Troubleshooting Policy Enforcer and SRX Series device Enrolment Issues
To resolve Policy Enforcer and SRX Series device enrolment issues, you must do the following:
Check if Policy Enforcer and Security Director are on the same version.
Use supported SRX Series or EX Series devices.
The SRX Series or EX Series device must be running a supported Junos OS release. For more information, see Supported Devices.
Check which features the SRX Series model supports, such as Cloud feed, SkyATP, and so on.
Check for SRX Series premium, basic, or free license and supported features.
For SRX550M, SRX340, or SRX345 models, use the set security forwarding-process enhanced-services-mode command.
Note: The above command requires a device reboot, so plan for the downtime.
Junos Space should have a schema that matches the Junos OS version of the device.
Check that the device is not enrolled directly via a SLAX script. If it is, disenroll the device.
To check whether the device is enrolled directly to SkyATP or via Policy Enforcer, look at the feed URL in the device configuration. For example:
root@jtac> show configuration services security-intelligence | match "url "
If you get the output as https://IPADDRESS:443/api/v1/manifest.xml; then the device is enrolled via Policy Enforcer. If you get https://cloudfeeds.argon.junipersecurity.net/api/manifest.xml, then the device is directly enrolled to SkyATP.
When you start enrolling the device to a realm, an <RPC> job is triggered in Security Director. This job is visible only for the SkyATP and SkyATP with SDSN modes of Policy Enforcer deployment.
For SDSN to work, make sure that the topology is as per Supported Topologies. The end host connection should be an access port, and the other interconnecting ports should be trunk ports.
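The enrolment check above (reading the url line of the security-intelligence configuration) can be run over saved command output from many devices. The following is an added example, not Juniper code; the function names, result labels, and sample outputs are assumptions made for illustration, and a Policy Enforcer URL is assumed to use an IP address as the page shows.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Host and paths as shown on the page for the two enrolment types.
SKYATP_HOST = "cloudfeeds.argon.junipersecurity.net"
SKYATP_PATH = "/api/manifest.xml"
PE_PATH = "/api/v1/manifest.xml"  # served from https://IPADDRESS:443
URL_LINE = re.compile(r"^\s*url\s+(\S+?);?\s*$")  # Junos line: url https://...;

def classify_url(url):
    """Map one feed URL to an enrolment type (labels are hypothetical)."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:  # for example, malformed IPv6 brackets
        return "unexpected"
    if parts.scheme != "https":
        return "unexpected"
    # Exact host comparison: a substring test would accept look-alike hosts.
    if host == SKYATP_HOST and parts.path == SKYATP_PATH:
        return "direct-skyatp"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return "unexpected"
    return "policy-enforcer" if parts.path == PE_PATH else "unexpected"

def classify_enrolment(cli_output):
    """Classify the saved output of the 'match "url "' command for one device."""
    urls = {m.group(1) for line in cli_output.splitlines()
            if (m := URL_LINE.match(line))}
    if not urls:
        return "no-feed-url"
    if len(urls) > 1:
        return "ambiguous"
    return classify_url(urls.pop())

# Constructed sample outputs (192.0.2.10 is a documentation address).
SAMPLES = {
    "srx-a": "url https://192.0.2.10:443/api/v1/manifest.xml;",
    "srx-b": "url https://cloudfeeds.argon.junipersecurity.net/api/manifest.xml;",
    "srx-c": "url https://cloudfeeds.argon.junipersecurity.net.example.org/api/manifest.xml;",
}

if __name__ == "__main__":
    for device, output in SAMPLES.items():
        print(device, classify_enrolment(output))
```

A result of unexpected, ambiguous, or no-feed-url means the device needs a manual look before enrolment is retried.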