Enable Juniper ATP Cloud for Encrypted HTTPS Connections
If you have not already done so, configure ssl-inspect-ca, which is used for SSL forward proxy and for detecting malware in HTTPS traffic. The following is just one example of configuring SSL forward proxy. For complete information, see Configuring SSL Proxy.
From operational mode, generate a PKI public/private key pair for a local digital certificate.
request security pki generate-key-pair certificate-id certificate-id size size type type
For example:
request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa
From operational mode, define a self-signed certificate. Specify certificate details such as the certificate identifier (generated in the previous step), a fully qualified domain name for the certificate, and an e-mail address of the entity owning the certificate.
request security pki local-certificate generate-self-signed certificate-id certificate-id domain-name domain-name subject subject email email-id
For example:
request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name www.juniper.net subject "CN=www.juniper.net,OU=IT,O=Juniper Networks,L=Sunnyvale,ST=CA,C=US" email security-admin@juniper.net
Once done, you can configure the SSL forward proxy to inspect HTTPS traffic. For example:
set services ssl proxy profile ssl-inspect-profile root-ca ssl-inspect-ca
set security policies from-zone trust to-zone untrust policy firewall-policy1 then permit application-services ssl-proxy profile-name ssl-inspect-profile
For a more complete example, see Configure Juniper Advanced Threat Prevention Cloud Policy.
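SSL forward proxy signs the server certificates it presents to clients with the configured root-ca, so a client-side check that a presented certificate verifies against ssl-inspect-ca confirms that the session is being inspected. The script below is an added example, not part of the Juniper procedure: it builds throwaway test certificates with openssl (assumed to be installed) and shows the check, including a lookalike CA with the same subject but a different key. The function names, file names, and the host example.test are assumptions for illustration.

```shell
#!/bin/sh
# Added example. All certificates here are constructed test data.
WORK=$(mktemp -d)
# Subject from the page's example, written in openssl -subj form.
SUBJ="/C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=IT/CN=www.juniper.net"

# make_ca NAME: throwaway self-signed CA standing in for an exported
# ssl-inspect-ca certificate (RSA 2048, as in the page's key-pair example).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$SUBJ" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf CA NAME HOST: certificate for HOST signed by CA, standing in for
# the certificate a client receives on an HTTPS connection.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# issued_by_inspect_ca CA_PEM LEAF_PEM: prints "inspected" only when the leaf's
# signature verifies against the CA key. A matching issuer name is not enough.
issued_by_inspect_ca() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo inspected
  else
    echo not-inspected
  fi
}

make_ca inspect        # plays the CA configured as root-ca
make_ca lookalike      # same subject, different key pair
make_leaf inspect via-proxy example.test
make_leaf lookalike other example.test
issued_by_inspect_ca "$WORK/inspect.pem" "$WORK/via-proxy.pem"
issued_by_inspect_ca "$WORK/inspect.pem" "$WORK/other.pem"
```

Against a real deployment, pass the certificate exported from the device as the first argument and the certificate captured on a client in the trust zone as the second.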