Juniper ATP Cloud User Guide

Tenant Systems: Security-Intelligence and Anti-Malware Policies

08-Apr-25

Tenant systems allow you to allocate virtual system resources, such as memory and CPU, into logical groupings to create multiple virtual firewalls. Each virtual firewall can then identify itself as a stand-alone system within one computing system. Starting in Junos OS 18.4, SRX Series Firewalls support tenant systems for anti-malware and security-intelligence (SecIntel) policies. When you associate a tenant system with a realm in Juniper ATP Cloud, that tenant system receives the threat management features configured for the realm. The SRX Series Firewall then enforces policy based on the tenant system and its associated Juniper ATP Cloud realm.

Note:

For information about using tenant systems with SRX Series Firewalls, please see the Junos documentation.

Tenant System Support for SecIntel Feeds

Starting in Junos OS 18.4, you can configure SecIntel profiles for tenant systems.

Tenant systems enroll to ATP Cloud when the associated SRX Series Firewall is enrolled. All tenant systems with enabled anti-malware or SecIntel policies appear in the ATP Cloud “Enrolled Devices” page with other SRX Series Firewalls.

Warning:

Unlike physical devices, which automatically make submissions to the realm they are enrolled in, tenant system submissions are ignored until they are associated with a realm using the Realm Management page in the Juniper ATP Cloud Web UI. See Realm Management for those instructions.

Note that root-logical-system is automatically associated with the realm to which the SRX Series Firewall is enrolled. Only root-logical-system can make submissions by default. Therefore, you do not need to make an association for root-logical-system.

Here is an example of the CLI commands for a tenant system SecIntel policy configuration. The tenant system used in this example (TSYS1) must be associated with the correct realm in Juniper ATP Cloud for the policy to get applied to the intended device:

set logical-systems TSYS1 services security-intelligence profile secintel_profile category CC
set logical-systems TSYS1 services security-intelligence profile secintel_profile rule secintel_rule match threat-level 10
set logical-systems TSYS1 services security-intelligence profile secintel_profile rule secintel_rule match threat-level 9
set logical-systems TSYS1 services security-intelligence profile secintel_profile rule secintel_rule then action block close
set logical-systems TSYS1 services security-intelligence profile secintel_profile rule secintel_rule then log
set logical-systems TSYS1 services security-intelligence profile secintel_profile default-rule then action permit
set logical-systems TSYS1 services security-intelligence profile secintel_profile default-rule then log
set logical-systems TSYS1 services security-intelligence policy p1 CC secintel_profile
set logical-systems TSYS1 services security-intelligence profile pf1 category Infected-Hosts
set logical-systems TSYS1 services security-intelligence profile pf1 default-rule then action block drop
set logical-systems TSYS1 services security-intelligence profile pf1 default-rule then log
set logical-systems TSYS1 services security-intelligence policy p1 Infected-Hosts pf1

Use the following commands to create a security policy on the SRX Series Firewall for the inspection profiles.

set logical-systems TSYS1 security policies from-zone trust to-zone untrust policy 1 match source-address any
set logical-systems TSYS1 security policies from-zone trust to-zone untrust policy 1 match destination-address any
set logical-systems TSYS1 security policies from-zone trust to-zone untrust policy 1 match application any
set logical-systems TSYS1 security policies from-zone trust to-zone untrust policy 1 then permit application-services ssl-proxy profile-name ssl-inspect-profile-dut
set logical-systems TSYS1 security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy p1

Use the following example commands to view the infected hosts feed for a tenant system:

root@SRX> show security dynamic-address category-name Infected-Hosts logical-system TSYS1
No.      IP-start        IP-end          Feed             Address
1        10.1.32.131     10.1.32.131     Infected-Hosts/1 ID-2150001a
2        10.1.32.148     10.1.32.148     Infected-Hosts/1 ID-2150001a
3        10.1.32.183     10.1.32.183     Infected-Hosts/1 ID-2150001a
4        10.1.32.201     10.1.32.201     Infected-Hosts/1 ID-2150001a

Or use the following:

User1@SRX:TSYS1> show security dynamic-address category-name Infected-Hosts
No.      IP-start        IP-end          Feed             Address
1        10.1.32.131     10.1.32.131     Infected-Hosts/1 ID-2150001a
2        10.1.32.148     10.1.32.148     Infected-Hosts/1 ID-2150001a
3        10.1.32.183     10.1.32.183     Infected-Hosts/1 ID-2150001a
4        10.1.32.201     10.1.32.201     Infected-Hosts/1 ID-2150001a

Tenant System Support for AAMW

Starting in Junos OS 18.4, you can also configure anti-malware policies on a per-tenant-system basis.

As stated previously, the tenant system used in this example (TSYS1) must be associated with the correct realm in ATP Cloud for the policy to get applied to the intended device. See Realm Management for ATP Cloud Web UI configuration details.

Here is an example of a tenant system anti-malware policy configuration:

set logical-systems TSYS1 services advanced-anti-malware policy LP1 http inspection-profile ldom_profile
set logical-systems TSYS1 services advanced-anti-malware policy LP1 http action block
set logical-systems TSYS1 services advanced-anti-malware policy LP1 http notification log
set logical-systems TSYS1 services advanced-anti-malware policy LP1 smtp inspection-profile default_profile
set logical-systems TSYS1 services advanced-anti-malware policy LP1 smtp notification log
set logical-systems TSYS1 services advanced-anti-malware policy LP1 imap inspection-profile default_profile
set logical-systems TSYS1 services advanced-anti-malware policy LP1 imap notification log
set logical-systems TSYS1 services advanced-anti-malware policy LP1 verdict-threshold 3

Use the following command to view anti-malware policies for a tenant system.

root@SRX> show services advanced-anti-malware policy logical-systems TSYS1
Advanced-anti-malware configuration:
 Policy Name: LP11
  Default-notification  : Log
  Whitelist-notification: Log
  Blacklist-notification: Log
  Fallback options:
    Action: block
    Notification: No Log
  Inspection-profile: ldom_profile
  Applications: HTTP
  Verdict-threshold: 3
  Action: block
  Notification: Log

Or use the following:

User1@SRX:TSYS1> show services advanced-anti-malware policy
Advanced-anti-malware configuration:
 Policy Name: LP1
  Default-notification  : Log
  Whitelist-notification: Log
  Blacklist-notification: Log
  Fallback options:
    Action: block
    Notification: No Log
  Inspection-profile: ldom_profile
  Applications: HTTP
  Verdict-threshold: 3
  Action: block
  Notification: Log
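
The following audit script is an added example, not part of the Juniper documentation. It reads configuration in the `set logical-systems ...` form shown in the SecIntel and anti-malware sections above and flags tenant systems whose policies are defined but never referenced by a security policy, or that are missing from the set of realm-associated tenants. It assumes that set is compiled by hand from the Realm Management page; the sample configuration is constructed and TSYS2 and LP2 are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: TSYS1 follows the page's example names; TSYS2/LP2 are hypothetical.
SAMPLE_CONFIG = """\
set logical-systems TSYS1 services security-intelligence policy p1 CC secintel_profile
set logical-systems TSYS1 services security-intelligence policy p1 Infected-Hosts pf1
set logical-systems TSYS1 services advanced-anti-malware policy LP1 http action block
set logical-systems TSYS1 security policies from-zone trust to-zone untrust policy 1 then permit application-services security-intelligence-policy p1
set logical-systems TSYS2 services advanced-anti-malware policy LP2 http action block
set logical-systems TSYS2 security policies from-zone trust to-zone untrust policy 1 then permit application-services advanced-anti-malware-policy LP2
"""

# A policy definition under "services" for a tenant system.
DEFINE = re.compile(r"^set logical-systems (\S+) services "
                    r"(security-intelligence|advanced-anti-malware) policy (\S+)")
# A security policy that attaches one of those policies as an application service.
ATTACH = re.compile(r"^set logical-systems (\S+) security policies .* application-services "
                    r"(security-intelligence|advanced-anti-malware)-policy (\S+)")

def audit(config_text, realm_associated):
    """Return sorted (tenant, issue, detail) findings.

    realm_associated: tenant names already associated with a realm in the
    ATP Cloud Web UI (assumption: maintained manually, not read from the device).
    """
    defined, attached = defaultdict(set), defaultdict(set)
    for line in config_text.splitlines():
        line = line.strip()
        if (m := DEFINE.match(line)):
            defined[m.group(1)].add((m.group(2), m.group(3)))
        elif (m := ATTACH.match(line)):
            attached[m.group(1)].add((m.group(2), m.group(3)))
    findings = []
    for tenant, policies in defined.items():
        if tenant not in realm_associated:
            # Per the warning above, submissions are ignored until association.
            findings.append((tenant, "no-realm-association",
                             "submissions ignored by ATP Cloud"))
        for kind, name in policies - attached[tenant]:
            findings.append((tenant, "policy-not-attached", f"{kind} policy {name}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, realm_associated={"TSYS1"}):
        print(*finding, sep=": ")
```
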

Security Profile CLI

Administrators can configure a single security profile to assign resources to a specific tenant system, use the same security profile for more than one tenant system, or use a mix of both methods. You can configure up to 32 security profiles on an SRX Series Firewall running logical systems.

Security profiles allow you to dedicate various amounts of a resource to the tenant systems and allow them to compete for use of the free resources. They also protect against one logical system exhausting a resource that is required at the same time by other tenant systems.

The following commands are added to the security-profile CLI.

  • aamw-policy

    For example: set system security-profile <name> aamw-policy maximum 32

  • secintel-policy

    For example: set system security-profile <name> secintel-policy maximum 32

Use the following command to view the security profiles:

show system security-profile all-resource

Note:

For more information about the set system security-profile command for logical systems, see the Junos documentation.
