
Juniper Secure Analytics

Installation Guide


Copyright © 2014, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Juniper Secure Analytics Installation Guide Copyright © 2014, Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at


Table of Contents

About the Documentation
    Documentation and Release Notes
    Documentation Conventions
    Documentation Feedback
    Requesting Technical Support
        Self-Help Online Tools and Resources
        Opening a Case with JTAC

Part 1 Juniper Secure Analytics Installation

Chapter 1 Juniper Secure Analytics Deployment Overview
    Understanding JSA Deployment
    Licence Keys
    Integrated Management Module
    Supported Web Browsers
        Enabling Document Mode and Browser Mode in Internet Explorer

Chapter 2 Virtual Appliance Installations for JSA and Log Analytics
    Juniper Secure Analytics (JSA) and Log Analytics Installation Overview
    Overview of Supported Virtual Appliances
        JSA Virtual All-in-One or JSA Virtual Console Deployment
        JSA Virtual Distributed Event or Flow Processors
        JSA Virtual Distributed Event or Flow Processors
        JSA VFlow Collector 1290
        JSA 1590
    System Requirements for Virtual Appliances
    Creating Your Virtual Machine
    Installing the JSA Software on a Virtual Machine
    Adding Your Virtual Appliance to Your Deployment

Chapter 3 Installations from the Recovery Partition
    Installing from the Recovery Partition Using Factory Default Setting
    Re-Installing a JSA Appliance

Chapter 4 Network Settings Management
    Changing the Network Settings in an All-In-One System
    Changing the Network Settings of a JSA Console in a Multisystem Deployment

Part 2 Appendix

Appendix A Troubleshooting Problems
    Troubleshooting Resources
        JSA Log Files
    Ports Used by JSA
        Ports and Iptables
        SSH Communication on Port 22
        JSA Ports


About the Documentation

• Documentation and Release Notes on page v

• Documentation Conventions on page v

• Documentation Feedback on page vii

• Requesting Technical Support on page viii

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Documentation Conventions


Table 1: Notice Icons

| Meaning | Description |
|---|---|
| Informational note | Indicates important features or instructions. |
| Caution | Indicates a situation that might result in loss of data or hardware damage. |
| Warning | Alerts you to the risk of personal injury or death. |
| Laser warning | Alerts you to the risk of personal injury from a laser. |
| Tip | Indicates helpful information. |
| Best practice | Alerts you to a recommended use or implementation. |

Table 2 on page vi defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example:
    stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example:
    rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example:
    community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Example for indention, braces, and semicolon:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page at the Juniper Networks Technical Documentation site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about


• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.


PART 1

Juniper Secure Analytics Installation

• Juniper Secure Analytics Deployment Overview on page 3

• Virtual Appliance Installations for JSA and Log Analytics on page 7

• Installations from the Recovery Partition on page 15


CHAPTER 1

Juniper Secure Analytics Deployment Overview

This chapter contains the following sections:

• Understanding JSA Deployment on page 3

• Licence Keys on page 3

• Integrated Management Module on page 4

• Supported Web Browsers on page 5

Understanding JSA Deployment

You can install Juniper Secure Analytics (JSA) components on a single server for small enterprises, or across multiple servers for large enterprise environments.

For maximum performance and scalability, you must install redundant appliances for each system that requires HA protection. For more information about installing or recovering an HA system, see the High Availability Guide.

Related Documentation

• Licence Keys on page 3

• Integrated Management Module on page 4

• Supported Web Browsers on page 5

Licence Keys

After the installation is complete and before the default license expires, you must access the Juniper Secure Analytics (JSA) user interface to apply your license key.

Your system includes a default license key that provides you with access to JSA software for five weeks. After you install the software and before the default license key expires, you must add your purchased licenses.


Table 3: Restrictions for the Default License Key for JSA Installation

| Usage | Limit |
|---|---|
| Active log source limit | 750 |
| Events per second threshold | 5000 |
| Flows per interval | 200000 |
| User limit | 10 |
| Network object limit | 300 |

Table 4: Restrictions for the Default License Key for Log Analytics Installations

| Usage | Limit |
|---|---|
| Active log source limit | 750 |
| Active log source limit | 5000 |
| User limit | 10 |
| Network object limit | 300 |

Related Documentation

• Understanding JSA Deployment on page 3

• Integrated Management Module on page 4

• Supported Web Browsers on page 5

Integrated Management Module

Use Integrated Management Module, which is on the back panel of each appliance type, to manage the serial and Ethernet connectors.

You can configure the Integrated Management Module to share an Ethernet port with the Juniper Secure Analytics (JSA) product management interface. However, to reduce the risk of losing the connection when the appliance is restarted, configure Integrated Management Module in dedicated mode.

To configure Integrated Management Module, you must access the system BIOS settings by pressing F1 when the splash screen is displayed. For more information about configuring the Integrated Management Module, see the Integrated Management Module User's Guide on the CD that is shipped with your appliance.

Related Documentation

• Understanding JSA Deployment on page 3

• Licence Keys on page 3


Supported Web Browsers

For the features in Juniper Secure Analytics (JSA) products to work properly, you must use a supported web browser.

When you access the JSA system, you are prompted for a user name and a password. The user name and password must be configured in advance by the administrator.

Table 5 on page 5 lists the supported versions of web browsers.

Table 5: Supported Web Browsers for JSA Products

| Web Browser | Supported Version |
|---|---|
| Mozilla Firefox | 10.0 Extended Support Release (ESR) |
| Microsoft Internet Explorer, with document mode and browser mode enabled | 8.0, 9.0 |
| Google Chrome | Latest version |

Enabling Document Mode and Browser Mode in Internet Explorer

If you use Microsoft Internet Explorer to access Juniper Secure Analytics (JSA) products, you must enable browser mode and document mode.

1. In your Internet Explorer web browser, press F12 to open the Developer Tools window.

2. Click Browser Mode and select the version of your web browser.

3. Click Document Mode and select Internet Explorer 7.0 Standards.

Related Documentation

• Understanding JSA Deployment on page 3

• Licence Keys on page 3

• Integrated Management Module on page 4


CHAPTER 2

Virtual Appliance Installations for JSA and Log Analytics

This chapter contains the following sections:

• Juniper Secure Analytics (JSA) and Log Analytics Installation Overview on page 7

• Overview of Supported Virtual Appliances on page 8

• System Requirements for Virtual Appliances on page 10

• Creating Your Virtual Machine on page 11

• Installing the JSA Software on a Virtual Machine on page 12

• Adding Your Virtual Appliance to Your Deployment on page 13

Juniper Secure Analytics (JSA) and Log Analytics Installation Overview

You can install Juniper Secure Analytics (JSA) and Log Analytics on a virtual appliance. Ensure that you use a supported virtual appliance that meets the minimum system requirements.

To install a virtual appliance, complete the following tasks in sequence:

• Create a virtual machine.

• Install JSA software on the virtual machine.

• Add your virtual appliance to the deployment.

CAUTION: When deploying a JSA appliance with image 2013.2.r3.607582, you must reimage the appliance to the common image 2013.2.r3.615469. For more information, see Installing JSA Using a Bootable USB Flash-Drive Technical Note.

Related Documentation

• Overview of Supported Virtual Appliances on page 8

• System Requirements for Virtual Appliances on page 10


• Adding Your Virtual Appliance to Your Deployment on page 13

Overview of Supported Virtual Appliances

A virtual appliance is a Juniper Secure Analytics (JSA) system that consists of JSA software that is installed on a VMware ESX 5.0 virtual machine. Use the procedures in this topic to install your virtual appliance.

A virtual appliance provides the same visibility and functionality in your virtual network infrastructure that JSA appliances provide in your physical environment.

After you install your virtual appliances, use the deployment editor to add your virtual appliances to your deployment. For more information on how to connect appliances, see the Juniper Secure Analytics Administration Guide.

JSA Virtual All-in-One or JSA Virtual Console Deployment

This virtual appliance is a Juniper Secure Analytics (JSA) system that can profile network behavior and identify network security threats. The JSA Virtual All-in-One or JSA Virtual console deployment virtual appliance includes an on-board Event Collector and internal storage for events.

The JSA Virtual All-in-One or JSA Virtual console deployment virtual appliance supports the following items:

• Up to 1,000 network objects

• 50,000 flows per interval, depending on your license

• 1,000 events per second (eps), depending on your license

• 750 event feeds (additional devices can be added to your licensing)

• External flow data sources for NetFlow, sFlow, J-Flow, Packeteer, and Flowlog files

• Flow Processor and Layer 7 network activity monitoring

To expand the capacity of the JSA Virtual All-in-One or JSA Virtual console deployment beyond the license-based upgrade options, you can add one or more of the JSA Virtual Distributed Event or Flow processors or JSA Virtual Distributed Event or Flow processors virtual appliances:

JSA Virtual Distributed Event or Flow Processors

This virtual appliance is a dedicated Event Processor that allows you to scale your Juniper Secure Analytics (JSA) deployment to manage higher EPS rates. The JSA Virtual Distributed Event or Flow processors includes an on-board Event Collector, Event Processor, and internal storage for events.

The JSA Virtual Distributed Event or Flow processors appliance supports the following items:


• 2 TB or larger dedicated event storage

The JSA Virtual Distributed Event or Flow processors virtual appliance is a distributed Event Processor appliance and requires a connection to any series appliance.

JSA Virtual Distributed Event or Flow Processors

This virtual appliance is deployed with any series appliance. The virtual appliance is used to increase storage and includes an on-board Event Processor, and internal storage. JSA Virtual Distributed Event or Flow processors appliance supports the following items:

• 50,000 flows per interval depending on traffic types

• 2 TB or larger dedicated flow storage

• 1,000 network objects

• Flow Processor and Layer 7 network activity monitoring

You can add JSA Virtual Distributed Event or Flow processors appliances to any series appliance to increase the storage and performance of your deployment.

JSA VFlow Collector 1290

This virtual appliance provides the same visibility and functionality in your virtual network infrastructure that a Flow Processor offers in your physical environment. The Flow Processor virtual appliance analyzes network behavior and provides Layer 7 visibility within your virtual infrastructure. Network visibility is derived from a direct connection to the virtual switch.

The JSA VFlow Collector 1290 virtual appliance supports a maximum of the following items:

• 10,000 flows per minute

• Three virtual switches, with one additional switch that is designated as the management interface.

The JSA VFlow Collector 1290 virtual appliance does not support NetFlow.

JSA 1590

This virtual appliance is a dedicated Event Collector, which is required if you want to enable the store and forward feature. The store and forward feature allows you to manage schedules that control when to start and stop forwarding events from your dedicated Event Collector appliances to Event Processor components in your deployment. A dedicated Event Collector does not process events and it does not include an on-board Event Processor.

By default, a dedicated Event Collector continuously forwards events to an Event Processor that you must connect using the deployment editor. The maximum Event Per Second (EPS) is controlled by the Event Processor.


Related Documentation

• Juniper Secure Analytics and Log Manager Installation Overview on page 7

• System Requirements for Virtual Appliances on page 10

• Creating Your Virtual Machine on page 11

• Installing the JSA Software on a Virtual Machine on page 12

• Adding Your Virtual Appliance to Your Deployment on page 13

System Requirements for Virtual Appliances

To ensure that Juniper Secure Analytics (JSA) works correctly, ensure that the virtual appliance that you use meets the minimum software and hardware requirements.

Table 6 on page 10 describes the minimum requirements for virtual appliances.

Table 6: Requirements for Virtual Appliances

| Requirement | Description |
|---|---|
| VMware client | VMware ESXi Version 5.0, VMware ESXi Version 5.1. For more information about VMware clients, see the VMware website at www.vmware.com |
| Virtual disk size on all appliances except Flow Processor appliances | Minimum: 256 GB. NOTE: For optimal performance, ensure that an extra 2-3 times of the minimum disk space is available. |
| Virtual disk size for Flow Processor appliances | Minimum: 70 GB |

Table 7 on page 10 describes the minimum memory requirements for virtual appliances.

Table 7: Minimum and Optional Memory Requirements for JSA Virtual Appliances

| Appliance | Minimum memory requirement | Suggested memory requirement |
|---|---|---|
| JSA VFlow Collector 1290 | 6 GB | 6 GB |
| JSA 1590 | 12 GB | 16 GB |
| JSA Virtual Distributed Event or Flow processors | 12 GB | 48 GB |
| JSA Virtual Distributed Event or Flow processors | 12 GB | 48 GB |
| JSA Virtual All-in-One or JSA Virtual console deployment | 24 GB | 48 GB |
| | 24 GB | 48 GB |


Related Documentation

• Juniper Secure Analytics and Log Manager Installation Overview on page 7

• Overview of Supported Virtual Appliances on page 8

• Creating Your Virtual Machine on page 11

• Installing the JSA Software on a Virtual Machine on page 12

• Adding Your Virtual Appliance to Your Deployment on page 13

Creating Your Virtual Machine

To install a virtual appliance, you must first use VMware vSphere Client 5.0 to create a virtual machine.

1. From the VMware vSphere Client, click File > New > Virtual Machine.

2. Use the following steps to guide you through the choices:

a. In the Configuration pane of the Create New Virtual Machine window, select Custom.

b. In the Virtual Machine Version pane, select Virtual Machine Version: 7.

c. For the Operating System (OS), select Red Hat Enterprise Linux 6 (64-bit).

d. On the CPUs page, configure the number of virtual processors that you want for the virtual machine:

When you configure the parameters on the CPU page, you must configure a minimum of two processors. The combination of number of virtual sockets and number of cores per virtual socket determines how many processors are configured on your system.

Table 8 on page 11 provides examples of CPU page settings you can use.

Table 8: Sample CPU Page Settings

| Number of processors | Sample CPU page settings |
|---|---|
| 2 | Number of virtual sockets = 1, Number of cores per virtual socket = 2 |
| 2 | Number of virtual sockets = 2, Number of cores per virtual socket = 1 |
| 4 | Number of virtual sockets = 4, Number of cores per virtual socket = 1 |
| 4 | Number of virtual sockets = 2, Number of cores per virtual socket = 2 |

f. Use Table 9 on page 12 to configure your network connections.

Table 9: Descriptions for Network Configuration Parameters

| Parameter | Description |
|---|---|
| How many NICs do you want to connect | You must add at least one Network Interface Controller (NIC) |
| Adapter | VMXNET3 |

g. In the SCSI controller pane, select VMware Paravirtual.

h. In the Disk pane, select Create a new virtual disk and use Table 10 on page 12 to configure the virtual disk parameters.

Table 10: Settings for the Virtual Disk Size and Provisioning Policy Parameters

| Property | Option |
|---|---|
| Capacity | 256 or higher (GB) |
| Disk Provisioning | Thin provision |
| Advanced options | Do not configure |

3. On the Ready to Complete page, review the settings and click Finish.

Related Documentation

• Juniper Secure Analytics and Log Manager Installation Overview on page 7

• Overview of Supported Virtual Appliances on page 8

• System Requirements for Virtual Appliances on page 10

• Installing the JSA Software on a Virtual Machine on page 12

• Adding Your Virtual Appliance to Your Deployment on page 13

Installing the JSA Software on a Virtual Machine

After you create your virtual machine, you must install the Juniper Secure Analytics (JSA) software on the virtual machine.

1. In the left navigation pane of your VMware vSphere Client, select your virtual machine.

2. In the right pane, click the Summary tab.

3. In the Commands pane, click Edit Settings.

4. In the left pane of the Virtual Machine Properties window, click CD/DVD Drive 1.

5. In the Device Status pane, select the Connect at power on check box.


7. In the Browse Datastores window, locate and select the JSA product ISO file, click Open and then click OK.

8. After the JSA product ISO image is installed, right-click your virtual machine and click Power > Power On.

9. Log in to the virtual machine by typing root for the user name. The user name is case-sensitive.

10. For the type of setup, select normal.

11. For JSA console installations, select the Enterprise tuning template.

12. Follow the instructions in the installation wizard to complete the installation.

Table 9 on page 12 contains descriptions and notes to help you configure the installation.

After you configure the installation parameters, a series of messages is displayed. The installation process might take several minutes.

Related Documentation

• Juniper Secure Analytics and Log Manager Installation Overview on page 7

• Overview of Supported Virtual Appliances on page 8

• System Requirements for Virtual Appliances on page 10

• Creating Your Virtual Machine on page 11

• Adding Your Virtual Appliance to Your Deployment on page 13

Adding Your Virtual Appliance to Your Deployment

After the Juniper Secure Analytics (JSA) software is installed, add your virtual appliance to your deployment.

1. Log in to the JSA console.

2. On the Admin tab, click the Deployment Editor icon.

3. In the Event Components pane on the Event View page, select the virtual appliance component that you want to add.

4. On the first page of the Adding a New Component task assistant, type a unique name for the virtual appliance.

The name that you assign to the virtual appliance can be up to 20 characters in length and can include underscores or hyphens.

5. Complete the steps in the task assistant.

6. From the Deployment Editor menu, click File > Save to staging.

7. On the Admin tab menu, click Deploy Changes.


• Overview of Supported Virtual Appliances on page 8

• System Requirements for Virtual Appliances on page 10

• Creating Your Virtual Machine on page 11


CHAPTER 3

Installations from the Recovery Partition

When you install Juniper Secure Analytics (JSA) products, the installer (ISO image) is copied to the recovery partition. From this partition, you can reinstall JSA products. Your system is restored back to the default configuration. Your current configuration and data files are overwritten.

When you restart your JSA appliance, an option to reinstall the software is displayed. If you do not respond to the prompt within five seconds, the system continues to start as normal. Your configuration and data files are maintained. If you choose the reinstall option, a warning message is displayed and you must confirm that you want to reinstall. After a hard disk failure, you might not be able to reinstall from the recovery partition because the recovery partition is no longer available. If you experience a hard disk failure, contact Juniper Customer Support for assistance.

Any software upgrade of JSA version 2014.1 replaces the existing ISO file with the newer version.

These guidelines apply to JSA version 2014.1 installations or upgrades.

• Installing from the Recovery Partition Using Factory Default Setting on page 15

• Re-Installing a JSA Appliance on page 16

Installing from the Recovery Partition Using Factory Default Setting

You can reinstall Juniper Secure Analytics (JSA) products from the recovery partition. If your deployment includes offboard storage solutions, you must disconnect your offboard storage before you reinstall JSA. After you reinstall, you can remount your external storage solutions. For more information on configuring off-board storage, see the Configuring Offboard Storage Guide.

To install a factory default setting:

1. Restart your JSA appliance and select Factory re-install.

2. Type flatten.


3. Type SETUP.

4. Log in as the root user.

5. For JSA console installations, select the Enterprise tuning template.

6. Follow the instructions in the installation wizard to complete the installation.

Table 9 on page 12 contains descriptions and notes to help you configure the installation.

After you configure the installation parameters, a series of messages is displayed. The installation process might take several minutes.

Related Documentation

• Re-Installing a JSA Appliance on page 16

Re-Installing a JSA Appliance

You can reinstall Juniper Secure Analytics (JSA) products from the recovery partition. To re-install a JSA Appliance:

1. Select the Enterprise tuning template. Select Next and press Enter.

2. Configure your time settings:

a. Choose one of the following options:

• Manual—Select this option to manually input the time and date. Select Next and press Enter. The Current Date and Time window is displayed. Go to Step b.

• Server—Select this option to specify your time server. Select Next and press Enter. The Enter Time Server window is displayed. Go to Step c.

b. To manually enter the time and date, type the current time and date. Select Next and press Enter. Go to Step 3.

c. To specify a time server, in the Time server field, type the time server name or IP address. Select Next and press Enter. Go to Step 5.

3. On the Time Zone Continent window, select your time zone continent or area. Select Next and press Enter.

4. On the Time Zone Region window, select your time zone region. Select Next and press Enter.

5. Select an internet protocol version. Select Next and press Enter.

6. Select the interface that you want to use as the management interface. Select Next and press Enter.

7. Choose one of the following options:

• If you use IPv4 as your Internet protocol, go to Step 10.

8. Choose one of the following options:

a. To automatically configure for IPv6, select Yes and press Enter. The automatic configuration can take an extended period of time. Go to Step 10.

b. To manually configure for IPv6, select No and press Enter. Go to Step 9.

9. Enter network information to use for IPv6:

a. In the Hostname field, type a fully qualified domain name as the system hostname.

b. In the IP Address field, type the IP address of the system.

c. In the Email server field, type the email server. If you do not have an email server, type localhost in this field.

d. Select Next and press Enter. Go to Step 11.

10. Configure the JSA network settings:

a. Enter values for the following parameters:

• Hostname—Type a fully qualified domain name as the system hostname.

• IP Address—Type the IP address of the system.

• Network Mask—Type the network mask address for the system.

• Gateway—Type the default gateway of the system.

• Primary DNS—Type the primary DNS server address.

• Secondary DNS—Optional. Type the secondary DNS server address.

• Public IP—Optional. Type the Public IP address of the server.

• Email Server—Type the email server. If you do not have an email server, type localhost in this field.

b. Select Next and press Enter.

11. Configure the JSA root password:

a. Type your password. Select Next and press Enter. The Confirm New Root Password window is displayed. The password must meet the following criteria:

• Must contain at least five characters

• No spaces

• Can include the following special characters: @, #, ^, and *.

b. Retype your new password to confirm. Select Finish and press Enter.

12.Press Enter to select OK.

After you configure the installation parameters, a series of messages are displayed as JSA continues with the reinstallation. This process typically takes several minutes.


Related Documentation


CHAPTER 4

Network Settings Management

Use the qchange_netsetup script to change the network settings of your Juniper Secure Analytics (JSA) system. Configurable network settings include host name, IP address, network mask, gateway, DNS addresses, public IP address, and email server.

• Changing the Network Settings in an All-In-One System on page 19

• Changing the Network Settings of a JSA Console in a Multisystem Deployment on page 20

• Updating Network Settings After a NIC Replacement on page 22

Changing the Network Settings in an All-In-One System

You can change the network settings in your All-In-One system. An All-In-One system has all Juniper Secure Analytics (JSA) components that are installed on one system. You must have a local connection to your JSA console.

1. Log in as the root user:

Username: root

Password: password

2. Type the following command:

qchange_netsetup

3. Follow the instructions in the wizard to complete the configuration.

Table 11 on page 19 contains descriptions and notes to help you configure the network settings.

Table 11: Description of Network Settings for an All-In-One JSA Console

Network Setting: Host name
Description: Fully qualified domain name

Network Setting: Public IP address for networks that use Network Address Translation (NAT)
Description: Optional. Used to access the server, usually from a different network or the Internet. Configured by using Network Address Translation (NAT) services on your network or firewall settings on your network. (NAT translates an IP address in one network to a different IP address in another network).

Network Setting: Email server name
Description: If you do not have an email server, use localhost.

A series of messages is displayed as JSA processes the requested changes. After the requested changes are processed, the JSA system is automatically shut down and restarted.

Related Documentation

• Changing the Network Settings of a JSA Console in a Multisystem Deployment on page 20

• Updating Network Settings After a NIC Replacement on page 22

Changing the Network Settings of a JSA Console in a Multisystem Deployment

To change the network settings in a multi-system Juniper Secure Analytics (JSA) deployment, remove all managed hosts, change the network settings, re-add the managed hosts, and then re-assign the component.

1. To remove managed hosts, log in to JSA: The Username is admin.

a. Click the Admin tab.

b. Click the Deployment Editor icon.

c. In the Deployment Editor window, click the System View tab.

d. For each managed host in your deployment, right-click the managed host and select Remove host.

e. On the Admin tab, click Deploy Changes.

2. To change network settings on the JSA console, use SSH to log in to JSA as the root user.

The user name is root.

a. Type the following command:

qchange_netsetup


Table 12 on page 21 contains descriptions and notes to help you configure the network settings.

Table 12: Description of Network Settings for a Multisystem JSA Console Deployment

Network Setting: Host name
Description: Fully qualified domain name

Network Setting: Secondary DNS server address
Description: Optional

Network Setting: Public IP address for networks that use Network Address Translation (NAT)
Description: Optional. Used to access the server, usually from a different network or the Internet. Configured by using Network Address Translation (NAT) services on your network or firewall settings on your network. (NAT translates an IP address in one network to a different IP address in another network).

Network Setting: Email server name
Description: If you do not have an email server, use localhost.

After you configure the installation parameters, a series of messages are displayed. The installation process might take several minutes.

3. To re-add and reassign the managed hosts, log in to JSA. The Username is admin.

a. Click the Admin tab.

b. Click the Deployment Editor icon.

c. In the Deployment Editor window, click the System View tab.

d. Click Actions > Add a managed host.

e. Follow the instructions in the wizard to add a host.

Select the Host is NATed option to configure a public IP address for the server. This IP address is a secondary IP address that is used to access the server, usually from a different network or the Internet. The Public IP address is often configured by using Network Address Translation (NAT) services on your network or firewall settings on your network. NAT translates an IP address in one network to a different IP address in another network.

4. Reassign all components to your managed hosts that are not your JSA console.

a. In the Deployment Editor window, click the Event View tab, and select the component that you want to reassign to the managed host.

b. Click Actions > Assign.


c. From the Select a host list, select the host that you want to reassign to this component.

d. On the Admin tab, click Deploy Changes.

Related Documentation

• Changing the Network Settings in an All-In-One System on page 19

• Updating Network Settings After a NIC Replacement on page 22

Updating Network Settings After a NIC Replacement

If you replace your integrated system board or stand-alone Network Interface Cards (NICs), you must update your Juniper Secure Analytics (JSA) network settings to ensure that your hardware remains operational.

The network settings file contains one pair of lines for each NIC that is installed and one pair of lines for each NIC that was removed. You must remove the lines for the NIC that you removed and then rename the NIC that you installed.

Your network settings file might resemble the following example, where NAME="eth0" is the NIC that was replaced and NAME="eth4" is the NIC that was installed.

# PCI device 0x14e4:0x163b (bnx2)

SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="78:2a:cb:23:1a:2f", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x14e4:0x163b (bnx2)

SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="78:2a:cb:23:1a:2f", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x14e4:0x163b (bnx2)

SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="78:2a:cb:23:1a:2f", ATTR{type}=="1", KERNEL=="eth*", NAME="eth4"

# PCI device 0x14e4:0x163b (bnx2)


1. Use SSH to log in to the Juniper Secure Analytics (JSA) product as the root user. The user name is root.

2. Type the following command:

cd /etc/udev/rules.d/

3. To edit the network settings file, type the following command:

vi 70-persistent-net.rules

4. Remove the pair of lines for the NIC that was replaced:

NAME="eth0"

5. Rename the NAME=<eth> values for the newly installed NIC. Example: Rename NAME="eth4" to NAME="eth0".

6. Save and close the file.

7. Type the following command:

reboot
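The edit in steps 4 and 5 can be scripted and checked before the reboot. The following is an added example, not part of the original guide or Juniper tooling: a POSIX shell sketch that drops the rule pair for the replaced NIC, renames the installed NIC, and verifies that no interface name or MAC address is assigned twice. The function names and the sample rules (including the second MAC address) are constructed for illustration.

```shell
#!/bin/sh
# Added example: not Juniper tooling. Function names and sample data are constructed.

# rewrite_rules OLD NEW < rules
# Drops each rule that assigns NAME="OLD" together with the comment line directly
# above it (step 4), then renames NAME="NEW" to NAME="OLD" (step 5).
rewrite_rules() {
    awk -v old="$1" -v new="$2" '
        BEGIN { oldtag = "NAME=\"" old "\""; newtag = "NAME=\"" new "\"" }
        /^#/ { if (held != "") print held; held = $0; next }  # hold comment until its rule is seen
        index($0, oldtag) { held = ""; next }                 # replaced NIC: drop comment and rule
        {
            if (held != "") { print held; held = "" }
            i = index($0, newtag)
            if (i) $0 = substr($0, 1, i - 1) oldtag substr($0, i + length(newtag))
            print
        }
        END { if (held != "") print held }
    '
}

# check_rules < rules
# Reports rules without a quoted NAME value and any interface name or MAC
# address that is assigned more than once. Exit status 1 if anything is reported.
check_rules() {
    awk '
        function quoted_after(line, key,    i, rest) {
            i = index(line, key)
            if (!i) return ""
            rest = substr(line, i + length(key))
            return substr(rest, 1, index(rest, "\"") - 1)   # empty if the closing quote is missing
        }
        /^#/ || /^[ \t]*$/ { next }
        {
            name = quoted_after($0, "NAME=\"")
            mac  = quoted_after($0, "ATTR{address}==\"")
            if (name == "") { print "line " NR ": no quoted NAME value"; bad = 1; next }
            if (seen_name[name]++) { print "duplicate name: " name; bad = 1 }
            if (mac != "" && seen_mac[mac]++) { print "duplicate MAC: " mac; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: eth0 is the replaced NIC (MAC taken from the example above),
# eth4 is the installed NIC (MAC invented for this example).
sample_rules() {
    cat <<'EOF'
# PCI device 0x14e4:0x163b (bnx2)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="78:2a:cb:23:1a:2f", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
# PCI device 0x14e4:0x163b (bnx2)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="02:00:00:00:00:04", ATTR{type}=="1", KERNEL=="eth*", NAME="eth4"
EOF
}

# Show the rewritten rules for the sample.
sample_rules | rewrite_rules eth0 eth4
```

On a real system, write the output to a new file, run check_rules on it, and keep a copy of the original 70-persistent-net.rules until the host is reachable again after the reboot.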

Related Documentation

• Changing the Network Settings in an All-In-One System on page 19

• Changing the Network Settings of a JSA Console in a Multisystem Deployment on page 20


PART 2

Appendix

The Appendix chapter describes the following sections:


APPENDIX A

Troubleshooting Problems

Troubleshooting is a systematic approach to solving a problem. The goal of troubleshooting is to determine why something does not work as expected and how to resolve the problem.

Review Table 13 on page 27 to help you or customer support resolve a problem.

Table 13: Troubleshooting Actions to Prevent Problems

Action: Apply all known fix packs, service levels, or program temporary fixes (PTF).
Description: A product fix might be available to fix the problem.

Action: Ensure that the configuration is supported.
Description: Review the software and hardware requirements.

Action: Look up error message codes by selecting the product from the Juniper Customer Support at http://www.juniper.net/support/ and then typing the error message code into the Search support box.
Description: Error messages give important information to help you identify the component that is causing the problem.

Action: Reproduce the problem to ensure that it is not just a simple error.
Description: If samples are available with the product, you might try to reproduce the problem by using the sample data.

Action: Check the installation directory structure and file permissions.
Description: The installation location must contain the appropriate file structure and the file permissions. For example, if the product requires write access to log files, ensure that the directory has the correct permission.

Action: Review relevant documentation, such as release notes, tech notes, and proven practices documentation.
Description: Search the Juniper Networks knowledge bases to determine whether your problem is known, has a workaround, or if it is already resolved and documented.

Action: Review recent changes in your computing environment.
Description: Sometimes installing new software might cause compatibility issues.


assist you in resolving the problem. You can also collect diagnostic data and analyze it yourself.

• Troubleshooting Resources on page 28

• JSA Log Files on page 28

• Ports Used by JSA on page 28

Troubleshooting Resources

Troubleshooting resources are sources of information that can help you resolve a problem that you have with a product.

Find the Juniper Secure Analytics (JSA) content that you need by selecting your products from the Juniper Customer Support (http://www.juniper.net/customers/support/).

JSA Log Files

Use the Juniper Secure Analytics (JSA) log files to help you troubleshoot problems. You can review the log files for the current session individually or you can collect them to review later.

Follow these steps to review the JSA log files.

1. To help you troubleshoot errors or exceptions, review the following log files.

• /var/log/qradar.log

• /var/log/qradar.error

2. If you require more information, review the following log files:

• https://console_ip/system_info.cgi

• /var/log/qradar-sql.log

• /opt/tomcat5/logs/catalina.out

• /opt/imq/share/var/instances/imqbroker/log/log.txt

• /var/log/qflow.debug

3. To collect log files for a Juniper Networks technical support representative, from the command line, run the following command:

/opt/qradar/support/get_logs.sh -s

The command creates a logs_<console_name>_<date_time>.tar.bz2 file in the /var/log directory.

Ports Used by JSA


For example, you can determine the ports that must be opened for the JSA console to communicate with remote Event Processors.

Ports and Iptables

The listen ports for Juniper Secure Analytics (JSA) are valid only when iptables is enabled on your JSA system.

SSH Communication on Port 22

All the ports that are described in Table 14 on page 29 can be tunneled, by encryption, through port 22 over SSH. Managed hosts that use encryption can establish multiple bidirectional SSH sessions to communicate securely. These SSH sessions are initiated from the managed host to provide data to the host that needs the data in the deployment. For example, Event Processor appliances can initiate multiple SSH sessions to the JSA console for secure communication. This communication can include tunneled ports over SSH, such as HTTPS data for port 443 and Ariel query data for port 32006. Flow Processors that use encryption can initiate SSH sessions to Flow Processor appliances that require data.

JSA Ports

Unless otherwise noted, information about the assigned port number, descriptions, protocols, and the signaling direction for the port applies to all Juniper Secure Analytics (JSA) products.

Table 14 on page 29 lists the ports, protocols, communication direction, description, and the reason that the port is used.

Table 14: Listening Ports that are used by JSA, Services, and Components

Port: 22
Description: SSH
Protocol: TCP
Direction: Bidirectional from the JSA console to all other components.
Requirement: Remote management access. Adding a remote system as a managed host. Log source protocols to retrieve files from external devices, for example the log file protocol. Users who use the command line interface to communicate from desktops to the console. High availability

Port: 25
Description: SMTP
Protocol: TCP
Direction: From all managed hosts to the SMTP gateway
Requirement: Emails from JSA to an SMTP gateway. Delivery of error and warning email messages to an administrative email contact.

Port: 37
Description: rdate (time)
Protocol: UDP/TCP
Direction: All systems to the JSA console. JSA console to the NTP or rdate server
Requirement: Time synchronization between the JSA console and managed hosts.

Port: 80
Description: Apache/HTTPS
Protocol: TCP
Direction: Users that connect to the JSA console. Users that connect to the JSA Deployment Editor
Requirement: Communication and downloads from the JSA console to desktops. The Deployment Editor application to download and show deployment information

Port: 111
Description: Port mapper
Protocol: TCP/UDP
Direction: Managed hosts that communicate to the JSA console
Requirement: Remote Procedure Calls (RPC) for required services, such as Network File System (NFS)

Port: 135 and dynamically allocated ports above 1024 for RPC calls.
Description: DCOM
Protocol: TCP
Direction: WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events. Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.
Requirement: This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. NOTE: DCOM typically allocates a random port range for communication. You can configure Microsoft Windows products to use a specific port. For more information, see your Microsoft Windows documentation.

Protocol: UDP
Direction: Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events. Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.
Requirement: This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

Port: 138
Description: Windows NetBIOS datagram service.
Protocol: UDP
Direction: Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events. Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events
Requirement: This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

Port: 139
Description: Windows NetBIOS session service
Protocol: TCP
Direction: Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events. Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events
Requirement: This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

Port: 199
Description: NetSNMP
Protocol: TCP
Direction: JSA managed hosts that connect to the JSA console. External log sources to JSA Event Collectors
Requirement: TCP port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources

Port: 443
Description: Apache/HTTPS
Protocol: TCP
Direction: Bidirectional traffic for secure communications from all products to the JSA console
Requirement: Configuration downloads to managed hosts from the JSA console. JSA managed hosts that connect to the JSA console. Users to have log in access to JSA. JSA console that manage and provide configuration updates WinCollect agents.

Port: 445
Description: Microsoft Directory Service
Protocol: TCP
Direction: Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events. Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.
Requirement: This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

Port: 514
Description: Syslog
Protocol: UDP/TCP
Direction: External network appliances that provide TCP syslog events use bidirectional traffic. External network appliances that provide UDP syslog events use uni-directional traffic.
Requirement: External log sources to send event data to JSA components. Syslog traffic includes WinCollect agents and Adaptive Log Exporter agents capable of sending either UDP or TCP events to JSA.

Port: 762
Description: Network File System (NFS) mount daemon (mountd)
Protocol: TCP/UDP
Direction: Connections between the JSA console and NFS server
Requirement: The Network File System (NFS) mount daemon, which processes requests to mount a file system at a specified location

Port: 1514
Description: Syslog-ng
Protocol: TCP/UDP
Direction: Connection between the local Event Collector component and local Event Processor component to the syslog-ng daemon for logging.
Requirement: Internal logging port for syslog-ng.

Port: 2049
Description: NFS
Protocol: TCP
Direction: Connections between the JSA console and NFS server.
Requirement: The Network File System (NFS) protocol to share files or data between components.

Port: 2055
Description: NetFlow data
Protocol: UDP
Direction: From the management interface on the flow source (typically a router) to the Flow Processor.
Requirement: NetFlow datagram from components, such as routers.

Port: 4333
Description: Redirect port
Protocol: TCP
Requirement: This port is assigned as a redirect port for Address Resolution Protocol (ARP) requests in JSA offense resolution.

Description: Postgres
Protocol: TCP
Direction: Communication for the managed host that is used to access the local database instance.
Requirement: Required for provisioning managed hosts from the Admin tab.

Port: 6543
Description: High availability heartbeat
Protocol: TCP/UDP
Direction: Bidirectional between the secondary host and primary host in an HA cluster
Requirement: Heartbeat ping from a secondary host to a primary host in an HA cluster to detect hardware or network failure

Port: 7676, 7677, and four randomly bound ports above 32000.
Description: Messaging connections (IMQ)
Protocol: TCP
Direction: Message queue communications between components on a managed host.
Requirement: Message queue broker for communications between components on a managed host. Ports 7676 and 7677 are static TCP ports and four extra connections are created on random ports.

Port: 7777 - 7782, 7790, 7791
Description: JMX server ports
Protocol: TCP
Direction: Internal communications, these ports are not available externally
Requirement: JMX server (Mbean) monitoring for ECS, hostcontext, Tomcat, VIS, reporting, ariel, and accumulator services. NOTE: These ports are used by JSA support.

Port: 7789
Description: HA Distributed Replicated Block Device (DRBD)
Protocol: TCP/UDP
Direction: Bidirectional between the secondary host and primary host in an HA cluster
Requirement: Distributed Replicated Block Device (DRBD) used to keep drives synchronized between the primary and secondary hosts in HA configurations.

Port: 7800
Description: Apache Tomcat
Protocol: TCP
Direction: From the Event Collector to the JSA console.
Requirement: Real-time (streaming) for events.

Port: 7801
Description: Apache Tomcat
Protocol: TCP
Direction: From the Event Collector to the JSA console
Requirement: Real-time (streaming) for flows

Port: 8000
Description: Event Collection service (ECS)
Protocol: TCP
Direction: From the Event Collector to the JSA console
Requirement: Listening port for specific Event Collection service (ECS).

Port: 8001
Description: SNMP daemon port
Protocol: UDP
Direction: External SNMP systems that request SNMP trap information from the JSA console
Requirement: UDP listening port for external SNMP data requests.

Port: 8005
Description: Apache Tomcat
Protocol: TCP
Direction: None
Requirement: A local port that is not used by JSA

Port: 8009
Description: Apache Tomcat
Protocol: TCP
Direction: From the HTTP daemon (HTTPd) process to Tomcat
Requirement: From the HTTP daemon (HTTPd) process to Tomcat.

Port: 8080
Description: Apache Tomcat
Protocol: TCP
Direction: From the HTTP daemon (HTTPd) process to Tomcat
Requirement: Tomcat connector, where the request is used and proxied for the web service.

Port: 9995
Description: NetFlow data
Protocol: UDP
Direction: From the management interface on
Requirement: NetFlow datagram from

Port: 10000
Description: JSA web-based, system administration interface
Protocol: TCP/UDP
Direction: User desktop systems to all JSA hosts
Requirement: Server changes, such as the hosts root password and firewall access

Port: 23111
Description: SOAP web server
Protocol: TCP
Requirement: SOAP web server port for the event collection service (ECS)

Port: 32004
Description: Normalized event forwarding
Protocol: TCP
Direction: Bidirectional between JSA components.
Requirement: Normalized event data that is communicated from an offsite source or between Event Collectors.

Port: 32005
Description: Data flow
Protocol: TCP
Direction: Bidirectional between JSA components.
Requirement: Data flow communication port between Event Collectors when on separate managed hosts.

Port: 32006
Description: Ariel queries
Protocol: TCP
Direction: Bidirectional between JSA components.
Requirement: Communication port between the Ariel proxy server and the Ariel query server.

Port: 32009
Description: Identity data
Protocol: TCP
Direction: Bidirectional between JSA components.
Requirement: Identity data that is communicated between the passive vulnerability information service (VIS) and the Event Collection service (ECS).

Port: 32010
Description: Flow listening source port
Protocol: TCP
Direction: Bidirectional between JSA components.
Requirement: Flow listening port to collect data from Flow Processors.

Port: 32011
Description: Ariel listening port
Protocol: TCP
Direction: Bidirectional between JSA components.
Requirement: Ariel listening port for database searches, progress information, and other associated commands.

Port: 32000-33999
Description: Data flow (flows, events, flow context)
Protocol: TCP
Direction: Bidirectional between JSA components.
Requirement: Data flows, such as events, flows, flow context, and event search queries.

Port: 40799
Description: PCAP data
Protocol: TCP
Direction: From Juniper Networks SRX Series appliances to JSA.
Requirement: Collecting incoming packet capture (PCAP) data from Juniper Networks SRX Series appliances. NOTE: The packet capture on your device can use a different port. For more information about configuring packet capture, see your Juniper Networks SRX Series appliance documentation.

Direction: Bidirectional traffic between the secondary host and primary host in an HA cluster
Requirement: Testing the network connection between the secondary host and primary host in an HA cluster by using Internet Control Message Protocol (ICMP).


Searching for Ports in Use by Juniper Secure Analytics

Use the netstat command to determine which ports are in use on the Juniper Secure Analytics (JSA) console or managed host. Use the netstat command to view all listening and established ports on the system.

1. Using SSH, log in to your JSA console, as the root user.

2. To display all active connections and the TCP and UDP ports on which the computer is listening, type the following command:

netstat -nap

3. To search for specific information from the netstat port list, type the following command:

netstat -nap | grep port

Examples:

• To display all ports that match 199, type the following command:

netstat -nap | grep 199

• To display all postgres related ports, type the following command:

netstat -nap | grep postgres

• To display information on all listening ports, type the following command:

netstat -nap | grep LISTEN
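A plain grep on a port number also matches longer port numbers and process IDs that contain the same digits. The following added example, which is not part of the original guide, parses netstat -nap output to match a port exactly and to list network-reachable listeners whose port is not in Table 14. The function names and the sample netstat output are constructed; the port list is copied from the Table 14 rows on this page that show a port number.

```shell
#!/bin/sh
# Added example: not part of the JSA guide. Function names and sample data are constructed.

# Ports and ranges from Table 14 on this page (only rows that show a port number).
DOCUMENTED_PORTS="22 25 37 80 111 135 138 139 199 443 445 514 762 1514 2049 2055"
DOCUMENTED_PORTS="$DOCUMENTED_PORTS 4333 6543 7676 7677 7777-7782 7789 7790 7791 7800 7801"
DOCUMENTED_PORTS="$DOCUMENTED_PORTS 8000 8001 8005 8009 8080 9995 10000 23111 32000-33999 40799"

# listeners < netstat_output
# Prints "proto port address program" for each TCP socket in LISTEN state and each
# unconnected UDP socket (UDP rows normally have an empty State column).
listeners() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }
        $1 ~ /^udp/ && $6 == "ESTABLISHED" { next }
        {
            n = split($4, part, ":")                  # port is the text after the last colon
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            prog = ($6 ~ /\// || NF == 6) ? $6 : $7   # PID/Program name column
            print $1, port, addr, prog
        }
    '
}

# exact_port PORT < netstat_output
# Listeners on exactly PORT, without the substring matches that grep produces.
exact_port() {
    listeners | awk -v p="$1" '$2 == p'
}

# undocumented "PORTS" < netstat_output
# Listeners that are not bound to loopback and whose port is outside the given
# space-separated list of ports and LOW-HIGH ranges.
undocumented() {
    listeners | awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, item, " ")
            for (i = 1; i <= n; i++) {
                m = split(item[i], r, "-")
                lo[i] = r[1] + 0
                hi[i] = (m == 2 ? r[2] : r[1]) + 0
            }
        }
        $3 == "127.0.0.1" || $3 == "::1" { next }
        {
            ok = 0
            for (i = 1; i <= n; i++) if ($2 + 0 >= lo[i] && $2 + 0 <= hi[i]) ok = 1
            if (!ok) print
        }
    '
}

# Constructed sample of netstat -nap output.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address    State       PID/Program name
tcp        0      0 0.0.0.0:22         0.0.0.0:*          LISTEN      1199/sshd
tcp        0      0 0.0.0.0:199        0.0.0.0:*          LISTEN      2210/snmpd
tcp        0      0 0.0.0.0:1990       0.0.0.0:*          LISTEN      3300/custom-agent
tcp        0      0 127.0.0.1:6010     0.0.0.0:*          LISTEN      1199/sshd
tcp        0      0 10.0.0.5:22        10.0.0.9:51990     ESTABLISHED 4100/sshd
tcp        0      0 :::443             :::*               LISTEN      2500/httpd
udp        0      0 0.0.0.0:514        0.0.0.0:*                      2600/syslog-ng
EOF
}

# grep 199 matches five sample lines; exact_port 199 matches one.
sample_netstat | exact_port 199
sample_netstat | undocumented "$DOCUMENTED_PORTS"
```

On a JSA host, pipe the live output instead of the sample: netstat -nap | undocumented "$DOCUMENTED_PORTS". Treat the result as a list to review, because Table 14 also describes randomly bound ports that a fixed list cannot name.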
