Spotlight Secure Connector Profile Overview


Spotlight Secure Connector profiles are configured on the Security Intelligence > Profiles page. See Figure 1. Profiles define the actions to take for a specific data feed and for a specific threat level.

Figure 1: Example Spotlight Secure Connector Profiles

By default, a global allowlist and global blocklist are provided.

Allowlists and blocklists have higher priority than other Spotlight Secure profiles and are evaluated first in security rules.

About Threat Levels

Every attacker is assigned a name, and each incident is recorded along with a threat level based on the attacker's intent and skill. The severity of the alert matches the threat level; higher-severity attacks result in a higher threat level. Spotlight Secure Connector defines default actions, but when creating the profile you can customize the threat level at which event logging starts and the action to take (permit, reject, redirect) per threat level. See Figure 2.

Figure 2: Threat Level Settings

Spotlight Secure Connector uses a scale of 1 (most aggressive) to 10 (least aggressive) to define the action to take depending on the threat level. When you set the threat level, attacks with threat numbers equal to or higher than the selected level are blocked. For example, if you set the threat level to 4, all threat levels with a score of 4 and higher are blocked. A more aggressive threat level blocks more traffic but also creates more false positives. When you move the slider, the graphs show a general representation of the likelihood of false positives and your security level. The default setting is threat level 6.
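The following sketch models the decision order described on this page: lists are evaluated first, then the threat level threshold is applied. It is an added example, not Juniper code or SRX configuration. The addresses, feed levels, and the `Profile`, `decide`, and `blocked` names are constructed for illustration, and checking the allowlist before the blocklist is an assumption.

```python
from dataclasses import dataclass

# Constructed sample data (documentation address ranges), not real feed output.
ALLOWLIST = {"192.0.2.10"}
BLOCKLIST = {"198.51.100.7"}
FEED = {                      # address -> threat level reported by the feed
    "192.0.2.10": 9,          # high level, but allowlisted
    "198.51.100.7": 2,        # low level, but blocklisted
    "203.0.113.5": 4,
    "203.0.113.6": 6,
    "203.0.113.7": 8,
}

@dataclass
class Profile:                # hypothetical model of a profile's two settings
    block_from: int = 6       # page default: threat level 6
    log_from: int = 6         # level at which event logging starts

def decide(addr: str, profile: Profile) -> tuple[str, bool]:
    """Return (action, logged) for one address."""
    # Lists outrank feed profiles. Checking the allowlist before the
    # blocklist is an assumption; the page does not order the two.
    # Logging of list hits is not modelled here.
    if addr in ALLOWLIST:
        return "permit", False
    if addr in BLOCKLIST:
        return "block", False
    level = FEED.get(addr)
    if level is None:
        return "permit", False            # not in the feed: no profile match
    # Levels equal to or higher than the selected threshold are blocked.
    action = "block" if level >= profile.block_from else "permit"
    return action, level >= profile.log_from

def blocked(profile: Profile) -> list[str]:
    """Addresses from the constructed feed that this profile would block."""
    return sorted(a for a in FEED if decide(a, profile)[0] == "block")

if __name__ == "__main__":
    # A lower (more aggressive) threshold blocks more of the same feed.
    for threshold in (4, 6, 10):
        print(threshold, blocked(Profile(block_from=threshold)))
```

Running it shows the blocked set shrinking as the threshold moves from 4 toward 10, while the allowlisted and blocklisted addresses keep the same outcome at every setting.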

As part of the overall Spotlight Secure solution, WebApp Secure sends information on malicious cookies and IP addresses to Spotlight Secure Connector. WebApp Secure also recommends a threat level for the session cookie or IP address, based on a set of criteria, including how malicious the associated attacker is deemed to be. Note that not all sessions are sent to the connector; only those marked as malicious are sent.

Table 1: Mapping WebApp Secure Threat Levels to Spotlight Secure Connector Threat Levels

WebApp Secure Threat Level


Spotlight Secure Connector Threat Level


Low threat levels incorporate IP addresses and hosts where the threat is not as severe, the malicious activity has not been seen for a long period of time, or there is evidence of both malicious and non-malicious activity on the same host. Examples include requesting server configuration files, making non-standard HTTP requests, and attempting to locate files not linked by the web server.



Medium threat levels represent a moderate threat and are unlikely to be non-malicious. Examples include tampering with cookies, attempting to defeat tracking techniques, and manipulating honeypot code.



High threat levels represent severe threats at a very high level of certainty. Examples include attempting to crack passwords, session spoofing attacks, and attempting to defeat WebApp Secure counter-responses.


To view session cookies and locations sent to the connector, in the WebApp Secure Web UI, navigate to Juniper Spotlight > Spotlight Connector. There you will find a Session Cookies tab and a Locations tab. See Figure 3.

Verifying Profiles on the SRX Series Device

Use the show configuration CLI command or the Device Configuration View in Network Management Platform to verify that profiles have been pushed to the SRX Series device. A profile section is created as shown in the following example.

In the example above, a profile named JWAS-Fingerprints now resides on the SRX Series device and uses the default recommended actions.