting Access Profiles
  - User Firewall Management-Identity Management
    - Juniper Identity Management Service Overview
    - About the Identity Management Profile Page
    - Creating Identity Management Profiles
    - Editing, Cloning, and Deleting Identity Management Profiles
    - Updating the Identity Management Profile to SRX Series Devices
  - User Firewall Management-End User Profile
    - End User Profile Overview
    - About the End User Profile Page
    - Creating an End User Profile
    - Edit and Delete End User Profile
    - End User Profile Operations
  - IPS Policy-Policies
    - Understanding IPS Policies
    - Creating IPS Policies
    - Creating IPS Policy Rules
    - Publishing Policies
    - Updating Policies on Devices
    - Assigning Devices to Policies
    - Create and Manage Policy Versions
    - Creating Rule Name Template
    - Export Policies
    - Unassigning Devices to Policies
    - Edit and Clone Policies and Objects
    - Delete and Replace Policies and Objects
    - Assigning Policies and Profiles to Domains
    - Viewing Policy and Shared Object Details
    - IPS Policies Main Page Fields
  - IPS Policy-Devices
    - Understanding IPS Policies
    - Devices with IPS Policies Main Page Fields
  - IPS Policy-Signatures
    - Understanding IPS Signatures
    - Creating IPS Signatures
    - Creating IPS Signature Static Groups
    - Creating IPS Signature Dynamic Groups
    - Edit and Clone Policies and Objects
    - Delete and Replace Policies and Objects
    - Viewing Policy and Shared Object Details
    - IPS Policy Signatures Main Page Fields
  - IPS Policy-Templates
    - Understanding IPS Policy Templates
    - Creating IPS Policy Templates
    - Edit and Clone Policies and Objects
    - Delete and Replace Policies and Objects
    - IPS Policy Templates Main Page Fields
  - NAT Policy-Policies
    - NAT Overview
    - NAT Global Address Book Overview
    - Creating NAT Policies
    - Publishing Policies
    - NAT Policy Rules Main Page Field
    - Creating NAT Rules
    - Updating Policies on Devices
    - Edit and Clone Policies and Objects
    - Delete and Replace Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Comparing Policies
    - Create and Manage Policy Versions
    - Export Policies
    - Assigning Devices to Policies
    - Unassigning Devices to Policies
    - Creating Rule Name Template
    - Configuring NAT Rule Sets
    - Auto Grouping
    - NAT Policies Main Page Fields
  - NAT Policy-Devices
    - Devices with NAT Policies Main Page Fields
  - NAT Policy-Pools
    - Creating NAT Pools
    - Edit and Clone Policies and Objects
    - Delete and Replace Policies and Objects
    - Show and Delete Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - NAT Pools Main Page Fields
  - NAT Policy-Port Sets
    - Creating Port Sets
    - Delete and Replace Policies and Objects
    - Edit and Clone Policies and Objects
    - Show and Delete Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Port Sets Main Page Fields
  - UTM Policy-Policies
    - UTM Overview
    - Creating UTM Policies
    - Comparing Policies
    - Delete and Replace Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Showing Duplicate Policies and Objects
    - Edit and Clone Policies and Objects
    - Show and Delete Unused Policies and Objects
    - UTM Policies Main Page Fields
  - UTM Policy-Web Filtering Profiles
    - Creating Web Filtering Profiles
    - Selecting a Web Filtering Solution
    - Web Filtering Profile Main Page Fields
  - UTM Policy-Category Update
    - About the Category Update Page
    - Configuring the Download URL Settings
    - Downloading and Installing URL Categories
    - Uploading and Installing URL Categories
    - Installing URL Categories on SRX Series Devices
  - UTM Policy-Antivirus Profiles
    - Creating Antivirus Profiles
    - Antivirus Profile Main Page Fields
  - UTM Policy-Antispam Profiles
    - Creating Antispam Profiles
    - Antispam Profile Main Page Fields
  - UTM Policy-Content Filtering Profiles
    - Creating Content Filtering Profiles
    - Content Filtering Profile Main Page Fields
  - UTM Policy-Global Device Profiles
    - Creating Device Profiles
    - Device Profiles Main Page Fields
  - UTM Policy-Default Configuration
    - About the Default Configuration Page
    - Create a Default UTM Configuration
    - Edit and Clone the Default Configuration
    - View and Delete Unused Default Configuration
  - UTM Policy-URL Patterns
    - Creating URL Patterns
  - UTM Policy-Custom URL Categories
    - Creating Custom URL Category Lists
  - Application Routing Policies
    - Understanding Application-Based Routing
    - About the Application Routing Policies Page
    - Configuring Advanced Policy-Based Routing Policy
    - About the Rules Page (Advanced Policy-Based Routing)
    - Creating Advanced Policy-Based Routing Rules
    - About the App Based Routing Page
    - Edit and Clone Policies and Objects
    - Assigning Devices to Policies
    - Customizing Profile Names
    - Publishing Policies
    - Updating Policies on Devices
  - Threat Prevention - Policies
    - Creating Threat Prevention Policies
    - Threat Prevention Policy Overview
    - Threat Policy Analysis Overview
    - Implementing Threat Policy on VMWare NSX
  - Threat Prevention - Feed Sources
    - About the Feed Sources Page
    - Sky ATP Realm Overview
    - Sky ATP Malware Management Overview
    - Sky ATP Email Management Overview
    - File Inspection Profiles Overview
    - Sky ATP Email Management: SMTP Settings
    - Configure IMAP Settings
    - Creating Sky ATP Realms and Enrolling Devices or Associating Sites
    - Modifying Sky ATP Realm
    - Creating File Inspection Profiles
    - Creating Allowlist for Sky ATP Email and Malware Management
    - Creating Blocklists for Sky ATP Email and Malware Management
    - Add JATP Server
    - Edit or Delete a JATP Server
    - Custom Feed Sources Overview
    - Creating Custom Feeds
    - Example: Creating a Dynamic Address Custom Feed and Firewall Policy
    - Configuring Settings for Custom Feeds
  - IPsec VPN-VPNs
    - IPsec VPN Overview
    - Creating IPsec VPNs
    - Understanding IPsec VPN Modes
    - Comparison of Policy-Based VPNs and Route-Based VPNs
    - Understanding IPsec VPN Routing
    - Understanding IKE Authentication
    - Publishing IPsec VPNs
    - Updating IPSec VPN
    - Modifying VPN Settings
    - Viewing Tunnels
    - Importing IPsec VPNs
    - Deleting IPSec VPN
    - IPsec VPN Main Page Fields
  - IPsec VPN-Extranet Devices
    - Creating Extranet Devices
    - Extranet Devices Main Page Fields
  - IPsec VPN-Profiles
    - VPN Profiles Overview
    - Creating VPN Profiles
    - Edit and Clone Policies and Objects
    - Assigning Policies and Profiles to Domains
    - VPN Profiles Main Page Fields
  - Shared Objects-Geo IP
    - Creating Geo IP Policies
    - Geo IP Overview
    - Delete and Replace Policies and Objects
  - Shared Objects-Policy Enforcement Groups
    - Creating Policy Enforcement Groups
    - Policy Enforcement Groups Overview
  - Shared Objects-Addresses
    - Addresses and Address Groups Overview
    - Creating Addresses and Address Groups
    - Import and Export CSV Files
    - Assigning Addresses and Address Groups to Domains
    - Showing Duplicate Policies and Objects
    - Delete and Replace Policies and Objects
    - Addresses Main Page Fields
  - Shared Objects-Services
    - Services and Service Groups Overview
    - Creating Services and Service Groups
    - Delete and Replace Policies and Objects
    - Showing Duplicate Policies and Objects
  - Shared Objects-Variables
    - Variables Overview
    - Creating Variables
    - Editing Variables
    - Import and Export CSV Files
    - Showing Duplicate Policies and Objects
  - Shared Objects-Zone Sets
    - Understanding Zone Sets
    - Creating Zone Sets
    - Edit and Clone Policies and Objects
    - Delete and Replace Policies and Objects
    - Finding Usages for Policies and Objects
    - Show and Delete Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Zone Sets Main Page Fields
  - Shared Objects-Metadata
    - Metadata-Based Policy Enforcement Overview
    - About the Metadata Page
    - Creating a Metadata
  - Change Management-Change Requests
    - Change Control Workflow Overview
    - Creating a Firewall or NAT Policy Change Request
    - About the Changes Submitted Page
    - Approving and Updating Changes Submitted
    - Creating and Updating a Firewall Policy Using Change Control Workflow
    - Editing, Denying, and Deleting Change Requests
    - About the Changes Not Submitted Page
    - Discarding Policy Changes
    - Viewing Submitted and Unsubmitted Policy Changes
  - Change Management-Change Request History
    - About the Change Request History Page
  - Overview of Policy Enforcer and Sky ATP
    - Policy Enforcer Overview
    - Benefits of Policy Enforcer
    - Sky ATP Overview
  - Concepts and Configuration Types to Understand Before You Begin (Policy Enforcer and Sky ATP)
    - Policy Enforcer Components and Dependencies
    - Policy Enforcer Configuration Concepts
    - Sky ATP Configuration Type Overview
    - Features By Sky ATP Configuration Type
    - Available UI Pages by Sky ATP Configuration Type
    - Comparing the Juniper Connected Security and non-Juniper Connected Security Configuration Steps
  - Installing Policy Enforcer
    - Policy Enforcer Installation Overview
    - Deploying and Configuring the Policy Enforcer with OVA files
    - Installing Policy Enforcer with KVM
    - Policy Enforcer Ports
    - Identifying the Policy Enforcer Virtual Machine In Security Director
    - Obtaining a Sky ATP License
    - Creating a Sky ATP Cloud Web Portal Login Account
    - Loading a Root CA
    - Upgrading Your Policy Enforcer Software
  - Configuring Policy Enforcer Settings and Connectors
    - Policy Enforcer Settings
    - Policy Enforcer Connector Overview
    - Creating a Policy Enforcer Connector for Public and Private Clouds
    - Creating a Policy Enforcer Connector for Third-Party Switches
    - Editing and Deleting a Connector
    - Viewing VPC or Projects Details
    - Integrating ForeScout CounterACT with Juniper Networks Connected Security
    - ClearPass Configuration for Third-Party Plug-in
    - Cisco ISE Configuration for Third-Party Plug-in
    - Integrating Pulse Policy Secure with Juniper Networks Connected Security
  - Guided Setup-Sky ATP with SDSN
    - Using Guided Setup for Sky ATP with Juniper Connected Security
  - Guided Setup-Sky ATP
    - Using Guided Setup for Sky ATP
  - Guided Setup for No Sky ATP (No Selection)
    - Using Guided Setup for No Sky ATP (No Selection)
  - Manual Configuration-Sky ATP with SDSN
    - Configuring Sky ATP with Juniper Connected Security (Without Guided Setup) Overview
  - Manual Configuration-Sky ATP
    - Configuring Sky ATP (No Juniper Connected Security and No Guided Setup) Overview
    - Creating Sky ATP Realms and Enrolling Devices or Associating Sites
  - Cloud Feeds Only Threat Prevention
    - Configuring Cloud Feeds Only
  - Configuring No Sky ATP (No Selection) (without Guided Setup)
    - Configuring No Sky ATP (No Selection) (without Guided Setup) Overview
  - Migration Instructions for Spotlight Secure Customers
    - Moving From Spotlight Secure to Policy Enforcer
- Reports
  - Reports
- Administration
  - My Profile
    - Modifying Your User Profile in Security Director
  - Users and Roles-Users
  - Users and Roles-Roles
  - Users and Roles-Domains
  - Users and Roles-Remote Profiles
  - Logging Management
    - Logging and Reporting Overview
  - Logging Management-Logging Nodes
  - Logging Management-Statistics & Troubleshooting
    - Using the Log Statistics and Troubleshooting
  - Logging Management-Logging Devices
    - Logging Devices Main Page Fields
    - Creating Security Logs
  - Monitor Settings
    - About the Monitor Settings Page
    - Monitor Settings Overview
  - Signature Database
  - Migrating Content from NSM to Security Director
    - NSM Migration
  - Policy Sync Settings
    - About the Policy Sync Settings Page
    - Out-of-Band Changes Overview

ContentsHide

Security Director User Guide
- About the Documentation
- Junos Space Security Director
  - Overview
    - Junos Space Security Director Overview
    - Juniper Networks Connected Security Overview
- Dashboard
  - Overview
    - Dashboard Overview
- Monitor
  - Events and Logs-All Events
    - Events and Logs Overview
    - Creating Alerts
    - Creating Reports
    - Creating Filters
    - Grouping Events
    - Using Events and Logs Settings
    - Selecting Events and Logs Table Columns
    - Viewing Threats
    - Viewing Data for Selected Devices
    - Using the Detailed Log View
    - Using the Raw Log View
    - Showing Exact Match
    - Using Filter on Cell Data
    - Using Exclude Cell Data
    - Showing Firewall Policy
    - Showing Source NAT Policy
    - Showing Destination NAT Policy
    - Downloading Packets Captured
    - Showing Attack Details
    - Using Filters
  - Events and Logs-Firewall
    - Firewall Events and Logs Overview
  - Events and Logs-Web Filtering
    - Web Filtering Events and Log Overview
  - Events and Logs-VPN
    - VPN Events and Logs Overview
  - Events and Logs-Content Filtering
    - Content Filtering Events and Logs Overview
  - Events and Logs-Antispam
    - Antispam Events and Logs Overview
  - Events and Logs-Antivirus
    - Antivirus Events and Logs Overview
  - Events and Logs-IPS
    - IPS Events and Logs Overview
  - Events and Logs-Screen
    - Screen Events and Logs Overview
  - Events and Logs-Sky ATP
    - Sky ATP Events and Logs Overview
  - Events and Logs-Apptrack
    - Apptrack Events and Logs Overview
  - Threat Prevention-Hosts
    - Infected Hosts Overview
    - Infected Host Details
  - Threat Prevention-C&C Servers
    - Command and Control Servers Overview
    - Command and Control Server Details
  - Threat Prevention-HTTP File Download
    - HTTP File Download Overview
    - HTTP File Download Details
  - Threat Prevention-Email Quarantine and Scanning
    - SMTP Quarantine Overview
    - Email Attachments Scanning Overview
    - Email Attachments Scanning Details
  - Threat Prevention-IMAP Block
    - IMAP Block Overview
  - Threat Prevention-Manual Upload
    - File Scanning Limits
  - Threat Prevention-Feed Status
    - Device Feed Status Details
  - Threat Prevention-All Hosts Status
    - All Hosts Status Details
  - Threat Prevention-DDoS Feeds Status
    - DDoS Feeds Status Details
  - Applications
    - Application Visibility Overview
    - Blocking Applications and Users
  - Users
    - User Visibility Overview
    - Blocking Users and Applications
  - Source IP
    - Source IP Visibility Overview
    - Blocking Source IP Addresses
  - Live Threat Map
    - Threat Map Overview
    - Blocking Threat Events
  - Alerts and Alarms - Overview
    - Alerts and Alarms Overview
  - Alerts and Alarms-Alerts
    - Deleting an Alert
    - Searching Alerts
    - Using Generated Alerts
  - Alerts and Alarms-Alert Definitions
    - Creating Alert Definitions
    - Editing Alert Definitions
    - Cloning Alert Definition
    - Deleting Alert Definitions
    - Searching Alert Definitions
    - Alert Definitions Main Page Fields
  - Alerts and Alarms-Alarms
    - Using Device Alarms
    - Device Alarms Main Page Fields
  - VPN
    - IPsec VPN Monitoring Overview
    - About the Overview Page
    - Managing Monitored and Unmonitored VPNs
    - About the Monitored Tunnels Page
    - About the Devices Page
  - Job Management
    - Using Job Management in Security Director
    - Overview of Jobs in Security Director
    - Archiving and Purging Jobs in Security Director
    - Viewing the Details of a Job in Security Director
    - Canceling Jobs in Security Director
    - Reassigning Jobs in Security Director
    - Rescheduling and Modifying the Recurrence of Jobs in Security Director
    - Retrying a Failed Job on Devices in Security Director
    - Exporting the Details of a Job in Security Director
    - Job Management Main Page Fields
  - Audit Logs
    - Using Audit Logs in Security Director
    - Understanding Audit Logs in Security Director
    - Purging or Archiving and Purging Audit Logs in Security Director
    - Exporting Audit Logs in Security Director
    - Viewing the Details of an Audit Log in Security Director
    - Audit Logs Main Page Fields
  - Packet Capture
    - Packet Capture Overview
    - About the Packets Captured Page
    - Setting the Purge Policy
  - NSX Inventory-Security Groups
    - About the Security Groups Page
    - Viewing Members of a Security Group
  - vCenter Server Inventory-Virtual Machines
    - About the Virtual Machines Page
    - Viewing Network Details of a Virtual Machine
    - Viewing Security Groups of a Virtual Machine
- Devices
- Configure
  - Firewall Policy-Standard Policies
    - Firewall Policies Overview
    - Policy Ordering Overview
    - Creating Firewall Policies
    - Firewall Policies Best Practices
    - Creating Firewall Policy Rules
    - Rule Base Overview
    - Firewall Policy Locking Modes
    - Rule Operations on Filtered Rules Overview
    - Create and Manage Policy Versions
    - Assigning Devices to Policies
    - Comparing Policies
    - Export Policies
    - Creating Custom Columns
    - Promoting to Group Policy
    - Converting Standard Policy to Unified Policy
    - Viewing and Synchronizing Out-of-Band Firewall Policy Changes Manually
    - Importing Policies
    - Delete and Replace Policies and Objects
    - Unassigning Devices from Policies
    - Edit and Clone Policies and Objects
    - Publishing Policies
    - Showing Duplicate Policies and Objects
    - Show and Delete Unused Policies and Objects
    - Updating Policies on Devices
    - Firewall Policies Main Page Fields
    - Firewall Policy Rules Main Page Fields
  - Firewall Policy-Unified Policies
    - About the Unified Policies Page
    - Unified Policy Overview
    - Creating Unified Firewall Policies
    - Creating Unified Firewall Policy Rules
    - Configuring a Default SSL Proxy Profile
    - Configure a Default IDP Policy
  - Firewall Policy-Devices
    - Devices with Firewall Policies Main Page Fields
  - Firewall Policy-Schedules
    - Schedules Overview
    - Creating Schedules
    - Schedules Main Page Fields
  - Firewall Policy-Profiles
    - Understanding Firewall Policy Profiles
    - Understanding Captive Portal Support for Unauthenticated Browser Users
    - Creating Firewall Policy Profiles
    - Edit and Clone Policies and Objects
    - Delete and Replace Policies and Objects
    - Assigning Policies and Profiles to Domains
    - Viewing Policy and Shared Object Details
    - Firewall Policy Profiles Main Page Fields
  - Firewall Policy-Templates
    - Understanding Firewall Policy Templates
    - Creating Firewall Policy Templates
    - Edit and Clone Policies and Objects
    - Delete and Replace Policies and Objects
    - Firewall Policy Templates Main Page Fields
  - Environment
    - Environment Variables and Conditions Overview
    - About the Environment Page
    - Creating a New Environment Variable
    - Editing and Deleting Environment Variables
    - Creating a New Environment Condition
    - Editing and Deleting Environment Conditions
  - Application Firewall Policy-Policies
    - Understanding Application Firewall Policies
    - Creating Application Firewall Policies
    - Delete and Replace Policies and Objects
    - Edit and Clone Policies and Objects
    - Show and Delete Unused Policies and Objects
    - Finding Usages for Policies and Objects
    - Application Firewall Policies Main Page Fields
  - Application Firewall Policy-Signatures
    - Understanding Custom Application Signatures
    - Creating Application Signatures
    - Editing, Cloning, and Deleting Custom Application Signatures
    - Creating Application Signature Groups
    - Application Signatures Main Page Fields
  - Application Firewall Policy-Redirect Profiles
    - About the Redirect Profiles Page
    - Adding a Redirect Profile
    - Cloning, Editing, and Deleting Redirect Profiles
  - SSL Profiles
    - SSL Forward Proxy Overview
    - Creating SSL Forward Proxy Profiles
    - SSL Forward Proxy Profile Main Page Fields
    - Creating SSL Reverse Proxy Profiles
  - User Firewall Management-Active Directory
    - About the Active Directory Profile Page
    - Creating Active Directory Profiles
    - Deploying the Active Directory Profile to SRX Series Devices
    - Editing and Deleting Active Directory Profiles
  - User Firewall Management-Access Profile
    - LDAP Functionality in Integrated User Firewall Overview
    - About the Access Profile Page
    - Creating Access Profiles
    - Deploying the Access Profile to SRX Series Devices
    - Editing and Deleting Access Profiles
  - User Firewall Management-Identity Management
    - Juniper Identity Management Service Overview
    - About the Identity Management Profile Page
    - Creating Identity Management Profiles
    - Editing, Cloning, and Deleting Identity Management Profiles
    - Updating the Identity Management Profile to SRX Series Devices
  - User Firewall Management-End User Profile
    - End User Profile Overview
    - About the End User Profile Page
    - Creating an End User Profile
    - Edit and Delete End User Profile
    - End User Profile Operations
  - IPS Policy-Policies
    - Understanding IPS Policies
    - Creating IPS Policies
    - Creating IPS Policy Rules
    - Publishing Policies
    - Updating Policies on Devices
    - Assigning Devices to Policies
    - Create and Manage Policy Versions
    - Creating Rule Name Template
    - Export Policies
    - Unassigning Devices to Policies
    - Edit and Clone Policies and Objects
    - Delete and Replace Policies and Objects
    - Assigning Policies and Profiles to Domains
    - Viewing Policy and Shared Object Details
    - IPS Policies Main Page Fields
  - IPS Policy-Devices
    - Understanding IPS Policies
    - Devices with IPS Policies Main Page Fields
  - IPS Policy-Signatures
    - Understanding IPS Signatures
    - Creating IPS Signatures
    - Creating IPS Signature Static Groups
    - Creating IPS Signature Dynamic Groups
    - Edit and Clone Policies and Objects
    - Delete and Replace Policies and Objects
    - Viewing Policy and Shared Object Details
    - IPS Policy Signatures Main Page Fields
  - IPS Policy-Templates
    - Understanding IPS Policy Templates
    - Creating IPS Policy Templates
    - Edit and Clone Policies and Objects
    - Delete and Replace Policies and Objects
    - IPS Policy Templates Main Page Fields
  - NAT Policy-Policies
    - NAT Overview
    - NAT Global Address Book Overview
    - Creating NAT Policies
    - Publishing Policies
    - NAT Policy Rules Main Page Field
    - Creating NAT Rules
    - Updating Policies on Devices
    - Edit and Clone Policies and Objects
    - Delete and Replace Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Comparing Policies
    - Create and Manage Policy Versions
    - Export Policies
    - Assigning Devices to Policies
    - Unassigning Devices to Policies
    - Creating Rule Name Template
    - Configuring NAT Rule Sets
    - Auto Grouping
    - NAT Policies Main Page Fields
  - NAT Policy-Devices
    - Devices with NAT Policies Main Page Fields
  - NAT Policy-Pools
    - Creating NAT Pools
    - Edit and Clone Policies and Objects
    - Delete and Replace Policies and Objects
    - Show and Delete Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - NAT Pools Main Page Fields
  - NAT Policy-Port Sets
    - Creating Port Sets
    - Delete and Replace Policies and Objects
    - Edit and Clone Policies and Objects
    - Show and Delete Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Port Sets Main Page Fields
  - UTM Policy-Policies
    - UTM Overview
    - Creating UTM Policies
    - Comparing Policies
    - Delete and Replace Policies and Objects
    - Viewing Policy and Shared Object Details
    - Assigning Policies and Profiles to Domains
    - Showing Duplicate Policies and Objects
    - Edit and Clone Policies and Objects
    - Show and Delete Unused Policies and Objects
    - UTM Policies Main Page Fields
  - UTM Policy-Web Filtering Profiles
    - Creating Web Filtering Profiles
    - Selecting a Web Filtering Solution
    - Web Filtering Profile Main Page Fields
  - UTM Policy-Category Update
    - About the Category Update Page
    - Configuring the Download URL Settings
    - Downloading and Installing URL Categories
    - Uploading and Installing URL Categories
    - Installing URL Categories on SRX Series Devices
  - UTM Policy-Antivirus Profiles
    - Creating Antivirus Profiles
    - Antivirus Profile Main Page Fields
  - UTM Policy-Antispam Profiles
    - Creating Antispam Profiles
    - Antispam Profile Main Page Fields
  - UTM Policy-Content Filtering Profiles
    - Creating Content Filtering Profiles
    - Content Filtering Profile Main Page Fields
  - UTM Policy-Global Device Profiles
    - Creating Device Profiles
    - Device Profiles Main Page Fields
  - UTM Policy-Default Configuration
    - About the Default Configuration Page
    - Create a Default UTM Configuration
    - Edit and Clone the Default Configuration
    - View and Delete Unused Default Configuration
  - UTM Policy-URL Patterns
    - Creating URL Patterns
  - UTM Policy-Custom URL Categories
    - Creating Custom URL Category Lists
  - Application Routing Policies
    - Understanding Application-Based Routing
    - About the Application Routing Policies Page
    - Configuring Advanced Policy-Based Routing Policy
    - About the Rules Page (Advanced Policy-Based Routing)
    - Creating Advanced Policy-Based Routing Rules
    - About the App Based Routing Page
    - Edit and Clone Policies and Objects
    - Assigning Devices to Policies
    - Customizing Profile Names
    - Publishing Policies
    - Updating Policies on Devices
  - Threat Prevention - Policies
    - Creating Threat Prevention Policies
    - Threat Prevention Policy Overview
    - Threat Policy Analysis Overview
    - Implementing Threat Policy on VMWare NSX
  - Threat Prevention - Feed Sources
    - About the Feed Sources Page
    - Sky ATP Realm Overview
    - Sky ATP Malware Management Overview
    - Sky ATP Email Management Overview
    - File Inspection Profiles Overview
    - Sky ATP Email Management: SMTP Settings
    - Configure IMAP Settings
    - Creating Sky ATP Realms and Enrolling Devices or Associating Sites
    - Modifying Sky ATP Realm
    - Creating File Inspection Profiles
    - Creating Allowlist for Sky ATP Email and Malware Management
    - Creating Blocklists for Sky ATP Email and Malware Management
    - Add JATP Server
    - Edit or Delete a JATP Server
    - Custom Feed Sources Overview
    - Creating Custom Feeds
    - Example: Creating a Dynamic Address Custom Feed and Firewall Policy
    - Configuring Settings for Custom Feeds
  - IPsec VPN-VPNs
    - IPsec VPN Overview
    - Creating IPsec VPNs
    - Understanding IPsec VPN Modes
    - Comparison of Policy-Based VPNs and Route-Based VPNs
    - Understanding IPsec VPN Routing
    - Understanding IKE Authentication
    - Publishing IPsec VPNs
    - Updating IPSec VPN
    - Modifying VPN Settings
    - Viewing Tunnels
    - Importing IPsec VPNs
    - Deleting IPSec VPN
    - IPsec VPN Main Page Fields
  - IPsec VPN-Extranet Devices
    - Creating Extranet Devices
    - Extranet Devices Main Page Fields
  - IPsec VPN-Profiles
    - VPN Profiles Overview
    - Creating VPN Profiles
    - Edit and Clone Policies and Objects
    - Assigning Policies and Profiles to Domains
    - VPN Profiles Main Page Fields
  - Shared Objects-Geo IP
    - Creating Geo IP Policies
    - Geo IP Overview
    - Delete and Replace Policies and Objects
  - Shared Objects-Policy Enforcement Groups
    - Creating Policy Enforcement Groups
    - Policy Enforcement Groups Overview
  - Shared Objects-Addresses
    - Addresses and Address Groups Overview
    - Creating Addresses and Address Groups
    - Import and Export CSV Files
    - Assigning Addresses and Address Groups to Domains
    - Showing Duplicate Policies and Objects
    - Delete and Replace Policies and Objects
    - Addresses Main Page Fields
  - Shared Objects-Services
    - Services and Service Groups Overview
    - Creating Services and Service Groups
    - Delete and Replace Policies and Objects
    - Showing Duplicate Policies and Objects
  - Shared Objects-Variables
    - Variables Overview
    - Creating Variables
    - Editing Variables
    - Import and Export CSV Files
    - Showing Duplicate Policies and Objects
  - Shared Objects-Zone Sets
    - Understanding Zone Sets
    - Creating Zone Sets
    - Edit and Clone Policies and Objects
    - Delete and Replace Policies and Objects
    - Finding Usages for Policies and Objects
    - Show and Delete Unused Policies and Objects
    - Showing Duplicate Policies and Objects
    - Viewing Policy and Shared Object Details
    - Zone Sets Main Page Fields
  - Shared Objects-Metadata
    - Metadata-Based Policy Enforcement Overview
    - About the Metadata Page
    - Creating a Metadata
  - Change Management-Change Requests
    - Change Control Workflow Overview
    - Creating a Firewall or NAT Policy Change Request
    - About the Changes Submitted Page
    - Approving and Updating Changes Submitted
    - Creating and Updating a Firewall Policy Using Change Control Workflow
    - Editing, Denying, and Deleting Change Requests
    - About the Changes Not Submitted Page
    - Discarding Policy Changes
    - Viewing Submitted and Unsubmitted Policy Changes
  - Change Management-Change Request History
    - About the Change Request History Page
  - Overview of Policy Enforcer and Sky ATP
    - Policy Enforcer Overview
    - Benefits of Policy Enforcer
    - Sky ATP Overview
  - Concepts and Configuration Types to Understand Before You Begin (Policy Enforcer and Sky ATP)
    - Policy Enforcer Components and Dependencies
    - Policy Enforcer Configuration Concepts
    - Sky ATP Configuration Type Overview
    - Features By Sky ATP Configuration Type
    - Available UI Pages by Sky ATP Configuration Type
    - Comparing the Juniper Connected Security and non-Juniper Connected Security Configuration Steps
  - Installing Policy Enforcer
    - Policy Enforcer Installation Overview
    - Deploying and Configuring the Policy Enforcer with OVA files
    - Installing Policy Enforcer with KVM
    - Policy Enforcer Ports
    - Identifying the Policy Enforcer Virtual Machine In Security Director
    - Obtaining a Sky ATP License
    - Creating a Sky ATP Cloud Web Portal Login Account
    - Loading a Root CA
    - Upgrading Your Policy Enforcer Software
  - Configuring Policy Enforcer Settings and Connectors
    - Policy Enforcer Settings
    - Policy Enforcer Connector Overview
    - Creating a Policy Enforcer Connector for Public and Private Clouds
    - Creating a Policy Enforcer Connector for Third-Party Switches
    - Editing and Deleting a Connector
    - Viewing VPC or Projects Details
    - Integrating ForeScout CounterACT with Juniper Networks Connected Security
    - ClearPass Configuration for Third-Party Plug-in
    - Cisco ISE Configuration for Third-Party Plug-in
    - Integrating Pulse Policy Secure with Juniper Networks Connected Security
  - Guided Setup-Sky ATP with SDSN
    - Using Guided Setup for Sky ATP with Juniper Connected Security
  - Guided Setup-Sky ATP
    - Using Guided Setup for Sky ATP
  - Guided Setup for No Sky ATP (No Selection)
    - Using Guided Setup for No Sky ATP (No Selection)
  - Manual Configuration-Sky ATP with SDSN
    - Configuring Sky ATP with Juniper Connected Security (Without Guided Setup) Overview
  - Manual Configuration-Sky ATP
    - Configuring Sky ATP (No Juniper Connected Security and No Guided Setup) Overview
    - Creating Sky ATP Realms and Enrolling Devices or Associating Sites
  - Cloud Feeds Only Threat Prevention
    - Configuring Cloud Feeds Only
  - Configuring No Sky ATP (No Selection) (without Guided Setup)
    - Configuring No Sky ATP (No Selection) (without Guided Setup) Overview
  - Migration Instructions for Spotlight Secure Customers
    - Moving From Spotlight Secure to Policy Enforcer
- Reports
  - Reports
- Administration
  - My Profile
    - Modifying Your User Profile in Security Director
  - Users and Roles-Users
  - Users and Roles-Roles
  - Users and Roles-Domains
  - Users and Roles-Remote Profiles
  - Logging Management
    - Logging and Reporting Overview
  - Logging Management-Logging Nodes
  - Logging Management-Statistics & Troubleshooting
    - Using the Log Statistics and Troubleshooting
  - Logging Management-Logging Devices
    - Logging Devices Main Page Fields
    - Creating Security Logs
  - Monitor Settings
    - About the Monitor Settings Page
    - Monitor Settings Overview
  - Signature Database
  - Migrating Content from NSM to Security Director
    - NSM Migration
  - Policy Sync Settings
    - About the Policy Sync Settings Page
    - Out-of-Band Changes Overview

Moving From Spotlight Secure to Policy Enforcer

The Spotlight Secure Threat Intelligence Platform aggregates threat feeds from multiple sources to deliver open, consolidated, actionable intelligence to SRX Series Devices across an organization. This product is now superseded by the Juniper Connected Security Policy Enforcer. The Juniper Connected Security framework delivers enhanced security from external as well as internal attacks by leveraging both security as well as network devices as a coherent security system.

Policy Enforcer is an orchestration solution that orchestrates user intent policy enforcement for threat remediation as well as micro-segmentation across the entire network. This document talks about the logistics of migrating from Spotlight Secure to Policy Enforcer.

Spotlight Secure and Policy Enforcer with Sky ATP are two different platforms and therefore a direct migration of threat policies from Spotlight Secure to Policy Enforcer is not supported. Instead it is recommended that you remove Spotlight Connector from your Space Fabric and remove threat related configurations on Security Director before you install Policy Enforcer. Then you will need to reconfigure your data and threat feeds. The following sections provide an overview of the transition process from Spotlight Secure to Policy Enforcer with Sky ATP.

Spotlight Secure and Policy Enforcer Deployment Comparison

The function of Spotlight Secure connector, to bring together all the available threat intelligence and make it available to security policies, is now done via Policy Enforcer with Sky ATP. In addition, Policy enforcer is a key part of the Juniper Connected Security Solution.

Spotlight Secure was installed to a separate virtual machine and then added as a specialized node to the Junos Space Fabric on Junos Space until version 15.1. Policy Enforcer is shipped as a virtual machine that is deployed independently. Instead of adding the new VM as a Junos Space node, the configuration has been simplified with a workflow using the Security Director user interface.

Note Spotlight Secure supported a HA deployment. The current version of Policy Enforcer is supported only as a single stand-alone deployment.

License Requirements

For existing Spotlight Secure customers, no new additional license is needed. If you have a Spot-CC license, it can be used with Policy Enforcer and Sky ATP as well. A Policy Enforcer license would only be needed if you want to use the complete set of Juniper Connected Security features with Sky ATP. Juniper Connected Security/Policy Enforcer features includes all threat prevention types: C&C, infected hosts, malware, GeoIP, and policy management and deployment features such as secure fabric and threat prevention policies. See Features By Sky ATP Configuration Type for more details.

Sky ATP and Spotlight Secure Comparison Table

The following table provides a product comparison:

Table 310: SKY ATP and Spotlight support Quick Summary

Feature	Support in Spotlight Secure	Support with Policy Enforcer and Sky ATP	Workflow using Sky ATP, Security Director and Policy Enforcer
Command and Control Feed	Fully Supported	Fully Supported	Create a Realm in Sky ATP if you do not already have one Configure Policy Enforcer in Cloud feed only or Sky ATP or Sky ATP with Juniper Connected Security modes to connect to the realm Configure a Threat Prevention Profile using Command and Control options Use this Threat Prevention Profile in Firewall Policy
Custom Feeds	Blocklist, Allowlist, and Dynamic Address features are fully supported.	Blocklist, Allowlist, Infected Host, and Dynamic Address features are fully supported	Create a Realm in Sky ATP if you do not already have one Configure Policy Enforcer Setting in Sky ATP mode Create a Custom Feed using Blocklist, Allowlist, or Dynamic address options selecting static IP or file options
Infected Host	Not directly supported by Spotlight. You must create custom feeds	Sky ATP supports an Infected Host feed, natively integrated with Policy Enforcer and Security Director.	Sky ATP supports an Infected Host feed, natively integrated with Policy Enforcer and Security Director.
Infected Host Remediation at the Access Network level	Not supported using Spotlight and Security Director	Sky ATP supports an Infected Host feed which is natively integrated with Policy Enforcer. Policy Enforcer can take block/quarantine actions at the access network level. Note: This requires a Policy Enforcer license and does not come with a SPOT_CC license.	Sky ATP supports an Infected Host feed which is natively integrated with Policy Enforcer. Policy Enforcer can take block/quarantine actions at the switch port level.

Migrating Spotlight Secure to a Policy Enforcer Configuration Overview

In this section, there is a side by side comparison of feature configuration for Spotlight Secure on Security Director 15.1 and Policy Enforcer on Security Director 16.1 and higher to aid in re-configuring your threat policies.

Procedure

This is an overview of the tasks needed to migrate:

Document the current data and feed configuration from current version of Security Director.
Remove Spotlight Connector from your Junos Space Fabric and remove the threat prevention configuration.
Upgrade to the latest versions of Junos Space and Security Director.
Note Since the underlying operation system is upgraded to Centos6.8 on Junos Space version 16.1, first upgrade Junos Space and applications to 15.2R2 and then follow the documentation to restore the database before deploying 16.1 or higher. Please refer to the Junos Space 16.1 release notes for details.
Deploy the Policy Enforcer virtual machine. See instructions in the following section.
Deploy Security Director and install Policy Enforcer to Security Director.
Configure a Sky ATP realm and enroll SRX Series devices into the realm. For all deployment models, it is necessary to configure a Sky realm and enroll firewalls.
Configure feeds and threat policies.

Installing Policy Enforcer

Policy Enforcer provides centralized, integrated management of all your security devices (both physical and virtual), allowing you to combine threat intelligence from different solutions and act on that intelligence from one management point. Using Policy Enforcer and the intelligence feeds it offers through Sky ATP, you can create threat prevention policies that provide monitoring and actionable intelligence for threat types such as known malware, command and control servers, infected hosts, and Geo IP-based server data.

Procedure

Policy enforcer is shipped as a OVA file that should be deployed over VMware ESX.

Download the Policy Enforcer virtual machine OVA image from the Juniper Networks software download page. It is recommended to deploy Policy Enforcer on the same ESX server as Junos Space.
Note Do not change the name of the Policy Enforcer virtual machine image file that you download from the Juniper Networks support site. If you change the name of the image file, the creation of the Policy Enforcer virtual machine can fail.
Figure 140: Deploy Policy Enforcer OVF File 1
Figure 141: Deploy Policy Enforcer OVF File 2
Note See Deploying and Configuring the Policy Enforcer with OVA files for the complete Policy Enforcer installation documentation.
Initial configuration is done through the console. In addition to network and host configuration, you must set a customer ID and reset the root password. The default login to Policy Enforcer is Username: root,Password: abc123
Figure 142: Policy Enforcer Configuration Summary
Once Policy Enforcer is deployed, it must be added to Security Director via Security Director User Interface. From the Security Director UI, navigate to Administration > Policy Enforcer > Settings.
Note Unlike Spotlight Secure, Policy Enforcer does not need to be added to Junos Space Fabric. The addition is done only through the Security Director UI.
On the Settings page, there three Sky ATP Configuration Types to choose from.
- Sky ATP with Juniper Connected Security—All Policy Enforcer features and threat prevention types are available
- Sky ATP—All threat prevention types are available: Command and control server, Geo IP, and Infected hosts.
- Cloud feeds only—Command and control server and Geo IP are the only threat prevention types available.
- No selection (No Sky ATP)—You can choose to make no selection. When you make no selection, there are no feeds available from Sky ATP, but the benefits of Secure Fabric, Policy Enforcement Groups, and Threat Prevention policies provided by Policy Enforcer are available. Infected hosts is the only prevention type available
Note You can switch from Cloud feeds only to Sky ATP, or SKY ATP to SKY ATP with Juniper Connected Security, but the reverse is not supported.
Note If you upgrade from Cloud feeds only to Sky ATP, you cannot roll back again. Upgrading resets all devices previously participating in threat prevention, and you must re-enroll them with Sky ATP. This is true for upgrading from Sky ATP to SKY ATP with Juniper Connected Security. “SKY ATP with Juniper Connected Security” is for the Juniper Connected Security solution and not covered in this section.
Note See Sky ATP Configuration Type Overview for the Policy Enforcer documentation on this topic.

Note Policy Enforcer with Sky ATP does not support a workflow for removing Policy Enforcer. To switch to a different Policy Enforcer, replace the IP and login information in the Policy Enforcer settings page.

Configuring Advanced Threat Prevention Features: Spotlight Secure/Policy Enforcer Comparison

The following section is a side by side comparison of how advanced threat prevention features were configured on Spotlight Secure compared to how they are configured with Policy Enforcer.

Configuring Command and Control and Infected Host

Procedure

Spotlight Secure: C&C and Infected Host

This is how C&C and infected host feeds were configured on Security Director 15.1 with Spotlight Secure:

Under Security intelligence > Information Source, click + to add a new information source. Select Spotlight Secure Cloud as source.
Figure 143: Spotlight Secure: Add Information Source
Create a Security Intelligence profile from Security intelligence > Profiles . Choose Command and Control as the feed category and set the Blocking threshold. Configure Block Options and Logging.
Figure 144: Spotlight Secure: Create Security Intelligence Profile
Complete the workflow to create a profile.
Figure 145: Spotlight Secure: Create Profile
Create a security intelligence policy.
Figure 146: Spotlight Secure: Create Security Intelligence Policy
Apply the security intelligence policy to a firewall policy.
Figure 147: Spotlight Secure: Apply Security Intelligence Policy to Firewall Policy

Procedure

Policy Enforcer with Sky ATP: C&C and Infected Host

This is how C&C and infected host feeds are configured on Security Director 16.1 and higher with Policy Enforcer:

Note Policy Enforcer can be configured with Sky ATP or Cloud feeds only to enable Command and Control feeds. The following instructions are for Cloud feeds only.

Note In addition to the instructions provided here, Threat Prevention Guided Setup under Configuration > Guided Setup > Threat Prevention can be leveraged for a wizard driven workflow.

Configure a Sky ATP Realm by navigating to Configure > Threat Prevention > Sky ATP Realms. Click + to create a realm.
(You must have a Sky ATP account to configure a realm. If you do not have an account please click on the link provided in the Sky ATP Realm window to create one at the Sky ATP account page. See Creating Sky ATP Realms and Enrolling Devices or Associating Sites for details).
Note You do not need a Sky ATP premium license to create an account or realm.
Once the Sky ATP realm is created, add a policy by navigating to Configure > Threat Prevention > Policies. Click + to create a policy. Enable the check box to Include C&C profile in policy and set threat score thresholds, actions, and logging.
Figure 148: Policy Enforcer: Create Threat Prevention Policy
Figure 149: Policy Enforcer: Create Threat Prevention Policy, Select Threat Score and Logging
Apply the threat prevention policy to a firewall policy.
Figure 150: Policy Enforcer: Apply Threat Prevention Policy to Firewall Policy
Publish, verify the configuration and update to the firewall.
Figure 151: Policy Enforcer: Update Firewall Policy
Note If Sky ATP is chosen as the Sky ATP Configuration Type under Administration > Policy Enforcer > Settings, the workflow remains the same, but additional parameters become available for configuring anti-malware.

Configuring Custom Feeds

Procedure

Spotlight Secure: Custom Feeds

This is how custom feeds were configured on Security Director 15.1 with Spotlight Secure:

Create an information source by navigating to Security Intelligence > Information Source . Click + to add a source. (Note that WebApp Secure is no longer supported.)
Figure 152: Spotlight Secure: Add Information Source
Upload from a custom file. Select Source as Custom File Upload and point to a local file.
Figure 153: Spotlight Secure: Configure Custom File Upload
Configure a periodic upload from a remote file server. Provide the full URL to the plain text file you want to poll and enter server login information, Username and Password.
Figure 154: Spotlight Secure: Enter Server Login for Custom File Upload
Create a dynamic object by navigating to Security Intelligence > Dynamic Address Group. Configure the feed as the custom feed that was created in the previous step.
Figure 155: Spotlight Secure: Select Custom Feed in Dynamic Address Group
Use the dynamic object in a security policy.
Figure 156: Spotlight Secure: Select Dynamic Address in Security Policy
Configure a custom feed as an allowlist or blocklist by navigating to Security Intelligence > Profiles. Edit Global White List or Global Black List to add a custom feed created in the previous steps.
Figure 157: Spotlight Secure: Edit Global Whitelist or Blacklist

Procedure

Policy Enforcer with Sky ATP: Custom Feeds

This is how custom feeds are configured on Security Director 16.1 and higher with Policy Enforcer:

Note In addition to the instructions provided here, Threat Prevention Guided Setup under Configuration > Guided Setup > Threat Prevention can be leveraged for a wizard driven workflow.

Policy Enforcer supports manually adding or uploading custom feed information from a file server. The custom feed can be a dynamic object, infected hosts list, allowlist or blocklist which can then be used within the match criteria of a firewall rule.

Create Custom Feeds by navigating to Configure > Threat Prevention > Custom Feeds. Click + to create a new feed.
Provide a Name and Description for the custom feed and choose the tab for the type of feed: Dynamic Address, Blacklist, Whitelist or Infected Host.
Figure 158: Policy Enforcer: Configure Custom Feed
Manually configure the IP list or upload it from a local file. The IP list can be defined as individual IP addresses, IP address ranges, or subnets. See Creating Custom Feeds for complete details.
Note Dynamic objects can be used within a firewall policy to match criteria as a source or destination address object.
Note Policy Enforcer supports only cloud based C&C feeds and not custom C&C feeds. Policy Enforcer APIs can be used to extend this functionality.
Upload a local file. Select the Upload file option in the right corner of the page.
Figure 159: Policy Enforcer: Upload Custom File
If you have configured an allowlist, downloads from those IP addresses are considered trusted. For blocklists, all downloads from those IP addresses are blocked. Dynamic objects can be used within a firewall policy match criteria as a source or destination address object.
Figure 160: Policy Enforcer: Use Dynamic Addresses in Firewall Policy

Configuring Geo IP

Procedure

Spotlight Secure: Geo IP

This is how Geo IP feeds were configured on Security Director 15.1 with Spotlight Secure:

Create a GeoIP object under dynamic object by navigating to Security Intelligence > Dynamic Address Group. Select the feed as GeoIP and pick the countries from the drop down list.
Figure 161: Spotlight Secure: Create Geo IP with Dynamic Address Group
Use the Geo IP object in a firewall policy.
Figure 162: Spotlight Secure: Use Geo IP in Firewall Policy

Procedure

Policy Enforcer with Sky ATP: Geo IP

This is how Geo IP feeds are configured on Security Director 16.1 and higher with Policy Enforcer:

Define GeoIP objects that can then be used within the match criteria of a firewall policy by navigating to Configure > Shared Objects > Geo IP. Create a Geo IP feed and choose countries to include from the list.(This feature requires a SecIntel or SKY ATP license.)
Figure 163: Policy Enforcer: Create Geo IP
Use the Geo IP feed you created as the source or destination address in a firewall policy.
Figure 164: Policy Enforcer: Use Geo IP in the Firewall Policy

Help us to improve. Rate this article.

Feedback Received. Thank You!

Configuring No Sky ATP (No Selection) (without Guided Setup) Overview

Creating Log Report Definitions