Loading a Root CA
After the Policy Enforcer virtual machine is configured
and created and before creating any ATP policy, you must set up certificates
on any Juniper ATP Cloud-supported SRX Series device. For a list of
Juniper ATP Cloud- supported devices, see Juniper ATP Cloud Supported Platforms Guide
The following is simply an example. You will need to modify the group name, profile and policy name to match your configuration.
To set up certificates for Policy Enforcer:
- Create the CA profile using the following CLI command.
A CA profile configuration contains information specific to a CA.
root@host# request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa
root@host# request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name www.juniper.net subject "CN=www.juniper.net,OU=IT,O=Juniper Networks,L=Sunnyvale,ST=CA,C=US" email security-admin@juniper.net
- Configure the CA profile.
Note The CA profile name must be policyEnforcer.
root@host# set security pki policyEnforcer ssl-inspect-ca ca-identity ssl-inspect-ca
root@host# set security pki ca-profile policyEnforcer ca-identity ssl-profile-ca
- Load the default trusted CA.
root@host# request security pki ca-certificate ca-profile-group load ca-group-name All-Trusted-CA-Def filename default
- Enable HTTPS on the threat prevention policy.
When creating your threat prevention policy (in Security Director, select Configure>Threat Prevention > Policy), enable the Scan HTTPS option to scan files downloaded over HTTPS. For more information on creating threat prevention policies, see the Security Director online help.
When you enable HTTPS on the threat prevention policy, Policy Enforcer sends the following configuration to the devices:
##Security Firewall Policy : trust - untrust## set security policies from-zone trust to-zone untrust policy PolicyEnforcer-Rule1-1 then permit application-services ssl-proxy profile-name policyEnforcer ##Security Firewall Policy : global ## set security policies global policy PolicyEnforcer-Rule1-1 then permit application-services ssl-proxy profile-name policyEnforcer ##SSL Forward proxy Profile Configurations## set services ssl proxy profile policyEnforcer trusted-ca all set services ssl proxy profile policyEnforcer root-ca ssl-inspect-ca
- Export the locally generated certificate from the SRX
Series device and install it on clients as a trusted CA to avoid some
of the certificate errors that may occur.
Each website or browser behaves slightly different. Some require exceptions to be added to your browser to display the content while others may not work because the local certificate is weak.
root@host# request security pki local-certificate export certificate-id ssl-inspect-ca type pem filename ssl-inspect-ca.pem
- (Optional) You can limit some certificate warning messages
using the following CLI command:
root@host# set services ssl proxy profile policyEnforcer actions ignore-server-auth-failure