SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX enrol with JATP problem

    Posted 03-29-2019 02:57

    Hi,
    I think that this is the first post on this forum about an SRX enrolled with JATP.


    I follow documentation here: https://www.juniper.net/documentation/en_US/release-independent/jatp/topics/concept/jatp-srx-integration-getting-started.html

     

    The OP script seems to work perfectly; in fact, in the SRX settings on JATP I see my SRX enabled, but NOT online.

    And here is the problem.

     

    Checking "show services advanced-threat-detection- status" shows "disconnected due to HTTP error".

    Too generic a message, and I can't find solutions anywhere.

     

    Here is the extract of the op script:

    root@vSRX-HQ> op url "https://10.20.20.166:443/cyadmin/cgi-bin/srx_enrollment?operation=enroll&api_key=d315e3ceea71sssssccbc28a9aa&config=.slax" 
    Platform is supported by JATP: VSRX.
    [WARNING] More than 1 license found with name: Sky ATP. Invalid licenses might cause enrolling/disenrolling failure. Please remove invalid licenses.
    Enrolling with Sky ATP license serial number: 91730sss217.
    Version JUNOS Software Release [15.1X49-D140.3] is valid for bootstrapping.
    Going to enroll single device for VSRX: 2514Csss7C@91730D0ss17 with hostname vSRX-HQ.
    Clear CA profile aamw-ca...
    Clear CA profile aamw-cloud-ca...
    Clear CA profile aamw-secintel-ca...
    Start downloading Application Signature DB update...
    Configure CA...
    Request aamw-secintel-ca CA...
    Load aamw-secintel-ca CA...
    Retrieve CA profile aamw-ca...
    CA certificate ready: aamw-ca...
    CA certificate ready: aamw-secintel-ca...
    Clear local certificate aamw-srx-cert with CA server...
    Clear key pair: aamw-srx-cert...
    Generate key pair: aamw-srx-cert...
    Enroll local certificate aamw-srx-cert with CA server #1...
    Configure advanced-anti-malware services...
    Configuration added successfully for advanced-anti-malware services.
    Checking configuration on SRX...
    SSL profile:                          [OK]
    SecIntel CA:                          [OK]
    Client cert found:                    [OK]
    SSL profile action:                   [OK]
    URL for advanced-anti-malware:        [OK]
    Profile for advanced-anti-malware:    [OK]
    URL for security-intelligence:        [OK]
    Profile for security-intelligence:    [OK]
    All SRX configurations are correct for enrollment.
    Communicate with JATP server...
    SRX status changed to Registered successfully...
    Checking Application Signature DB download status...
    Wait for Application Signature DB signature download status #1...
    Start installing Application Signature DB update...
    Wait for Application Signature DB signature install status #1...
    Wait for Application Signature DB signature install status #2...
    Wait for Application Signature DB signature install status #3...
    Wait for Application Signature DB signature install status #4...
    Wait for Application Signature DB signature install status #5...
    Wait for aamw connection status #1...
    Wait for aamw connection status #2...
    Wait for aamw connection status #3...
    Wait for aamw connection status #4...
    Wait for aamw connection status #5...
    Enroll SRX is finished. However aamw connection status is incorrect: Disconnected because of HTTP error (expecting 'Connected'). 
    Please check your network connection and other configuration. Running diagnostics process is recommended.
    Please run diagnostic process with the following cli command:
    request services advanced-anti-malware diagnostics 10.20.20.166/ detail pre-detection
    [WARNING] Failed to update Application Identification Signature package.
    This package is necessary for latest Sky ATP features. Please update it manually.
    For more information, please see: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/services-application-package-manually-updating.html
    

    Interesting here is the last thing about "expecting Connected" on the HTTP error.

    If I start the diagnostic test:

    root@vSRX-HQ> request services advanced-anti-malware diagnostics jatpdfdfdfb.italy.local detail pre-detection    
        [INFO]    Try to get IP address for hostname jatpdfdfdfb.italy.local
    DNS check                                            : [OK]
        [INFO]    Try to test SKYATP server connectivity
        [INFO]    Successfully connected to jatpdfdfdfb.italy.local443
        [INFO]    Successfully connected to ca.junipersecurity.net:8080
        [INFO]    Successfully connected to va.junipersecurity.net:80
    SKYATP reachability check                            : [OK]
        [INFO]    Time difference between SKYATP server and this device: 19 second(s)
    Time check                                           : [OK]
        [INFO]    Configuration checking passed: PKI
        [INFO]    Configuration checking passed: SSL
        [INFO]    Configuration checking passed: AAMW Connection
        [INFO]    Configuration checking passed: SecIntel URL
        [INFO]    Configuration checking passed: SecIntel Authentication
    Configuration activation check                       : [OK]
        [INFO]    Try ICMP service in SKYATP
    SKYATP ICMP service check                            : [OK]
        [INFO]    To-SKYATP connection is using ge-0/0/2.0, according to route
    Interface configuration check                        : [OK]
    Outgoing interface MTU is default value
        [INFO]    Check IP MTU with length 1472
    IP Path MTU is 1472
        [INFO]    VSRX detected. Checking system licenses
    VSRX License check                                   : [OK]
    
    

    Everything seems correct!

     

    But from services advanced-anti-malware-status:

    root@vSRX-HQ> show services advanced-anti-malware status    
    Server connection status:
      Server hostname: 10.20.20.166
      Server port: 443
        Control Plane:
          Connection time: 2019-03-29 10:52:39 CET
          Connection status: Requesting client certificate
        Service Plane:
          fpc0
            Connection active number: 0
            Connection retry statistics: 0
    
    root@vSRX-HQ> show services advanced-anti-malware status    
    Server connection status:
      Server hostname: 10.20.20.166
      Server port: 443
        Control Plane:
          Connection time: 2019-03-29 10:52:40 CET
          Connection status: Disconnected because of HTTP error
        Service Plane:
          fpc0
            Connection active number: 0
            Connection retry statistics: 0
    

    NOPE.

     

    From the JATP enrol page:

    Screenshot_20190329_105617.png

     

     

    Any suggestion?

     

    Many regards

     



  • 2.  RE: SRX enrol with JATP problem

    Posted 03-29-2019 10:29

    Hi,

     

    This issue is generally seen when there is some kind of validation failure.

     

    Please check the licenses on the vSRX. Sometimes the presence of more than one license for JATP, or the presence of an expired license, may lead to it too.

     

    Besides, what is the version of your vSRX and JATP?

     

    Thanks!
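A small triage helper, added here as an example and not part of this thread or of any Juniper tool, that parses the two CLI outputs shown in post 1 (the "show services advanced-anti-malware status" output and the op-script enrollment output) and classifies the control-plane state, surfacing the license warning that reply 2 points at. The state strings come from the outputs above; treating "Requesting client certificate" as a transient state is an assumption, and the sample inputs are constructed copies of those outputs.

```python
import re

# Constructed sample: the status output from the thread, as pasted there.
SAMPLE_STATUS = """\
Server connection status:
  Server hostname: 10.20.20.166
  Server port: 443
    Control Plane:
      Connection time: 2019-03-29 10:52:40 CET
      Connection status: Disconnected because of HTTP error
    Service Plane:
      fpc0
        Connection active number: 0
        Connection retry statistics: 0
"""

# Constructed sample: the op-script enrollment lines that matter for triage.
SAMPLE_ENROLL = """\
[WARNING] More than 1 license found with name: Sky ATP. Invalid licenses might cause enrolling/disenrolling failure. Please remove invalid licenses.
Enrolling with Sky ATP license serial number: 91730sss217.
Enroll SRX is finished. However aamw connection status is incorrect: Disconnected because of HTTP error (expecting 'Connected').
[WARNING] Failed to update Application Identification Signature package.
"""

# Assumption: the state seen mid-handshake in post 1 is transient, not a failure.
TRANSIENT_STATES = {"Requesting client certificate"}


def parse_status(text):
    """Return (control-plane connection status, service-plane active connections)."""
    status = re.search(r"^\s*Connection status:\s*(.+?)\s*$", text, re.M)
    active = re.search(r"^\s*Connection active number:\s*(\d+)", text, re.M)
    return (status.group(1) if status else None,
            int(active.group(1)) if active else 0)


def enroll_warnings(text):
    """Collect the [WARNING] lines printed by the enrollment op script."""
    return re.findall(r"^\[WARNING\]\s*(.+)$", text, re.M)


def triage(status_text, enroll_text):
    """Map both outputs to 'connected', 'pending' or 'failed', plus license hints."""
    status, _active = parse_status(status_text)
    hints = [w for w in enroll_warnings(enroll_text) if "license" in w.lower()]
    if status == "Connected":          # the value the op script expects
        return "connected", hints
    if status in TRANSIENT_STATES:     # handshake still in progress, poll again
        return "pending", hints
    return "failed", hints             # e.g. "Disconnected because of HTTP error"
```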



  • 3.  RE: SRX enrol with JATP problem
    Best Answer

    Posted 04-01-2019 03:17

    Hi, problem solved.

    Usually, with a freshly installed JATP, you need to wait some hours in order to give JATP the possibility to download the images and software for the SRX connection.

    On top of that, if it's still not working, I did:

    1) disenroll the SRX from JATP

    2) reload the SRX

    3) enroll the SRX once again

    4) reload the JATP

    5) wait until the next day

    ....

    then I found JATP and SRX connected!!! 


    Hope that this helps someone else.

     

    regards


    #jatp