Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Secure Fabric Overview


Secure Fabric is a collection of sites which contain network devices (switches, routers, firewalls, and other security devices), used in policy enforcement groups. When threat prevention policies are applied to policy enforcement groups, the system automatically discovers to which sites those groups belong. This is how threat prevention is aggregated across your secure fabric.

  • Add Enforcement Points—Click the Add Enforcement Points link to add Firewalls, Switches, and/or Connectors. There is a one-to-one mapping between devices with sites. If a device is mapped to a site, you cannot use the same device to map to a different site. The connector can be mapped to multiple sites. To filter by type, click the three vertical dots beside the search field and select the check box for the device type. See Creating Secure Fabric and Sites for more information.

  • Drag and Drop Enforcement Points—From the main page, you can select enforcement points and drag them to other sites to include them there. When you drag, the enforcement point is disenrolled from the current site and gets enrolled to the new site where the enforcement point is dropped.

    You can either have switches or a connector as enforcement points and not both. However, you can drag a switch and add to a site that already has a switch or SRX Series device.

Table 1 shows fields on the Secure Fabric page.

Table 1: Secure Fabric Page Fields




Specifies the name of the secure fabric site.


Specifies the name of the secure fabric tenant.

Enforcement Points

Specifies the enforcement points for that particular site, if enforcement points are already added. If not added, click Add Enforcement Points to add Firewalls, Switches, or Connectors as enforcement points.

A firewall icon is shown against some of the devices to indicate that they are the perimeter firewalls.

For connectors, if you hover over the enforcement point, a tool tip is shown listing the corresponding vSRX devices with IP addresses and descriptions.

Note: If tenant is configured to the site, only MX Series device can be added as enforcement points.


Specifies the IP address of the enforcement point, if the enforecement point is available.


Specifies the type of the enforcement point. For example, vSRX, QFX, Connector.

Feed Source

Specifies the feed source to Policy Enforcer.

ATP Cloud Enroll Status

Specifies the status of the Juniper ATP Cloud enrollment.

The Success status with a warning symbol indicates that the device is enabled for cloud feeds only and there is no support for malware capability and enhanced mode. This field will be blank if the device fails to disenroll Juniper ATP Cloud.

If the status is Failed, click Retry to enroll the device with Juniper ATP Cloud again. You can hover over the Failed status to see the corresponding job details. The device enroll retry option is available only when the status is Failed.

Last Updated

Specifies the date on which the Secure Fabric page was last updated.


Specifies the description that you had entered at the time of creating a secure fabric site.