    Sky Advanced Threat Prevention Overview

    Juniper Networks Sky Advanced Threat Prevention (Sky ATP) is a security framework that protects all hosts in your network against evolving threats by combining cloud-based threat detection with the SRX Series next-generation firewall.

    Figure 1: Sky Advanced Threat Prevention Overview

    Sky Advanced Threat Prevention protects your network by performing the following tasks:

    • The SRX Series device extracts potentially malicious objects and files and sends them to the cloud for analysis.
    • Known malicious files are quickly identified and dropped before they can infect a host.
    • Multiple techniques identify new malware, adding it to the known list of malware.
    • Correlation between newly identified malware and known Command and Control (C&C) sites aids analysis.
    • The SRX Series device blocks known malicious file downloads and outbound C&C traffic.
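    As an added illustration of the extract, look up, submit, and block sequence just listed (example code written for this page, not Juniper's SRX or Sky ATP code), the following Python models a minimal file-inspection pipeline: the extracted file is classified by magic bytes, checked against the device profile's scan categories, looked up in a cache of known verdicts keyed by SHA-256 so that known malware is dropped immediately, and otherwise marked for submission to the cloud. The magic-byte table, the profile, the threat-level threshold, and the sample files are all constructed assumptions.

```python
"""Added example (not Juniper code): a simplified model of the file pipeline
described above. Names, thresholds and sample payloads are constructed."""

import hashlib
from dataclasses import dataclass

# Magic-byte signatures used to classify extracted files (constructed subset).
MAGIC = {
    b"MZ": "executable",
    b"%PDF": "document",
    b"PK\x03\x04": "archive",
}

# Hypothetical device profile: only these categories are scanned.
PROFILE_SCAN = {"executable", "document"}

# Verdict cache: SHA-256 -> (verdict, threat level 0-10). Seeded here with one
# constructed "known malicious" sample; a real deployment syncs this from the cloud.
KNOWN_MALICIOUS = b"MZ\x90\x00constructed-malicious-payload"
VERDICT_CACHE = {
    hashlib.sha256(KNOWN_MALICIOUS).hexdigest(): ("malicious", 10),
}

BLOCK_THRESHOLD = 7  # assumption: verdicts at or above this level are dropped inline


def classify(data: bytes) -> str:
    """Map a file's leading bytes to a coarse category."""
    for magic, category in MAGIC.items():
        if data.startswith(magic):
            return category
    return "unknown"


@dataclass
class Decision:
    action: str      # "allow", "drop" or "submit"
    category: str
    sha256: str
    reason: str


def inspect(data: bytes) -> Decision:
    """Decide what the firewall does with one extracted file."""
    category = classify(data)
    digest = hashlib.sha256(data).hexdigest()
    if category not in PROFILE_SCAN:
        return Decision("allow", category, digest, "category not in device profile")
    cached = VERDICT_CACHE.get(digest)
    if cached is None:
        # Unknown content: hand it to the cloud analysis pipeline.
        return Decision("submit", category, digest, "no cached verdict; send to cloud")
    verdict, level = cached
    if level >= BLOCK_THRESHOLD:
        return Decision("drop", category, digest, f"known {verdict}, threat level {level}")
    return Decision("allow", category, digest, f"known {verdict}, threat level {level}")


def record_verdict(data: bytes, verdict: str, level: int) -> None:
    """Simulates the cloud returning a verdict for a submitted file, so the
    next download of identical content is handled from the cache."""
    VERDICT_CACHE[hashlib.sha256(data).hexdigest()] = (verdict, level)


if __name__ == "__main__":
    sample = b"%PDF-1.7 constructed sample document"
    print(inspect(KNOWN_MALICIOUS))
    print(inspect(sample))
    record_verdict(sample, "malicious", 9)
    print(inspect(sample))
```

    The `record_verdict` call stands in for the cloud's analysis result; once it is stored, a repeat download of the same content is dropped from the cache without another submission, which is the behaviour the list above describes as adding newly identified malware to the known list.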

    The Web UI is hosted by Juniper Networks in the cloud. The tabs across the top of the Web UI provide workspaces in which an administrator performs specific tasks. Table 1 lists the tabs along with brief descriptions of what is accessible in each workspace.

    Table 1: Tabs and What Their Workspaces Access

    Tab Name: what the workspace accesses

    Dashboard: Provides graphical widgets that can be added, removed, and rearranged on a per-user basis. These widgets offer each user a customized view of malware detections categorized in a variety of ways.

    Monitor: Provides information on the following:

    • Malware detection status for registered hosts
    • C&C servers that have attempted to contact and compromise hosts on your network
    • Suspicious files downloaded by hosts

    Devices: Lists all devices that have been registered with Sky ATP. From here you can:

    • Enroll new devices
    • Disenroll devices
    • Search for devices in the list by serial number

    Configure: Configure the following:

    • Whitelists: Add your own trusted IP addresses, URLs, and domains to the global items in the whitelist.
    • Blacklists: Add your own untrusted IP addresses, URLs, and domains to the global items in the blacklist.
    • Device profiles: Group the types of files to be scanned together under a common name.

    Administration: Edit your user profile and create new user profiles. You can also:

    • Change user passwords
    • Set a global alert threshold level which, when reached, triggers an alert to all listed e-mail addresses

    Sky Advanced Threat Prevention Features

    Sky Advanced Threat Prevention is a cloud-based solution. Cloud environments are flexible and scalable, and a shared environment ensures that everyone benefits from new threat intelligence in near real time. Your sensitive data is secured even though it is in a shared cloud environment. Security analysts can update their defenses when new attack techniques are discovered and distribute the resulting threat intelligence with very little delay.

    In addition, Sky Advanced Threat Prevention offers the following features:

    • Integrated with the SRX Series device to simplify deployment and enhance the anti-threat capabilities of the firewall.
    • Delivers protection against “zero-day” threats using a combination of tools to provide robust coverage against sophisticated, evasive threats.
    • Checks inbound and outbound traffic with policy enhancements that allow users to stop malware, quarantine compromised systems, prevent data exfiltration, and disrupt lateral movement. High availability provides uninterrupted service.
    • Scales to handle increasing loads that require more computing resources, more network bandwidth to receive more customer submissions, and large storage for malware samples.
    • Provides deep inspection, actionable reporting, and inline malware blocking.

    Sky Advanced Threat Prevention Components

    The following table describes how the components of the Sky Advanced Threat Prevention solution work together.

    Table 2: Sky Advanced Threat Prevention Components

    Component: description

    Security intelligence cloud feeds: A feed distribution point that delivers feeds to the SRX Series device. These include:

    • C&C
    • Compromised hosts
    • GeoIP
    • Whitelists and blacklists

    The C&C feed is essentially a list of servers that are known Command and Control servers for botnets. The list also includes servers that are known sources of malware downloads.

    The compromised hosts (infected hosts) feed identifies local devices that are potentially compromised because they appear to be part of a C&C network or exhibit other symptoms.

    The GeoIP feed is an up-to-date mapping of IP addresses to geographical regions. This gives you the ability to filter traffic to and from specific geographies in the world.

    A whitelist is a list of known IP addresses that you trust, and a blacklist is a list that you do not trust.

    Note: C&C and GeoIP filtering feeds are only available with a Premium license. For information on licensed features, see Sky ATP Licensing.

    SRX Series device: Submits extracted file content for analysis and reports C&C hits detected inside the customer network. Performs inline blocking based on verdicts from the analysis cluster.

    Malware inspection pipeline: Performs malware analysis and threat detection.

    Internal compromise detection: Inspects files, metadata, and other information.

    Service portal (Web UI): Graphical interface displaying information about detected threats inside the customer network. Also the configuration management tool where customers fine-tune which file categories can be submitted to the cloud for processing.
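    To make the interplay of the feeds in Table 2 concrete, here is an added Python example (not Juniper's code) that evaluates sample flows against a constructed C&C feed with threat levels, an infected-hosts feed, a GeoIP mapping, and a customer whitelist and blacklist. The precedence order (customer whitelist first, then blacklist, then infected-host quarantine, then the C&C and GeoIP feeds) and the threat-level threshold of 7 are assumptions chosen for illustration; the addresses are documentation ranges and the domains are constructed names.

```python
"""Added example (not Juniper code): how security intelligence feeds combine
into a per-flow verdict on the firewall. Feeds, precedence and thresholds are
constructed assumptions for illustration."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    host: str = ""   # HTTP Host header or TLS SNI when present


# Constructed feeds. C&C entries carry a threat level from 1 (low) to 10 (high).
CC_FEED = {"203.0.113.10": 9, "cnc.example.net": 8, "198.51.100.5": 3}
INFECTED_HOSTS = {"10.0.0.23"}
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "XX",
    ipaddress.ip_network("198.51.100.0/24"): "YY",
}
BLOCKED_GEOS = {"YY"}

WHITELIST = {"198.51.100.5"}     # customer-trusted; assumed to override every feed
BLACKLIST = {"bad.example.org"}  # customer-untrusted

CC_BLOCK_THRESHOLD = 7           # assumption: C&C hits at or above this are blocked


def geo(ip: str) -> str:
    """Look up the region for an address in the constructed GeoIP table."""
    addr = ipaddress.ip_address(ip)
    for net, region in GEOIP.items():
        if addr in net:
            return region
    return "unknown"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (action, reason): "permit", "block" or "quarantine"."""
    dest_keys = {flow.dst, flow.host} - {""}
    if dest_keys & WHITELIST:
        return "permit", "destination on customer whitelist"
    if dest_keys & BLACKLIST:
        return "block", "destination on customer blacklist"
    if flow.src in INFECTED_HOSTS:
        # Infected host feed: contain the source regardless of destination.
        return "quarantine", "source is in the infected-hosts feed"
    for key in dest_keys:
        level = CC_FEED.get(key)
        if level is not None and level >= CC_BLOCK_THRESHOLD:
            return "block", f"C&C feed hit {key} (threat level {level})"
    region = geo(flow.dst)
    if region in BLOCKED_GEOS:
        return "block", f"GeoIP region {region} is filtered"
    return "permit", "no feed match"


if __name__ == "__main__":
    for f in (Flow("10.0.0.5", "203.0.113.10"),
              Flow("10.0.0.5", "198.51.100.5"),
              Flow("10.0.0.23", "192.0.2.1"),
              Flow("10.0.0.5", "192.0.2.1", "cnc.example.net")):
        print(f, "->", evaluate(f))
```

    The whitelisted address 198.51.100.5 is deliberately also present in the C&C feed (at a low level) and in a filtered GeoIP region, to show that a customer whitelist entry short-circuits every other feed; removing it from WHITELIST makes the GeoIP rule block the flow.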

    Modified: 2016-07-28