Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Enroll an SRX Series Firewall Using the CLI

Starting in Junos OS Release 19.3R1, you can use the request services advanced-anti-malware enroll command on the SRX Series Firewall to enroll a device to the Juniper ATP Cloud Web Portal. With this command, you do not have to perform any enrollment tasks on the Web Portal. All enrollment is done from the CLI on the SRX.

Enrollment establishes a secure connection between the Juniper ATP Cloud cloud server and the SRX Series Firewall. It also performs basic configuration tasks such as:

  • Downloads and installs certificate authorities (CAs) onto your SRX Series Firewall.

    Note:
    • You can enroll SRX1600, SRX2300 and SRX4300 firewalls with Trusted Platform Module (TPM)-based certificates for TLS-based authentication and a secure connection with the Juniper ATP Cloud. For more information about TPM, see Encryption with Trusted Platform Module. Since the TPM-based certificates are used for connections between the SRX Series Firewall and Juniper ATP Cloud, you must allow traffic to the junipersecurity.net domain on ports 8444 and 7444.

    • To enroll SRX300, SRX320, SRX340, SRX345, SRX380, SRX5400, SRX5600, and SRX5800 Series Firewalls with Juniper ATP Cloud, ensure that TPM-based encryption is not configured on these devices. Enrollment to Juniper ATP Cloud is not supported with TPM-based encryption.

  • Creates local certificates and enrolls these certificates with the cloud server.

  • Establishes a secure connection to the cloud server.

Note:

Juniper ATP Cloud requires that both your Routing Engine (control plane) and Packet Forwarding Engine (data plane) can connect to the Internet. You do not need to open any ports on the SRX Series Firewall to communicate with the cloud server. However, if you have a device in the middle, such as a firewall, then that device must have ports 80, 8080, and 443 open.

Also note, the SRX Series Firewall must be configured with DNS servers in order to resolve the cloud URL.

Using the device enrollment command request services advanced-anti-malware enroll on the SRX Series Firewall, you can enroll the device to an existing realm or create a realm and then enroll to it.

Here is a sample that creates a realm and then enrolls to that realm.

Note:

You must log in as root (super user) to perform the following operations.

root@host> request services advanced-anti-malware enroll

  1. Enroll the SRX Series Firewall to Juniper ATP Cloud (CLI only):

    request services advanced-anti-malware enroll

    Please select geographical region from the list:

    1. North America

    2. European Region

    3. Canada

    4. Asia Pacific

    Your choice: 1

  2. Select an existing realm or create a realm:

    Enroll SRX to:

    1. A new SkyATP security realm (you will be required to create it first)

    2. An existing SkyATP security realm

    If you select option 1 to create a realm, the steps are as follows:

    • You are going to create a new Sky ATP realm, please provide the required information:

    • Please enter a realm name (This should be a name that is meaningful to your organization. A realm name can only contain alphanumeric characters and the dash symbol. Once a realm is created, it cannot be changed):

      Real name: example-company-a

    • Please enter your company name:

      Company name: Example Company A

    • Please enter your e-mail address. This will be your username for your Sky ATP account:

      Email: me@example-company-a.com

    • Please setup a password for your new Sky ATP account (It must be at least 8 characters long and include both uppercase and lowercase letters, at least one number, at least one special character):

      Password: **********

      Verify: **********

    • Please review the information you have provided:

      Region: North America

      New Realm: example-company-a

      Company name: Example Company A

      Email: me@example-company-a.com

    • Create a new realm with the above information? [yes,no]

      yes

      Device enrolled successfully!

    If you select option 2 to use an existing realm, the steps are as follows:

    Note:

    You must enter a valid username and password for the existing realm as part of the enrollment procedure.

    • Enter the name of the existing realm:

      Please enter a realm name.

      Realm name: example-company-b

    • Please enter your company name:

      Company name: Example Company B

    • Enter your email address/username for the realm. This is the email address that was previously created when setting up the realm.

      Please enter your e-mail address. This will be your username for your Sky ATP account:

    • Enter the password for the realm. This is the password that was previously created when setting up the realm.

      Password:********

    • Enroll device to the realm above? [yes,no] yes

      Device enrolled successfully!

You can use the show services advanced-anti-malware status CLI command on your SRX Series Firewall to verify that a connection has been made to the cloud server from the SRX Series Firewall.

Once enrolled, the SRX Series Firewall communicates to the cloud through multiple, persistent connections established over a secure channel (TLS 1.2) and the SRX Series Firewall is authenticated using SSL client certificates.