Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


request services advanced-anti-malware diagnostic



Use this command before you enroll your SRX Series Firewall with Juniper Advanced Threat Prevention Cloud to verify your Internet connection to the cloud. If you already enrolled your SRX Series Firewall, you can still use this command and the request services aamw data-connection CLI command to check and troubleshoot your connection to the cloud.

This CLI command checks the following:

  • DNS lookup—Performs a forward DNS lookup of the cloud hostname to verify it returns an IP address. The examining process is terminated if it cannot get an interface name to the cloud. This issue may be caused by a connection error. Please check your network connection.

  • Route to cloud—Tests your network connection using telnet.

  • Whether server is live—Uses the telnet and ping commands to verify connection with the cloud.

  • Outgoing interface—Checks that both the Routing Engine (RE) and the Packet Forwarding Engine (PFE) can connect to the Internet.

  • IP path MTU—Determines the maximum transmission unit (MTU) size on the network path between the SRX Series Firewall and the cloud server. The examining process is terminated if the outgoing interface MTU is less than 1414. As a workaround, set the outgoing interface MTU to the default value or to a value greater than 1414.

    A warning message appears if the path MTU is less than the outgoing interface MTU. This is a minor issue and you can ignore the message. A higher path MTU is recommended but a low path MTU will work.

  • SSL configuration consistency—Verifies that the SSL profile, client certificate and CA exists in both the RE and the PFE.

  • Client and server clock check—When you run this CLI command, it first checks the difference between the server time and the local time. The time difference is expected to be less than one minute. If the time difference is more than one minute, an error message is displayed. See Table 1.



URL to the Juniper Advanced Threat Prevention Cloud server.


(optional) Debug mode that provides more verbose output.

pre-detection url

(optional) Pre-detection mode where you can test your connection to the cloud server prior to actually enrolling your SRX Series Firewall.

To use this option, in the Web UI, click Devices and then click Enroll. You will receive an ops script similar to this:

Use the root URL from the ops script as the url for the pre-detection option. For example, using the above ops script run the command as:


(optional) Routing instance used during enrollment. Specifying this option lets you diagnose the data plane connection to the Juniper ATP Cloud server with a customized routing instance. If you add routing-instance ? to the command line and press Enter, a list of known routing instances is displayed.

Additional Information

Table 1 lists the error conditions detected by this CLI command.

Table 1: aamw-diagnostics Script Error Messages

Error Message


URL unreachable is detected, please make sure URL url port port is reachable.

Could not access the cloud server.

SSL profile ssl profile name is inconsistent between PFE and RE.

The SSL profile exists in the RE but does not exist in the PFE.

SSL profile ssl profile name is empty.

The SSL profile has neither trusted CA nor client certificate configured.

SSL local certificate local certificate is inconsistent between PFE and RE.

The SSL client certificate does not exist in PFE.

SSL CA ca name is inconsistent between PFE and RE.

The SSL CA exists in the RE but does not exist in the PFE.

DNS lookup failure is detected, please check your DNS configuration.

The IP address of the cloud server could not be found.

If this test fails, check to make sure your Internet connection is working properly and your DNS server is configured and has an entry for the cloud URL.

To-SKYATP connection through management interface is detected. Please make sure to-SKYATP connection is through packet forwarding plane.

The test detected that the Internet connection to the cloud server is through the management interface. This may result in your PFE connection to the cloud server failing.

To correct this, change the Internet connection to the cloud to be through the PFE and not the management interface.

Unable to get server time.

Could not retrieve the server time.

Time difference is too large between server and this device.

The difference between the server time and the local SRX Series Firewall’s time is more than a minute.

To correct this, ensure that the clock on the local SRX Series Firewall is set correctly. Also, verify that you are using the correct NTP server.

Unable to perform IP path MTU check since ICMP service is down.

Unable to connect to the Juniper ATP Cloud server.

Required ICMP session not found.

Unable to establish an ICMP session with the specified URL. Check that you have specified a valid URL.

Required Privilege Level


Sample Output

request services advanced-anti-malware diagnostic

request services advanced-anti-malware diagnostic detail

request services advanced-anti-malware diagnostic pre-detection

Release Information

Command introduced in Junos OS Release 15.1X49-D60. The interface name to cloud check, MTU warning, and client and server clock check added in Junos OS Release 15.1X49-D90. routing-instance option added in Junos OS Release 15.1X49-D100.