Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Creating Policy Enforcement Groups


You can create policy enforcement groups from the policy enforcement groups page.

Before You Begin

  • Know what type of endpoints you are including in your policy enforcement group: IP address/subnet, or location.

  • Determine what endpoints you will add to the group based on how you will configure threat prevention according to location, users and applications, or threat risk.

  • Keep in mind that endpoints cannot belong to multiple policy enforcement groups.

To create a policy enforcement group:

  1. Select Configure>Shared Objects>Policy Enforcement Groups.
  2. Click the + icon.
  3. Complete the configuration by using the guidelines in the Table 1 below.
  4. Click OK.

Table 1: Fields on the Policy Enforcement Group Page




Enter a unique string that must begin with an alphanumeric character and can include only dashes and underscores; no spaces allowed; 32-character maximum.


Enter a description; maximum length is 64 characters. You should make this description as useful as possible for all administrators.

Group Type

Select a group type from the available choices. IP Address/Subnet or Location.

Connector IPs

This field is available only if the Group Type field is IP Address/Subnet

The subnets of all connectors added in the Connector page are dynamically listed in the Available column. If the Group Type is IP Address/Subnet, the subnets within the connector instances that have the threat remediation enabled are only listed.

When using Junos Space, Policy Enforcer is able to dynamically discover subnets configured on Juniper switches. Policy Enforcer does not have the same insight with third-party devices. Therefore you can add subnets to your connector configuration and select them here. This allows you to selectively apply policies to those subnets.

If you have not configured a connector, you will see only Junos Space subnets discovered by Policy Enforcer. If you have a connector configured, you can see the subnets of a connector in the Available column. Hover over subnets to view the description for these subnets entered during the connector creation. You will not see any description if it is not entered during creating a connector. The description will show “No description available” for subnets that come from Junos Space.

The Available and Selected columns have filters listed with connectors or Space. You can choose a connector and filter only the subnets belonging to that particular connector. The result shows the name of a device to which the subnet belongs and also the type of the device.

You can also use the search bar to search and filter the result based on subnet, name of the device, or type of the device.

Click Refresh Available IPs to refresh the available IP addresses or subnets. If you edit any selected items in the Selected column, the list is refreshed to the initial selected list after the refresh. A progress bar is shown with the refresh progress in percentage.

In a scenario where there are no IP addresses or subnets, the refresh will still be successful. A message is displayed showing that the refresh was successful but there are no IP addresses or subnets found.

Additional IP

This field is available only if the Group Type field is IP Address/Subnet

Enter an IP address and select the connector type from the list to add to PEG. The IP address must be within the subnet range of the selected connector. Click Add to add the additional IP address to the Selected column of the Connector IPs field.

A validation is performed to check if the additional IP address is within the subnet range of the selected connector. If not, an error message is shown to enter the IP address within the subnet range.


Sites with the threat remediation enabled instances are only listed, if the Group Type is Location. Select the check box beside the sites in the Available list and click the > icon to move them to the Selected list.

The endpoints in the Selected list will be included in the policy enforcement group.

You can create a policy enforcement group with subnets from different connectors based on how they have grouped their network segments. For example, If you have Junos Space EX switch with subnets HR: and Finance:, ClearPass connector with subnets HR: and Marketing:, Cisco ISE with subnets HR: and Finance: You can create a single policy enforcement group and name it as HR by choosing the following subnets: Junos Space EX HR:, ClearPass connector subnet HR:, and Cisco ISE connector subnet HR: