Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Creating a Policy Enforcer Connector for Third-Party Switches

Before You Begin

Perform the following actions to create connectors for the third-party switches.

To configure threat remediation for third-party devices, you must install and register the threat remediation plug-in with Policy Enforcer as follows:

  1. Select Administration > Policy Enforcer > Connectors.

    The Connectors page appears.

  2. Click the create icon (+).

    The Create Connector page appears.

  3. Complete the configuration using the information in Table 1.
  4. Click OK.
    Note:

    Once configured, you select the connector name as an Enforcement Point in your Secure Fabric.

Table 1: Fields on the Create Connector Page

Field

Description

General

Name

Enter a unique string that must begin with an alphanumeric character and can include underscores; no spaces allowed; 63 characters maximum.

Description

Enter a description; maximum length is 1024 characters. You should make this description as useful as possible for all administrators.

Connector Type

Select the required third-party network of devices to connect to your secure fabric and create policies for this network. The available connectors are Cisco ISE, HP ClearPass, Pulse Secure, and ForeScout CounterACT.

IP Address/URL

Enter the IP (IPv4 or IPv6) address of the product management server.

Port

Select the port to be used from the list. When this is left blank, port 443 is used as the default.

Username

Enter the username of the server for the selected connector type.

Password

Enter the password of the server for the selected connector type.

DEX User Role

(For ForeScout connector type only)

Enter the Data Exchange (DEX) user role information to authenticate and connect to the ForeScout connector. See Integrating ForeScout CounterACT with Juniper Networks SDSN.

Network Details

Subnets

Connector Type: ClearPass, ForeScout CounterACT, Pulse Secure, and Cisco ISE

Add subnet information to the connector configuration so you can include those subnets in groups and then apply policies to the groups. When using Junos Space, Policy Enforcer is able to dynamically discover subnets configured on Juniper switches. Policy Enforcer does not have the same insight with third-party devices.

When you add subnets as part of the connector configuration, those subnets become selectable in Policy Enforcement Groups.

To add subnet information, do one of the following:

  • Click Upload File to upload a text file with an IP address list.

    Note that the file you upload must contain only one item per line (no commas or semi colons). All items are validated before being added to the list.

    OR

  • Manually enter the IP addresses. For example: 192.168.0.1/24.

    Click the add icon (+) to add more IP addresses.

Note:

It is mandatory to add at least one IP subnet to a connector. You cannot proceed to next step without adding a subnet.

Configuration

Configuration

Provide any additional information required for this particular connector connection. After the successful completion, the subnet you have created is mapped to that particular connector instance.

Note:

For ClearPass and Cisco ISE connectors no additional configuration information are required.

Note:
  • You can associate ClearPass, Cisco ISE, Pulse Secure, or Forescout connector to a site only in your Secure Fabric.

  • When a connector is added to the site, Policy Enforcer discovers the vSRX Series associated with the connector and assigns it to the site. Hover over the connector name to view the corresponding vSRX with its IP address as a tool tip.

Warning:

Ensure that the correct credentials are provided for the ClearPass, Cisco ISE, Pulse Secure, and ForeScout identity servers. If the initial connection fails, an error message is shown only at that time. Once that message disappears, the status of connectivity to the identity server is not shown in Policy Enforcer. Note that the identity servers are only queried on-demand.