Step 2: Up and Running

Create a Web Portal Login Account for Juniper ATP Cloud

Now that you’ve got the SRX Series Firewall ready to work with Juniper ATP Cloud, let’s log in to the Juniper ATP Cloud Web Portal and enroll your SRX Series Firewall. You'll need to create a Juniper ATP Cloud Web Portal login account, and then enroll your SRX Series Firewall in Juniper ATP Cloud Web Portal.

Have the following information handy before you start enrollment:

Your single sign-on or Juniper Networks Customer Support Center (CSC) credentials.
A security realm name. For example, Juniper-Mktg-Sunnyvale. Realm names can contain only alphanumeric characters and the dash (“—”) symbol.
Your company name.
Your contact information.
An email address and password. This will be your login information to access the Juniper ATP Cloud management interface.

Let's get going!

Open a Web browser and connect to the Juniper ATP Cloud Web Portal at https://sky.junipersecurity.net. Select your geographical region— North America, Canada, European Union, or Asia Pacific and click Go.

You can also connect to the ATP Cloud Web Portal using the customer portal URL for your location as shown below.

Table 1: Customer Portal URLs
Location	Customer Portal URL
United States	https://amer.sky.junipersecurity.net
European Union	https://euapac.sky.junipersecurity.net
APAC	https://apac.sky.junipersecurity.net
Canada	https://canada.sky.junipersecurity.net

The login page opens.

Click Create a Security Realm.
Click Continue.
To create the security realm, follow the wizard on the screen to enter the following information:
- Your single sign-on or Juniper Networks Customer Support Center (CSC) credentials
- A security realm name
- Your company name
- Your contact information
- The login credentials for logging into ATP Cloud
Click OK.

You are automatically logged in and returned to the Juniper ATP Cloud Web Portal. The next time you visit the Juniper ATP Cloud Web Portal, you can log in using the credentials and security realm you just created.

Enroll Your SRX Series Firewall

Now that you've created an account, let's enroll your SRX Series Firewall in Juniper ATP Cloud. In this guide, we show you how to enroll your device using the Juniper ATP Cloud Web Portal hosted by Juniper. However, you can also enroll your device using the Junos OS CLI, the J-Web Portal, or the Junos Space Security Director Web Portal. Choose the configuration tool that's right for you:

Juniper ATP Cloud Web Portal—The ATP Cloud Web Portal is hosted by Juniper Networks in the cloud. You don’t need to download or install Juniper ATP Cloud on your local system.
CLI commands—Starting in Junos OS Release 19.3R1, you can enroll a device to the Juniper ATP Cloud using the Junos OS CLI on your SRX Series Firewall. See Enroll an SRX Series Firewall Using the CLI.
J-Web Portal—The J-Web Portal comes preinstalled on the SRX Series Firewall and can also be used to enroll an SRX Series Firewall to Juniper ATP Cloud. For details, watch this video:
Security Director Policy Enforcer—If you are a licensed Junos Space Security Director Policy Enforcer user, you can use Security Director Policy Enforcer to set up and use Juniper ATP Cloud. For more information about using Security Director with Juniper ATP Cloud, see How to Enroll Your SRX Series Firewall in Juniper Advanced Threat Prevention (ATP) Cloud Using Policy Enforcer.

When you enroll an SRX Series Firewall, you establish a secure connection between the Juniper ATP Cloud server. Enrollment also:

Downloads and installs certificate authority (CA) licenses onto your SRX Series Firewall

Note:
You can enroll SRX1600 and SRX2300 firewalls with Trusted Platform Module (TPM)-based certificates for TLS-based authentication and a secure connection with the Juniper ATP Cloud. For more information about TPM, see Encryption with Trusted Platform Module. Since the TPM-based certificates are used for connections between the SRX Series Firewall and Juniper ATP Cloud, you must allow traffic to the junipersecurity.net domain on ports 8444 and 7444.
Creates local certificates
Enrolls local certificates with the cloud server

Note:

Juniper ATP Cloud requires that both your Routing Engine (control plane) and Packet Forwarding Engine (data plane) are connected to the Internet. You don’t need to open any ports on the SRX Series Firewall to communicate with the cloud server. However, if you have a device in between, such as a firewall, then that device must have ports 80, 8080, and 443 open.

Also, the SRX Series Firewall must be configured with DNS servers in order to resolve the cloud URL.

Enroll Your SRX Series Firewall in Juniper ATP Cloud Web Portal

Here's how to enroll your SRX Series Firewall in Juniper ATP Cloud Web Portal:

Log in to the Juniper ATP Cloud Web Portal.
The Dashboard page displays.
Click Devices to open the Enrolled Devices page.
Click Enroll to open the Enroll page.
Based on the Junos OS version that you are running, copy the CLI command from the page and run the command on the SRX Series Firewall to enroll it.

Note:
You must run the op url command from operational mode. Once generated, the op url command is valid for 7 days. If you generate a new op url command within that time period, the old command is no longer valid. (Only the most recently generated op url command is valid.)
Log in to your SRX Series Firewall. The SRX Series CLI opens on your screen.
Run the op url command that you previously copied from the pop-up window. Simply paste the command into the CLI and press Enter.

The SRX Series Firewall will make a connection to the ATP Cloud server and begin downloading and running the op scripts. The status of the enrollment appears on screen.
(Optional) Run the following command to view additional information:

request services advanced-anti-malware diagnostics customer-portal detail

Example

request services advanced-anti-malware diagnostics amer.sky.junipersecurity.net detail

You can use the show services advanced-anti-malware status CLI command on your SRX Series Firewall to verify that a connection has been made to the cloud server from the SRX Series Firewall. After it’s enrolled, the SRX Series Firewall communicates with the cloud through multiple, persistent connections established over a secure channel (TLS 1.2). The SRX Series Firewall is authenticated using SSL client certificates.

Enroll Your SRX Series Firewall in J-Web Portal

You can also enroll an SRX Series Firewall to Juniper ATP Cloud using J-Web. This is the Web interface that comes up on the SRX Series Firewall.

Before enrolling a device:

Decide which region the realm you create will cover because you must select a region when you configure a realm.
Ensure the device is registered in the Juniper ATP Cloud Web Portal.
In CLI mode, configure set security forwarding-process enhanced-services-mode on your SRX300, SRX320, SRX340, SRX345, and SRX550M devices to open ports and get the device ready to communicate with Juniper ATP Cloud.

Here's how to enroll your SRX Series Firewall using J-Web Portal.

Log in to J-Web. For more information, see Start J-Web.
(Optional) Configure a proxy profile.
1. In the J-Web UI, navigate to Device Administration > ATP Management > Enrollment.
  
  The ATP Enrollment page opens.
2. Use either of the following methods to configure the proxy profile:
  - Select an existing proxy profile from the Proxy Profile list.
    Note:
    
    The list displays the existing proxy profiles created using the Proxy Profile page (Security Policies & Objects > Proxy Profiles).
    
    The SRX Series Firewall and Juniper ATP Cloud communicate through the proxy server if a proxy profile is configured. Otherwise, they directly communicate with each other
  - Click Create Proxy to create a proxy profile.
    
    The Create Proxy Profile page appears.
    
    Complete the configuration:
    - Profile Name—Enter a name for the proxy profile.
    - Connection Type—Select the connection type server (from the list) that the proxy profile uses:
      - Server IP—Enter the IP address of the proxy server.
      - Host Name—Enter the name of the proxy server.
    - Port Number—Select a port number for the proxy profile. Range is 0 through 65,535.
  Click OK.
  
  A new proxy profile is created.
3. Click Apply Proxy.
  
  Applying proxy enables the SRX Series Firewall and Juniper ATP Cloud to communicate through the proxy server.
Enroll your device to Juniper ATP Cloud.
1. Click Enroll to open the ATP Enrollment page.
  
  Note:
  If there are any existing configuration changes, a message appears for you to commit the changes and then to proceed with the enrollment process.
2. Complete the configuration:
  - Create New Realm—By default, this option is disabled if you have a Juniper ATP Cloud account with an associated license. Enable this option to add a new realm if you do not have a Juniper ATP Cloud account with an associated license.
  - Location—By default, the region is set as Others. Enter the region URL.
  - Email—Enter your e-mail address.
  - Password—Enter a unique string at least eight characters long. Include both uppercase and lowercase letters, at least one number, and at least one special character; no spaces are allowed, and you cannot use the same sequence of characters that are in your e-mail address.
  - Confirm Password—Reenter the password.
  - Realm—Enter a name for the security realm. This should be a name that is meaningful to your organization. A realm name can contain only alphanumeric characters and the dash symbol. Once created, this name cannot be changed.
3. Click OK.
  
  The status of the SRX Series Firewall enrollment process is displayed.

Note:

Click Diagnostics to troubleshoot any enrollment errors.

Configure Security Polices on the SRX Series Firewall to Use Cloud Feeds

Security policies, such as anti-malware and security-intelligence policies, use Juniper ATP Cloud threat feeds to inspect files and quarantine hosts that have downloaded malware. Let's create a security policy, aamw-policy, for an SRX Series Firewall.

Configure the anti-malware policy.

user@host# set services advanced-anti-malware policy aamw-policy verdict-threshold 7

user@host# set services advanced-anti-malware policy aamw-policy http inspection-profile default

user@host# set services advanced-anti-malware policy aamw-policy http action permit

user@host# set services advanced-anti-malware policy aamw-policy http notification log

user@host# set services advanced-anti-malware policy aamw-policy smtp inspection-profile default

user@host# set services advanced-anti-malware policy aamw-policy smtp notification log

user@host# set services advanced-anti-malware policy aamw-policy imap inspection-profile default

user@host# set services advanced-anti-malware policy aamw-policy imap notification log

user@host# set services advanced-anti-malware policy aamw-policy fallback-options notification log

user@host# set services advanced-anti-malware policy aamw-policy default-notification log

user@host# commit
(Optional) Configure the anti-malware source interface.

The source interface is used to send files to the cloud. If you configure the source-interface but not the source-address, the SRX Series Firewall uses the IP address from the specified interface for connections. If you are using a routing instance, you must configure the source interface for the anti-malware connection. If you are using a nondefault routing instance, you don’t have to complete this step on the SRX Series Firewall.

user@host# set services advanced-anti-malware connection source-interface ge-0/0/2

Note:
For Junos OS Release 18.3R1 and later, we recommend that you use a management routing instance for fxp0 (dedicated management interface to the routing-engine of the device) and the default routing instance for traffic.
Configure the security-intelligence policy.

user@host# set services security-intelligence profile secintel_profile category CC

user@host# set services security-intelligence profile secintel_profile rule secintel_rule match threat-level [ 7 8 9 10 ]

user@host# set services security-intelligence profile secintel_profile rule secintel_rule then action block drop

user@host# set services security-intelligence profile secintel_profile rule secintel_rule then log

user@host# set services security-intelligence profile secintel_profile default-rule then action permit

user@host# set services security-intelligence profile secintel_profile default-rule then log

user@host# set services security-intelligence profile ih_profile category Infected-Hosts

user@host# set services security-intelligence profile ih_profile rule ih_rule match threat-level [ 10 ]

user@host# set services security-intelligence profile ih_profile rule ih_rule then action block drop

user@host# set services security-intelligence profile ih_profile rule ih_rule then log

user@host# set services security-intelligence policy secintel_policy Infected-Hosts ih_profile

user@host# set services security-intelligence policy secintel_policy CC secintel_profile

user@host# commit
Note:
If you wish to inspect HTTPs traffic, you must optionally enable SSL-Proxy in your security policies. To configure SSL-Proxy, refer to Step 4 and Step 5.

Configuring these features will impact the performance of the traffic traversing the applied security policies.

(Optional) Generate public/private key pairs and self-signed certificates, and install CA certificates.

user@host> request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa

user@host> request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name www.juniper.net subject "CN=www.juniper.net,OU=IT,O=Juniper Networks,L=Sunnyvale,ST=CA,C=US" email security-admin@juniper.net

user@host> request security pki ca-certificate ca-profile-group load ca-group-name trusted-ca-* filename default

Note:
The internal clients must trust certificates generated by the SRX Series Firewall. Therefore, you must import the root CA as a trusted CA into client browsers. This is required for the client browsers to trust the certificates signed by the SRX Series Firewall. See Importing a Root CA Certificate into a Browser.
(Optional) Configure the SSL forward proxy profile (SSL forward proxy is required for HTTPS traffic in the data plane).

user@host# set services ssl proxy profile ssl-inspect-profile-dut root-ca ssl-inspect-ca

user@host# set services ssl proxy profile ssl-inspect-profile-dut actions log all

user@host# set services ssl proxy profile ssl-inspect-profile-dut actions ignore-server-auth-failure

user@host# set services ssl proxy profile ssl-inspect-profile-dut trusted-ca all

user@host# commit
Configure the security firewall policy.

user@host# set security policies from-zone trust to-zone untrust policy 1 match source-address any

user@host# set security policies from-zone trust to-zone untrust policy 1 match destination-address any

user@host# set security policies from-zone trust to-zone untrust policy 1 match application any

user@host# set security policies from-zone trust to-zone untrust policy 1 then permit application-services ssl-proxy profile-name ssl-inspect-profile-dut

user@host# set security policies from-zone trust to-zone untrust policy 1 then permit application-services advanced-anti-malware-policy aamw-policy

user@host# set security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy secintel_policy

user@host# commit and-quit

Congratulations! You've completed the initial configuration for Juniper ATP Cloud on your SRX Series Firewall!

ON THIS PAGE

Step 2: Up and Running

Create a Web Portal Login Account for Juniper ATP Cloud

Enroll Your SRX Series Firewall

Configure Security Polices on the SRX Series Firewall to Use Cloud Feeds