Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Enroll an SRX Series Firewall Using the CLI

Starting in Junos OS Release 19.3R1, you can use the request services advanced-anti-malware enroll command on the SRX Series Firewall to enroll a device to the Juniper ATP Cloud Web Portal. With this command, you do not have to perform any enrollment tasks on the Web Portal. All enrollment is done from the CLI on the SRX Series Firewall.

Before You Begin

  • If the IPv6 dual-stack (both IPv4 and IPv6) support is enabled on your SRX Series Firewall, run the following CLI commands:

    1. set services advanced-anti-malware connection protocol-family inet6—Configure the IPv6 protocol for AAMW connection.

    2. (Optional) set services advanced-anti-malware connection proxy-profile proxy-profile-name—Configure a proxy profile name if you have configured a proxy server and your Internet access goes through it.

    3. (Optional) set services advanced-anti-malware connection routing-instance routing-instance-name—Configure a routing instance name if you plan to route using a specific routing instance.

Enrollment establishes a secure connection between the Juniper ATP Cloud cloud server and the SRX Series Firewall. It also performs basic configuration tasks such as:

  • Downloads and installs certificate authorities (CAs) onto your SRX Series Firewall.

    Note:

    • You must allow traffic to the junipersecurity.net domain on ports 8444 and 7444 since the Trusted Platform Module (TPM)-based certificates are used for connections between the SRX Series Firewall and Juniper ATP Cloud. To determine if a feature is supported by a specific platform or Junos OS release, see Feature Explorer. For more information about using TPM on SRX Series Firewalls, see Trusted Platform Module Overview.

    • For newly enrolled TPM and non-TPM-based devices, traffic must be allowed to the junipersecurity.net domain only on port 443.

  • Creates local certificates and enrolls these certificates with the cloud server.

  • Establishes a secure connection to the cloud server.

Note:

Juniper ATP Cloud requires that both your Routing Engine (control plane) and Packet Forwarding Engine (data plane) can connect to the Internet. You do not need to open any ports on the SRX Series Firewall to communicate with the cloud server. However, if you have a device in the middle, such as a firewall, then that device must have port 443 open.

Also note, the SRX Series Firewall must be configured with DNS servers in order to resolve the cloud URL.

Using the device enrollment command request services advanced-anti-malware enroll on the SRX Series Firewall, you can enroll the device to an existing realm or create a realm and then enroll to it.

Here is a sample that creates a realm and then enrolls to that realm.

Note:

You must log in as root (super user) to perform the following operations.

request services advanced-anti-malware enroll

  1. Enroll the SRX Series Firewall to Juniper ATP Cloud (CLI only):

    request services advanced-anti-malware enroll

    Please select geographical region from the list:

    1. North America

    2. European Region

    3. Canada

    4. Asia Pacific

    Your choice: 1

  2. Select an existing realm or create a realm:

    Enroll SRX to:

    1. A new SkyATP security realm (you will be required to create it first)

    2. An existing SkyATP security realm

    If you select option 1 to create a realm, the steps are as follows:

    • You are going to create a new Sky ATP realm, please provide the required information:

    • Please enter a realm name (This should be a name that is meaningful to your organization. A realm name can only contain alphanumeric characters and the dash symbol. Once a realm is created, it cannot be changed):

      Real name: example-company-a

    • Please enter your company name:

      Company name: Example Company A

    • Please enter your e-mail address. This will be your username for your Sky ATP account:

      Email: me@example-company-a.com

    • Please setup a password for your new Sky ATP account (It must be at least 8 characters long and include both uppercase and lowercase letters, at least one number, at least one special character):

      Password: **********

      Verify: **********

    • Please review the information you have provided:

      Region: North America

      New Realm: example-company-a

      Company name: Example Company A

      Email: me@example-company-a.com

    • Create a new realm with the above information? [yes,no]

      yes

      Device enrolled successfully!

    If you select option 2 to use an existing realm, the steps are as follows:

    Note:

    You must enter a valid username and password for the existing realm as part of the enrollment procedure.

    • Enter the name of the existing realm:

      Please enter a realm name.

      Realm name: example-company-b

    • Please enter your company name:

      Company name: Example Company B

    • Enter your email address/username for the realm. This is the email address that was previously created when setting up the realm.

      Please enter your e-mail address. This will be your username for your Sky ATP account:

    • Enter the password for the realm. This is the password that was previously created when setting up the realm.

      Password:********

    • Enroll device to the realm above? [yes,no] yes

      Device enrolled successfully!

You can use the show services advanced-anti-malware status CLI command on your SRX Series Firewall to verify that a connection has been made to the cloud server from the SRX Series Firewall.

Once enrolled, the SRX Series Firewall communicates to the cloud through multiple, persistent connections established over a secure channel (TLS 1.2) and the SRX Series Firewall is authenticated using SSL client certificates.

Use the CLI command request services advanced-anti-malware disenroll to disenroll a device from the Juniper ATP Cloud Web Portal.