Enroll an SRX Series Firewall Using the CLI
Starting in Junos OS Release 19.3R1, you can use the request services advanced-anti-malware enroll command on the SRX Series Firewall to enroll a device to the Juniper ATP Cloud Web Portal. With this command, you do not have to perform any enrollment tasks on the Web Portal itself. All enrollment is done from the CLI on the SRX.
Enrollment establishes a secure connection between the Juniper ATP Cloud cloud server and the SRX Series Firewall. It also performs basic configuration tasks such as:
Downloads and installs certificate authorities (CAs) onto your SRX Series Firewall
Creates local certificates and enrolls them with the cloud server
Establishes a secure connection to the cloud server
Juniper Advanced Threat Prevention Cloud requires that both your Routing Engine (control plane) and Packet Forwarding Engine (data plane) can connect to the Internet. You do not need to open any ports on the SRX Series Firewall to communicate with the cloud server. However, if you have a device in the middle, such as a firewall, then that device must have ports 80, 8080, and 443 open.
Also note, the SRX Series Firewall must be configured with DNS servers in order to resolve the cloud URL.
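The reachability requirements above (working DNS, and ports 80, 8080, and 443 allowed through any device in the middle) can be checked before running the enroll command. The following is an added example, not Juniper code: it assumes a Python 3 host sitting behind the same intermediate device as the SRX, and the cloud hostname is passed in by the operator because this page does not name it.

```python
import socket

# Ports the page says an intermediate firewall must allow.
REQUIRED_PORTS = (80, 8080, 443)

def resolve(host):
    """Addresses the locally configured DNS servers return for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def probe(host, port, timeout=5.0):
    """Classify the TCP path: 'open', 'refused' (no listener) or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout or unreachable: typical of a dropped packet
        return "filtered"

def preflight(targets, resolver=resolve, prober=probe):
    """targets: iterable of (host, port) pairs. Returns (ok, findings)."""
    ok, findings, resolved = True, [], {}
    for host, port in targets:
        if host not in resolved:
            try:
                resolved[host] = resolver(host)
            except OSError:  # socket.gaierror is a subclass of OSError
                resolved[host] = []
            state = ", ".join(resolved[host]) or "UNRESOLVED"
            findings.append(f"dns {host}: {state}")
        if not resolved[host]:
            ok = False
            continue
        result = prober(host, port)
        ok = ok and result == "open"
        findings.append(f"tcp {host}:{port}: {result}")
    return ok, findings

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: preflight.py <cloud-hostname> [<cloud-hostname> ...]")
    pairs = [(h, p) for h in sys.argv[1:] for p in REQUIRED_PORTS]
    ok, findings = preflight(pairs)
    print("\n".join(findings))
    sys.exit(0 if ok else 1)
```

A "refused" result means the path is allowed but nothing is listening on that port at that hostname; "filtered" is the result that points at the device in the middle.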
Using the device enrollment command on the SRX Series Firewall, request services advanced-anti-malware enroll, you can enroll the device to an existing realm or create a new realm and then enroll to it.
Here is an example configuration that creates a new realm and then enrolls to that realm.
You must log in as root (super user) to perform the following operations.
root@host> request services advanced-anti-malware enroll
You can use the show services advanced-anti-malware status CLI command on your SRX Series Firewall to verify that a connection has been made to the cloud server from the SRX Series Firewall.
Once enrolled, the SRX Series Firewall communicates with the cloud through multiple persistent connections established over a secure channel (TLS 1.2), and the SRX Series Firewall is authenticated using SSL client certificates.