
Juniper Secure Analytics

Virtual Appliance Installation Guide

Release 2014.1

Published: 2014-12-04


Copyright © 2014, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Juniper Secure Analytics Virtual Appliance Installation Guide Copyright © 2014, Juniper Networks, Inc.

All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About the Documentation
    Documentation and Release Notes
    Documentation Conventions
    Documentation Feedback
    Requesting Technical Support
        Self-Help Online Tools and Resources
        Opening a Case with JTAC

Part 1: Virtual Appliance Installation

Chapter 1: Virtual Appliance Installations for JSA and Log Analytics
    Juniper Secure Analytics (JSA) and Log Analytics Installation Overview
    Overview of Supported Virtual Appliances
        JSA Virtual All-in-One or JSA Virtual Console Deployment
        JSA Virtual Distributed Event or Flow Processors
        JSA Virtual Distributed Event or Flow Processors
        JSA VFlow Collector 1290
        JSA 1590
    System Requirements for Virtual Appliances
    Creating Your Virtual Machine
    Installing the JSA Software on a Virtual Machine
    Adding Your Virtual Appliance to Your Deployment

About the Documentation

• Documentation and Release Notes

• Documentation Conventions

• Documentation Feedback

• Requesting Technical Support

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Documentation Conventions

Table 1 defines notice icons used in this guide.

Table 1: Notice Icons

Meaning: Description

• Informational note: Indicates important features or instructions.
• Caution: Indicates a situation that might result in loss of data or hardware damage.
• Warning: Alerts you to the risk of personal injury or death.
• Laser warning: Alerts you to the risk of personal injury from a laser.
• Tip: Indicates helpful information.
• Best practice: Alerts you to a recommended use or implementation.

Table 2 defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

• Bold text like this
  Description: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
      user@host> configure

• Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Example:
      user@host> show chassis alarms
      No alarms currently active

• Italic text like this
  Description: Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles.
  Examples: A policy term is a named structure that defines match conditions and actions. Junos OS CLI User Guide. RFC 1997, BGP Communities Attribute.

• Italic text like this
  Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine’s domain name:
      [edit]
      root@# set system domain-name domain-name

• Text like this
  Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
  Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE.

• < > (angle brackets)
  Description: Encloses optional keywords or variables.
  Example: stub <default-metric metric>;

• | (pipe symbol)
  Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Examples: broadcast | multicast
            (string1 | string2 | string3)

• # (pound sign)
  Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only

• [ ] (square brackets)
  Description: Encloses a variable for which you can substitute one or more values.
  Example: community name members [ community-ids ]

• Indention and braces ( { } )
  Description: Identifies a level in the configuration hierarchy.

• ; (semicolon)
  Description: Identifies a leaf statement at a configuration hierarchy level.

  Example for indention, braces, and semicolon:
      [edit]
      routing-options {
          static {
              route default {
                  nexthop address;
                  retain;
              }
          }
      }

GUI Conventions

• Bold text like this
  Description: Represents graphical user interface (GUI) items you click or select.
  Examples: In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel.

• > (bold right angle bracket)
  Description: Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page at the Juniper Networks Technical Documentation site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at https://www.juniper.net/cgi-bin/docbugreport/.

• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.

PART 1

Virtual Appliance Installation

• Virtual Appliance Installations for JSA and Log Analytics

CHAPTER 1

Virtual Appliance Installations for JSA and Log Analytics

This chapter describes the following sections:

• Juniper Secure Analytics (JSA) and Log Analytics Installation Overview

• Overview of Supported Virtual Appliances

• System Requirements for Virtual Appliances

• Creating Your Virtual Machine

• Installing the JSA Software on a Virtual Machine

• Adding Your Virtual Appliance to Your Deployment

Juniper Secure Analytics (JSA) and Log Analytics Installation Overview

You can install Juniper Secure Analytics (JSA) and Log Analytics on a virtual appliance. Ensure that you use a supported virtual appliance that meets the minimum system requirements.

To install a virtual appliance, complete the following tasks in sequence:

• Create a virtual machine.

• Install JSA software on the virtual machine.

• Add your virtual appliance to the deployment.

CAUTION: When deploying a JSA appliance with image 2013.2.r3.607582, you must reimage the appliance to the common image 2013.2.r3.615469. For more information, see Installing JSA Using a Bootable USB Flash-Drive Technical Note.

Related Documentation

• Overview of Supported Virtual Appliances

• System Requirements for Virtual Appliances

• Creating Your Virtual Machine

• Installing the JSA Software on a Virtual Machine

• Adding Your Virtual Appliance to Your Deployment

Overview of Supported Virtual Appliances

A virtual appliance is a Juniper Secure Analytics (JSA) system that consists of JSA software that is installed on a VMWare ESX 5.0 virtual machine. Use the procedures in this topic to install your virtual appliance.

A virtual appliance provides the same visibility and functionality in your virtual network infrastructure that JSA appliances provide in your physical environment.

After you install your virtual appliances, use the deployment editor to add your virtual appliances to your deployment. For more information on how to connect appliances, see the Juniper Secure Analytics Administration Guide.

JSA Virtual All-in-One or JSA Virtual Console Deployment

This virtual appliance is a Juniper Secure Analytics (JSA) system that can profile network behavior and identify network security threats. The JSA Virtual All-in-One or JSA Virtual console deployment virtual appliance includes an on-board Event Collector and internal storage for events.

The JSA Virtual All-in-One or JSA Virtual console deployment virtual appliance supports the following items:

• Up to 1,000 network objects

• 50,000 flows per interval, depending on your license

• 1,000 events per second (eps), depending on your license

• 750 event feeds (additional devices can be added to your licensing)

• External flow data sources for NetFlow, sFlow, J-Flow, Packeteer, and Flowlog files

• Flow Processor and Layer 7 network activity monitoring

To expand the capacity of the JSA Virtual All-in-One or JSA Virtual console deployment beyond the license-based upgrade options, you can add one or more of the JSA Virtual Distributed Event or Flow processors or JSA Virtual Distributed Event or Flow processors virtual appliances:

JSA Virtual Distributed Event or Flow Processors

This virtual appliance is a dedicated Event Processor that allows you to scale your Juniper Secure Analytics (JSA) deployment to manage higher EPS rates. The JSA Virtual Distributed Event or Flow processors includes an on-board Event Collector, Event Processor, and internal storage for events.

The JSA Virtual Distributed Event or Flow processors appliance supports the following items:

• Up to 1,000 events per second


• 2 TB or larger dedicated event storage

The JSA Virtual Distributed Event or Flow processors virtual appliance is a distributed Event Processor appliance and requires a connection to any series appliance.

JSA Virtual Distributed Event or Flow Processors

This virtual appliance is deployed with any series appliance. The virtual appliance is used to increase storage and includes an on-board Event Processor, and internal storage. JSA Virtual Distributed Event or Flow processors appliance supports the following items:

• 50,000 flows per interval depending on traffic types

• 2 TB or larger dedicated flow storage

• 1,000 network objects

• Flow Processor and Layer 7 network activity monitoring

You can add JSA Virtual Distributed Event or Flow processors appliances to any series appliance to increase the storage and performance of your deployment.

JSA VFlow Collector 1290

This virtual appliance provides the same visibility and functionality in your virtual network infrastructure that a Flow Processor offers in your physical environment. The Flow Processor virtual appliance analyzes network behavior and provides Layer 7 visibility within your virtual infrastructure. Network visibility is derived from a direct connection to the virtual switch.

The JSA Flow Processor 1290 virtual appliance supports a maximum of the following items:

• 10,000 flows per minute

• Three virtual switches, with one additional switch that is designated as the management interface.

The JSA VFlow Collector 1290 virtual appliance does not support NetFlow.

JSA 1590

This virtual appliance is a dedicated Event Collector, which is required if you want to enable the store and forward feature. The store and forward feature allows you to manage schedules that control when to start and stop forwarding events from your dedicated Event Collector appliances to Event Processor components in your deployment. A dedicated Event Collector does not process events and it does not include an on-board Event Processor.

By default, a dedicated Event Collector continuously forwards events to an Event Processor that you must connect using the deployment editor. The maximum Event Per Second (EPS) is controlled by the Event Processor.

Related Documentation

• Juniper Secure Analytics and Log Manager Installation Overview

• System Requirements for Virtual Appliances

• Creating Your Virtual Machine

• Installing the JSA Software on a Virtual Machine

• Adding Your Virtual Appliance to Your Deployment

System Requirements for Virtual Appliances

To ensure that Juniper Secure Analytics (JSA) works correctly, ensure that the virtual appliance that you use meets the minimum software and hardware requirements.

Table 3 describes the minimum requirements for virtual appliances.

Table 3: Requirements for Virtual Appliances

• Requirement: VMware client
  Description: VMware ESXi Version 5.0 or VMware ESXi Version 5.1. For more information about VMWare clients, see the VMware website at www.vmware.com

• Requirement: Virtual disk size on all appliances except Flow Processor appliances
  Description: Minimum: 256 GB
  NOTE: For optimal performance, ensure that an extra 2-3 times of the minimum disk space is available.

• Requirement: Virtual disk size for Flow Processor appliances
  Description: Minimum: 70 GB

Table 4 describes the minimum memory requirements for virtual appliances.

Table 4: Minimum and Optional Memory Requirements for JSA Virtual Appliances

Appliance: Minimum memory requirement / Suggested memory requirement

• JSA VFlow Collector 1290: 6 GB / 6 GB
• JSA 1590: 12 GB / 16 GB
• JSA Virtual Distributed Event or Flow processors: 12 GB / 48 GB
• JSA Virtual Distributed Event or Flow processors: 12 GB / 48 GB
• JSA Virtual All-in-One or JSA Virtual console deployment: 24 GB / 48 GB
• Log Analytics Virtual 1790: 24 GB / 48 GB

Related Documentation

• Juniper Secure Analytics and Log Manager Installation Overview

• Overview of Supported Virtual Appliances

• Creating Your Virtual Machine

• Installing the JSA Software on a Virtual Machine

• Adding Your Virtual Appliance to Your Deployment

Creating Your Virtual Machine

To install a virtual appliance, you must first use VMware vSphere Client 5.0 to create a virtual machine.

1. From the VMware vSphere Client, click File > New > Virtual Machine.

2. Use the following steps to guide you through the choices:

a. In the Configuration pane of the Create New Virtual Machine window, select Custom.

b. In the Virtual Machine Version pane, select Virtual Machine Version: 7.

c. For the Operating System (OS), select Red Hat Enterprise Linux 6 (64-bit).

d. On the CPUs page, configure the number of virtual processors that you want for the virtual machine:

When you configure the parameters on the CPU page, you must configure a minimum of two processors. The combination of number of virtual sockets and number of cores per virtual socket determines how many processors are configured on your system.

Table 5 provides examples of CPU page settings you can use.

Table 5: Sample CPU Page Settings

Number of processors: Sample CPU page settings

• 2: Number of virtual sockets = 1, Number of cores per virtual socket = 2
• 2: Number of virtual sockets = 2, Number of cores per virtual socket = 1
• 4: Number of virtual sockets = 4, Number of cores per virtual socket = 1
• 4: Number of virtual sockets = 2, Number of cores per virtual socket = 2

e. In the Memory Size field, type or select 8 or higher.

f. Use Table 6 to configure your network connections.

Table 6: Descriptions for Network Configuration Parameters

Parameter: Description

• How many NICs do you want to connect: You must add at least one Network Interface Controller (NIC)
• Adapter: VMXNET3

g. In the SCSI controller pane, select VMware Paravirtual.

h. In the Disk pane, select Create a new virtual disk and use Table 7 to configure the virtual disk parameters.

Table 7: Settings for the Virtual Disk Size and Provisioning Policy Parameters

Property: Option

• Capacity: 256 or higher (GB)
• Disk Provisioning: Thin provision
• Advanced options: Do not configure

3. On the Ready to Complete page, review the settings and click Finish.
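The wizard choices in the steps above can also be applied and read back with VMware PowerCLI, which gives a repeatable record of how the appliance VM was built. This is an added example, not part of the Juniper guide: the server, host, datastore, port group and VM names are placeholders, the 24 GB memory value is the Table 4 minimum for the All-in-One appliance, and it assumes a PowerCLI release that provides the -HardwareVersion and -CoresPerSocket parameters.

```powershell
# Added example: scripted equivalent of the Create New Virtual Machine wizard choices.
# Every name below is a placeholder (assumption), not a value from the guide.
$vCenter   = 'vcenter.example.test'
$vmHost    = 'esxi01.example.test'
$datastore = 'datastore1'
$portGroup = 'VM Network'
$vmName    = 'jsa-virtual-01'

Connect-VIServer -Server $vCenter | Out-Null   # prompts for credentials

# Steps b-e and h: virtual machine version 7, Red Hat Enterprise Linux 6 (64-bit),
# 2 processors (2 virtual sockets x 1 core), 256 GB thin-provisioned disk.
# 24 GB memory is an assumed value for an All-in-One appliance (Table 4 minimum).
$vm = New-VM -Name $vmName `
    -VMHost (Get-VMHost -Name $vmHost) `
    -Datastore (Get-Datastore -Name $datastore) `
    -HardwareVersion 'vmx-07' `
    -GuestId 'rhel6_64Guest' `
    -NumCpu 2 -CoresPerSocket 1 `
    -MemoryGB 24 `
    -DiskGB 256 -DiskStorageFormat Thin `
    -NetworkName $portGroup `
    -CD

# Step f: at least one NIC, adapter type VMXNET3.
Get-NetworkAdapter -VM $vm |
    Set-NetworkAdapter -Type Vmxnet3 -Confirm:$false | Out-Null

# Step g: VMware Paravirtual SCSI controller.
Get-ScsiController -VM $vm |
    Set-ScsiController -Type ParaVirtual -Confirm:$false | Out-Null

# Step 3 (review): read the settings back and flag anything that differs
# from the values the guide specifies.
$vm   = Get-VM -Name $vmName
$disk = Get-HardDisk -VM $vm | Select-Object -First 1
$nics = @(Get-NetworkAdapter -VM $vm)

$checks = [ordered]@{
    'Processors >= 2'       = $vm.NumCpu -ge 2
    'Disk >= 256 GB'        = $disk.CapacityGB -ge 256
    'Disk thin provisioned' = $disk.StorageFormat -eq 'Thin'
    'At least one NIC'      = $nics.Count -ge 1
    'All NICs are VMXNET3'  = -not ($nics | Where-Object { $_.Type -ne 'Vmxnet3' })
    'SCSI is ParaVirtual'   = -not (Get-ScsiController -VM $vm |
                                    Where-Object { $_.Type -ne 'ParaVirtual' })
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-24} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

For a Flow Processor appliance, change the disk check to the 70 GB minimum from Table 3.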

Related Documentation

• Juniper Secure Analytics and Log Manager Installation Overview

• Overview of Supported Virtual Appliances

• System Requirements for Virtual Appliances

• Installing the JSA Software on a Virtual Machine

• Adding Your Virtual Appliance to Your Deployment

Installing the JSA Software on a Virtual Machine

After you create your virtual machine, you must install the Juniper Secure Analytics (JSA) software on the virtual machine.

1. In the left navigation pane of your VMware vSphere Client, select your virtual machine.

2. In the right pane, click the Summary tab.

3. In the Commands pane, click Edit Settings.

4. In the left pane of the Virtual Machine Properties window, click CD/DVD Drive 1.

5. In the Device Status pane, select the Connect at power on check box.

6. In the Device Type pane, select Datastore ISO File and click Browse.

7. In the Browse Datastores window, locate and select the JSA product ISO file, click Open and then click OK.

8. After the JSA product ISO image is installed, right-click your virtual machine and click Power > Power On.

9. Log in to the virtual machine by typing root for the user name. The user name is case-sensitive.

10. For the type of setup, select normal.

11. For JSA console installations, select the Enterprise tuning template.

12. Follow the instructions in the installation wizard to complete the installation.

Table 6 contains descriptions and notes to help you configure the installation.

After you configure the installation parameters, a series of messages are displayed. The installation process might take several minutes.

Related Documentation

• Juniper Secure Analytics and Log Manager Installation Overview

• Overview of Supported Virtual Appliances

• System Requirements for Virtual Appliances

• Creating Your Virtual Machine

• Adding Your Virtual Appliance to Your Deployment

Adding Your Virtual Appliance to Your Deployment

After the Juniper Secure Analytics (JSA) software is installed, add your virtual appliance to your deployment.

1. Log in to the JSA console.

2. On the Admin tab, click the Deployment Editor icon.

3. In the Event Components pane on the Event View page, select the virtual appliance component that you want to add.

4. On the first page of the Adding a New Component task assistant, type a unique name for the virtual appliance.

The name that you assign to the virtual appliance can be up to 20 characters in length and can include underscores or hyphens.

5. Complete the steps in the task assistant.

6. From the Deployment Editor menu, click File > Save to staging.

7. On the Admin tab menu, click Deploy Changes.

Related Documentation

• Juniper Secure Analytics and Log Manager Installation Overview

• Overview of Supported Virtual Appliances

• System Requirements for Virtual Appliances

• Creating Your Virtual Machine

• Installing the JSA Software on a Virtual Machine
