SRX Services Gateway
Highlighted
SRX Services Gateway

SRX enrollment with skyATP

03.12.18   |  
‎03-12-2018 11:12 PM

Hi 

I try to enroll SRX device with SkyATP . 

But there is an error shown "error: [Error] Enrollment failed when communicating with cloud. Device has no license"

 

How I solve it? 

10 REPLIES
SRX Services Gateway

Re: SRX enrollment with skyATP

03.15.18   |  
‎03-15-2018 09:19 PM
Are you consistently seeing this issue? When did you install the licenses?

Can you share the output of

request services advanced-anti-malware diagnostic amer.sky.junipersecurity.net detail

Anand
SRX Services Gateway

Re: SRX enrollment with skyATP

[ Edited ]
03.15.18   |  
‎03-15-2018 10:02 PM

Hi 

 

The License was installed on SRX three days ago. This output as below

 

--------------------------------------------------------------------------
Time check : [OK]
[INFO] Try to get IP address for hostname amer.sky.junipersecurity.net
DNS check : [OK]
[INFO] Try to test SKYATP server connectivity
SKYATP reachability check : [OK]
[INFO] Try ICMP service in SKYATP
SKYATP ICMP service check : [OK]
[INFO] To-SKYATP connection is using ge-0/0/3.0, according to route
Interface configuration check : [OK]
Outgoing interface MTU is default value
[INFO] Check IP MTU with length 1472
IP Path MTU check : [OK]
IP Path MTU is 1472
SSL configuration consistent check : [Failure]
No SSL profile is configured for Advanced Anti-malware

 

Thank you

SRX Services Gateway

Re: SRX enrollment with skyATP

03.15.18   |  
‎03-15-2018 10:20 PM

"SSL configuration consistent check : [Failure]

No SSL profile is configured for Advanced Anti-malware"

 

 

SSL configuration consistency—Verifies that the SSL profile, client certificate and CA
exists in both the RE and the PFE

 

hence, pl follow the kb mentioned to create the SSL config, profile and Client cert with CA.

 

https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/reference/general/sky...

 

 


*************************************
HTH.
Accept this as solution if it resolved your issue.
Kudos would be appreciated too.
SRX Services Gateway

Re: SRX enrollment with skyATP

03.16.18   |  
‎03-16-2018 12:12 AM

After I configured the SSL profile 

I still face the same issues.

 

Is SSL profile nessessary for enroll SRX with SkyATP?

I think, SSL profile will be used when we need to detect the malware only

 

 

SRX Services Gateway

Re: SRX enrollment with skyATP

03.16.18   |  
‎03-16-2018 03:38 AM

you will be needing it while detecting malware in ssl based encryped traffc. 

 

can you paste your configuration?


*************************************
HTH.
Accept this as solution if it resolved your issue.
Kudos would be appreciated too.
SRX Services Gateway

Re: SRX enrollment with skyATP

05.07.18   |  
‎05-07-2018 10:02 AM

Similar problem also for me... unbelivable these problems for SkyATP connection..... :-|

Any help for me?

 

root@vSRX-xxxxxxxxxxx_SERVER> op url https://euapac.sky.junipersecurity.net/v1/skyatp/ui_api/bootstrap/enroll/4o14glhh4tq9hl6h/xxxxxxxxxxxxxbx.slax
Platform is supported by Sky ATP: VSRX.
License found with name: Sky ATP.
Enrolling with Sky ATP license serial number: xxxxxxxxxxxx.
Version JUNOS Software Release [17.3R1.10] is valid for bootstrapping.
Going to enroll single device for VSRX: xxxxxxxxx@xxxxxxxx with hostname vSRX-xxxx_SERVER.
Application Signature DB version on this device is: 3062. Using latest version of Application Signature DB is recommended.
[WARNING] Customized security-intelligence connection configurations detected. No changes will be made on existing security-intelligence configurations.
[WARNING] If you would like to enroll this device to Sky ATP cloudfeeds, please remove your customized security-intelligence URL and authentication configurations.
Remove related advanced-anti-malware service configurations...
Remove related SSL service configurations...
Remove related PKI configurations...
Clear local certificate aamw-srx-cert...
Clear key pair: aamw-srx-cert...
Clear CA profile aamw-cloud-ca...
Clear CA profile aamw-secintel-ca...
Configure CA...
Request aamw-secintel-ca CA...
Wait aamw-secintel-ca CA download status...
Load aamw-secintel-ca CA...
Request aamw-cloud-ca CA...
Wait aamw-cloud-ca CA download status...
Load aamw-cloud-ca CA...
Retrieve CA profile aamw-ca...
CA certificate ready: aamw-ca...
CA certificate ready: aamw-cloud-ca...
CA certificate ready: aamw-secintel-ca...
Generate key pair: aamw-srx-cert...
Communicate with cloud...
error: [Error] Enrollment failed when communicating with cloud. Device has no license: xxxxxxxxxxx@xxxxxxxxxxxxx
Please contact JTAC for help.

License is active and just installed...
SkyATP in the cloud is logged in... :-\
I don't know in any way....

Many regards in advance

SRX Services Gateway

Re: SRX enrollment with skyATP

05.08.18   |  
‎05-08-2018 08:29 AM

Any feedback and helps about that?

SRX Services Gateway

Re: SRX enrollment with skyATP

05.22.18   |  
a month ago

Hi there,

 

Juniper Networks’ User Experience team is conducting user research on Sky Advanced Threat Prevention (Sky ATP). To ensure that we build a simple, reliable, and efficient interface, we need your input. If you have experience with SkyATP,  please join our study.

 

Study Details:

  • The usability study will last 1.5 hours, and we will use GoToMeeting to hold the study remotely
  • It will take place at your convenience between May 23rd – June 11th
  • You will receive a $100 Amazon gift card as a token of our appreciation for your participation (subject to your company’s gift policy)

 

To participate in the study, please select a convenient time!

 

Thanks,

Natasha

 

 

Natasha Shimuk

User Experience Researcher | Juniper Networks

SRX Services Gateway

Re: SRX enrollment with skyATP

05.22.18   |  
a month ago

Hello,

 

Can you tell me if the Sky ATP license is evaluation or a demo license?

What is the output of diagnostic commands that the originator of this thread posted?

 

Regards,

 

Rushi

SRX Services Gateway

Re: SRX enrollment with skyATP

06.07.18   |  
2 weeks ago

Problem has been solved with collaboration of jtac.

Because they "manually update their skyATP infrastracture" to allow my SRX to be enrolled.

 

In some of these case then..... only JTAC can help