ATP Cloud Quick Start Guide
Use the instructions in this quick start to obtain your Juniper ATP Cloud license key, establish a secure connection between the ATP Cloud server and the SRX Series device, and configure ATP Cloud policies on the SRX Series device.
Obtain a License
Obtain a Premium or Basic License
Contact your local sales office or Juniper Networks partner to place an order for an ATP Cloud premium or basic license. Once the order is complete, an authorization code is e-mailed to you. You will use this code in conjunction with your SRX Series device serial number to generate a premium or basic license entitlement. (Use the show chassis hardware CLI command to find the serial number of the SRX Series device.)
- Go to https://www.juniper.net/generate_license/ and log in with your Juniper Networks Customer Support Center (CSC) credentials.
- In the Generate Licenses list, select J Series Service Routers and SRX Series Devices.
- Using your authorization code and SRX Series serial number, follow the instructions to generate your license key. (Note that you do not enter this license key anywhere.)
Once generated, your license key is automatically transferred to the cloud server. It can take up to 24 hours for your activation to be updated in the ATP Cloud server.
For vSRX: If you are using ATP Cloud with vSRX, the license is not automatically transferred. You must install the license. See License Management and vSRX Deployments for instructions.
Obtain a Free License
The free version does not require you to generate a license. The SRX Series device only needs to be enrolled to the cloud, and it will automatically be entitled to the free version.
Create an ATP Cloud Web Portal Login Account
- Go to https://sky.junipersecurity.net and select your region. On the next screen, click Create a security realm.
- Enter the following required information and continue to click Next until you are finished:
Your single sign-on or Juniper Networks CSC credentials.
A security realm name — for example, Juniper-Mktg-Sunnyvale. Realm names can only contain alphanumeric characters and the dash (“-”) symbol.
Your contact information.
An e-mail address and password. This will be your login information to access the ATP Cloud management interface.
- When you click Finish, you are automatically logged in and taken to the ATP Cloud Web UI dashboard.
Enroll SRX Series Devices with ATP Cloud
Enrollment establishes a secure connection between the ATP Cloud server and the SRX Series device. It also performs basic configuration tasks such as:
Downloads and installs certificate authority (CAs) licenses onto your SRX Series device
Creates local certificates and enrolls them with the cloud server
Establishes a secure connection to the cloud server
Advanced Threat Prevention Cloud requires that both your Routing Engine (control plane) and Packet Forwarding Engine (data plane) can connect to the Internet. You do not need to open any ports on the SRX Series device to communicate with the cloud server. However, if you have a device in the middle, such as a firewall, then that device must have ports 8080 and 443 open.
- Go to https://sky.junipersecurity.net and log in.
- Navigate to Devices in the ATP Cloud Web UI and click the Enroll button.
- Run the provided command on the SRX Series device to enroll it.
You can use the show services advanced-anti-malware status CLI command on your SRX Series device to verify that a connection has been made to the cloud server from the SRX Series device.
Once enrolled, the SRX Series device communicates with the cloud through multiple persistent connections established over a secure channel (TLS 1.2), and the SRX device is authenticated using SSL client certificates.
Configure the Advanced Anti-Malware Policy on the SRX Series Device
These instructions assume you are familiar with basic SRX Series device setup and configuration. For example, zone names must be configured before you proceed with the following sections. For that information, refer to the SRX Series documentation.
- Set the policy name and enter the threshold for blocking:
set services advanced-anti-malware policy <policy_name> verdict-threshold <number or recommended>
Example: set services advanced-anti-malware policy aamw_policy1 verdict-threshold recommended
For threshold number, you can enter 1-10. If you don’t know what to enter, you can use “recommended” in place of a number, and the default (7) will be used.
- Configure an action to take when the verdict threshold for a file has been reached, and log that action:
set services advanced-anti-malware policy <policy_name> <application> action <permit, deny> notification <log>
Example: set services advanced-anti-malware policy aamw_policy1 http action permit notification log
For the smtp protocol, the action is configured in the Web UI.
- Associate the policy with the device profile so files are sent for inspection. (A default profile is shipped with ATP Cloud. You can configure your own profile using the Web UI.)
set services advanced-anti-malware policy <policy_name> <protocol> inspection-profile <profile-name>
Example: set services advanced-anti-malware policy aamw_policy1 http inspection-profile default_profile
- Enable the advanced anti-malware application policy in the firewall policy:
set security policies from-zone <zone1> to-zone <zone2> policy <firewall-policy-name> then permit application-services advanced-anti-malware-policy <policy_name>
Example: set security policies from-zone zone1 to-zone zone2 policy firewall-policy1 match source-address any
set security policies from-zone zone1 to-zone zone2 policy firewall-policy1 match destination-address any
set security policies from-zone zone1 to-zone zone2 policy firewall-policy1 match application any
set security policies from-zone zone1 to-zone zone2 policy firewall-policy1 then permit application-services advanced-anti-malware-policy aamw_policy1
Configure the Security Intelligence Policy on the SRX Series Device
Define a policy for infected hosts.
- Define a profile:
set services security-intelligence profile <profile_name> category Infected-Hosts
Example: set services security-intelligence profile ih-profile category Infected-Hosts
- Define rules for the profile and set the action:
set services security-intelligence profile <profile_name> rule <rule-name> match threat-level [threat level]
set services security-intelligence profile <profile_name> rule <rule-name> then action [action options]
Ten is the threat level category for infected hosts.
Examples: set services security-intelligence profile ih-profile rule secintelrule1 match threat-level 10
set services security-intelligence profile ih-profile rule secintelrule1 then action permit
- Define the security intelligence policy and link it with
set services security-intelligence policy <policy-name> Infected-Hosts <profile_name>
Example: set services security-intelligence policy secintelpolicy1 Infected-Hosts ih-profile
- Enable the security intelligence policy in the firewall
set security policies from-zone <source zone name> to-zone <destination zone name> policy <firewall policy name> then permit application-services security-intelligence-policy <SecIntel policy name>
Example: set security policies from-zone source-zone1 to-zone dest-zone2 policy firewall-policy1 match source-address any
set security policies from-zone source-zone1 to-zone dest-zone2 policy firewall-policy1 match destination-address any
set security policies from-zone source-zone1 to-zone dest-zone2 policy firewall-policy1 match application any
set security policies from-zone source-zone1 to-zone dest-zone2 policy firewall-policy1 then permit application-services security-intelligence-policy secintelpolicy1
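A consistency check for the two procedures above, added here as an example and not part of Juniper's guide: it reads a list of set commands and reports advanced anti-malware and SecIntel policy or profile names that a firewall rule references but nothing defines, and names that are defined but never applied. The `check` function and its patterns are assumptions made for this example; the sample is constructed from the example names above, with one firewall rule referencing `secintel-policy1` while the defined policy is `secintelpolicy1`.

```python
import re

# Constructed sample: the example commands from this guide, with one
# firewall rule whose SecIntel policy name differs from the defined one.
SAMPLE = """\
set services advanced-anti-malware policy aamw_policy1 verdict-threshold recommended
set services advanced-anti-malware policy aamw_policy1 http action permit notification log
set services advanced-anti-malware policy aamw_policy1 http inspection-profile default_profile
set services security-intelligence profile ih-profile category Infected-Hosts
set services security-intelligence profile ih-profile rule secintelrule1 match threat-level 10
set services security-intelligence profile ih-profile rule secintelrule1 then action permit
set services security-intelligence policy secintelpolicy1 Infected-Hosts ih-profile
set security policies from-zone zone1 to-zone zone2 policy firewall-policy1 then permit application-services advanced-anti-malware-policy aamw_policy1
set security policies from-zone zone1 to-zone zone2 policy firewall-policy1 then permit application-services security-intelligence-policy secintel-policy1
"""

# Lines that define an object, keyed by kind; group 1 is the object name.
DEFINE = {
    "aamw": re.compile(r"^set services advanced-anti-malware policy (\S+) "),
    "secintel": re.compile(r"^set services security-intelligence policy (\S+) "),
    "profile": re.compile(r"^set services security-intelligence profile (\S+) "),
}
# Lines that reference an object of the same kind; group 1 is the name used.
REFER = {
    "aamw": re.compile(r"application-services advanced-anti-malware-policy (\S+)"),
    "secintel": re.compile(r"application-services security-intelligence-policy (\S+)"),
    "profile": re.compile(r"^set services security-intelligence policy \S+ \S+ (\S+)"),
}

def check(config):
    """Return (dangling, unused) as sorted lists of (kind, name) pairs.

    dangling: referenced but never defined.
    unused:   defined but never referenced, so never applied to traffic.
    """
    defined = {k: set() for k in DEFINE}
    used = {k: set() for k in REFER}
    for line in map(str.strip, config.splitlines()):
        for kind in DEFINE:
            if m := DEFINE[kind].search(line):
                defined[kind].add(m.group(1))
            if m := REFER[kind].search(line):
                used[kind].add(m.group(1))
    dangling = sorted((k, n) for k in used for n in used[k] - defined[k])
    unused = sorted((k, n) for k in defined for n in defined[k] - used[k])
    return dangling, unused
```

An entry in the second list means the policy exists but no firewall rule sends traffic through it, which is the quieter failure of the two.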
Once you have completed this quick start, refer to the expanded documentation for the following tasks:
Create profiles to group types of files to be scanned together under a common name. You can create multiple profiles based on the content you want scanned.
Update your administrator profile. You can also add additional administrator accounts.
ATP Cloud provides Command and Control and Geo IP filtering feeds that are only available with a premium or basic license. For more information on licensed features, see ATP Cloud Licensing.