
Juniper SRX ATP Cloud — Sandboxing, SecIntel & Threat Feeds

Juniper ATP Cloud (formerly Sky ATP) turns the SRX firewall into an active threat-analysis platform: files go to a cloud sandbox, verdicts come back as a 0–10 risk score, and SecIntel pushes C2 and infected-host intelligence directly to the data plane so blocking happens at line rate without hitting the cloud at all. This lesson maps every component and the end-to-end flow from file extraction to enforcement.

📅 2026-06-20 · ⏱ 17 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Juniper SRX Advanced Threat Prevention in 2026: ATP Cloud sandboxing, SecIntel C2 and infected-host feeds, malware analysis pipeline, and how each file verdict becomes a firewall action on the SRX.

Pick where you want to start

1. What ATP Cloud is: cloud sandbox + on-box SecIntel feeds, not AV.
2. Malware analysis: sandbox pipeline, ML scoring, 0–10 verdict.
3. SecIntel feeds: C2, infected-host, domain, URL — line-rate block.
4. Config & tuning: threat policy, Adaptive Profiling, failure fixes.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does Juniper SRX do malware sandboxing on-box?

Answered in What ATP Cloud is.

2. What is the ATP Cloud file threat score range?

Answered in Malware analysis.

3. How does the SRX block known-bad C2 servers at line rate without cloud round-trips?

Answered in SecIntel feeds.

Most engineers think…

Most people picture SRX threat prevention as 'signature-based antivirus that catches known malware'. That picture fails in an interview and gets you killed in production by zero-days.

Juniper ATP Cloud is a cloud-delivered analysis brain: the SRX extracts suspicious files and sends them to a multi-stage cloud sandbox that uses deception, multiple AV engines and machine learning to score the file 0–10. Simultaneously, SecIntel feeds — C2 server IPs, infected-host IPs, malicious domains and URLs — are pushed to the SRX data plane and enforced at line rate, so known-bad traffic is blocked without ever hitting the cloud. Understanding that split — cloud analysis for unknowns, on-box feeds for knowns — is what lets you design, size and troubleshoot ATP deployments correctly.

① What Juniper ATP Cloud actually is — cloud brain, on-box feeds

The single most important idea: ATP Cloud (formerly Sky ATP) is not antivirus on the SRX. The SRX is the enforcement point; the intelligence lives in the cloud. When the SRX intercepts a file matching the configured policy, it sends a copy to the ATP Cloud service, which analyses it and returns a verdict score of 0–10. The SRX then takes the configured action — permit, drop, or quarantine — based on that score.

The second pillar is SecIntel. Rather than waiting for a cloud round-trip on every packet, the ATP Cloud service continuously pushes curated threat feeds to the SRX. The SRX data plane holds these feeds in memory and blocks matching traffic at line rate — no latency, no dependency on cloud reachability at the moment a packet arrives. The two pillars are complementary: cloud analysis catches unknown threats; on-box feeds stop known-bad infrastructure instantly.

Figure 1 — ATP Cloud end-to-end flow
[Infographic: Extract (SRX pulls file from session) → Send to cloud (ATP Cloud tenant receives it) → Analyse (AV + sandbox + ML scoring) → Verdict 0–10 (returned to SRX cache) → Enforce (permit / drop / quarantine)]
The SRX extracts the file, ATP Cloud analyses it, the verdict comes back, and SecIntel feeds block knowns at line rate in parallel.
Quick check · Q1 of 10 · Understand

Which statement best describes Juniper ATP Cloud on the SRX?

Correct: b. ATP Cloud is a two-pillar system: cloud sandboxing + ML verdict for unknowns, and SecIntel feeds pushed to the SRX data plane for line-rate blocking of known-bad infrastructure. Neither alone is the full picture.
👉 So far: Juniper ATP Cloud = two pillars: cloud sandbox analysis (file → 0–10 verdict) for unknowns, and SecIntel on-box feeds (C2, infected-host, domain, URL) for line-rate blocking of known-bad infrastructure.

② The malware analysis pipeline — sandbox, ML and the 0–10 verdict

When the SRX sends a file to ATP Cloud, it passes through a multi-stage pipeline. First, the file is triaged by multiple antivirus engines running in parallel. Files that survive initial screening enter the cloud sandbox, a controlled execution environment that uses deception techniques — simulated mouse movement, realistic keystrokes, installed common software — to trick evasive malware into revealing its true behaviour. Results from both stages feed a machine-learning model that produces the final 0–10 verdict, balancing all signals to reduce false positives.

Acting on the verdict

The verdict is returned to the SRX along with a file cache entry so the same hash is never sent twice. You configure threat policy thresholds: for example, verdict 8–10 = drop, 5–7 = quarantine and notify, 0–4 = permit. Files in flight while analysis runs can be held in a hold buffer or permitted and retrospectively actioned when the verdict arrives — a trade-off between security and latency you tune per profile.

Figure 2 — ATP Cloud malware analysis pipeline
[Infographic: Multi-AV triage (parallel AV engines, rapid pre-filter) → Cloud sandbox (deception execution environment) → ML verdict engine (combines all signals → score 0–10)]
Each stage feeds the next; ML at the top combines all signals into the final 0–10 verdict.
☁️ ATP Cloud sandbox
A deception-based cloud execution environment that tricks evasive malware with simulated mouse movements, keystrokes and installed software, then feeds results to the ML verdict engine.

🔢 Verdict score 0–10
The combined output of multi-AV triage, sandbox analysis and ML scoring. 0 = clean, 10 = highly malicious. You configure per-profile thresholds to set the SRX action.

📡 SecIntel C2 feed
A continuously updated list of known command-and-control server IPs pushed to the SRX data plane. Matching outbound sessions are dropped at line rate — no cloud lookup needed.

🦠 Infected-host feed
IPs of devices that have already called home to a C2 server, published by ATP Cloud and pushed to every SRX in the estate. Enabled across all ATP license tiers for automatic quarantine.

Cache the hash, not the file

ATP Cloud stores the verdict against a file hash. The second time the same file appears anywhere in your estate — any branch, any SRX — the SRX matches the cached verdict locally and acts immediately without sending the file to the cloud again. This collapses latency for repeat encounters and is why ATP Cloud scales across large estates without proportional cloud traffic growth.
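The two SRX-side behaviours described above and under "Acting on the verdict" (threshold-to-action mapping, the hash-keyed verdict cache, hold mode versus retrospective action, and the fallback when no verdict comes back) are easy to get wrong when sizing a deployment. The following is an added example, not Juniper code or anything from the ATP Cloud product: a small Python model in which a stub callable stands in for the ATP Cloud tenant. All class and function names, the SHA-256 cache key and the stub's marker string are assumptions made for the example.

```python
"""
Added example (not Juniper code): a model of how an SRX turns an ATP Cloud
verdict into an action. All names below are assumptions; the cloud tenant is
replaced by a stub callable so the example runs offline.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Inclusive verdict ranges -> SRX action, using the lesson's example
# thresholds: 8-10 drop, 5-7 quarantine (and notify), 0-4 permit.
THREAT_POLICY: List[Tuple[Tuple[int, int], str]] = [
    ((8, 10), "drop"),
    ((5, 7), "quarantine"),
    ((0, 4), "permit"),
]


def action_for_verdict(verdict: int, policy=THREAT_POLICY) -> str:
    """Map a 0-10 verdict to the configured action; reject gaps and out-of-range scores."""
    if not 0 <= verdict <= 10:
        raise ValueError(f"verdict {verdict} outside 0-10")
    for (low, high), action in policy:
        if low <= verdict <= high:
            return action
    raise ValueError(f"threat policy has no range covering verdict {verdict}")


@dataclass
class Decision:
    action: str
    verdict: Optional[int]     # None when no verdict came back (fallback applied)
    submitted: bool            # True if the file was sent to the cloud this time
    retrospective: bool        # True if the file was already delivered when acted on


@dataclass
class SrxEnforcer:
    cloud_lookup: Callable[[bytes], int]   # stand-in for the ATP Cloud tenant
    hold_mode: bool = True                 # hold the session until the verdict, or deliver now
    fallback_action: str = "permit"        # action when the cloud returns no verdict
    cache: Dict[str, int] = field(default_factory=dict)   # sha256 -> cached verdict
    submissions: int = 0

    def handle_file(self, data: bytes) -> Decision:
        digest = hashlib.sha256(data).hexdigest()
        # Cache hit: this hash was already scored somewhere in the estate, act locally.
        if digest in self.cache:
            verdict = self.cache[digest]
            return Decision(action_for_verdict(verdict), verdict, False, False)
        self.submissions += 1
        try:
            verdict = self.cloud_lookup(data)
        except ConnectionError:
            # "Verdict never returned": cloud unreachable or realm/token rejected.
            return Decision(self.fallback_action, None, True, False)
        self.cache[digest] = verdict
        # Without hold mode the bytes already reached the endpoint, so the
        # action is retrospective (log / quarantine) rather than in-line.
        return Decision(action_for_verdict(verdict), verdict, True, not self.hold_mode)


def stub_cloud(data: bytes) -> int:
    """Constructed stand-in for the sandbox: scores by a marker string instead of executing."""
    return 9 if b"BAD-MARKER" in data else 1


def run_demo():
    """Same file twice: first submitted to the cloud, second served from the hash cache."""
    srx = SrxEnforcer(cloud_lookup=stub_cloud)
    sample = b"PK\x03\x04 constructed zip body with BAD-MARKER inside"
    first = srx.handle_file(sample)
    second = srx.handle_file(sample)
    return first, second, srx.submissions


if __name__ == "__main__":
    first, second, count = run_demo()
    print(first)    # drop, verdict 9, submitted to the cloud
    print(second)   # drop, verdict 9, served from the cache
    print("cloud submissions:", count)
```

The `retrospective` flag is the trade-off the lesson describes: with `hold_mode=False` the decision is still "drop", but it can only drive logging or quarantine because the file has already been delivered. The `fallback_action` default of permit is a modelling choice; the point is that it must be configured deliberately rather than discovered during a cloud outage.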

Quick check · Q2 of 10 · Remember

What is the highest possible ATP Cloud file verdict score, indicating maximum malicious confidence?

Correct: b. ATP Cloud scores files from 0 (clean) to 10 (highly malicious). This numeric scale is what threat policy thresholds are set against on the SRX.
👉 So far: Malware pipeline: multi-AV triage → deception sandbox → ML verdict 0–10 → returned to SRX file cache → threat policy action (permit / drop / quarantine).

③ SecIntel feeds — C2, infected-host, domain and URL at line rate

SecIntel is the on-box intelligence layer. ATP Cloud (and Juniper Threat Labs plus curated third-party sources) publishes four feed types that the SRX downloads and enforces at line rate without cloud round-trips.

Adaptive Threat Profiling adds a fifth capability: the SRX acts as a feed aggregator for your own organisation, building custom feeds from observed behaviour and sharing them with all other SRX firewalls in your estate at regular intervals, turning your network into a self-improving threat sensor.

Figure 3 — SecIntel — one cloud, four feeds, one data plane
[Infographic: ATP Cloud (SecIntel publisher) → C2 IP feed · Infected-host IPs · Malicious domains · Malicious URLs · Custom ATP feeds → SRX data plane]
ATP Cloud pushes four feed types to the SRX data plane; all blocking happens at line rate with no cloud round-trip per packet.
'SecIntel is only for premium ATP licenses'

The infected-host feed is enabled for ALL ATP Cloud license tiers, including the base tier. The misconception that SecIntel is a premium-only feature costs teams easy wins. The C2, malicious-domain and malicious-URL feeds require a standard or premium subscription, but infected-host coverage is always on.

▶ Watch a malicious download get caught end-to-end

A user downloads a file that ATP Cloud identifies as malware. The healthy detection path runs in four steps:

① HTTP download: A user inside the network downloads a ZIP file. The SRX application-identifies it as HTTP file transfer and extracts the file object per the ATP Cloud profile.
② Send to cloud: The SRX sends a copy of the file to the ATP Cloud tenant. The session is held in the buffer while analysis runs; the user sees a slight delay.
③ Sandbox verdict: ATP Cloud runs multi-AV triage, executes the file in the deception sandbox, feeds results to ML, and returns verdict = 8 (high risk) to the SRX.
④ Drop + log: The SRX threat policy threshold is 7–10 = drop. The session is terminated, a security log entry is written, and the file hash is cached so future encounters are immediate.
Quick check · Q3 of 10 · Apply

An inside host is connecting to a known C2 server. Which SecIntel feed should block this session at line rate?

Correct: c. The C2 feed contains known command-and-control server IPs and is enforced by the SRX data plane at line rate. The infected-host feed identifies already-compromised hosts (the source), not the C2 destination.
👉 So far: Four SecIntel feeds: C2 IP (drop outbound C2 sessions), infected-host IP (quarantine compromised devices), malicious domain (DNS block), malicious URL (HTTP/S block). All enforced at line rate on the SRX data plane.

④ Configuration, tuning and failure diagnosis

ATP Cloud configuration on the SRX has three logical steps. First, create an ATP Cloud profile that points the SRX at your ATP Cloud tenant (realm + token). Second, define threat policies that map verdict score ranges to actions (permit / drop / quarantine). Third, enable SecIntel feed download in the security policy and bind it to the correct zones. Adaptive Threat Profiling is an optional fourth step that turns on the custom-feed aggregation loop.

Common failure modes

The three most common issues are: file not sent, usually a missing application identification (AppID) profile or a file type that does not match the extraction policy; verdict never returned, a cloud-reachability or authentication (realm/token) problem; feed stale, meaning the SRX cannot reach srxatp.junipersecurity.net on port 443, often because a firewall or proxy is blocking the update channel. Check 'show advanced-anti-malware statistics' and 'show security intelligence feed status' to isolate which leg has failed.

Figure 4 — Cloud analysis vs SecIntel feeds
[Infographic, two columns]
Cloud file analysis: sends a file copy to ATP Cloud; sandbox + ML returns a 0–10 score; best for zero-day and unknown; requires cloud reachability per …
SecIntel on-box feeds: feed pushed to the SRX data plane; blocks C2 / infected hosts at line rate; no cloud round-trip per packet; works even if the cloud is unreachable at …
Use cloud analysis for unknown files; use SecIntel feeds for known-bad infrastructure — they are complementary, not competing.

Vikram at a Pune fintech firm faces this

The security team notices a workstation is making outbound connections to unusual foreign IPs every 15 minutes. The SRX ATP Cloud is licensed and deployed but generated no alert.

Likely cause

The C2 SecIntel feed is configured but the SRX cannot reach srxatp.junipersecurity.net on port 443 — an upstream firewall rule was blocking the update channel, so the feed is weeks out of date and does not include this new C2 infrastructure.

Diagnosis

Run 'show security intelligence feed status' — the C2 feed shows last-updated timestamp over two weeks ago and feed-download failures.

CLI: 'show security intelligence feed status' · 'show security intelligence statistics'
Fix

Open port 443 outbound to srxatp.junipersecurity.net from the SRX management or data plane interface. Force an immediate feed refresh with 'request security intelligence download'. Verify the C2 feed updates to a current timestamp, then confirm the workstation's outbound sessions are now dropped.

Verify

After the fix: 'show security intelligence feed status' shows a recent update time; the workstation's outbound sessions appear as drops in the security log with reason C2-feed-match.

Always verify feed freshness before closing an incident

Never assume SecIntel feeds are current. Before declaring an ATP investigation complete, run 'show security intelligence feed status' and confirm the last-updated timestamp for each feed type is recent. A stale feed means your line-rate blocking is running on old data — exactly the condition an attacker using new C2 infrastructure can exploit.
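To make the feed-freshness point concrete, and to show why Q3's answer is the C2 feed rather than the infected-host feed, here is an added example that is not Juniper code: a Python model of SecIntel matching on the SRX data plane that replays the scenario above (a C2 feed that is weeks old misses a newly stood-up C2 server until it is refreshed). Feed names follow the lesson's four types; the entries, timestamps and IP addresses are constructed (RFC 5737 documentation ranges), and the one-day freshness threshold, the check order and all function names are assumptions made for the example.

```python
"""
Added example (not Juniper code): a model of SecIntel feed matching on the
SRX data plane with a freshness check. Feeds, IPs and clock values are
constructed; the freshness threshold is an assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

MAX_FEED_AGE = timedelta(days=1)   # assumed freshness threshold for this model


@dataclass
class Feed:
    name: str                          # "C2", "Infected-Hosts", "Malicious-Domains", "Malicious-URLs"
    entries: Set[str] = field(default_factory=set)
    last_updated: Optional[datetime] = None

    def is_stale(self, now: datetime) -> bool:
        """A feed that never downloaded, or downloaded too long ago, is stale."""
        return self.last_updated is None or now - self.last_updated > MAX_FEED_AGE

    def refresh(self, entries: Set[str], now: datetime) -> None:
        """Replace the feed contents, as a successful download would."""
        self.entries = set(entries)
        self.last_updated = now


@dataclass
class Session:
    src_ip: str
    dst_ip: str
    host: str = ""     # DNS name or HTTP Host header, if known
    url: str = ""      # full URL for HTTP/S, if known


def match_session(session: Session, feeds: Dict[str, Feed], now: datetime) -> Tuple[str, str, List[str]]:
    """Return (action, reason, stale_feed_names) for one session.

    Each feed type is checked against the session field it describes: the C2
    feed against the destination, the infected-host feed against the source,
    the domain and URL feeds against the hostname / URL. Checking C2 before
    infected-host is a modelling choice. Stale feeds are still matched (the data
    plane has nothing newer) but are reported so the operator can see the gap.
    """
    stale = [f.name for f in feeds.values() if f.is_stale(now)]
    checks = [
        ("C2", session.dst_ip, "drop"),
        ("Infected-Hosts", session.src_ip, "quarantine"),
        ("Malicious-Domains", session.host, "drop"),
        ("Malicious-URLs", session.url, "drop"),
    ]
    for name, value, action in checks:
        feed = feeds.get(name)
        if feed is not None and value and value in feed.entries:
            return action, f"{name}-feed-match", stale
    return "permit", "no-feed-match", stale


def stale_vs_fresh_demo():
    """Replay the lesson's scenario: a 15-day-old C2 feed misses a new C2 server
    until it is refreshed. Returns the (before, after) match results."""
    now = datetime(2026, 6, 20, tzinfo=timezone.utc)      # constructed clock
    feeds = {
        "C2": Feed("C2", {"203.0.113.10"}, now - timedelta(days=15)),   # weeks stale
        "Infected-Hosts": Feed("Infected-Hosts", set(), now),
        "Malicious-Domains": Feed("Malicious-Domains", set(), now),
        "Malicious-URLs": Feed("Malicious-URLs", set(), now),
    }
    beacon = Session(src_ip="192.0.2.25", dst_ip="203.0.113.77")   # new C2, absent from old feed
    before = match_session(beacon, feeds, now)
    feeds["C2"].refresh({"203.0.113.10", "203.0.113.77"}, now)     # download succeeds after the fix
    after = match_session(beacon, feeds, now)
    return before, after


def infected_host_demo():
    """An inside host already on the infected-host feed is quarantined whatever it talks to."""
    now = datetime(2026, 6, 20, tzinfo=timezone.utc)
    feeds = {"Infected-Hosts": Feed("Infected-Hosts", {"192.0.2.5"}, now)}
    return match_session(Session(src_ip="192.0.2.5", dst_ip="198.51.100.1"), feeds, now)


if __name__ == "__main__":
    before, after = stale_vs_fresh_demo()
    print("before refresh:", before)   # ('permit', 'no-feed-match', ['C2'])
    print("after refresh: ", after)    # ('drop', 'C2-feed-match', [])
    print("infected host: ", infected_host_demo())
```

The third element of each result is the operational signal the lesson is asking you to check before closing an incident: a permit verdict accompanied by a non-empty stale list means "not on the feed" is not the same as "not malicious", and the feed download channel is the first thing to examine.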

Quick check · Q4 of 10 · Analyze

The SRX is not sending files to ATP Cloud. Which is the most likely first place to check?

Correct: a. The most common reason files are not sent to ATP Cloud is a missing or mismatched AppID profile or the file type not covered by the extraction policy. Check show advanced-anti-malware statistics to confirm no files are being extracted before looking further.
👉 So far: Troubleshoot ATP Cloud with 'show advanced-anti-malware statistics' (file analysis) and 'show security intelligence feed status' (SecIntel freshness). Most issues are AppID mismatch or port-443 outbound blocked to srxatp.junipersecurity.net.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile.

Q5 · Remember

Which license tier includes the infected-host SecIntel feed on Juniper SRX?

Correct: c. The infected-host feed is enabled for ALL ATP Cloud license tiers, including the base tier. This is a key differentiation from the C2, domain and URL feeds, which require a standard or premium subscription.
Q6 · Understand

Why does SecIntel block known-bad C2 traffic without a cloud round-trip at match time?

Correct: b. SecIntel feeds are downloaded and stored in SRX memory ahead of time. At match time the data plane enforces them locally at line rate with no cloud dependency per packet — that is the design intent.
Q7 · Apply

ATP Cloud returns a verdict of 9 for a downloaded file. Your threat policy sets 7–10 = drop. What happens next?

Correct: b. A verdict of 9 falls in the 7–10 = drop range. The SRX terminates the session, writes a security log entry, and caches the file hash so future encounters with the same file are blocked immediately without another cloud submission.
Q8 · Analyze

An SRX firewall is licensed for ATP Cloud but 'show advanced-anti-malware statistics' shows zero file submissions. What is the most likely cause?

Correct: c. Zero file submissions almost always means the SRX is not extracting files from sessions. Check that the AppID profile matches the traffic type and that the file extraction policy covers the relevant file types and application. SecIntel feed issues appear separately in 'show security intelligence feed status'.
Q9 · Evaluate

An interviewer asks why Adaptive Threat Profiling is valuable in a multi-branch enterprise. Best answer?

Correct: a. Adaptive Threat Profiling turns the SRX fleet into a self-improving threat sensor. New threats observed at any branch are consolidated by ATP Cloud into custom feeds distributed to all SRX devices, giving the whole enterprise the benefit of each site's telemetry.
Q10 · Evaluate

What is the strongest reason to configure a hold buffer for files in transit to ATP Cloud?

Correct: c. Hold mode ensures the session waits for the cloud verdict before the file reaches the endpoint. Without it, the file is delivered and the verdict only drives retrospective action. Hold mode closes the first-encounter gap for zero-day files at the cost of added latency.

🧠 In your own words

Type one line: explain in your own words why Juniper ATP Cloud needs two pillars — cloud analysis AND on-box SecIntel feeds. Then compare with the expert version.

Expert version: Cloud analysis handles unknown and zero-day files: the SRX sends a copy to the ATP Cloud sandbox, which uses deception, multiple AV engines and ML to score the file 0–10 and return a verdict. On-box SecIntel feeds handle known-bad infrastructure: C2 IPs, infected-host IPs, malicious domains and URLs are pushed to the SRX data plane ahead of time and enforced at line rate without any cloud round-trip per packet. You need both because unknown files require analysis time, while known-bad infrastructure must be blocked instantly — and the cloud may not always be reachable at the exact moment a packet arrives.


📖 Glossary

ATP Cloud (Advanced Threat Prevention Cloud)
Juniper's cloud-delivered threat analysis service (formerly Sky ATP) that sandboxes files and returns 0–10 verdicts to the SRX, and distributes SecIntel feeds.
SecIntel
On-box threat intelligence feeds (C2 IPs, infected-host IPs, malicious domains, malicious URLs) pushed to the SRX data plane and enforced at line rate.
Verdict score
A 0–10 risk number returned by ATP Cloud for each analysed file: 0 = clean, 10 = highly malicious. SRX threat policies map score ranges to actions.
C2 (Command and Control) feed
A SecIntel feed of known C2 server IP addresses. Outbound connections to these IPs are dropped by the SRX data plane at line rate.
Infected-host feed
A SecIntel feed of inside-host IPs that have already called home to a C2. Available on all ATP license tiers; used for automatic quarantine.
Cloud sandbox
The ATP Cloud execution environment that runs suspicious files using deception techniques (simulated mouse, keystrokes, installed software) to reveal evasive malware behaviour.
Adaptive Threat Profiling
A mode where the SRX reports observed threat indicators to ATP Cloud, which builds custom feeds and redistributes them to all SRX devices in the estate.
Hold buffer
An SRX option that holds an in-transit session until the ATP Cloud verdict is returned, preventing file delivery to the endpoint before a malicious verdict is known.
File cache
An SRX-side cache of file hashes and their ATP Cloud verdicts, so the same file is never submitted to the cloud twice — repeat encounters are actioned immediately.


What's next?

Got ATP Cloud covered? Next, go deep on Juniper Policy Enforcer and Security Director — how they distribute SRX policy across the entire network from a single pane.