Downloading and Running the Juniper Sky Advanced Threat Prevention Script
The Juniper Sky ATP uses a Junos OS operation (op) script to help you configure your SRX Series device to connect to the Juniper Sky ATP cloud service. This script performs the following tasks:
Downloads and installs certificate authority (CA) licenses onto your SRX Series device.
Creates local certificates and enrolls them with the cloud server.
Performs basic Juniper Sky ATP configuration on the SRX Series device.
Establishes a secure connection to the cloud server.
Juniper Sky ATP requires that both your Routing Engine (control plane) and Packet Forwarding Engine (data plane) can connect to the Internet, but the “to-cloud” connection should not go through the management interface (for example, fxp0). You do not need to open any ports on the SRX Series device to communicate with the cloud server. However, if you have a device in the middle, such as a firewall, that device must have ports 8080 and 443 open.
Juniper Sky ATP requires that your SRX Series device host name contain only alphanumeric ASCII characters (a-z, A-Z, 0-9), the underscore symbol ( _ ) and the dash symbol ( - ).
For SRX340, SRX345 and SRX500M Series devices, you must run the set security forwarding-process enhanced-services-mode command and reboot the device before running the op script or before running the request services advanced-anti-malware enroll command.
user@host# set security forwarding-process enhanced-services-mode
As of Junos Release 19.3R1, there is another way to enroll the SRX Series device without having to interact with the Sky ATP Web Portal. You run the “enroll” command from the SRX and it performs all the necessary enrollment steps. See Enrolling an SRX Series Device without the Juniper Sky ATP Web Portal.
To download and run the Juniper Sky ATP script:
- In the Web UI, click Devices and then click Enroll.
The Enroll window appears. See Figure 1.
- Copy the highlighted contents to your clipboard and click OK.
When enrolling devices, Juniper Sky ATP generates a unique op script for each request. Each time you click Enroll, you’ll get slightly different parameters in the op script. The screenshot in Figure 1 is just an example. Do not copy that example onto your SRX Series device. Instead, copy and paste the output you receive from your Web UI and use that to enroll your SRX Series devices.
- Paste this command into the Junos OS CLI of the SRX Series device you want to enroll with Juniper Sky ATP and press Enter. Your screen will look similar to the following.
root@mysystem> op url http://skyatp.argon.junipersecurity.net/bootstrap/enroll/6e797dc797d26129dae46f17a7255650/jpz1qkddodlcav5g.slax
Version JUNOS Software Release [15.1-X49] is valid for bootstrapping.
Going to enroll single device for SRX1500: P1C_00000067 with hostname mysystem...
Updating Application Signature DB...
Wait for Application Signature DB download status #1...
Communicate with cloud...
Configure CA...
Request aamw-secintel-ca CA...
Load aamw-secintel-ca CA...
Request aamw-cloud-ca CA...
Load aamw-cloud-ca CA...
Retrieve CA profile aamw-ca...
Generate key pair: aamw-srx-cert...
Enroll local certificate aamw-srx-cert with CA server #1...
Configure advanced-anti-malware services...
Communicate with cloud...
Wait for aamwd connection status #1...
SRX was enrolled successfully!
If for some reason the op script fails, disenroll the device (see Disenrolling an SRX Series Device from Juniper Sky Advanced Threat Prevention) and then re-enroll it.
- In the management interface, click Devices.
The SRX Series device you enrolled now appears in the table. See Figure 2.
- (Optional) Use the show services advanced-anti-malware status CLI command to verify that a connection has been made from the SRX Series device to the cloud server. Your output will look similar to the following.
root@host> show services advanced-anti-malware status
Server connection status:
  Server hostname: https://skyatp.argon.junipersecurity.net
  Server port: 443
  Control Plane:
    Connection Time: 2015-11-23 12:09:55 PST
    Connection Status: Connected
  Service Plane:
    fpc0
      Connection Active Number: 0
      Connection Failures: 0
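The two checks that bracket this procedure (the host-name character rule from the prerequisites and the post-enrollment status verification) can be automated. The following Python snippet is an added example, not part of the Juniper documentation or of the op script: it validates a host name against the stated rule and parses captured show services advanced-anti-malware status output into a dictionary that a monitoring job can assert on. The status text embedded below is a constructed sample copied from the output shown above; the function names and the health criteria (control plane Connected, port 443, zero connection failures per FPC) are this example's own assumptions.

```python
import re

# Character rule from the enrollment prerequisites: ASCII letters, digits,
# underscore and dash only (a dotted FQDN would be rejected).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def hostname_is_valid(hostname):
    """Return True when the SRX host name satisfies the Sky ATP character rule."""
    return bool(HOSTNAME_RE.match(hostname))


# Constructed sample: the 'show services advanced-anti-malware status' output
# from the procedure above, one field per line as the CLI prints it.
SAMPLE_STATUS = """\
Server connection status:
  Server hostname: https://skyatp.argon.junipersecurity.net
  Server port: 443
  Control Plane:
    Connection Time: 2015-11-23 12:09:55 PST
    Connection Status: Connected
  Service Plane:
    fpc0
      Connection Active Number: 0
      Connection Failures: 0
"""

FPC_RE = re.compile(r"^fpc\d+$")
COUNTER_KEYS = ("connection_active_number", "connection_failures")


def parse_aamw_status(text):
    """Parse the status output into a dict (hypothetical helper).

    Top-level keys come from the 'Key: value' lines (lower-cased, spaces
    replaced by '_'); per-FPC counters are collected as integers under
    result['service_plane'][fpcN].
    """
    result = {"service_plane": {}}
    current_fpc = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FPC_RE.match(line):
            # A bare 'fpcN' line opens a per-FPC counter section.
            current_fpc = line
            result["service_plane"][current_fpc] = {}
            continue
        key, sep, value = line.partition(":")
        key = key.strip().lower().replace(" ", "_")
        value = value.strip()
        if not sep or not value:
            # Section headers such as 'Control Plane:' carry no value.
            continue
        if current_fpc is not None and key in COUNTER_KEYS:
            result["service_plane"][current_fpc][key] = int(value)
        else:
            result[key] = value
    return result


def enrollment_healthy(status):
    """True when the control plane is connected on port 443 and no FPC
    reports connection failures (assumed criteria). An active-connection
    count of 0 is not treated as an error: the sample output shows 0 on a
    device that enrolled successfully."""
    if status.get("connection_status") != "Connected":
        return False
    if status.get("server_port") != "443":
        return False
    fpcs = status["service_plane"]
    if not fpcs:
        return False
    return all(f.get("connection_failures", 0) == 0 for f in fpcs.values())


if __name__ == "__main__":
    print("hostname ok:", hostname_is_valid("mysystem"))
    parsed = parse_aamw_status(SAMPLE_STATUS)
    print("enrollment healthy:", enrollment_healthy(parsed))
```

In practice the status text would come from the device (for example, over NETCONF or a scripted CLI session) rather than from the embedded sample; the parser is line-oriented so the indentation of the real output does not matter.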
Once configured, the SRX Series device communicates to the cloud through multiple persistent connections established over a secure channel (TLS 1.2) and the SRX device is authenticated using SSL client certificates.
As stated earlier, the script performs basic Juniper Sky ATP configuration on the SRX Series device. This includes the following:
You should not copy the following examples and run them on your SRX Series device. The list here simply shows what is being configured by the op script. If you run into any issues, such as certificate errors, rerun the op script.
Creating a default profile.
Establishing a secured connection to the cloud server. The following is an example. Your exact URL is determined by your geographical region. Refer to this table.
Customer Portal URL
Customer Portal: https://amer.sky.junipersecurity.net
Customer Portal: https://euapac.sky.junipersecurity.net
Customer Portal: https://apac.sky.junipersecurity.net
Customer Portal: https://canada.sky.junipersecurity.net
set services advanced-anti-malware connection url https://amer.sky.junipersecurity.net
set services advanced-anti-malware connection authentication tls-profile aamw-ssl
(The URL above is only an example and will not work for all locations.)
Configuring the SSL proxy.
set services ssl initiation profile aamw-ssl trusted-ca aamw-secintel-ca
set services ssl initiation profile aamw-ssl client-certificate aamw-srx-cert
set services security-intelligence authentication tls-profile aamw-ssl
set services advanced-anti-malware connection authentication tls-profile aamw-ssl
set services ssl initiation profile aamw-ssl trusted-ca aamw-cloud-ca
Configuring the cloud feeds (whitelists, blacklists, and so forth).
set services security-intelligence url https://cloudfeeds.sky.junipersecurity.net/api/manifest.xml
set services security-intelligence authentication tls-profile aamw-ssl
Juniper Sky ATP uses SSL forward proxy for client and server authentication. Instead of importing the signing certificate and its issuer’s certificates into the trusted-ca list of client browsers, SSL forward proxy now generates a certificate chain and sends this certificate chain to clients. Certificate chaining eliminates the need to distribute the signing certificates of SSL forward proxy to the clients, because clients can now implicitly trust the SSL forward proxy certificate.
The following CLI commands load the local certificate into the PKID cache and load the certificate-chain into the CA certificate cache in PKID, respectively.
user@root> request security pki local-certificate load filename ssl_proxy_ca.crt key sslserver.key certificate-id ssl-inspect-ca
user@root> request security pki ca-certificate ca-profile-group load ca-group-name ca-group-name filename certificate-chain
The following is an example of SSL forward proxy certificate chaining used by the op script.
request security pki local-certificate enroll certificate-id aamw-srx-cert ca-profile aamw-ca challenge-password *** subject CN=4rrgffbtew4puztj:model:sn email email-address
request security pki ca-certificate enroll ca-profile aamw-ca
Note that you cannot enroll the SRX Series device to Juniper Sky ATP if the SRX device is in FIPS mode due to a PKI limitation.
To check your certificates, see Troubleshooting Juniper Sky Advanced Threat Prevention: Checking Certificates. We recommend that you re-run the op script if you are having certificate issues.