There are several prerequisites for successfully enrolling an SRX/vSRX device in Sky ATP. This article discusses the common issues seen during enrollment and provides recommendations and workarounds.
This article is a general guide for troubleshooting the typical problems you may encounter during Sky Advanced Threat Prevention enrollment.
- Verify that the SRX/vSRX is running a supported OS version. Check the Sky Advanced Threat Prevention Supported Platforms Guide.
- Verify that DNS on the SRX can resolve the Sky ATP servers to IP addresses. The following domain names must be resolvable on the device:
For US - amer.sky.junipersecurity.net & srxapi.us-west-2.sky.junipersecurity.net
For EU - euapac.sky.junipersecurity.net & srxapi.eu-west-1.sky.junipersecurity.net
For Canada - canada.sky.junipersecurity.net & srxapi.ca-central-1.sky.junipersecurity.net
For APAC - apac.sky.junipersecurity.net & srxapi.ap-northeast-1.sky.junipersecurity.net
Enrollment - ca.junipersecurity.net & va.junipersecurity.net
- Verify that the device time is correct. It is recommended to use NTP to synchronize the time.
- Verify routing from both the RE and the PFE to the Sky ATP cloud servers. Ping from the firewall to the server in the region you are enrolling in to confirm connectivity.
For US:
root@srx> ping connect.us-west-2.sky.junipersecurity.net
For EU:
root@srx> ping connect.eu-west-1.sky.junipersecurity.net
For Canada:
root@srx> ping connect.ca-central-1.sky.junipersecurity.net
For APAC:
root@srx> ping connect.ap-northeast-1.sky.junipersecurity.net
- Verify that ports 80, 8080 and 443 are open to the internet from the firewall. You can telnet from the SRX to the Sky ATP servers on these ports to confirm.
- To verify that the different daemons are working properly on the firewall, check the following connectivity:
- For the aamw-ca daemon, verify connectivity to ca.junipersecurity.net port 8080:
root@srx% cd /var/tmp
root@srx% fetch -v -o cacert.testfile "http://ca.junipersecurity.net:8080/ejbca/publicweb/apply/scep/SRX/pkiclient.exe?operation=GetCACert"
This downloads a file from the CA server. Some firewalls block this URL because it contains '.exe'. Receiving an HTTP 400 message is normal; a 'Timeout' indicates a connectivity issue that needs to be fixed.
- For the aamw-secintel-ca daemon, verify connectivity to va.junipersecurity.net port 80:
root@srx% cd /var/tmp
root@srx% fetch http://va.junipersecurity.net/ca/SecInteljunipersecuritynetCA.pem
- For the aamw-cloud-ca daemon, verify connectivity to va.junipersecurity.net port 80:
root@srx% cd /var/tmp
root@srx% fetch http://va.junipersecurity.net/ca/SecInteljunipersecuritynetsubCAforCloud.pem
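The DNS, port and CA-fetch checks above, collected into one script as an added example (not Juniper's own tooling). It assumes a POSIX shell with nslookup, nc and curl, for instance a management host on the same network path as the SRX; the host names and the GetCACert URL are the ones listed in this article.

```shell
#!/bin/sh
# Pre-enrollment check for Sky ATP, walking the article's DNS, port and
# CA-fetch steps (added example, not Juniper's own tooling). Assumes a POSIX
# shell with nslookup, nc and curl; host names and the GetCACert URL are the
# ones the article lists.

# Host names the article gives for a region: US, EU, CANADA or APAC.
sky_atp_hosts() {
    case "$1" in
        US)     echo "amer.sky.junipersecurity.net srxapi.us-west-2.sky.junipersecurity.net connect.us-west-2.sky.junipersecurity.net" ;;
        EU)     echo "euapac.sky.junipersecurity.net srxapi.eu-west-1.sky.junipersecurity.net connect.eu-west-1.sky.junipersecurity.net" ;;
        CANADA) echo "canada.sky.junipersecurity.net srxapi.ca-central-1.sky.junipersecurity.net connect.ca-central-1.sky.junipersecurity.net" ;;
        APAC)   echo "apac.sky.junipersecurity.net srxapi.ap-northeast-1.sky.junipersecurity.net connect.ap-northeast-1.sky.junipersecurity.net" ;;
        *)      return 1 ;;
    esac
}

# Interpret the HTTP status returned for the GetCACert URL. The article says an
# HTTP 400 is normal, so 200 and 400 both mean port 8080 to the CA is reachable;
# curl reports "000" when it could not connect or timed out, i.e. a blocked path.
classify_cacert_status() {
    case "$1" in
        200|400) echo "ok" ;;
        000)     echo "timeout-or-blocked" ;;
        *)       echo "unexpected-http-$1" ;;
    esac
}

# Run the checks end to end; needs network access, so it is only called when a
# region is passed on the command line.
run_enrollment_checks() {
    hosts="$(sky_atp_hosts "$1")" || { echo "unknown region: $1"; return 1; }
    for h in $hosts ca.junipersecurity.net va.junipersecurity.net; do
        if nslookup "$h" >/dev/null 2>&1; then echo "DNS  ok   $h"; else echo "DNS  FAIL $h"; fi
    done
    srxapi="$(echo "$hosts" | tr ' ' '\n' | grep '^srxapi')"
    # Each daemon's target and port from the article: CA on 8080, VA on 80, API on 443.
    for hp in ca.junipersecurity.net:8080 va.junipersecurity.net:80 "$srxapi:443"; do
        if nc -z -w 5 "${hp%:*}" "${hp#*:}" 2>/dev/null; then echo "PORT ok   $hp"; else echo "PORT FAIL $hp"; fi
    done
    code="$(curl -s -o /dev/null -m 10 -w '%{http_code}' \
        "http://ca.junipersecurity.net:8080/ejbca/publicweb/apply/scep/SRX/pkiclient.exe?operation=GetCACert")"
    echo "CA   $(classify_cacert_status "$code") (HTTP $code)"
}

if [ -n "${1:-}" ]; then run_enrollment_checks "$1"; fi
```

Run it as `sh check.sh US` (or EU, CANADA, APAC); on the SRX shell itself, where curl is absent, the article's `fetch` command substitutes for the final step.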
- When you enroll an SRX/vSRX Series device, the ops script installs two CA certificates: one for the client (SRX/vSRX) and one for the server (cloud). Client-side CA certificates are associated with serial numbers. Use the following CLI commands to get your device's certificate details and serial number:
show security pki local-certificate
show security pki ca-certificate
show security pki crl detail
show security pki local-certificate detail
- Verify that the services are running on the firewall:
show services advanced-anti-malware status
Note: Ideally the output should look like this:
root@srx> show services advanced-anti-malware status
Server connection status:
Server hostname: juniper.cloud.com
Server port: 443
Control Plane:
Connection Time: 2017-05-25 02:30:20 UTC
Connection Status: Connected
Service Plane:
fpc0
Connection Active Number: 16
Connection Failures : 41
If all of the above checks pass and the enrollment still fails, run the diagnostics and contact JTAC for further assistance.