request services advanced-anti-malware diagnostic
Syntax
request services advanced-anti-malware diagnostic url (detail | pre-detection url | routing-instance instance-name)
Description
Use this command before you enroll your SRX Series Firewall with Juniper Advanced Threat
Prevention Cloud to verify your Internet connection to the cloud. If you already
enrolled your SRX Series Firewall, you can still use this command and the
request services aamw data-connection CLI command to check and
troubleshoot your connection to the cloud.
This CLI command checks the following:
DNS lookup—Performs a forward DNS lookup of the cloud hostname to verify it returns an IP address. The examining process is terminated if it cannot get an interface name to the cloud. This issue may be caused by a connection error. Please check your network connection.
Route to cloud—Tests your network connection using telnet.
Whether server is live—Uses the telnet and ping commands to verify connection with the cloud.
Outgoing interface—Checks that both the Routing Engine (RE) and the Packet Forwarding Engine (PFE) can connect to the Internet.
IP path MTU—Determines the maximum transmission unit (MTU) size on the network path between the SRX Series Firewall and the cloud server. The examining process is terminated if the outgoing interface MTU is less than 1414. As a workaround, set the outgoing interface MTU to the default value or to a value greater than 1414.
A warning message appears if the path MTU is less than the outgoing interface MTU. This is a minor issue and you can ignore the message. A higher path MTU is recommended but a low path MTU will work.
SSL configuration consistency—Verifies that the SSL profile, client certificate and CA exists in both the RE and the PFE.
Client and server clock check—When you run this CLI command, it first checks the difference between the server time and the local time. The time difference is expected to be less than one minute. If the time difference is more than one minute, an error message is displayed. See Table 1.
Options
| url | URL to the Juniper Advanced Threat Prevention Cloud server. |
| detail | (optional) Debug mode that provides more verbose output. |
| pre-detection url | (optional) Pre-detection mode where you can test your connection to the cloud server prior to actually enrolling your SRX Series Firewall. To use this option, in the Web UI, click Devices and then click Enroll. You will receive an ops script similar to this: op url https://abc.def.junipersecurity.net/bootstrap/enroll/AaBbCc/DdEeFf.slax Use the root URL from the ops script as the url for the pre-detection option. For example, using the above ops script run the command as: request services advanced-anti-malware diagnostic pre-detection abc.def.junipersecurity.net |
| routing-instance | (optional)
Routing instance used during enrollment. Specifying this option lets
you diagnose the data plane connection to the Juniper ATP Cloud server
with a customized routing instance. If you add |
Additional Information
Table 1 lists the error conditions detected by this CLI command.
Error Message |
Description |
|---|---|
URL unreachable is detected, please make sure URL url port port is reachable. |
Could not access the cloud server. |
SSL profile ssl profile name is inconsistent between PFE and RE. |
The SSL profile exists in the RE but does not exist in the PFE. |
SSL profile ssl profile name is empty. |
The SSL profile has neither trusted CA nor client certificate configured. |
SSL local certificate local certificate is inconsistent between PFE and RE. |
The SSL client certificate does not exist in PFE. |
SSL CA ca name is inconsistent between PFE and RE. |
The SSL CA exists in the RE but does not exist in the PFE. |
DNS lookup failure is detected, please check your DNS configuration. |
The IP address of the cloud server could not be found. If this test fails, check to make sure your Internet connection is working properly and your DNS server is configured and has an entry for the cloud URL. |
To-SKYATP connection through management interface is detected. Please make sure to-SKYATP connection is through packet forwarding plane. |
The test detected that the Internet connection to the cloud server is through the management interface. This may result in your PFE connection to the cloud server failing. To correct this, change the Internet connection to the cloud to be through the PFE and not the management interface. |
Unable to get server time. |
Could not retrieve the server time. |
Time difference is too large between server and this device. |
The difference between the server time and the local SRX Series Firewall’s time is more than a minute. To correct this, ensure that the clock on the local SRX Series Firewall is set correctly. Also, verify that you are using the correct NTP server. |
Unable to perform IP path MTU check since ICMP service is down. |
Unable to connect to the Juniper ATP Cloud server. |
Required ICMP session not found. |
Unable to establish an ICMP session with the specified URL. Check that you have specified a valid URL. |
Required Privilege Level
View
Sample Output
- request services advanced-anti-malware diagnostic
- request services advanced-anti-malware diagnostic detail
- request services advanced-anti-malware diagnostic pre-detection
request services advanced-anti-malware diagnostic
user@host> request services advanced-anti-malware diagnostic abc.def.junipersecurity.net Time check : [OK] DNS check : [OK] SKYATP reachability check : [OK] SKYATP ICMP service check : [OK] Interface configuration check : [OK] Outgoing interface MTU is default value IP Path MTU check : [OK] IP Path MTU is 1472 SSL configuration consistent check : [OK]
request services advanced-anti-malware diagnostic detail
user@host> request services advanced-anti-malware diagnostic abc.def.junipersecurity.net detail
Time check : [OK]
[INFO] Try to get IP address for hostname abc.def.junipersecurity.net
DNS check : [OK]
[INFO] Try to test SKYATP server connectivity
SKYATP reachability check : [OK]
[INFO] Try ICMP service in SKYATP
SKYATP ICMP service check : [OK]
[INFO] To-SKYATP connection is using ge-0/0/3.0, according to route
Interface configuration check : [OK]
Outgoing interface MTU is default value
[INFO] Check IP MTU with length 1472
IP Path MTU check : [OK]
IP Path MTU is 1472
SSL configuration consistent check : [OK]
request services advanced-anti-malware diagnostic pre-detection
user@host> request services advanced-anti-malware diagnostic pre-detection abc.def.junipersecurity.net Time check : [OK] DNS check : [OK] SKYATP reachability check : [OK] SKYATP ICMP service check : [OK] Interface configuration check : [OK] Outgoing interface MTU is default value IP Path MTU check : [OK] IP Path MTU is 1472
Release Information
Command introduced in Junos OS Release
15.1X49-D60. The interface name to cloud check, MTU warning, and client
and server clock check added in Junos OS Release 15.1X49-D90. routing-instance option added in Junos OS Release 15.1X49-D100.