Policy Enforcer Components and Dependencies
The Policy Enforcer management interface is a component of Junos Space Security Director and requires the following to be configured and deployed:
Junos Space Platform—Junos Space is a comprehensive network management solution that simplifies and automates management of Juniper Networks switching, routing, and security devices. Junos Space Virtual Appliance includes the complete Junos Space software package as well as the Junos OS operating system. It requires users to create a virtual machine (VM) in order to deploy the appliance.
Security Director—Junos Space Security Director provides centralized and orchestrated security policy management through a web-based interface. Security administrators can use Security Director to manage all phases of the security policy life cycle for every SRX Series physical and virtual device.
Policy Enforcer—Policy Enforcer itself is installed on a VM and uses RESTful APIs to communicate with both Security Director and Juniper Networks Advanced Threat Prevention Cloud (Juniper ATP Cloud). Policy Enforcer contains two components:
Policy Controller—Defines the logical grouping of the network into secure fabric, automates the enrollment of SRX Series devices with Juniper ATP Cloud, and configures the SRX firewall policies.
Feed Connector—Aggregates the cloud and customer feeds and is the server for SRX Series devices to download feeds.
Juniper ATP Cloud—Juniper ATP Cloud employs a pipeline of technologies in the cloud to identify varying levels of risk, and provides a higher degree of accuracy in threat protection. It integrates with SRX Series gateways to deliver deep inspection, inline malware blocking, and actionable reporting.
Juniper ATP Cloud’s identification technology uses a variety of techniques to quickly identify a threat and prevent an impending attack, including:
- Rapid cache lookups to identify known files.
- Dynamic analysis that involves unique deception techniques applied in a sandbox to trick malware into activating and self-identifying.
- Machine-learning algorithms to adapt to and identify new malware.
SRX Series device—SRX Series gateways provide security enforcement and deep inspection across all network layers and applications. Users can be permitted or prohibited from accessing specific business applications and Web applications, regardless of the network ports and protocols that are used to transmit the applications.
Figure 1 illustrates how the components in the Policy Enforcer Deployment Model interact.
Figure 2 shows an example infected endpoint scenario to illustrate how some of the components work together.
Step | Action |
---|---|
1 | A user downloads a file from the Internet. |
2 | Based on user-defined policies, the file is sent to Juniper ATP Cloud for malware inspection. |
3 | The inspection determines this file is malware and informs Policy Enforcer of the results. |
4 | The enforcement policy is automatically deployed to the SRX Series device and switches. |
5 | The infected endpoint is quarantined. |
Policy Enforcer can track the infected endpoint and automatically quarantine it or block it from accessing the Internet if the user moves from one campus location to another. See Figure 3.
In this example, Juniper ATP Cloud identifies the endpoint as having the IP address 192.168.10.1 and residing in SVL-A. The EX Series switch quarantines it because Juniper ATP Cloud has labeled it an infected host. Suppose the infected host physically moves from location SVL-A to location SVL-B. The microservice on the EX Series switch in SVL-B tracks the MAC address to its new IP address and automatically quarantines the host again. Policy Enforcer then informs Juniper ATP Cloud of the new MAC address-to-IP address binding.
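The roaming scenario above, as an added example that is not part of the original page and is not Policy Enforcer's or the EX Series switch's own code: a small Python tracker that keys the quarantine on the MAC address rather than the IP address, so enforcement follows the host when its address changes. The event format (mac, ip, site), the feed being a list of IPv4 addresses, the action tuples it returns, and the handling of an IP address later taken over by a different MAC are assumptions made for the illustration; the page does not describe these details.

```python
class InfectedHostTracker:
    """Simplified model of the roaming-host case: quarantine follows the MAC address.

    Illustration only, not Policy Enforcer's logic. Assumed here: the infected host
    feed names hosts by IPv4 address, the network reports hosts as (mac, ip, site)
    events, and a quarantine keyed on an IP must be lifted when a different MAC
    takes that IP over, so a clean host is not blocked by a stale entry.
    """

    def __init__(self, infected_feed_ips):
        self.feed_ips = set(infected_feed_ips)  # feed entries not yet tied to a MAC
        self.infected_macs = set()
        self.binding = {}      # mac -> (ip, site) last seen
        self.ip_owner = {}     # ip -> mac currently holding it
        self.quarantined = {}  # ip -> site where the quarantine was applied

    def observe(self, mac, ip, site):
        """Process one host-seen event; return the enforcement actions it triggers."""
        actions = []
        prev_owner = self.ip_owner.get(ip)
        if prev_owner is not None and prev_owner != mac and ip in self.quarantined:
            # The IP changed hands: a quarantine keyed on it would now hit the wrong host.
            actions.append(("release", self.quarantined.pop(ip), ip))
        old = self.binding.get(mac)
        if old is not None and old[0] != ip and self.ip_owner.get(old[0]) == mac:
            # This host left its old IP; lift any quarantine applied there.
            self.ip_owner.pop(old[0])
            if old[0] in self.quarantined:
                actions.append(("release", self.quarantined.pop(old[0]), old[0]))
        self.binding[mac] = (ip, site)
        self.ip_owner[ip] = mac
        if ip in self.feed_ips:
            # The feed identified this host by IP; from now on track it by MAC.
            self.feed_ips.discard(ip)
            self.infected_macs.add(mac)
        if mac in self.infected_macs and ip not in self.quarantined:
            self.quarantined[ip] = site
            actions.append(("quarantine", site, ip))
            if old is not None and old[0] != ip:
                # New MAC-to-IP binding, the detail reported back to Juniper ATP Cloud.
                actions.append(("rebind", mac, old[0], ip))
        return actions


def replay(events, infected_feed_ips):
    """Run a sequence of (mac, ip, site) events and return all actions in order."""
    tracker = InfectedHostTracker(infected_feed_ips)
    return [action for event in events for action in tracker.observe(*event)]


# Constructed sample (not from the page): the infected host at 192.168.10.1 in
# SVL-A moves to SVL-B and gets a new address; a different host then reuses
# the old address.
ROAMING_EVENTS = [
    ("00:11:22:33:44:55", "192.168.10.1", "SVL-A"),
    ("00:11:22:33:44:55", "192.168.20.7", "SVL-B"),
    ("66:77:88:99:aa:bb", "192.168.10.1", "SVL-A"),
]

if __name__ == "__main__":
    for action in replay(ROAMING_EVENTS, ["192.168.10.1"]):
        print(action)
```

The ordering of events matters in practice: if the old address is reused before the move is observed, the tracker lifts the stale IP-keyed quarantine first and re-applies it at the new site once the infected MAC reappears, which is why the binding update has to be reported rather than inferred from the IP alone.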
Policy Enforcer can also quarantine infected hosts even if those hosts are connected to third-party switches, as shown in Figure 4.
For Policy Enforcer to provide threat remediation to endpoints connecting through third-party devices, it must be able to authenticate those devices and determine their state. It does this using a tracking and accounting threat remediation plug-in that gathers information from a RADIUS server and enforces policies such as terminate session and quarantine. For more information, see Policy Enforcer Connector Overview.
Step | Action |
---|---|
1 | An end-user authenticates to the network through IEEE 802.1X or through MAC-based authentication. |
2 | Juniper ATP Cloud detects that the endpoint is infected with malware and adds it to the infected host feed. |
3 | Policy Enforcer downloads the infected host feed. |
4 | Policy Enforcer enforces the infected host policy using the Connector. See Policy Enforcer Connector Overview. |
5 | The Connector queries the RADIUS server for the infected host endpoint details and initiates a Change of Authorization (CoA) for the infected host. |
6 | The CoA action can be either to block or to quarantine the infected host. |
7 | The enforcement occurs on the NAC device the infected host is authenticated with. |
8 | Policy Enforcer communicates the infected host details back to Juniper ATP Cloud. |
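Steps 3 through 6 above, as an added example that is not part of the original page and is not the Connector's or Policy Enforcer's own code: Python that takes an infected host feed, looks each host up in a RADIUS session table, and builds the RFC 5176 packet the Connector would send to the NAC device, with the Request Authenticator and Message-Authenticator computed the way the RFC specifies. Assumptions made for the illustration: the feed is a list of IPv4 addresses, the session table is keyed by Framed-IP-Address and was obtained from the RADIUS server, "block" maps to a Disconnect-Request, "quarantine" maps to a CoA-Request carrying Filter-Id "quarantine" (the real attribute and policy name depend on the NAC vendor), and the shared secret is a test value.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 5176).
DISCONNECT_REQUEST = 40
COA_REQUEST = 43

# Attribute types (RFC 2865, RFC 2866, RFC 3579).
USER_NAME = 1
FILTER_ID = 11
CALLING_STATION_ID = 31
ACCT_SESSION_ID = 44
MESSAGE_AUTHENTICATOR = 80

HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte authenticator follows


def _avp(attr_type, value):
    """Encode one Type-Length-Value attribute; RADIUS caps the value at 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code, identifier, attrs, secret):
    """Serialize a CoA-Request or Disconnect-Request; attrs is a list of (type, bytes)."""
    body = b"".join(_avp(t, v) for t, v in attrs)
    body += _avp(MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, so the length is final
    header = HEADER.pack(code, identifier, 20 + len(body))
    # Message-Authenticator = HMAC-MD5(secret, packet) with the Request Authenticator
    # and the attribute's own value zeroed (RFC 5176 Section 3.2). MD5 is what the
    # RFC mandates here, so the shared secret's strength is what actually matters.
    mac = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + mac
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    # (RFC 5176 Section 3), computed after the Message-Authenticator is final.
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body


def parse_attrs(packet):
    """Return the attributes of a RADIUS packet as a list of (type, bytes)."""
    code, identifier, length = HEADER.unpack_from(packet)
    if length != len(packet) or length < 20:
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_request(packet, secret):
    """Check both integrity fields the way a NAC device receiving the CoA would."""
    header, req_auth, body = packet[:4], packet[4:20], packet[20:]
    expected_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(req_auth, expected_auth):
        return False
    try:
        attrs = parse_attrs(packet)
    except (ValueError, struct.error):
        return False
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1:
        return False
    zeroed = b"".join(_avp(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected_mac = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(macs[0], expected_mac)


# Constructed sample data (not from the page): an infected host feed and the RADIUS
# session table the Connector would have queried, keyed by Framed-IP-Address.
INFECTED_HOST_FEED = ["192.168.10.1", "10.20.30.40"]
RADIUS_SESSIONS = {
    "192.168.10.1": {"user": "alice", "mac": "00-11-22-33-44-55", "acct_session_id": "0x3f21"},
    "172.16.5.9": {"user": "bob", "mac": "66-77-88-99-aa-bb", "acct_session_id": "0x3f22"},
}


def remediate(feed, sessions, action, secret, first_id=1):
    """Build one packet per infected host with a live session; return (packets, skipped).

    "block" sends a Disconnect-Request; "quarantine" sends a CoA-Request with an
    assumed Filter-Id of "quarantine". Feed entries with no session are reported,
    not guessed at, so nothing is sent for a host the RADIUS server does not know.
    """
    packets, skipped, ident = [], [], first_id
    for ip in feed:
        session = sessions.get(ip)
        if session is None:
            skipped.append(ip)
            continue
        attrs = [(USER_NAME, session["user"].encode()),
                 (CALLING_STATION_ID, session["mac"].encode()),
                 (ACCT_SESSION_ID, session["acct_session_id"].encode())]
        if action == "quarantine":
            code = COA_REQUEST
            attrs.append((FILTER_ID, b"quarantine"))
        elif action == "block":
            code = DISCONNECT_REQUEST
        else:
            raise ValueError("action must be 'block' or 'quarantine'")
        packets.append((ip, build_request(code, ident & 0xFF, attrs, secret)))
        ident += 1
    return packets, skipped
```

Identifying the session by User-Name, Calling-Station-Id and Acct-Session-Id together is deliberate: a CoA matched on IP address alone can land on whichever host currently holds that address, which is the same stale-binding problem the roaming scenario above describes.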