Troubleshooting Juniper ATP Cloud: Checking Certificates
Use the show security pki local-certificate CLI command to check your local certificates. Ensure that you are within the certificate's valid dates. The ssl-inspect-ca certificate is used for SSL proxy. Shown below are some examples. Your output might look different, as these are dependent on your setup and location.
show security pki local-certificate
Certificate identifier: ssl-inspect-ca
  Issued to: www.juniper_self.net, Issued by: CN = www.juniper_self.net, OU = IT , O = Juniper Networks, L = xxxxx, ST = xxxxx, C = IN
  Validity:
    Not before: 11-24-2015 22:33 UTC
    Not after: 11-22-2020 22:33 UTC
  Public key algorithm: rsaEncryption(2048 bits)
Certificate identifier: argon-srx-cert
  Issued to: xxxx-xxxx_xxx, Issued by: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) subCA for SRX devices, emailAddress = xxx@juniper.net
  Validity:
    Not before: 10-30-2015 21:56 UTC
    Not after: 01-18-2038 15:00 UTC
  Public key algorithm: rsaEncryption(2048 bits)
Use the show security pki ca-certificate command to check your CA certificates. The argon-ca certificate is the client certificate's CA, while the argon-secintel-ca certificate is the server certificate's CA. Ensure that you are within the certificate's valid dates.
root@host> show security pki ca-certificate
Certificate identifier: argon-ca
  Issued to: SecIntel (junipersecurity.net) subCA for SRX devices, Issued by: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) CA, emailAddress = xxx@juniper.net
  Validity:
    Not before: 05-19-2015 22:12 UTC
    Not after: 05- 1-2045 15:00 UTC
  Public key algorithm: rsaEncryption(2048 bits)
Certificate identifier: argon-secintel-ca
  Issued to: SecIntel (junipersecurity.net) CA, Issued by: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) CA, emailAddress = xxx@juniper.net
  Validity:
    Not before: 05-19-2015 03:22 UTC
    Not after: 05-16-2045 03:22 UTC
  Public key algorithm: rsaEncryption(2048 bits)
When you enroll an SRX Series Firewall, the ops script installs two CA certificates: one for the client and one for the server. Client-side CA certificates are associated with serial numbers. Use the show security pki local-certificate detail CLI command to get your device's certificate details and serial number.
show security pki local-certificate detail
Certificate identifier: aamw-srx-cert
  Certificate version: 3
  Serial number: xxxxxxxxxx
  Issuer:
    Organization: Juniper Networks Inc, Organizational unit: SecIntel, Country: US, Common name: SecIntel (junipersecurity.net) subCA for SRX devices
  Subject:
    Organization: xxxxxxxxxx, Organizational unit: SRX, Country: US, Common name: xxxxxxxxxx
  Subject string: C=US, O=xxxxxxxx, OU=SRX, CN=xxxxxxxx, emailAddress=secintel-ca@juniper.net
  Alternate subject: secintel-ca@juniper.net, fqdn empty, ip empty
  Validity:
    Not before: 11-23-2015 23:08 UTC
    Not after: 01-18-2038 15:00 UTC
Then use the show security pki crl detail CLI command to make sure your serial number is not in the Certificate Revocation List (CRL). If your serial number is listed in the CRL, that SRX Series Firewall cannot connect to the cloud server.
show security pki crl detail
CA profile: aamw-ca
  CRL version: V00000001
  CRL issuer: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) subCA for SRX devices, emailAddress = secintel-ca@juniper.net
  Effective date: 11-23-2015 23:16 UTC
  Next update: 11-24-2015 23:16 UTC
  Revocation List:
    Serial number                     Revocation date
    xxxxxxxxxxxxxxxxx                 10-26-2015 17:43 UTC
    xxxxxxxxxxxxxxxxx                 11- 3-2015 19:07 UTC
    ...
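The checks above (validity dates, then serial number against the CRL) scripted as an added example that is not part of Juniper's documentation: a Python script that parses text in the shape of the show security pki local-certificate detail and show security pki crl detail output, including the space-padded single-digit days Junos prints. The sample outputs, serial numbers and the second (revoked) certificate are constructed for this example.

```python
import re
from datetime import datetime, timezone
# Constructed samples shaped like the two Junos outputs above; serials and the revoked cert are made up.
LOCAL_CERT_DETAIL = """\
Certificate identifier: aamw-srx-cert
  Serial number: 0123456789abcdef0
    Not before: 11-23-2015 23:08 UTC
    Not after: 01-18-2038 15:00 UTC
Certificate identifier: old-srx-cert
  Serial number: 00aa11bb22cc33dd4
    Not before: 05-19-2015 22:12 UTC
    Not after: 05- 1-2045 15:00 UTC
"""
CRL_DETAIL = """\
  Revocation List:
    Serial number         Revocation date
    00aa11bb22cc33dd4     11- 3-2015 19:07 UTC
"""

def parse_junos_date(text):
    """'05- 1-2045 15:00 UTC' -> aware datetime; Junos pads single-digit days with a space."""
    fixed = text.strip().replace("- ", "-0")
    return datetime.strptime(fixed, "%m-%d-%Y %H:%M UTC").replace(tzinfo=timezone.utc)

def parse_local_certs(text):
    """Yield one dict per 'Certificate identifier:' block of the local-certificate detail output."""
    for chunk in re.split(r"(?=Certificate identifier:)", text)[1:]:
        serial = re.search(r"Serial number:\s*(\S+)", chunk)
        before, after = re.findall(r"Not (?:before|after):\s*(.+UTC)", chunk)
        yield {"identifier": chunk.split()[2],
               "serial": serial.group(1).lower() if serial else None,
               "not_before": parse_junos_date(before),
               "not_after": parse_junos_date(after)}

def parse_crl(text):
    """{serial: revocation datetime} from the rows under 'Revocation List:'; the header row is skipped."""
    rows = text.partition("Revocation List:")[2]
    return {s.lower(): parse_junos_date(d) for s, d in
            re.findall(r"^\s*([0-9a-fA-F]+)\s+(\d\d-[ \d]\d-\d{4} \d\d:\d\d UTC)", rows, re.M)}

def check_certs(cert_text, crl_text, now):
    """Map each certificate identifier to its problems; an empty list means the cert is usable."""
    revoked, report = parse_crl(crl_text), {}
    for c in parse_local_certs(cert_text):
        problems = [] if c["not_before"] <= now <= c["not_after"] else ["outside validity period"]
        if c["serial"] in revoked:
            problems.append("revoked on " + revoked[c["serial"]].strftime("%Y-%m-%d"))
        report[c["identifier"]] = problems
    return report
```

On a real device, feed the script the captured output of both commands and pass the current UTC time as now; any non-empty list for the enrollment certificate explains why the firewall cannot connect to the cloud server.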