Creating Policy Enforcement Groups
You can create policy enforcement groups from the policy enforcement groups page.
Before You Begin
Know what type of endpoints you are including in your policy enforcement group: IP address/subnet, or location.
Determine what endpoints you will add to the group based on how you will configure threat prevention according to location, users and applications, or threat risk.
Keep in mind that endpoints cannot belong to multiple policy enforcement groups.
To create a policy enforcement group:
- Select Configure>Shared Objects>Policy Enforcement Groups.
- Click the + icon.
- Complete the configuration by using the guidelines in Table 1 below.
- Click OK.
Field | Description |
---|---|
Name | Enter a unique string that begins with an alphanumeric character and contains only alphanumeric characters, dashes, and underscores; no spaces; 32-character maximum. |
Description | Enter a description; maximum length is 64 characters. You should make this description as useful as possible for all administrators. |
Group Type | Select a group type: IP Address/Subnet or Location. |
Connector IPs | This field is available only if the Group Type field is IP Address/Subnet. The subnets of all connectors added on the Connector page are listed dynamically in the Available column; only subnets from connector instances that have threat remediation enabled are shown. When using Junos Space, Policy Enforcer can dynamically discover the subnets configured on Juniper switches. It does not have the same insight into third-party devices, so for those you add subnets to the connector configuration and select them here, which lets you apply policies selectively to those subnets. If you have not configured a connector, you see only the Junos Space subnets discovered by Policy Enforcer; if you have, the connector's subnets also appear in the Available column. Hover over a subnet to view the description entered for it during connector creation; nothing is shown if no description was entered, and subnets that come from Junos Space show "No description available". The Available and Selected columns have filters listing the connectors and Junos Space, so you can choose a connector and show only the subnets belonging to it. Each result shows the name and type of the device to which the subnet belongs, and you can use the search bar to filter by subnet, device name, or device type. Click Refresh Available IPs to refresh the available IP addresses and subnets; a progress bar shows the refresh progress as a percentage. Any unsaved changes in the Selected column are discarded by the refresh, which restores the list as it was initially selected. If no IP addresses or subnets exist, the refresh still succeeds and a message states that no IP addresses or subnets were found. |
Additional IP | This field is available only if the Group Type field is IP Address/Subnet. Enter an IP address, select the connector from the list, and click Add to add the address to the Selected column of the Connector IPs field. The address must be within a subnet range of the selected connector; this is validated when you click Add, and if the check fails an error message asks you to enter an address within that connector's subnet range. |
Sites | This field is available only if the Group Type field is Location. Only sites with threat remediation enabled are listed. Select the check box beside each site in the Available list and click the > icon to move it to the Selected list. The endpoints at the sites in the Selected list are included in the policy enforcement group. |
You can create a policy enforcement group with subnets from different connectors, based on how each connector has grouped its network segments. For example, suppose you have a Junos Space EX switch with subnets HR: 1.1.1.1/24 and Finance: 2.2.2.2/24, a ClearPass connector with subnets HR: 1.1.1.1/24 and Marketing: 2.2.2.2/24, and a Cisco ISE connector with subnets HR: 1.1.1.1/24 and Finance: 2.2.2.2/24. You can create a single policy enforcement group named HR by choosing the following subnets: Junos Space EX HR: 1.1.1.1/24, ClearPass connector subnet HR: 1.1.1.1/24, and Cisco ISE connector subnet HR: 1.1.1.1/24. Note that in this example the same range 2.2.2.2/24 is labeled Finance on Junos Space and Cisco ISE but Marketing on ClearPass; because endpoints cannot belong to more than one policy enforcement group, that range should end up in a single group regardless of which label each connector gives it.
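As an added example, and not code from the Juniper page or from Security Director itself, the following Python script pre-checks a set of planned policy enforcement groups against the field rules in Table 1 (name and description limits, Additional IP inside a subnet of the chosen connector) and against the single-membership rule from Before You Begin, before the groups are typed into the UI. The connector inventory, the group names, and the idea of detecting overlapping subnets across groups are assumptions made for the example; the page does not describe how Policy Enforcer itself enforces single membership. It also normalises the host-style prefixes used in the example above (1.1.1.1/24) to network form (1.1.1.0/24) using the standard library.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Field limits from Table 1: name starts with an alphanumeric, then only
# alphanumerics, dashes and underscores, 32 characters max; description 64 max.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,31}$")
DESCRIPTION_MAX = 64

# Constructed sample of the Connector IPs "Available" column (hypothetical data):
# (source shown in the filter list, subnet description entered when the
# connector was created, subnet). Written host-style as in the HR example
# above; to_network() turns 1.1.1.1/24 into 1.1.1.0/24.
AVAILABLE = [
    ("Junos Space EX", "HR", "1.1.1.1/24"),
    ("Junos Space EX", "Finance", "2.2.2.2/24"),
    ("ClearPass", "HR", "1.1.1.1/24"),
    ("ClearPass", "Marketing", "2.2.2.2/24"),
    ("Cisco ISE", "HR", "1.1.1.1/24"),
    ("Cisco ISE", "Finance", "2.2.2.2/24"),
]

Entry = Tuple[str, str, ipaddress.IPv4Network]


def to_network(text: str) -> ipaddress.IPv4Network:
    """strict=False accepts a host-style prefix and returns its network."""
    return ipaddress.ip_network(text, strict=False)


@dataclass
class PolicyEnforcementGroup:
    name: str
    description: str = ""
    group_type: str = "IP Address/Subnet"          # or "Location"
    subnets: List[Entry] = field(default_factory=list)
    additional_ips: List[Tuple[str, str]] = field(default_factory=list)  # (connector, ip)


def validate_name(name: str) -> Optional[str]:
    if NAME_RE.match(name):
        return None
    return ("name must start with an alphanumeric, contain only alphanumerics, "
            "'-' and '_', and be at most 32 characters")


def validate_description(desc: str) -> Optional[str]:
    if len(desc) <= DESCRIPTION_MAX:
        return None
    return f"description exceeds {DESCRIPTION_MAX} characters"


def select_subnets(available, label=None, source=None) -> List[Entry]:
    """Mimic the Available-column filters: by connector/Space source and by label."""
    chosen = []
    for src, lbl, net in available:
        if source is not None and src != source:
            continue
        if label is not None and lbl != label:
            continue
        chosen.append((src, lbl, to_network(net)))
    return chosen


def validate_additional_ip(ip_text: str, connector: str, available) -> Optional[str]:
    """The Additional IP rule: the address must lie inside a subnet of the chosen connector."""
    ip = ipaddress.ip_address(ip_text)
    for src, _, net in available:
        if src == connector and ip in to_network(net):
            return None
    return f"{ip} is not within any subnet of connector {connector}"


def validate_group(group: PolicyEnforcementGroup, available=AVAILABLE) -> List[str]:
    """Collect every field error for one group before it is entered in the UI."""
    errors = [e for e in (validate_name(group.name),
                          validate_description(group.description)) if e]
    if group.group_type == "IP Address/Subnet":
        for connector, ip_text in group.additional_ips:
            err = validate_additional_ip(ip_text, connector, available)
            if err:
                errors.append(err)
    return errors


def overlapping_groups(groups: List[PolicyEnforcementGroup]):
    """Endpoints cannot belong to more than one group, so two groups must not
    share or nest a subnet, whichever connector each subnet was picked from."""
    hits = set()
    for i, a in enumerate(groups):
        for b in groups[i + 1:]:
            for _, _, na in a.subnets:
                for _, _, nb in b.subnets:
                    if na.overlaps(nb):
                        hits.add((a.name, b.name, na, nb))
    return sorted(hits)


def build_hr_group() -> PolicyEnforcementGroup:
    """The HR example above: the HR subnet from Junos Space, ClearPass and Cisco ISE."""
    return PolicyEnforcementGroup(
        name="HR", description="HR endpoints, all connectors",
        subnets=select_subnets(AVAILABLE, label="HR"),
        additional_ips=[("ClearPass", "1.1.1.50")])


if __name__ == "__main__":
    finance = PolicyEnforcementGroup("Finance", subnets=select_subnets(AVAILABLE, label="Finance"))
    marketing = PolicyEnforcementGroup("Marketing", subnets=select_subnets(AVAILABLE, label="Marketing"))
    print("HR errors:", validate_group(build_hr_group()))
    print("overlaps:", overlapping_groups([build_hr_group(), finance, marketing]))
```

Running the script reports no errors for the HR group and one overlap between the planned Finance and Marketing groups, which both contain 2.2.2.0/24 under different connector labels; that is the case the note above warns about, caught before either group is created.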