Download and Run the Juniper ATP Cloud Script
The Juniper ATP Cloud uses a Junos OS op script to help you configure your SRX Series Firewall to connect to the Juniper ATP Cloud cloud service. This script performs the following tasks:
-
Downloads and installs certificate authority (CAs) licenses onto your SRX Series Firewall.
Note:-
You can enroll SRX1600, SRX2300 and SRX4300 firewalls with Trusted Platform Module (TPM)-based certificates for TLS-based authentication and a secure connection with the Juniper ATP Cloud. For more information about TPM, see Encryption with Trusted Platform Module. Since the TPM-based certificates are used for connections between the SRX Series Firewall and Juniper ATP Cloud, you must allow traffic to the junipersecurity.net domain on ports 8444 and 7444.
-
To enroll SRX300, SRX320, SRX340, SRX345, SRX380, SRX5400, SRX5600, and SRX5800 Series Firewalls with Juniper ATP Cloud, ensure that TPM-based encryption is not configured on these devices. Enrollment to Juniper ATP Cloud is not supported with TPM-based encryption.
-
Creates local certificates and enrolls these certificates with the cloud server.
Performs basic Juniper ATP Cloud configuration on the SRX Series Firewall.
Establishes a secure connection to the cloud server.
-
Juniper ATP Cloud requires that both your Routing Engine (control plane) and Packet Forwarding Engine (data plane) can connect to the Internet.
-
The data plane connection should not go through the management interface, for example, fxp0. You do not need to open any ports on the SRX Series Firewall to communicate with the cloud server. However, if you have a device in the middle, such as a firewall, then that device must have ports 8080 and 443 open.
-
The SRX Series Firewall uses the default inet.0 routing table and an interface part of inet.0 as source-interface for control-plane connection from SRX Series Firewall to ATP Cloud. If the only Internet-facing interface on SRX Series Firewall is part of a routing instance, then we recommend that you add a static route pointing to the routing instance. Else, the control connection will fail to establish.
-
Juniper ATP Cloud requires that your SRX Series Firewall hostname contains only alphanumeric ASCII characters (a-z, A-Z, 0-9), the underscore symbol (_) and the dash symbol (-).
For SRX300, SRX320, SRX340, SRX345, SRX380 and SRX550 Series firewalls, you must run the
set security forwarding-process enhanced-services-mode
command and reboot
the device before running the op script or before running the request services
advanced-anti-malware enroll
command.
set security forwarding-process enhanced-services-mode
To download and run the Juniper ATP Cloud scripts:
Starting in Junos OS Release 19.3R1, you can use the request services
advanced-anti-malware enroll
command on the SRX Series Firewall to enroll a
device to the Juniper ATP Cloud Web Portal. With this command, you do not have to perform
any enrollment tasks on the Web Portal. All enrollment is done from the CLI on the
SRX Series
Firewall.
See Enroll an SRX Series Firewall Using the CLI.
Once configured, the SRX Series Firewall communicates to the cloud through multiple persistent connections that are established over a secure channel (TLS 1.2). The SRX Series Firewall is authenticated using SSL client certificates.
As stated earlier, the script performs basic Juniper ATP Cloud configuration on the SRX Series Firewall. These configurations include:
You should not copy and run the following examples on your SRX Series Firewall. The list here is simply to show you what is being configured by the op script. If you run into any issues, such as certificates, rerun the op script again.
-
Creating a default profile.
-
Establishing a secured connection to the cloud server. The following is an example. Your exact URL is determined by your geographical region. See table.
Table 1: Customer Portal URLs Location
Customer Portal URL
United States
Customer Portal: https://amer.sky.junipersecurity.net
European Union
Customer Portal: https://euapac.sky.junipersecurity.net
APAC
Customer Portal: https://apac.sky.junipersecurity.net
Canada
Customer Portal: https://canada.sky.junipersecurity.net
set services advanced-anti-malware connection url https://amer.sky.junipersecurity.net (this URL is only an example and will not work for all locations). set services advanced-anti-malware connection authentication tls-profile aamw-ssl
-
Configuring the SSL proxy.
set services ssl initiation profile aamw-ssl trusted-ca aamw-secintel-ca set services ssl initiation profile aamw-ssl client-certificate aamw-srx-cert set services security-intelligence authentication tls-profile aamw-ssl set services advanced-anti-malware connection authentication tls-profile aamw-ssl set services ssl initiation profile aamw-ssl trusted-ca aamw-cloud-ca
-
Configuring the cloud feeds (allowlists, blocklists and so on.)
set services security-intelligence url https://cloudfeeds.sky.junipersecurity.net/ api/manifest.xml set services security-intelligence authentication tls-profile aamw-ssl
Juniper ATP Cloud uses SSL forward proxy as the client and server authentication. Instead of importing the signing certificate and its issuer’s certificates into the trusted-ca list of client browsers, SSL forward proxy now generates a certificate chain and sends this certificate chain to clients. Certificate chaining helps to eliminate the need to distribute the signing certificates of SSL forward proxy to the clients because clients can now implicitly trust the SSL forward proxy certificate.
The following CLI commands load the local certificate into the PKID cache and load the certificate-chain into the CA certificate cache in PKID, respectively.
user@root> request security pki local-certificate load filename ssl_proxy_ca.crt key sslserver.key certificate-id ssl-inspect-ca
user@root> request security pki ca-certificate ca-profile-group load ca-group-name ca-group-name filename certificate-chain
Where:
ssl_proxy_ca.crt (Signing certificate) |
Is the SSL forward proxy certificate signed by the administrator or by the intermediate CA. |
sslserver.key |
Is the keypair. |
ssl-inspect-ca |
Is the certificate ID that SSL forward proxy uses in configuring the root-ca in the SSL forward proxy profile. |
certificate-chain |
Is the file containing the chain of certificates. |
The following is an example of SSL forward proxy certificate chaining used by the op script.
request security pki local-certificate enroll certificate-id aamw-srx-cert ca-profile aamw-ca challenge-password *** subject CN=4rrgffbtew4puztj:model:sn email email-address
request security pki ca-certificate enroll ca-profile aamw-ca
Note that you cannot enroll the SRX Series Firewall to Juniper ATP Cloud if the SRX Series Firewall is in FIPS mode due to a PKI limitation.
To check your certificates, see Troubleshooting Juniper Advanced Threat Prevention Cloud: Checking Certificates. We recommend that you re-run the op script if you are having certificate issues.