Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Loading a Root CA

After the Policy Enforcer virtual machine is configured and created and before creating any ATP policy, you must set up certificates on any Juniper ATP Cloud-supported SRX Series device. For a list of Juniper ATP Cloud- supported devices, see Juniper ATP Cloud Supported Platforms Guide.

Note:

The following is simply an example. You will need to modify the group name, profile and policy name to match your configuration.

To set up certificates for Policy Enforcer:

  1. Create the CA profile using the following CLI command. A CA profile configuration contains information specific to a CA.
  2. Configure the CA profile.
    Note:

    The CA profile name must be policyEnforcer.

  3. Load the default trusted CA.
  4. Enable HTTPS on the threat prevention policy.

    When creating your threat prevention policy (in Security Director, select Configure>Threat Prevention > Policy), enable the Scan HTTPS option to scan files downloaded over HTTPS. For more information on creating threat prevention policies, see the Security Director online help.

    When you enable HTTPS on the threat prevention policy, Policy Enforcer sends the following configuration to the devices:

  5. Export the locally generated certificate from the SRX Series device and install it on clients as a trusted CA to avoid some of the certificate errors that may occur.

    Each website or browser behaves slightly different. Some require exceptions to be added to your browser to display the content while others may not work because the local certificate is weak.

  6. (Optional) You can limit some certificate warning messages using the following CLI command: