
MCM Configuration

Use the CLI command line in “cm” mode, available for MCM device types, to configure a manager of distributed central managers (MCM). It is recommended that an admin begin by converting a CM to an MCM via the CLI, and then set up each individual distributed CM to register with the configured MCM in order to sync incidents.

Tip:

Communication between the MCM and the secondary CMs takes place on port 443, which must be allowed in both directions if the CMs and the MCM communicate across a firewall boundary.

From the CLI “cm” mode, configure an MCM IP address and a shared secret/passphrase. When the MCM CLI is used, a Web UI MCM account is created from this passphrase, and the passphrase serves as the API key: client CMs connected to the MCM use it to perform a “login” API call to the management CM (MCM).

Note:

The secret passphrase must be configured on all distributed CM and MCM devices to allow communications.

Note:

In MCM configurations, all systems must either be in FIPS mode or all be out of FIPS mode. This is because device keys are calculated differently in each mode.

To convert a CM to an MCM

Use the following procedure to convert a CM to an MCM. A sample CLI sequence follows.

  1. Set the IP of the CM device that is to become an MCM to point to the loopback IP address 127.0.0.1 to indicate that this is now the MCM.
  2. Set a passphrase that is used for secure sync of incidents from each CM to the MCM. Set this same passphrase on the individual CMs that are to point and report to the MCM.
    Note:

    The “remove” command converts an MCM back to a CM by removing all the MCM configuration. This also deletes all incidents from the MCM and deregisters all CMs that were registered to it, so use this command with caution.

  3. Verify the MCM configuration by logging into the Web UI on the MCM and noting that there are just two tabs, Incidents and Config, instead of the full Central Manager Web UI seen on a CM.
    Note:

    The “resync” command is specific to connected CMs only. This command has no effect when executed on an MCM.

Sample MCM CLI Configuration Sequence

To Register and Sync Incidents from Distributed CMs to an MCM

Use this procedure to register distributed CMs with a configured MCM and sync their incidents to it. A sample CLI sequence follows.

  1. Set the MCM IP on a distributed CM.
  2. Set the passphrase; this must be the same passphrase configured on the MCM.
  3. Set the username with the API key already configured to be used for communication between each CM and the MCM.
Note:

The “remove” command deletes the MCM configuration entirely. Unlike on an MCM, executing this command on a CM does not remove any incidents.

Use the “resync” command on a CM to force a resync of all incidents from this CM to the MCM.

After configuring the parameters described above, incidents are immediately synced to the configured MCM.

Sample CLI Sequence for CM Registering and Syncing to an MCM

Using the MCM Web UI

As mentioned in the introduction, the MCM Web UI management view displays two tabs: the Incidents and Config Tabs.

Use the Incidents tab to view all incidents reported from distributed CMs.

Figure 1: Incidents Tab
Note:

The Uploads button is not available from the MCM Web UI. Be aware also that the MCM has a new column showing the originating CM for each incident, and that the Core/CM IP and hostname are displayed in the Summary section. Also, no benign incidents are communicated to the MCM. Lastly, CMs cannot be deleted from the MCM.

Note:

Refer to the Juniper ATP Appliance Operator’s Guide for more information about use of the Incidents tab.

On an MCM, the Details section for a selected incident displays the mitigation options as in a CM, and all options are available from the MCM.

Use the Config tab to add or modify MCM settings.

The Config Tab options on an MCM are reduced to System Profiles settings only, as follows:

  • Password Reset

  • Roles

  • Users

  • SAML Settings

  • RADIUS Settings

  • System Settings

  • Certificate Management

  • GSS Settings

  • Secondary CMs

  • Licensing

  • Backup/Restore

Note:

Refer to the Juniper ATP Appliance Operator’s Guide for more information about use of the Config tab System Profiles configuration options.