Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Example- Configure IoT Device Discovery and Policy Enforcement

SUMMARY In this example, you'll configure your security device for IoT device discovery and security policy enforcement.


To get started with IoT device discovery in your network, all you need is a security device connected to Juniper ATP Cloud. Figure 1 shows the topology used in this example.

Figure 1: IoT Device Discovery and Policy Enforcement Topology IoT Device Discovery and Policy Enforcement Topology

As shown in the topology, the network includes some IoT devices connected to an SRX Series device through wireless access point (AP). The security device is connected to the Juniper Cloud ATP server, and to a host device.

The security device collects IoT device metadata and streams the relevant information to the Juniper ATP Cloud. To enable streaming of IoT metadata, you'll need to create security metadata streaming policies and attach these policies to security policies. Streaming of the IoT device traffic pauses automatically when Juniper Cloud server has sufficient details to classify the IoT device.

Juniper ATP cloud discovers and classifies IoT devices. Using the inventory of discovered IoT devices, you'll create threat feeds in the form of dynamic address groups. Once the security device downloads dynamic address groups, you can use the dynamic address groups to create and enforce security policies for the IoT traffic.

Table 1 and Table 2 provide details of the parameters used in this example.

Table 1: Security Zone Configuration Parameters
Zones Interfaces Connected To
trust ge-0/0/2.0 Client device
untrust ge-0/0/4.0 and ge-0/0/3.0 Access points to manage IoT traffic
cloud ge-0/0/1.0 Internet (to connect to Juniper ATP cloud)
Table 2: Security Policy Configuration Parameters
Policy Type Application
P1 Security policy Allows traffic from trust zone to untrust zone
P2 Security policy Allows traffic from untrust zone to trust zone
P3 Security policy Allows traffic from trust zone to cloud zone
p1 Metadata streaming Policy Streams untrust zone to trust zone traffic metadata
p2 Metadata streaming Policy Streams trust zone to clod zone traffic metadata
Unwanted_Applications Global Security Policy Prevents IoT traffic based on the threat feed and security policy at global-context


We've verified and tested the configuration using a vSRX instance with Junos OS Release 22.1R1.


Get Your SRX Series Device Ready to Work with Juniper ATP Cloud

You’ll need to configure your SRX Series device to communicate with the Juniper ATP Cloud Web Portal. Ensure your SRX Series device is connected to Internet. Ensure that you complete the following initial configuration to set your SRX Series device to Internet.

  1. Configure the interface. In this example, we're using the interface ge-0/0/1.0 as Internet-facing interface on SRX Series device.
  2. Add the interface to a security zones.
  3. Configure DNS.
  4. Configure NTP.

Once your SRX Series can reach the Internet through the ge-0/0/1.0 interface, proceed with next steps.

Check Required Licenses and Application Signature Package

  • Ensure that you have an appropriate Juniper ATP cloud license. Use the show system license command to check the license status.
  • Ensure your device has the latest application signature pack on your security device.
    • Verify the application identification license is installed on your device.
    • Download latest version of application signature pack.
    • Check the download status.
    • Install the application identification signature pack.
    • Check the installed application signature pack version.

Enroll Security Device with Juniper ATP Cloud

Lets start with enrolling the security device with Juniper ATP cloud. If you've already enrolled your device, you can skip this step and jump directly to Configure IoT Traffic Streaming Settings. If not, use one of the following method for device enrollment.

Method 1: Enrolling Security Device Using CLI

  1. On your SRX Series device, run the following command to initiate the enrollment process.
  2. Select an existing realm or create a new realm.

    Select option 1 to create a realm. Use the following steps:

    You can also use an existing realm for enrolling your SRX Series with Juniper ATP Cloud.

  3. Use the show services advanced-anti-malware status CLI command to confirm that your SRX Series device is connected to the cloud server.

Method 2: Enrolling Security Device in Juniper ATP Cloud Web Portal

You can use a Junos OS operation (op) script to configure your SRX Series device to connect to the Juniper Advanced Threat Prevention Cloud service.

  1. On Juniper ATP Cloud Web portal, click the Enroll button on the Devices page.
  2. Copy the command to your clipboard and click OK.
  3. Paste the command into the Junos OS CLI of the SRX Series device in operational mode.
  4. Use the show services advanced-anti-malware status command to verify that a connection is made to the cloud server from the SRX Series device. The server host name in the following sample is an example only.

    In the sample, the connection status indicates that the cloud server is connected to your security device.

  5. You can also view the enrolled devices in Juniper ATP Cloud portal. Go to Devices > All Devices page. The page lists all the enrolled devices.

Configure IoT Traffic Streaming Settings

In this procedure, you'll create metadata streaming policies and enable security services on your security device.

  1. Complete cloud connection configuration.
  2. Create a security metadata streaming policy.

    We'll later attach these security metadata streaming policy to security policies to enable the IoT traffic streaming for the session.

  3. Enable security services such as application tracking, application identification, and PKI.

Configure SRX Series Device

Use this procedure to configure interfaces, zones, policies enable IoT packet filtering and streaming services on your security device.

  1. Configure interfaces.

  2. Configure security zones and enable application traffic for each configured zone.

    As shown in the topology, the untrust zone receives transit and host-bound traffic from IOT devices in network. The client device is in trust zone and the Juniper ATP Cloud is in cloud zone.

  3. Configure security policy P1.

    This configuration allows traffic from trust zone to untrust zone.

  4. Configure security policy P2.

    The configuration allows traffic from untrust zone to trust zone and applies the security metadata streaming policy p1 to enable IoT traffic streaming for the session.

  5. Configure security policy P3.

    This configuration allows traffic from trust zone to cloud zone and applies the security metadata streaming policy p2 to enable IoT traffic streaming for the session.

  6. Commit the configuration. Now your security device is ready to stream IoT traffic to Juniper ATP Cloud.

Lets check all the discovered IoT devices in Juniper ATP Cloud portal.

Viewing Discovered IOT Devices in ATP Cloud

To view discovered IoT devices in Juniper ATP Cloud portal, navigate to Minotor > IoT Devices page.

You can click and filter the IoT devices based on device category, manufacturer, type of operating system.

In the following image, we're filtering devices with Android OS.

The page lists IoT devices with details such as IP address, type, manufacturer, models, and so on. Using these details, you can monitor and create threat feeds to enforce security policy.

Create Threat Feeds

Once Juniper ATP Cloud identifies IoT devices, you can create threat feeds. When your security device downloads threat feeds in the form of dynamic address groups, you can use the feed your security policies to take enforcement actions on the inbound and outbound traffic on these IoT devices.

  1. Go to Minotor > IoT Devices page and click Create Feeds option.
  2. Click the plus sign (+). The Add New Feed page appears.

    In this example, we will use the feed name android_phone_user with a time-to-live (TTL) of seven days.

    Complete the configuration for the following fields:
    • Feed Name:

      Enter a unique name for the threat feed. The feed name must begin with an alpha-numeric character and can include letters, numbers, and underscores; no spaces are allowed. The length is 8–63 characters.

    • Type: Select the content type of the feed as IP.

    • Data Source: Select the data source for creating the feed as IOT.

    • Time to Live: Enter the number of days for the required feed entry to be active. After the feed entry crosses the time to live (TTL) value, the feed entry is automatically removed. The available range is 1–365 days.

  3. Click OK to save the changes.
  4. Go to Configure > Adaptive Threat Profiling. The page displays all threat feeds created. You can see the threat feed android_phone_user listed on the page.

    Click on the threat feed to display the IP address included in the threat feed.

  5. Ensure that your security device has downloaded the feed. Downloading happens automatically at regular intervals but can take a few minutes.

    You can manually download the threat feeds using the following command:

Lets proceed with creating security policies with the downloaded threat feeds.

Create Security Policy Using Adaptive Threat Profiling Feeds

Once your security device downloads the threat feed, you can refer it as dynamic address group in a security policy. A dynamic address is a group of IP addresses of IoT devices belonging to a specific domain.

In this example, we create a policy that detects traffic from android phones and blocks the traffic.

  1. Define security policy match criteria.
  2. Define security policy action.

In this example, when you commit the configuration, your security device blocks HTTP traffic for the IoT devices belonging to the specific domain.

For more information, see Configure Adaptive Threat Profiling.


From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Check security zones.

show services

If you are done configuring the feature on your device, enter commit from configuration mode.


Check Feed Summary and Status

Purpose: Verify if your security device is receiving IP address feeds in the form of dynamic address groups.

Action: Run the following command:

Meaning The output displays the connection status and other details of the Juniper ATP Cloud server.