Policy Enforcer Configuration Concepts
You have some options for how you can approach the initial setup of Sky ATP and Policy Enforcer. There is a “Guided Setup” approach which walks you through the necessary steps for getting the product up and running. This is the recommended approach. If you prefer, you can manually configure each part of the product.
Either way, before you begin the configuration, you need to understand the concepts behind the configuration items required to successfully deploy threat management policies across your network. These items include security realms for Sky ATP, secure fabric for sites, and policy groups for endpoints. These are explained in this section.
Security Realm—When configuring Sky ATP or Policy Enforcer with Sky ATP, there are Realm selection fields at the top of several pages. A security realm is a group identifier for an organization used to restrict access to Web applications. You must create at least one security realm to log in to Sky ATP. Once you create a realm, you can enroll SRX Series devices into the realm. You can also give more users (administrators) permission to access the realm.
If you have multiple security realms, note that each SRX Series device can only be bound to one realm, and users cannot travel between realms.
Policy Enforcement Groups—A policy enforcement group is a grouping of endpoints to which threat prevention policies are applied. Create a policy enforcement group by adding endpoints (firewalls, switches, subnets, set of end users) under one common group name and later applying a threat prevention policy to that group.
Some information to know about enforcement groups is as follows: Determine which endpoints to add to the group based on how you will configure threat prevention, whether by location, by users and applications, or by threat risk. An endpoint cannot belong to more than one policy enforcement group.
Threat Prevention Policies—Once you have a Threat Prevention Policy, you assign one or more Policy Enforcement Groups to it. Threat prevention policies provide protection and monitoring for selected threat profiles, including command & control servers, GeoIP, infected hosts, and malware. Using feeds from Sky ATP and custom feeds you configure, ingress and egress traffic is monitored for suspicious content and behavior. Based on a threat score, detected threats are evaluated and action may be taken once a verdict is reached.
Secure Fabric—For your configuration you must create one or more sites for your secure fabric. Secure fabric is a collection of sites which contain network devices (switches, routers, firewalls, and other security devices), used in policy enforcement groups. When threat prevention policies are applied to policy enforcement groups, the system automatically discovers to which sites those groups belong. This is how threat prevention is aggregated across your secure fabric.
Some information to know about sites is as follows: When you create a site, you must identify the perimeter firewalls so that you can enroll them with Sky ATP. If you want to enforce an infected host policy within the network, you must assign a switch to the site. A device cannot belong to more than one site.
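A pre-flight check for the membership rules stated above (one realm per SRX Series device, one site per device, one enforcement group per endpoint, a switch in each site where an infected host policy is to be enforced) and for the policy-to-site discovery described under Secure Fabric, as an added example in Python with constructed data. It is not Policy Enforcer's own code or data model, and every device, realm, site, group and policy name in it is hypothetical.

```python
from collections import defaultdict

# Constructed planning data for the example (hypothetical names, not a Juniper data model).
DEVICE_ROLE = {"srx-edge-1": "firewall", "srx-edge-2": "firewall", "ex-core-1": "switch"}
REALM_ENROLLMENTS = {"srx-edge-1": ["corp-realm"], "srx-edge-2": ["corp-realm", "lab-realm"]}
SITES = {"hq": ["srx-edge-1", "ex-core-1"], "branch": ["srx-edge-2"], "lab": ["srx-edge-2"]}
GROUPS = {"hq-users": ["ex-core-1", "10.1.0.0/16"], "branch-users": ["srx-edge-2", "10.1.0.0/16"]}
POLICIES = {"block-cnc-and-infected": ["hq-users", "branch-users"]}

def _containers_of(mapping):
    """Invert {container: [members]} into {member: [containers]}."""
    inverted = defaultdict(list)
    for container, members in mapping.items():
        for member in members:
            inverted[member].append(container)
    return inverted

def validate(realms, sites, groups):
    """Return one message per violation of the one-realm, one-site and one-group rules."""
    problems = []
    for device, bound in realms.items():
        if len(bound) > 1:
            problems.append(f"SRX {device} bound to more than one realm: {bound}")
    for device, in_sites in _containers_of(sites).items():
        if len(in_sites) > 1:
            problems.append(f"device {device} belongs to more than one site: {in_sites}")
    for endpoint, in_groups in _containers_of(groups).items():
        if len(in_groups) > 1:
            problems.append(f"endpoint {endpoint} in more than one enforcement group: {in_groups}")
    return problems

def sites_for_policy(policy, policies, groups, sites):
    """Discover the sites a policy reaches: policy -> groups -> endpoints -> sites.
    Only endpoints that are site devices resolve; subnets and users do not map to a site here."""
    device_sites = _containers_of(sites)
    reached = set()
    for group in policies[policy]:
        for endpoint in groups[group]:
            reached.update(device_sites.get(endpoint, []))
    return sorted(reached)

def sites_without_switch(sites, roles):
    """Sites where an infected host policy cannot be enforced because no switch is assigned."""
    return sorted(s for s, devs in sites.items() if not any(roles.get(d) == "switch" for d in devs))

if __name__ == "__main__":
    for problem in validate(REALM_ENROLLMENTS, SITES, GROUPS):
        print("VIOLATION:", problem)
    print("policy reaches sites:", sites_for_policy("block-cnc-and-infected", POLICIES, GROUPS, SITES))
    print("sites needing a switch:", sites_without_switch(SITES, DEVICE_ROLE))
```

Run against the constructed data, the check reports the SRX enrolled in two realms, the device assigned to two sites and the subnet placed in two groups, which are exactly the configurations the rules above forbid.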