Troubleshooting Common Policy Enforcer Problems

Troubleshooting Policy Enforcer Installation

Most common Policy Enforcer installation problems occur around creating and deploying the OVA file. If you are not familiar with virtual machines or OVA files, please see VMware Documentation and select the appropriate VMware vSphere version.

• Configuring the virtual machine with the correct network configuration. These values vary according to your installation. When configuring the virtual machine network, you will need to know the following:

  • Virtual machine hostname, IP address and network mask.

  • Default gateway that connects your internal network to external networks.

  • Primary and secondary DNS servers.

  • (optional) NTP servers.

• Virtual machine IP address and ssh root credentials. When configuring the virtual machine, you must identify and record the IP address and the ssh root password. In order for Security Director to communicate with your Policy Enforcer virtual machine, you must enter these values into the PE Settings page (Administration > PE Settings) of Security Director.

  If you forget the virtual machine IP address, log into the virtual machine again. The setup script automatically runs each time you log in so that you can review your settings.

  If you forget the root password, there is no way to retrieve it. You must instead reset your password. Be sure to enter your new password into the PE settings page in Security Director. To reset your password, see CentOS root password reset instructions.

Troubleshooting Juniper ATP Cloud Realms and Enrolling Devices

Juniper ATP Cloud has two service levels: free and premium. The free model solution performs basic malware detection while the premium model solution offers more protection. For more information on Juniper ATP Cloud license types and the features for each type, see Sky Advanced Threat Prevention Licenses.

• Trying to enroll devices that are not supported by Juniper ATP Cloud. See the Juniper ATP Cloud Supported Platforms Guide   for more information on supported devices.

• The Juniper ATP Cloud file limit has been reached. Juniper ATP Cloud has a maximum number of files per day that you can submit to the cloud for inspection. When an SRX Series device has reached its maximum number of files, it goes into a paused state and cannot submit files for inspection. The device automatically changes to the allowed state when it once again is below the maximum limit. See Juniper ATP Cloud File Limits for more information on the maximum number of files per day per device type.

• The vSRX instance fails to enroll. Check to make sure the proper Juniper ATP Cloud license is installed. See Managing the Juniper ATP Cloud License for more information on license management with vSRX deployments.

Troubleshooting Threat Policies and Policy Enforcement Groups

This section lists some common issues found with threat policies and policy enforcement groups.

• You create a threat policy but don’t see the appropriate profiles to choose.

  Select Administration > PE Settings and make sure the correct mode has been selected. You can only change the mode in the follow order: Cloud Feed Only to ATP Cloud to ATP Cloud with PE.

• Assigning a threat policy to a policy enforcement group in the Juniper ATP Cloud with PE mode.

  Threat policies are enforced and pushed to devices that support the given profile. If a device is not supported by a profile, it will be listed in the analysis results and in the Junos Space job details.

• You create a policy enforcement group with an IP address subnet but no IP addresses are listed in the GUI.

  Make sure that a switch is assigned to the site and that the L3 interfaces are configured on the aggregate switch.

HTTPS-Based Malware Not Detected

If your HTTPS-based malware is not detected by Juniper ATP Cloud, the root certificate on your SRX Series device (for HTTPS forward proxy) may be invalid. This may occur when the CA profile name is not correct. It must be named policyEnforcer.

For more information on loading root certificates with Policy Enforcer, see Loading a Root CA.

Unable to add Policy Enforcer to Security Director

If you are unable to add Policy Enforcer to Security Director, do the following:

• Check if Policy Enforcer and Security Director are on the same version.

• Make sure to open the following ports:

  • 8080, 443—Used to connect Security Director or Policy Enforcer to Internet.

  • 443, 8080—Used to connect Policy Enforcer to Security Director.

• Check the Policy Enforcer node disk space using df -kh command and make sure that it has enough disk space.

• Check Policy Enforcer log files. For more information, see Policy Enforcer Log File Locations.

Troubleshooting Policy Enforcer and SRX Series device Enrolment Issues

To resolve Policy Enforcer and SRX Series device enrolment issues, you must do the following:

• Check if Policy Enforcer and Security Director are on the same version.

• Use supported SRX Series or EX Series devices.

• SRX Series or EX Series device must be running supported Junos OS Release. For more information, see Supported Devices.

• Check for SRX Series supported feature against the Model Cloud feed, SkyATP and so on.

• Check for SRX Series premium, basic, or free license and supported features.

• For SRX550M, SRX340, or SRX345 models, use set security forwarding-process enhanced-services-mode command.

  Note

  Above command requires device reboot, therefore plan the downtime.

• Junos Space should have matching schema as per device Junos version.

• Check that the device is not enrolled directly via SLAX script. If enrolled, then disenroll the device.

• To check if the device is directly enrolled to SkyATP or enrolled via Policy Enforcer.

  For example

  • root@jtac> show configuration services -intelligence |match "url "

    If you get the output as https://IPADDRESS:443/api/v1/manifest.xml; then the device is enrolled via Policy Enforcer. If you get https://cloudfeeds.argon.junipersecurity.net/api/manifest.xml, then the device is directly enrolled to SkyATP.

• When you start enrolling the device to realm <RPC> job is triggered in Security Director and this is visible only for SkyATP and SkyATP with SDSN mode Policy Enforcer deployment.

• For SDSN to work, make sure that the topologies should be as per Supported Topologies. End host connection should be Access Port and other interconnecting ports should be Trunk Port.