Threat Enforcement Configuration - Juniper SRX


The SafeConnect threat enforcement module lets you configure enforcement policies based on threats detected by a system external to SafeConnect. These policies can be used with any device type and do not require an agent running on the end-user device.

Once configured, policies can be set to either audit or quarantine. With any quarantine policy, end-users receive a browser-based message informing them of the issue. These messages can be customized with remediation instructions and with how long the user will need to wait before the quarantine is re-evaluated.

Configure Juniper SRX

On the firewall, run the following commands from the CLI in configuration mode to send IDP events to syslog.

Enable IDP event logging to syslog:

set security log mode event
set security log source-address
set system syslog host port 30514 any any
set system syslog host port 30514 match RT_IDP
set system syslog host port 30514 structured-data
set system syslog file idp any any
set system syslog file idp match RT_IDP
set system syslog file idp structured-data

Note: The source-address should be an interface IP of the firewall, and the syslog host is the SafeConnect appliance (in a cluster environment, the manager IP). The match RT_IDP statement restricts the host and file to IDP events, and structured-data produces the RFC 5424 name="value" form of each event. Commit the configuration after entering the commands.

Verify the configuration is in place; from configuration mode this shows the [edit security log] hierarchy:

show security log

Configure Threat Enforcement Input

After the threat detection system is configured, open the SafeConnect Configuration at ( can be replaced by the manager IP or a branded URL) and choose “Configuration Manager > Threat Enforcement”.

Enable the webapi:


From the dropdown, choose Juniper SRX and click ‘Add’.


After choosing the Vendor, at least one source must be defined. A source is simply the IP address of the threat detection system. If the threat detection system has multiple interfaces, the IP specified must be the one that appears as the source address of the alerts (for the SRX, the source-address configured above). The name can be any descriptive name.


After clicking ‘Submit’, the Threat Detection source will appear in the list.

Configure Threat Enforcement Policies

After at least one source has been defined, Threat Detection policies can now be created. To create a policy, click the ‘Add’ button.


The first section defines which alerts SafeConnect will listen for. If alert details are not configured, SafeConnect will ignore the alert. The following values apply to Juniper SRX and are ANDed together to find matching alerts.

  • Threat Severity: A textual value indicating LOW, MEDIUM or HIGH

  • Attack Name: This field is always a text value and supports regex matching. It can be left blank to match all values.

  • Policy Name: This field is always a text value and supports regex matching. It can be left blank to match all values.
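The listening and matching logic described above, as an added example in Python (not SafeConnect's or Juniper's own code): it parses the RFC 5424 structured-data form of an RT_IDP event that the syslog configuration above sends to UDP port 30514, drops datagrams from senders that are not a defined source, and evaluates Threat Enforcement policies with the three ANDed criteria (exact severity, regex on attack name and policy name, blank matches all). The parameter names threat-severity, attack-name, policy-name and source-address follow Junos' IDP_ATTACK_LOG_EVENT structured-data format, but the sample lines, hostnames, addresses and signature names are constructed. Enforcing on the alert's source-address and first-matching-policy-wins ordering are assumptions of this example, not documented SafeConnect behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 5424 header as Junos emits it with the 'structured-data' keyword:
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID name="value" ...]
# For IDP the APP-NAME is RT_IDP and the MSGID is IDP_ATTACK_LOG_EVENT.
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) \[(?P<sd>(?:[^\]\\]|\\.)*)\]'
)
# One name="value" pair inside the SD element; backslash escapes are allowed.
PARAM_RE = re.compile(r'(?P<k>[\w.-]+)="(?P<v>(?:[^"\\]|\\.)*)"')


def parse_idp_event(line: str) -> Optional[Dict[str, str]]:
    """Return the structured-data parameters of an RT_IDP event, or None if
    the line is not a well-formed RT_IDP structured-data message."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("app") != "RT_IDP":
        return None
    params = {k: v.replace('\\"', '"') for k, v in PARAM_RE.findall(m.group("sd"))}
    params["msgid"] = m.group("msgid")
    return params


@dataclass
class ThreatPolicy:
    """One Threat Enforcement policy for the Juniper SRX vendor."""
    name: str            # shown in Policy Manager / Device Manager
    severity: str        # LOW, MEDIUM or HIGH; compared exactly (case-insensitive)
    attack_name: str     # regex against attack-name; "" matches everything
    policy_name: str     # regex against the SRX IDP policy-name; "" matches everything
    duration_min: int    # how long enforcement lasts after the last matching alert
    enforcement: str     # "quarantine" (block) or "audit" (report only)
    web_message: str = ""

    def matches(self, ev: Dict[str, str]) -> bool:
        # All three criteria are ANDed, as the Threat Enforcement UI does.
        if ev.get("threat-severity", "").upper() != self.severity.upper():
            return False
        for pattern, key in ((self.attack_name, "attack-name"),
                             (self.policy_name, "policy-name")):
            if pattern and not re.search(pattern, ev.get(key, "")):
                return False
        return True


def handle_alert(sender_ip: str, line: str, sources: Dict[str, str],
                 policies: List[ThreatPolicy]) -> Optional[dict]:
    """Emulate the SafeConnect side: accept the datagram only from a defined
    source, parse it, and return the first matching policy's enforcement."""
    if sender_ip not in sources:          # undefined source: alert is dropped
        return None
    ev = parse_idp_event(line)
    if ev is None or ev["msgid"] != "IDP_ATTACK_LOG_EVENT":
        return None
    for pol in policies:                  # first matching policy wins (assumption)
        if pol.matches(ev):
            return {
                "device": ev.get("source-address"),  # assumption: enforce on the attacking endpoint
                "policy": pol.name,
                "enforcement": pol.enforcement,
                "expires_in_min": pol.duration_min,
                "source": sources[sender_ip],
            }
    return None


# Constructed sample input: one source as defined in the Threat Enforcement UI
# and two policies. Addresses, hostnames and signature names are made up.
SOURCES = {"10.0.0.1": "srx-edge"}
POLICIES = [
    ThreatPolicy("Critical IDP hit", "HIGH", "", "", 60, "quarantine",
                 "Your device triggered a high-severity IDP alert; it will be re-checked in 60 minutes."),
    ThreatPolicy("SQLi audit", "MEDIUM", r"^HTTP:SQL:", r"^Recommended$", 30, "audit"),
]


def _event(src: str, severity: str, attack: str, app: str = "RT_IDP") -> str:
    """Build a constructed RT_IDP structured-data line for the samples below."""
    return (f'<14>1 2024-03-05T10:15:01.123Z srx-edge {app} - IDP_ATTACK_LOG_EVENT '
            f'[junos@2636.1.1.1.2.36 epoch-time="1709633701" message-type="SIG" '
            f'source-address="{src}" source-port="51234" destination-address="203.0.113.5" '
            f'destination-port="80" protocol-name="TCP" service-name="HTTP" '
            f'rulebase-name="IPS" policy-name="Recommended" action="DROP" '
            f'threat-severity="{severity}" attack-name="{attack}"]')


SAMPLE = [
    ("10.0.0.1", _event("10.20.30.40", "HIGH", "HTTP:XSS:GENERIC")),
    ("10.0.0.1", _event("10.20.30.41", "MEDIUM", "HTTP:SQL:INJ:GENERIC")),
    ("10.0.0.1", _event("10.20.30.42", "LOW", "HTTP:SQL:INJ:GENERIC")),          # no policy for LOW
    ("192.0.2.9", _event("10.20.30.43", "HIGH", "HTTP:XSS:GENERIC")),            # sender is not a defined source
    ("10.0.0.1", _event("10.20.30.44", "HIGH", "HTTP:XSS:GENERIC", "RT_FLOW")),  # not an RT_IDP event
]


def run_samples() -> List[Optional[dict]]:
    """Evaluate every sample datagram; None means SafeConnect would ignore it."""
    return [handle_alert(ip, line, SOURCES, POLICIES) for ip, line in SAMPLE]


if __name__ == "__main__":
    for (ip, _), result in zip(SAMPLE, run_samples()):
        print(ip, "->", result or "ignored")
```

A real listener would bind UDP 30514 and pass each datagram's sender address and payload to handle_alert; the sender check is what the source definition in the UI buys you, since anything on the network can otherwise spoof an RT_IDP line and quarantine a host of its choosing.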


The next section defines how SafeConnect will react to the defined alert. Once configured, the policies will be available in the SafeConnect Policy Manager.

  • Policy Name: The name of the SafeConnect Policy. This value will be used to represent this policy in the Policy Manager and in the Device Manager.

  • Policy Duration: Defines how long SafeConnect will enforce the policy when an alert is received. Once this time expires, the policy is no longer enforced unless a follow-up alert is received for the device.

  • Enforcement: Defines whether SafeConnect will block a device or simply report on the alert.

  • Web Message: The web message that will be displayed to blocked devices for the duration of the enforcement.

Once configured, click ‘Save’.


The resulting Threat Enforcement Policy will now appear in the list and will be available in the Policy Manager.


Add Policies to existing Policy Groups

After Threat Enforcement policies have been defined, they will be available in the Policy Manager. Threat Enforcement policies can be added to a Policy Container just like all other SafeConnect policies.