Juniper ATP Cloud User Guide
Download and Run the Juniper ATP Cloud Script

03-Dec-24

Juniper ATP Cloud uses a Junos OS op script to help you configure your SRX Series Firewall to connect to the Juniper ATP Cloud service. This script performs the following tasks:

  • Downloads and installs certificate authority (CA) licenses onto your SRX Series Firewall.

    Note:
    • You can enroll SRX1600, SRX2300 and SRX4300 firewalls with Trusted Platform Module (TPM)-based certificates for TLS-based authentication and a secure connection with the Juniper ATP Cloud. For more information about TPM, see Encryption with Trusted Platform Module. Since the TPM-based certificates are used for connections between the SRX Series Firewall and Juniper ATP Cloud, you must allow traffic to the junipersecurity.net domain on ports 8444 and 7444.

    • To enroll SRX300, SRX320, SRX340, SRX345, SRX380, SRX5400, SRX5600, and SRX5800 Series Firewalls with Juniper ATP Cloud, ensure that TPM-based encryption is not configured on these devices. Enrollment to Juniper ATP Cloud is not supported with TPM-based encryption.

  • Creates local certificates and enrolls these certificates with the cloud server.

  • Performs basic Juniper ATP Cloud configuration on the SRX Series Firewall.

  • Establishes a secure connection to the cloud server.

Note:
  • Juniper ATP Cloud requires that both your Routing Engine (control plane) and Packet Forwarding Engine (data plane) can connect to the Internet.

  • The data plane connection should not go through the management interface, for example, fxp0. You do not need to open any ports on the SRX Series Firewall to communicate with the cloud server. However, if you have a device in the middle, such as a firewall, then that device must have ports 8080 and 443 open.

  • The SRX Series Firewall uses the default inet.0 routing table, and an interface that belongs to inet.0, as the source interface for the control-plane connection from the SRX Series Firewall to ATP Cloud. If the only Internet-facing interface on the SRX Series Firewall is part of a routing instance, we recommend that you add a static route pointing to that routing instance. Otherwise, the control connection will fail to establish.

  • Juniper ATP Cloud requires that your SRX Series Firewall hostname contains only alphanumeric ASCII characters (a-z, A-Z, 0-9), the underscore symbol (_) and the dash symbol (-).
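The two requirements in the notes above that can be checked before you touch the firewall are the hostname character set and the TCP ports that any device in the path must allow (443 and 8080 for the data-plane connection; 8444 and 7444 additionally for TPM-based enrollment). The following Python pre-flight check is an added example, not part of the Juniper documentation or of the op script. It assumes you run it from a host whose route to the portal matches the firewall's; the `simulated_connector` helper and the portal host name used in the demo are assumptions made for offline use.

```python
import re
import socket

# Hostname rule and port numbers come from the notes above; the rest of this
# file is an added example and not Juniper's code.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # a-z, A-Z, 0-9, underscore, dash

DATA_PLANE_PORTS = (443, 8080)   # must be open on any device between firewall and cloud
TPM_PORTS = (8444, 7444)         # additionally required for TPM-based enrollment


def validate_hostname(hostname):
    """Return None when the hostname is acceptable, otherwise a reason string."""
    if not hostname:
        return "hostname is empty"
    if not HOSTNAME_RE.match(hostname):
        bad = sorted({c for c in hostname if not HOSTNAME_RE.match(c)})
        return "hostname contains disallowed characters: %r" % "".join(bad)
    return None


def check_ports(host, ports, connector=socket.create_connection, timeout=3.0):
    """TCP-connect to each port and report {port: reachable}.

    `connector` is injectable so the check can be exercised offline.
    """
    reachable = {}
    for port in ports:
        try:
            conn = connector((host, port), timeout)
        except OSError:          # refused, unreachable or timed out
            reachable[port] = False
            continue
        reachable[port] = True
        conn.close()
    return reachable


def simulated_connector(blocked_ports):
    """Build a fake connector (assumption for offline use) that fails for some ports."""
    class _Conn:
        def close(self):
            pass

    def connect(address, timeout=None):
        if address[1] in blocked_ports:
            raise OSError("simulated: port %d filtered" % address[1])
        return _Conn()
    return connect


def preflight(hostname, portal_host, tpm_enrollment=False,
              connector=socket.create_connection):
    """List every blocker found; an empty list means the checks passed."""
    problems = []
    reason = validate_hostname(hostname)
    if reason:
        problems.append(reason)
    ports = DATA_PLANE_PORTS + (TPM_PORTS if tpm_enrollment else ())
    for port, ok in check_ports(portal_host, ports, connector).items():
        if not ok:
            problems.append("cannot reach %s:%d" % (portal_host, port))
    return problems


if __name__ == "__main__":
    # Offline demonstration: an upstream firewall that filters the TPM ports.
    fake = simulated_connector({8444, 7444})
    print(preflight("srx-branch_01", "amer.sky.junipersecurity.net",
                    tpm_enrollment=True, connector=fake))
```

Run it with the default connector against the portal host for your region (Table 1 below) to exercise the real path; the TCP connect only proves the port is not filtered on the way out, it does not confirm the cloud will accept the enrollment.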

For SRX300, SRX320, SRX340, SRX345, SRX380 and SRX550 Series firewalls, you must run the set security forwarding-process enhanced-services-mode command and reboot the device before running the op script or before running the request services advanced-anti-malware enroll command.

set security forwarding-process enhanced-services-mode

To download and run the Juniper ATP Cloud scripts:

Note:

Starting in Junos OS Release 19.3R1, you can use the request services advanced-anti-malware enroll command on the SRX Series Firewall to enroll a device to the Juniper ATP Cloud Web Portal. With this command, you do not have to perform any enrollment tasks on the Web Portal. All enrollment is done from the CLI on the SRX Series Firewall. See Enroll an SRX Series Firewall Using the CLI.

  1. In the Web UI, click Devices and then click Enroll.

    The Enroll window appears. See Figure 1.

    Figure 1: Enrolling Your SRX Series Firewall
  2. Copy the highlighted contents to your clipboard and click OK.
    Note:

    When enrolling devices, Juniper ATP Cloud generates a unique op script for each request. Each time you click Enroll, you’ll get slightly different parameters in the op script. The screenshot above is just an example. Do not copy the above example onto your SRX Series Firewall. Instead, copy and paste the output you receive from your Web UI and use that to enroll your SRX Series Firewalls.

  3. Paste this command into the Junos OS CLI of the SRX Series Firewall you want to enroll with Juniper ATP Cloud. Press Enter. Your screen will look similar to the following.
    root@mysystem> request services advanced-anti-malware enroll https://amer.sky.junipersecurity.net/v2/skyatp/ui_api/bootstrap/enroll/mt8zlb8xwl0vmg5x/8tajwglnz54sdhkn.slax
    Version JUNOS Software Release [15.1-X49] is valid for bootstrapping.
    Going to enroll single device for SRX1500: P1C_00000067 with hostname mysystem...
    Updating Application Signature DB...
    Wait for Application Signature DB download status #1...
    Communicate with cloud...
    Configure CA...
    Request aamw-secintel-ca CA...
    Load aamw-secintel-ca CA...
    Request aamw-cloud-ca CA...
    Load aamw-cloud-ca CA...
    Retrieve CA profile aamw-ca...
    Generate key pair: aamw-srx-cert...
    Enroll local certificate aamw-srx-cert with CA server #1...
    Configure advanced-anti-malware services...
    Communicate with cloud...
    Wait for aamwd connection status #1...
    SRX was enrolled successfully!
    
    Note:

    If for some reason the op script fails, disenroll the device (see Remove an SRX Series Firewall From Juniper Advanced Threat Prevention Cloud) and then re-enroll it.

  4. In the Juniper ATP Cloud Web portal, click Devices.

    The SRX Series Firewall you enrolled now appears in the table. See Figure 2.

    Figure 2: Example Enrolled SRX Series Firewall
  5. (Optional) Use the show services advanced-anti-malware status CLI command to verify that the SRX Series Firewall has established its connection to the cloud server. Your output will look similar to the following.
    root@host> show services advanced-anti-malware status 
    Server connection status:
      Server hostname:  https://amer.sky.junipersecurity.net/   Server port:     443
        Control Plane:
          Connection Time: 2015-11-23 12:09:55 PST
          Connection Status: Connected
        Service Plane:
          fpc0
            Connection Active Number: 0
            Connection Failures: 0
    
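When many firewalls are enrolled, the verification in step 5 is easier to automate than to eyeball. The following Python example, added here and not part of the Juniper documentation, parses the status output shown above and reports whether the control plane is Connected, whether the server matches the portal you expect, and whether any FPC reports connection failures. The sample text is the output from the step above; the field names it matches are the ones visible in that output.

```python
import re

# Sample output copied from the step above (the page's own illustrative output).
SAMPLE_STATUS = """\
Server connection status:
  Server hostname:  https://amer.sky.junipersecurity.net/   Server port:     443
    Control Plane:
      Connection Time: 2015-11-23 12:09:55 PST
      Connection Status: Connected
    Service Plane:
      fpc0
        Connection Active Number: 0
        Connection Failures: 0
"""

SERVER_RE = re.compile(r"Server hostname:\s*(\S+)\s+Server port:\s*(\d+)")


def parse_aamw_status(text):
    """Turn 'show services advanced-anti-malware status' text into a dict."""
    status = {"server": None, "port": None, "control_plane": {}, "service_plane": {}}
    section = None   # "control" or "service"
    fpc = None       # current FPC inside the service-plane section
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            status["server"], status["port"] = m.group(1), int(m.group(2))
        elif line == "Control Plane:":
            section = "control"
        elif line == "Service Plane:":
            section = "service"
        elif section == "control" and ":" in line:
            # e.g. "Connection Status: Connected"; split on the first colon only
            key, _, value = line.partition(":")
            status["control_plane"][key.strip()] = value.strip()
        elif section == "service":
            if re.fullmatch(r"fpc\d+", line):
                fpc = line
                status["service_plane"][fpc] = {}
            elif fpc is not None and ":" in line:
                # per-FPC counters are integers in this output
                key, _, value = line.partition(":")
                status["service_plane"][fpc][key.strip()] = int(value.strip())
    return status


def enrollment_healthy(status, expected_server=None):
    """Return a list of problems; an empty list means the enrollment looks healthy."""
    problems = []
    if expected_server and not (status["server"] or "").startswith(expected_server):
        problems.append("connected to %s, expected %s" % (status["server"], expected_server))
    if status["control_plane"].get("Connection Status") != "Connected":
        problems.append("control plane status is %r"
                        % status["control_plane"].get("Connection Status"))
    if not status["service_plane"]:
        problems.append("no service-plane (FPC) entries reported")
    for fpc, counters in status["service_plane"].items():
        if counters.get("Connection Failures", 0):
            problems.append("%s reports %d connection failures"
                            % (fpc, counters["Connection Failures"]))
    return problems


if __name__ == "__main__":
    parsed = parse_aamw_status(SAMPLE_STATUS)
    print(parsed)
    print(enrollment_healthy(parsed, "https://amer.sky.junipersecurity.net"))
```

Feed it the text captured from the CLI (for example through a Junos automation library or a saved session log); a non-empty result is the cue to re-run the op script, as the notes on this page advise.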

Once configured, the SRX Series Firewall communicates with the cloud through multiple persistent connections that are established over a secure channel (TLS 1.2). The SRX Series Firewall is authenticated using SSL client certificates.

As stated earlier, the script performs basic Juniper ATP Cloud configuration on the SRX Series Firewall. These configurations include:

Note:

You should not copy and run the following examples on your SRX Series Firewall. The list here is simply to show you what is being configured by the op script. If you run into any issues, such as certificate errors, rerun the op script.

  • Creating a default profile.

  • Establishing a secured connection to the cloud server. The following is an example. Your exact URL is determined by your geographical region. See Table 1.

    Table 1: Customer Portal URLs

    Location          Customer Portal URL
    United States     https://amer.sky.junipersecurity.net
    European Union    https://euapac.sky.junipersecurity.net
    APAC              https://apac.sky.junipersecurity.net
    Canada            https://canada.sky.junipersecurity.net

    set services advanced-anti-malware connection url https://amer.sky.junipersecurity.net
    set services advanced-anti-malware connection authentication tls-profile aamw-ssl

    (The URL in the first command is only an example and will not work for all locations.)

  • Configuring the SSL proxy.

    set services ssl initiation profile aamw-ssl trusted-ca aamw-secintel-ca
    set services ssl initiation profile aamw-ssl client-certificate aamw-srx-cert
    set services security-intelligence authentication tls-profile aamw-ssl
    set services advanced-anti-malware connection authentication tls-profile aamw-ssl
    set services ssl initiation profile aamw-ssl trusted-ca aamw-cloud-ca
  • Configuring the cloud feeds (allowlists, blocklists and so on.)

    set services security-intelligence url https://cloudfeeds.sky.junipersecurity.net/api/manifest.xml
    set services security-intelligence authentication tls-profile aamw-ssl
    
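The set commands above are a small cross-referenced structure: both the advanced-anti-malware connection and the security-intelligence feed point at the ssl initiation profile aamw-ssl, which in turn must trust both CAs and present the client certificate, and the connection URL must be the portal for your region. The following Python audit of a saved set-format configuration is an added example, not Juniper's code or output of the op script. The snippet it parses is constructed from the commands listed above; the statement shapes it recognises are exactly those shown there, so other configuration is ignored.

```python
# Constructed from the set commands listed above; not copied from a live device.
EXAMPLE_CONFIG = """
set services advanced-anti-malware connection url https://amer.sky.junipersecurity.net
set services advanced-anti-malware connection authentication tls-profile aamw-ssl
set services ssl initiation profile aamw-ssl trusted-ca aamw-secintel-ca
set services ssl initiation profile aamw-ssl client-certificate aamw-srx-cert
set services security-intelligence authentication tls-profile aamw-ssl
set services ssl initiation profile aamw-ssl trusted-ca aamw-cloud-ca
set services security-intelligence url https://cloudfeeds.sky.junipersecurity.net/api/manifest.xml
"""

PORTAL_URLS = {                       # Table 1 above
    "United States": "https://amer.sky.junipersecurity.net",
    "European Union": "https://euapac.sky.junipersecurity.net",
    "APAC": "https://apac.sky.junipersecurity.net",
    "Canada": "https://canada.sky.junipersecurity.net",
}
REQUIRED_CAS = {"aamw-secintel-ca", "aamw-cloud-ca"}   # both loaded by the op script


def parse_set_commands(text):
    """Pick the ATP Cloud-relevant statements out of 'set ...' lines."""
    cfg = {"aamw_url": None, "aamw_tls": None, "si_url": None, "si_tls": None,
           "ssl_profiles": {}}
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] != "set":
            continue
        s = tuple(w[1:])
        if s[:4] == ("services", "advanced-anti-malware", "connection", "url") and len(s) == 5:
            cfg["aamw_url"] = s[4]
        elif (s[:5] == ("services", "advanced-anti-malware", "connection",
                        "authentication", "tls-profile") and len(s) == 6):
            cfg["aamw_tls"] = s[5]
        elif s[:3] == ("services", "security-intelligence", "url") and len(s) == 4:
            cfg["si_url"] = s[3]
        elif (s[:4] == ("services", "security-intelligence", "authentication",
                        "tls-profile") and len(s) == 5):
            cfg["si_tls"] = s[4]
        elif s[:4] == ("services", "ssl", "initiation", "profile") and len(s) == 7:
            prof = cfg["ssl_profiles"].setdefault(
                s[4], {"trusted_ca": set(), "client_cert": None})
            if s[5] == "trusted-ca":
                prof["trusted_ca"].add(s[6])
            elif s[5] == "client-certificate":
                prof["client_cert"] = s[6]
    return cfg


def audit(cfg, region):
    """Return a list of findings; empty means the configuration is consistent."""
    problems = []
    expected = PORTAL_URLS[region]
    if cfg["aamw_url"] is None:
        problems.append("advanced-anti-malware connection url is not set")
    elif cfg["aamw_url"].rstrip("/") != expected:
        problems.append("connection url %s does not match the %s portal %s"
                        % (cfg["aamw_url"], region, expected))
    checked = set()
    for service, name in (("advanced-anti-malware", cfg["aamw_tls"]),
                          ("security-intelligence", cfg["si_tls"])):
        if name is None:
            problems.append("%s has no tls-profile" % service)
            continue
        prof = cfg["ssl_profiles"].get(name)
        if prof is None:
            problems.append("%s references undefined ssl initiation profile %s"
                            % (service, name))
            continue
        if name in checked:          # report each profile's defects once
            continue
        checked.add(name)
        missing = REQUIRED_CAS - prof["trusted_ca"]
        if missing:
            problems.append("profile %s lacks trusted-ca %s"
                            % (name, ", ".join(sorted(missing))))
        if prof["client_cert"] is None:
            problems.append("profile %s has no client-certificate" % name)
    if cfg["si_url"] is None:
        problems.append("security-intelligence feed url is not set")
    return problems


if __name__ == "__main__":
    print(audit(parse_set_commands(EXAMPLE_CONFIG), "United States"))
```

Use the output of show configuration | display set from the device as the input; a finding about a missing trusted-ca or client-certificate is the kind of certificate issue for which the note above recommends re-running the op script.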

Juniper ATP Cloud uses SSL forward proxy for client and server authentication. Instead of importing the signing certificate and its issuer’s certificates into the trusted-CA list of client browsers, SSL forward proxy now generates a certificate chain and sends that chain to clients. Certificate chaining eliminates the need to distribute the signing certificates of SSL forward proxy to the clients, because clients can now implicitly trust the SSL forward proxy certificate.

The following CLI commands load the local certificate into the PKID cache and load the certificate-chain into the CA certificate cache in PKID, respectively.

user@root> request security pki local-certificate load filename ssl_proxy_ca.crt key sslserver.key certificate-id ssl-inspect-ca

user@root> request security pki ca-certificate ca-profile-group load ca-group-name ca-group-name filename certificate-chain

Where:

ssl_proxy_ca.crt (Signing certificate)

Is the SSL forward proxy certificate signed by the administrator or by the intermediate CA.

sslserver.key

Is the key pair.

ssl-inspect-ca

Is the certificate ID that SSL forward proxy uses in configuring the root-ca in the SSL forward proxy profile.

certificate-chain

Is the file containing the chain of certificates.

The following is an example of SSL forward proxy certificate chaining used by the op script.

request security pki local-certificate enroll certificate-id aamw-srx-cert ca-profile aamw-ca challenge-password *** subject CN=4rrgffbtew4puztj:model:sn email email-address
request security pki ca-certificate enroll ca-profile aamw-ca

Note that you cannot enroll the SRX Series Firewall to Juniper ATP Cloud if the SRX Series Firewall is in FIPS mode due to a PKI limitation.

To check your certificates, see Troubleshooting Juniper Advanced Threat Prevention Cloud: Checking Certificates. We recommend that you re-run the op script if you are having certificate issues.
