Enroll an SRX Series Firewall Using the CLI
Starting in Junos OS Release 19.3R1, you can use the request services
advanced-anti-malware enroll
command on the SRX Series Firewall to enroll a
device to the Juniper ATP Cloud Web Portal. With this command, you do not have to
perform any enrollment tasks on the Web Portal. All enrollment is done from the CLI on
the SRX.
Enrollment establishes a secure connection between the Juniper ATP Cloud cloud server and the SRX Series Firewall. It also performs basic configuration tasks such as:
-
Downloads and installs certificate authorities (CAs) onto your SRX Series Firewall.
Note:-
You can enroll SRX1600, SRX2300 and SRX4300 firewalls with Trusted Platform Module (TPM)-based certificates for TLS-based authentication and a secure connection with the Juniper ATP Cloud. For more information about TPM, see Encryption with Trusted Platform Module. Since the TPM-based certificates are used for connections between the SRX Series Firewall and Juniper ATP Cloud, you must allow traffic to the junipersecurity.net domain on ports 8444 and 7444.
-
To enroll SRX300, SRX320, SRX340, SRX345, SRX380, SRX5400, SRX5600, and SRX5800 Series Firewalls with Juniper ATP Cloud, ensure that TPM-based encryption is not configured on these devices. Enrollment to Juniper ATP Cloud is not supported with TPM-based encryption.
-
Creates local certificates and enrolls these certificates with the cloud server.
Establishes a secure connection to the cloud server.
Juniper ATP Cloud requires that both your Routing Engine (control plane) and Packet Forwarding Engine (data plane) can connect to the Internet. You do not need to open any ports on the SRX Series Firewall to communicate with the cloud server. However, if you have a device in the middle, such as a firewall, then that device must have ports 80, 8080, and 443 open.
Also note, the SRX Series Firewall must be configured with DNS servers in order to resolve the cloud URL.
Using the device enrollment command request services advanced-anti-malware
enroll
on the SRX Series Firewall, you can enroll the device to an
existing realm or create a realm and then enroll to it.
Here is a sample that creates a realm and then enrolls to that realm.
You must log in as root (super user)
to perform the following
operations.
root@host> request services advanced-anti-malware enroll
You can use the show services advanced-anti-malware status
CLI command on your
SRX Series Firewall to verify that a connection has been made to the cloud server
from the SRX Series Firewall.
Once enrolled, the SRX Series Firewall communicates to the cloud through multiple, persistent connections established over a secure channel (TLS 1.2) and the SRX Series Firewall is authenticated using SSL client certificates.