Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Policy Enforcer Settings

To configure your Policy Enforcer, perform the following actions.

Before You Begin

  • Policy Enforcer Release version and Security Director Release version must be compatible. The Settings page shows the current release version of Policy Enforcer. If there is an incompatibility, an error message is shown that there is a mismatch between Security Director and Policy Enforcer release versions. To know more about the supported software versions, see Policy Enforcer Release Notes.

    You cannot proceed further if the Policy Enforcer and Security Director Release versions are incompatible.

  • A valid Policy Enforcer VM password is required to have a fully functional Policy Enforcer. If the password is valid, a message is shown at the top of the Settings page that the Policy Enforcer Space user (pe_user) password is currently valid and the date by when the password expires. The pe_user has the same capabilities as the super user.

    If the password is invalid, an error message is shown at the top of the Settings page. To fix this issue, login to the Policy Enforcer VM, change the root password, and then enter the new root password in the Settings page.

  • Policy Enforcer with Security Director can be used in four different configuration types. For each configuration type, certain features are available. Read the following topic: Juniper ATP Cloud Configuration Type Overview before you make a Juniper ATP Cloud or Juniper Advanced Threat Prevention (JATP) Configuration Type selection on the Policy Enforcer Settings page.

  • If you are using Juniper ATP Cloud or JATP without Juniper Connected Security or Cloud Feeds only, you must still download Policy Enforcer and create a policy enforcer virtual machine.

  • Juniper ATP Cloud license and account are needed for three of the configuration types (Juniper ATP Cloud or JATP with Juniper Connected Security, Juniper ATP Cloud or JATP, and Cloud Feeds only), but not for the default mode (No Selection). If you do not have a Juniper ATP Cloud license, contact your local sales office or Juniper Networks partner to place an order for a Juniper ATP Cloud premium license. If you do not have a Juniper ATP Cloud account, when you configure Juniper ATP Cloud, you are redirected to the Juniper ATP Cloud server to create one. Please obtain a license before you try to create a Juniper ATP Cloud account. Refer to Policy Enforcer Installation Overview for instructions on obtaining a Juniper ATP Cloud premium license.

To set up ATP Cloud or JATP Configuration Type, you must do the following:

  1. Select Security Director>Administration>Policy enforcer>Settings.

  2. Enter the IP address for the policy enforcer virtual machine. (This is the IP address you configured during the PE VM installation. You can locate this IP address in the vSphere Center portal.)

  3. Enter the password for the policy enforcer virtual machine. (This is the same password you use to login to the VM with your root credentials. Note that the username defaults to root )


    Refer to Deploying and Configuring the Policy Enforcer with OVA files for instructions on downloading Policy Enforcer and creating your policy enforcer virtual machine.

  4. If you want to use certificate based authentication, enable the Certificate Based Authentication option.

    Browse the X509 certificate file and X509 certificate Key file.

  5. Select ATP Cloud Configuration Type. If you do not select a type, Policy Enforcer works in default mode. (See Sky ATP Configuration Type Overview for more information.)

    Refer Table 1 to understand the supported threat prevention types for different Policy Enforcer modes:

    Table 1: Supported Threat Prevention Types for Different PE Modes

    Threat Prevention Type

    No Selection (Default)

    Cloud Feeds Only

    ATP Cloud or JATP

    ATP Cloud or JATP with Juniper Connected Security

    Custom feeds





    Command and Control (C&C) feeds





    Infected Host feed





    Malware inspection





    Enforcement on EX Series and QFX Series switches or using 3rd party Connectors





    You cannot change or modify a higher configuration to a basic mode. For example, you cannot change:

    • Juniper ATP Cloud or JATP ->Cloud feeds only

    • Juniper ATP Cloud or JATP with Juniper Connected Security ->Cloud feeds only

    • Juniper ATP Cloud or JATP ->No Selection (Default)


    If you change to a lower mode, you must reinstall Security Director and Policy Enforcer.

    However, you can change or modify your configuration to a higher mode. For example you can change:

    • Cloud feeds only-> Juniper ATP Cloud or JATP

    • Cloud feeds only ->Juniper ATP Cloud with Juniper Connected Security

    • Juniper ATP Cloud or JATP -> Juniper ATP Cloud with Juniper Connected Security

  6. Polling timers affect how often the system polls to discover endpoints. There are two polling timers, one that polls network wide and one that polls site wide. They each have default settings, but you can change those defaults to poll more or less often.

    • Network wide polling interval (value in hours): The default is 24 hours. You can set this range from between 1 to 48 hours. This timer polls all endpoints added to the secure fabric.

    • Site wide polling interval (value in minutes): The default is 5 minutes. You can set this range from 1 minute to 60 minutes. This timer polls infected endpoints moving within the sites that are a part of Secure fabric.

  7. Click Enable Feeds Purge to enable the purge option. You can purge the feeds that are older than a specified number of days.

  8. The Purge History determines the number of days you can preserve the history of the feeds in Policy Enforcer. You can set a range between 300 to 600 days. The default is 365 days.

    The purge job runs every day at 12:00 PM and makes sure that the data set on the purge history is maintained.

  9. Click the Download button to view or save Policy Enforcer data logs to your local system. These logs are in a compressed file format.