
Enabling Juniper Sky ATP for Encrypted HTTPS Connections

 

If you have not already done so, configure ssl-inspect-ca, the certificate used for SSL forward proxy and for detecting malware in HTTPS traffic. The steps below show just one example of configuring SSL forward proxy. For complete information, see Configuring SSL Proxy.

  1. From operational mode, generate a PKI public/private key pair for a local digital certificate.

    user@host> request security pki generate-key-pair certificate-id certificate-id size size type type

    For example:

    user@host> request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa

  2. From operational mode, define a self-signed certificate. Specify certificate details such as the certificate identifier (generated in the previous step), a fully qualified domain name for the certificate, and an e-mail address of the entity owning the certificate.

    user@host> request security pki local-certificate generate-self-signed certificate-id certificate-id domain-name domain-name subject subject email email-id

    For example:

    user@host> request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name www.juniper.net subject "CN=www.juniper.net,OU=IT,O=Juniper Networks,L=Sunnyvale,ST=CA,C=US" email security-admin@juniper.net

Once done, you can configure the SSL forward proxy to inspect HTTPS traffic. For example:
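The following is an added example, not taken from the original page, of an SSL forward proxy configuration that uses the ssl-inspect-ca certificate generated above. The profile name ssl-inspect-profile, the zone names trust and untrust, the policy name inspect-https, and the export path are assumptions; substitute your own. Trusted CA configuration for validating server certificates is not shown here.

```junos
# Configuration mode: create an SSL proxy profile whose root CA is the
# ssl-inspect-ca certificate generated in the steps above. The device uses
# it to sign the certificates it presents to clients for inspected sessions.
# (Profile name is an assumption.)
user@host# set services ssl proxy profile ssl-inspect-profile root-ca ssl-inspect-ca

# Attach the profile to the security policy that carries outbound HTTPS.
# Zone names and policy name are assumptions.
user@host# set security policies from-zone trust to-zone untrust policy inspect-https match source-address any
user@host# set security policies from-zone trust to-zone untrust policy inspect-https match destination-address any
user@host# set security policies from-zone trust to-zone untrust policy inspect-https match application junos-https
user@host# set security policies from-zone trust to-zone untrust policy inspect-https then permit application-services ssl-proxy profile-name ssl-inspect-profile
user@host# commit

# Operational mode: confirm the certificate is present, then export it so it
# can be added to the trust store of client machines. (Path is an assumption.)
user@host> show security pki local-certificate certificate-id ssl-inspect-ca detail
user@host> request security pki local-certificate export certificate-id ssl-inspect-ca type pem filename /var/tmp/ssl-inspect-ca.pem
```

Clients that do not trust the exported certificate will see certificate warnings on every inspected HTTPS session, so distribute it to client trust stores before enabling the policy. Restrict access to the device holding the ssl-inspect-ca private key, because that key can sign a certificate for any site that those clients will accept.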

For a more complete example, see Example: Configuring a Juniper Sky Advanced Threat Prevention Policy Using the CLI.