Licenses for Advanced Threat Prevention
Licenses for JATP Advanced Threat Prevention Appliance
Licensing and Platform Support information
The following sections provide information on licensing requirements and SRX Series device platform support.
JATP and SRX Series Integration Licensing
Unlike other Layer 7 features, there is no separate license required on the SRX Series device for integration with JATP. In this deployment, the JATP Core is the licensed component. If the Core has a valid license, then the SRX Series device can connect to the Core and enroll successfully. If not, the enrollment will fail.
For JATP license upload instructions, see Setting the Juniper ATP Appliance License Key.
AppSecure functionality on the SRX Series device is a pre-requisite for integrating with JATP. Depending on the SRX Series platform, a separate license may be required to enable AppSecure. Please consult the SRX Series platform data sheet for the most accurate information.
Supported SRX Series Devices
This section describes the hardware and software components that are compatible with JATP.
Platform | Hardware Requirements | Software Versions |
|---|---|---|
vSRX Series | Junos 18.2R1 and above | |
SRX Series | SRX320, SRX300 | Junos 18.3R1 and above |
SRX Series | SRX4100, SRX4200, SRX4600 | Junos 15.1X49-D65 and above for SRX4100 and SRX4200 Junos 17.4R1-S1 and above for SRX4600 |
SRX Series | SRX340, SRX345, SRX550m | Junos 15.1X49-D60 and above |
SRX Series | SRX5800, SRX5600, SRX5400 | Junos 15.1X49-D50 and above |
SRX Series | SRX1500 | Junos 15.1X49-D33 and above |
The following devices support scanning SMTP e-mail attachments:
SRX300 Series device
SRX320 Series device
SRX340 Series device
SRX345 Series device
SRX1500 Series device
SRX4100 Series device
SRX4200 Series device
SRX4600 Series device
SRX5400 Series device
SRX5600 Series device
SRX5800 Series device
vSRX Series
The following devices support scanning IMAP e-mail attachments:
SRX300 Series device
SRX320 Series device
SRX340 Series device
SRX345 Series device
SRX1500 Series device
SRX4100 Series device
SRX4200 Series device
SRX4600 Series device
SRX5400 Series device
SRX5600 Series device
SRX5800 Series device
vSRX Series
Setting the Juniper ATP Appliance License Key
Without a valid product license key, the Juniper ATP Appliance system will not work. Likewise, an expired product key, or an expired support or content license, prevents full operations and disables content or software updates.
Use the Config>System Profiles>Licensing configuration window to upload a License key to the Juniper ATP Appliance or software service. To license your system, you will need to upload the license using this configuration window and also use the CLI to get the system UUID.
License Keys are obtained from Juniper Customer Support.
To upload a product license key:
Navigate to the Config>System Profiles>Licensing page.
Click Add New Juniper ATP Appliance License button to upload a new license key file.
Click the Choose File button to select the license key for upload, then click Submit to apply the configuration.
Note A GSS connection is required in order for Juniper ATP Appliance to run regular licensing checks. Adding a license manually does not enable JATPsupport.
Licenses for Juniper Sky Advanced Threat Prevention (ATP)
Juniper Sky Advanced Threat Prevention License Types
Juniper Sky ATP has three service levels:
Free—The free model solution is available on all supported SRX Series devices (see the Supported Platforms Guide
Basic (feed only)—Includes executable file scanning and adds filtering using the following threat feed types: Command and Control, GeoIP, Custom Filtering, and Threat Intel feeds. Threat Intel feeds use APIs that allow you to injects feeds into Juniper Sky ATP.
Premium—Includes all features provided in the Free and Basic licenses, but provides deeper analysis. All supported file types are scanned and examined using several analysis techniques to give better coverage. Full reporting provides details about the threats found on your network.
On the Enrolled Devices page in the Juniper Sky ATP Web UI, the License Expiration column contains the status of your current license, including expiration information. There is a 60 day grace period after the license expires before the SRX Series device is disenrolled from Juniper Sky ATP. On the SRX Series device, you can run the > show system license command to view license details.
You do not need to download any additional software to run Juniper Sky ATP.
Table 1 shows a comparison between the free model and the premium model.
Free Model | Basic-Threat Feeds Model | Premium Model |
|---|---|---|
Management through cloud interface. Zero on-premise footprint beyond the SRX Series device. | Management through cloud interface. Zero on-premise footprint beyond the SRX Series device. | Management through cloud interface. Zero on-premise footprint beyond the SRX Series device. |
Inbound protection. | Inbound protection. | Inbound protection. |
Outbound protection. | Outbound protection. | Outbound protection. |
— | C&C feeds. | C&C feeds. |
— | GeoIP filtering. | GeoIP filtering. |
Custom feeds | Custom feeds | |
Infected host feed/endpoint quarantine | ||
Threat Intelligence APIs only | All APIs including File/Hash | |
— | — | C&C protection with event data returned to the Juniper Sky ATP cloud. |
— | — | Compromised endpoint dashboard. |
Inspects only executable file types. Executables go through the entire pipeline (cache, antivirus, static and dynamic). | Inspects only executable file types. Executables go through the entire pipeline (cache, antivirus, static and dynamic). | No restrictions on object file types inspected beyond those imposed by the Juniper Sky ATP service. You can specify which file types are sent to service for inspection. |
Reporting with rich detail on malware behaviors. | Reporting with rich detail on malware behaviors. | Reporting with rich detail on malware behaviors. |
For more information on analysis techniques, see How is Malware Analyzed and Detected?. For additional information on product options, see the Juniper Sky ATP datasheet
For more information on this and premium license SKUs, contact your local sales representative.
Additional License Requirements
AppSecure functionality on the SRX Series device is a pre-requisite for the Juniper Sky Advanced Threat Prevention feature. Depending on the SRX Series platform, a separate license may be required to enable AppSecure. Please consult the SRX Series platform datasheet for the most accurate information.
Managing the Juniper Sky Advanced Threat Prevention License
This topic describes how to install the Juniper Sky ATP premium license onto your SRX Series devices and vSRX deployments. You do not need to install the Juniper Sky ATP free license as these are included your base software. Note that the free license has a limited feature set (see Juniper Sky Advanced Threat Prevention License Types and Sky Advanced Threat Prevention File Limitations).
When installing the license key, you must use the license that is specific your device type. For example, the Juniper Sky ATP premium license available for the SRX Series device cannot be used on vSRX deployments.
Obtaining the Premium License Key
The Juniper Sky ATP premium license can be found on the Juniper Networks product price list. The procedure for obtaining the premium license entitlement is the same as for all other Juniper Network products. The following steps provide an overview.
- Contact your local sales office or Juniper Networks partner
to place an order for the Juniper Sky ATP premium license.
After your order is complete, an authorization code is e-mailed to you. An authorization code is a unique 16-digit alphanumeric used in conjunction with your device serial number to generate a premium license entitlement.
- (SRX Series devices only) Use the show chassis hardware CLI command to find the serial number of the SRX Series devices
that are to be tied to the Juniper Sky ATP premium license.
[edit] root@SRX# run show chassis hardware Hardware inventory: Item Version Part number Serial number Description Chassis CM1915AK0326 SRX1500 Midplane REV 09 750-058562 ACMH1590 SRX1500 Pseudo CB 0 Routing Engine 0 BUILTIN BUILTIN SRX Routing Engine FPC 0 REV 08 711-053832 ACMG3280 FEB PIC 0 BUILTIN BUILTIN 12x1G-T-4x1G-SFP-4x10G
Look for the serial number associated with the chassis item. In the above example, the serial number is CM1915AK0326.
- Open a browser window and go to https://license.juniper.net.
- Click Login to Generate License Keys and follow the instructions.
Note You must have a valid Juniper Networks Customer Support Center (CSC) account to log in.
License Management and SRX Series Devices
Unlike other Juniper Networks products, Juniper Sky ATP does not require you to install a license key onto your SRX Series device. Instead, your entitlement for a specific serial number is automatically transferred to the cloud server when you generate your license key. It may take up to 24 hours for your activation to be updated in the Juniper Sky ATP cloud server.
Juniper Sky ATP Premium Evaluation License for vSRX
The 30-day Juniper Sky ATP countdown premium evaluation license allows you to protect your network from advanced threats with Juniper Sky ATP. The license allows you to use Juniper Sky ATP premium features for 30-days without having to install a license key. After the trial license expires, the connection to the Juniper Sky ATP cloud is broken and you will no longer be able to use any Juniper Sky ATP features.
Instructions for downloading the trial license are here: https://www.juniper.net/us/en/dm/free-vsrx-trial/.
The 30-day trial license period begins on the day you install the evaluation license.
To continue using Juniper Sky ATP features after the optional 30-day period, you must purchase and install the date-based license; otherwise, the features are disabled.
After installing your trial license, set up your realm and contact information before using Juniper Sky ATP. For more information, see Registering a Juniper Sky Advanced Threat Prevention Account.
License Management and vSRX Deployments
Unlike with physical SRX Series devices, you must install Juniper Sky ATP premium licenses onto your vSRX. Installing the Juniper Sky ATP license follows the same procedure as with most standard vSRX licenses.
The following instructions describe how to install a license key from the CLI. You can also add a new license key with J-Web (see Managing Licenses for vSRX.)
If you are reinstalling a Juniper Sky ATP license key on your vSRX, you must first remove the existing Juniper Sky ATP license. For information on removing licenses on the vSRX, see Managing Licenses for vSRX.
To install a license key from the CLI:
- Use the request system license add command
to manually paste the license key in the terminal.
user@vsrx> request system license add terminal[Type ^D at a new line to end input, enter blank line between each license key] JUNOS123456 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff JUNOS123456: successfully added add license complete (no errors)
Note You can save the license key to a file and upload the file to the vSRX file system through FTP or Secure Copy (SCP), and then use the request system license add file-name command to install the license.
- (Optional) Use the show system license command
to view details of the licenses.
Example of a premium license output:
root@host> show system license License identifier: JUNOS123456 License version: 4 Software Serial Number: 1234567890 Customer ID: JuniperTest Features: Sky ATP - Sky ATP: Cloud Based Advanced Threat Prevention on SRX firewalls date-based, 2016-07-19 17:00:00 PDT - 2016-07-30 17:00:00 PDTExample of a free license output:
root@host> show system license License identifier: JUNOS123456 License version: 4 Software Serial Number: 1234567890 Customer ID: JuniperTest Features: Virtual Appliance - Virtual Appliance permanent - The license key is installed and activated on your vSRX.
High Availability
Before enrolling your devices with the Juniper Sky ATP cloud, set up your HA cluster as described in your product documentation. For vSRX deployments, make sure the same license key is used on both cluster nodes. When enrolling your devices, you only need to enroll one node. The Juniper Sky ATP cloud will recognize this is an HA cluster and will automatically enroll the other node.
Troubleshooting Juniper Sky Advanced Threat Prevention: Checking the application-identification License
If you are using an SRX1500 Series device, you must have a have a valid application-identification license installed. Use the show services application-identification version CLI command to verify the applications packages have been installed. You must have version 2540 or later installed. For example:
user@host> show services application-identification
version
Application package version:
2540If you do not see the package or the package version is incorrect, use the request services application-identification download CLI command to download the latest application package for Junos OS application identification. For example:
user@host> request services application-identification
download
Please use command "request
services application-identification download status" to check status Then use the request services application-identification install CLI command to install the downloaded application signature package.
user@host> request services application-identification
install
Please use command "request
services application-identification install status" to check statusUse the show services application-identification application version CLI command again to verify the applications packages is installed.