Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Enroll an SRX Series Firewall Using Juniper ATP Cloud Web Portal

Before enrolling a device, check whether the device is already enrolled. To do this verification, use the Devices page or the Device Lookup option in the Web UI. See Search for SRX Series Firewalls Within Juniper ATP Cloud.

To enroll a device in Juniper ATP Cloud using the Web Portal:

  1. Click the Enroll button on the Devices page.

  2. Copy the command to your clipboard and click OK.

  3. Paste the command into the Junos OS CLI of the SRX Series Firewall you want to enroll with Juniper ATP Cloud and press Enter. (Note that this command must be run in operational mode.)

If the script fails, disenroll the device (see instructions for disenrolling devices) and then re-enroll it.

(Optional) Use the show services advanced-anti-malware status CLI command to verify that a connection is made to the cloud server from the SRX Series Firewall.

Once configured, the SRX Series Firewall communicates to the cloud through multiple persistent connections that are established over a secure channel (TLS 1.2) and the SRX Series Firewall is authenticated using SSL client certificates.

In the Enrolled Devices page, basic connection information for all enrolled devices is provided. This information includes serial number, model number, tier level enrollment status in Juniper ATP Cloud, last telemetry activity, and last activity seen. Click the serial number for more details. In addition to Enroll, the following buttons are available:

Table 1: Button Actions

Actions

Definition

Enroll

Use the Enroll button to obtain an enroll command to run on eligible SRX Series Firewalls. This command enrolls these devices in Juniper ATP Cloud and the enrollment is valid for 7 days. Once enrolled, SRX Series Firewall appears in the Devices and Connections list.

Disenroll

Use the Disenroll button to obtain a disenroll command to run on SRX Series Firewalls currently enrolled in Juniper ATP Cloud. This command removes those devices from Juniper ATP Cloud enrollment and is valid for 7 days.
Note:

When you run the Enroll or Disenroll command, the SRX Series Firewall commits any uncommitted configuration changes.
Note:

Generating a new Enroll command or Disenroll command invalidates any previously generated commands.
Device Lookup

Use the Device Lookup button to search for the device serial number(s) in the licensing database to determine the tier of the device. For this search, the device does not have to be currently enrolled in Juniper ATP Cloud.

Remove

Removing an SRX Series Firewall is different than disenrolling it. Use the Remove option only when the associated SRX Series Firewall is not responding (for example, hardware failure). Removing it, disassociates it from the cloud without running the Junos OS op script on the device (see Enrolling and Disenrolling Devices). You can later enroll it using the Enroll option when the device is again available.

For HA configurations, you only need to enroll the cluster primary. The cloud will detect that this is a cluster and will automatically enroll both the primary and backup as a pair. Both devices, however, must be licensed accordingly.

Note:

Juniper ATP Cloud supports both active/active and active/passive cluster configurations. The passive (non-active) node does not establish a connection to the cloud until it becomes the active node.
Note:

The License Expiration column contains the status of your current license, including expiration information. There is a 60 day grace period after the license expires before the SRX Series Firewall is disenrolled from Juniper ATP Cloud.

Only devices enrolled with Juniper ATP Cloud can send files for malware inspection.

If a device is already enrolled in an organization and you enroll it in a new organization, none of the device data or configuration information is propagated to the new organization. This information includes history, infected hosts feeds, logging, API tokens, and administrator accounts.

In the Enrolled Devices page, you can view the organization with which the device is associated. From the Organization Management page, you can change that organization association or attach new organizations. See Organization Management for configuration details.

Starting in Junos OS Release 19.3R1, you can use the request services advanced-anti-malware enroll command on the SRX Series Firewall to enroll a device to the Juniper ATP Cloud Web Portal. With this command, you do not have to perform any enrollment tasks on the Web Portal. All enrollment is done from the CLI on the SRX Series Firewall. See Enroll an SRX Series Firewall Using the CLI.

Juniper ATP Cloud uses a Junos OS op script to help you configure your SRX Series Firewall to connect to the Juniper ATP Cloud service. This script performs the following tasks:

  • Downloads and installs certificate authority (CA) licenses onto your SRX Series Firewall.

    Note:

    • You must allow traffic to the junipersecurity.net domain on ports 8444 and 7444 since the Trusted Platform Module (TPM)-based certificates are used for connections between the SRX Series Firewall and Juniper ATP Cloud. To determine if a feature is supported by a specific platform or Junos OS release, see Feature Explorer. For more information about using TPM on SRX Series Firewalls, see Using Trusted Platform Module to Bind Secrets on SRX Series Firewalls.

    • For newly enrolled TPM and non-TPM-based devices, traffic must be allowed to the junipersecurity.net domain only on port 443.

  • Creates local certificates and enrolls these certificates with the cloud server.

  • Performs basic Juniper ATP Cloud configuration on the SRX Series Firewall.

  • Establishes a secure connection to the cloud server.

Note:

  • Juniper ATP Cloud requires that both your Routing Engine (control plane) and Packet Forwarding Engine (data plane) can connect to the Internet.

  • The data plane connection should not be sourced from the management or loopback interface, such as fxp0 or lo0. You do not need to open any ports on the SRX Series Firewall to communicate with the cloud server. However, if you have a device in the middle, such as a firewall, then that device must have port 443 open.

  • The SRX Series Firewall uses the default inet.0 routing table and an interface part of inet.0 as source-interface for control-plane connection from SRX Series Firewall to Juniper ATP Cloud. If the only Internet-facing interface on SRX Series Firewall is part of a routing instance, then we recommend that you add a static route pointing to the routing instance. Else, the control connection will fail to establish.

  • Juniper ATP Cloud requires that your SRX Series Firewall hostname contains only alphanumeric ASCII characters (a-z, A-Z, 0-9), the underscore symbol (_) and the dash symbol (-).
Warning:

If you are configuring explicit web proxy support for SRX Series Firewall/Juniper ATP Cloud connections, you must enroll SRX Series Firewalls to Juniper ATP Cloud using a slightly different process. See Explicit Web Proxy for Juniper ATP Cloud.

Enroll devices using Juniper Security Director Cloud Portal

You can enroll SRX Series Firewalls in the Juniper ATP Cloud using the Juniper Security Director Cloud Portal. In the Enrolled Devices page, the devices enrolled through the Juniper Security Director Cloud Portal display (SDC) next to their hostnames.. For more information, see Juniper Security Director Cloud User Guide.

Related Documentation