Juniper Secure Analytics Installation Guide
Release 2014.1
Published: 2014-11-26

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net

All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Juniper Secure Analytics Installation Guide
All rights reserved. The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About the Documentation ... v
    Documentation and Release Notes ... v
    Documentation Conventions ... v
    Documentation Feedback ... vii
    Requesting Technical Support ... viii
        Self-Help Online Tools and Resources ... viii
        Opening a Case with JTAC ... viii

Part 1  Juniper Secure Analytics Installation

Chapter 1  Juniper Secure Analytics Deployment Overview ... 3
    Understanding JSA Deployment ... 3
    Licence Keys ... 3
    Integrated Management Module ... 4
    Supported Web Browsers ... 5
        Enabling Document Mode and Browser Mode in Internet Explorer ... 5

Chapter 2  Virtual Appliance Installations for JSA and Log Analytics ... 7
    Juniper Secure Analytics (JSA) and Log Analytics Installation Overview ... 7
    Overview of Supported Virtual Appliances ... 8
        JSA Virtual All-in-One or JSA Virtual Console Deployment ... 8
        JSA Virtual Distributed Event or Flow Processors ... 8
        JSA Virtual Distributed Event or Flow Processors ... 9
        JSA VFlow Collector 1290 ... 9
        JSA 1590 ... 9
    System Requirements for Virtual Appliances ... 10
    Creating Your Virtual Machine ... 11
    Installing the JSA Software on a Virtual Machine ... 12
    Adding Your Virtual Appliance to Your Deployment ... 13

Chapter 3  Installations from the Recovery Partition ... 15
    Installing from the Recovery Partition Using Factory Default Setting ... 15
    Re-Installing a JSA Appliance ... 16

Chapter 4  Network Settings Management ... 19
    Changing the Network Settings in an All-In-One System ... 19
    Changing the Network Settings of a JSA Console in a Multisystem Deployment ... 20
    Updating Network Settings After a NIC Replacement ... 22

Part 2  Appendix

Appendix A  Troubleshooting Problems ... 27
    Troubleshooting Resources ... 28
    JSA Log Files ... 28
    Ports Used by JSA ... 28
        Ports and Iptables ... 29
        SSH Communication on Port 22 ... 29
        JSA Ports ... 29
        Searching for Ports in Use by Juniper Secure Analytics ... 35

About the Documentation

- Documentation and Release Notes on page v
- Documentation Conventions on page v
- Documentation Feedback on page vii
- Requesting Technical Support on page viii

Documentation and Release Notes

To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Documentation Conventions

Table 1 on page vi defines notice icons used in this guide.

Table 1: Notice Icons

Meaning             Description
Informational note  Indicates important features or instructions.
Caution             Indicates a situation that might result in loss of data or hardware damage.
Warning             Alerts you to the risk of personal injury or death.
Laser warning       Alerts you to the risk of personal injury from a laser.
Tip                 Indicates helpful information.
Best practice       Alerts you to a recommended use or implementation.

Table 2 on page vi defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention:  Bold text like this
Description: Represents text that you type.
Examples:    To enter configuration mode, type the configure command:
                 user@host> configure

Convention:  Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:        user@host> show chassis alarms
                 No alarms currently active

Convention:  Italic text like this
Description: Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles.
Examples:    A policy term is a named structure that defines match conditions and actions.
             Junos OS CLI User Guide
             RFC 1997, BGP Communities Attribute

Convention:  Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples:    Configure the machine's domain name:
                 [edit]
                 root@# set system domain-name domain-name

Table 2: Text and Syntax Conventions (continued)

Convention:  Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:    To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
             The console port is labeled CONSOLE.

Convention:  < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples:    stub <default-metric metric>;

Convention:  | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:    broadcast | multicast
             (string1 | string2 | string3)

Convention:  # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples:    rsvp { # Required for dynamic MPLS only

Convention:  [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples:    community name members [ community-ids ]

Convention:  Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.
Examples:        [edit]
                 routing-options {
                     static {
                         route default {
                             nexthop address;
                             retain;
                         }
                     }
                 }

Convention:  ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Examples:    As in the preceding routing-options example.

GUI Conventions

Convention:  Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:    In the Logical Interfaces box, select All Interfaces.
             To cancel the configuration, click Cancel.

Convention:  > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples:    In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

- Online feedback rating system: On any page at the Juniper Networks Technical Documentation site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at https://www.juniper.net/cgi-bin/docbugreport/.

- E-mail: Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

- JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
- Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/.
- JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

- Find CSC offerings: http://www.juniper.net/customers/support/
- Search for known bugs: http://www2.juniper.net/kb/
- Find product documentation: http://www.juniper.net/techpubs/
- Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
- Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
- Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/infocenter/
- Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
- Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/serialnumberentitlementsearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

- Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
- Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.

PART 1
Juniper Secure Analytics Installation

- Juniper Secure Analytics Deployment Overview on page 3
- Virtual Appliance Installations for JSA and Log Analytics on page 7
- Installations from the Recovery Partition on page 15
- Network Settings Management on page 19

CHAPTER 1
Juniper Secure Analytics Deployment Overview

This chapter describes the following sections:

- Understanding JSA Deployment on page 3
- Licence Keys on page 3
- Integrated Management Module on page 4
- Supported Web Browsers on page 5

Understanding JSA Deployment

You can install Juniper Secure Analytics (JSA) components on a single server for small enterprises, or across multiple servers for large enterprise environments. For maximum performance and scalability, you must install redundant appliances for each system that requires high availability (HA) protection. For more information about installing or recovering an HA system, see the High Availability Guide.

Related Documentation
- Licence Keys on page 3
- Integrated Management Module on page 4
- Supported Web Browsers on page 5

Licence Keys

After the installation is complete and before the default license expires, you must access the Juniper Secure Analytics (JSA) user interface to apply your license key. Your system includes a default license key that provides you with access to JSA software for five weeks. After you install the software and before the default license key expires, you must add your purchased licenses.

Table 3 on page 4 and Table 4 on page 4 describe the restrictions for the default license key.

Table 3: Restrictions for the Default License Key for JSA Installation

Usage                        Limit
Active log source limit      750
Events per second threshold  5000
Flows per interval           200000
User limit                   10
Network object limit         300

Table 4: Restrictions for the Default License Key for Log Analytics Installations

Usage                    Limit
Active log source limit  750
Active log source limit  5000
User limit               10
Network object limit     300

Related Documentation
- Understanding JSA Deployment on page 3
- Integrated Management Module on page 4
- Supported Web Browsers on page 5

Integrated Management Module

Use the Integrated Management Module, which is on the back panel of each appliance type, to manage the serial and Ethernet connectors. You can configure the Integrated Management Module to share an Ethernet port with the Juniper Secure Analytics (JSA) product management interface. However, to reduce the risk of losing the connection when the appliance is restarted, configure the Integrated Management Module in dedicated mode.

To configure the Integrated Management Module, you must access the system BIOS settings by pressing F1 when the splash screen is displayed. For more information about configuring the Integrated Management Module, see the Integrated Management Module User's Guide on the CD that is shipped with your appliance.

Related Documentation
- Understanding JSA Deployment on page 3
- Licence Keys on page 3
- Supported Web Browsers on page 5

Supported Web Browsers

For the features in Juniper Secure Analytics (JSA) products to work properly, you must use a supported web browser. When you access the JSA system, you are prompted for a user name and a password. The user name and password must be configured in advance by the administrator.

Table 5 on page 5 lists the supported versions of web browsers.

Table 5: Supported Web Browsers for JSA Products

Web Browser                                                               Supported Version
Mozilla Firefox                                                           10.0 Extended Support Release (ESR)
Microsoft Internet Explorer, with document mode and browser mode enabled  8.0, 9.0
Google Chrome                                                             Latest version

Enabling Document Mode and Browser Mode in Internet Explorer

If you use Microsoft Internet Explorer to access Juniper Secure Analytics (JSA) products, you must enable browser mode and document mode.

1. In your Internet Explorer web browser, press F12 to open the Developer Tools window.
2. Click Browser Mode and select the version of your web browser.
3. Click Document Mode and select Internet Explorer 7.0 Standards.

Related Documentation
- Understanding JSA Deployment on page 3
- Licence Keys on page 3
- Integrated Management Module on page 4

CHAPTER 2
Virtual Appliance Installations for JSA and Log Analytics

This chapter describes the following sections:

- Juniper Secure Analytics (JSA) and Log Analytics Installation Overview on page 7
- Overview of Supported Virtual Appliances on page 8
- System Requirements for Virtual Appliances on page 10
- Creating Your Virtual Machine on page 11
- Installing the JSA Software on a Virtual Machine on page 12
- Adding Your Virtual Appliance to Your Deployment on page 13

Juniper Secure Analytics (JSA) and Log Analytics Installation Overview

You can install Juniper Secure Analytics (JSA) and Log Analytics on a virtual appliance. Ensure that you use a supported virtual appliance that meets the minimum system requirements.

To install a virtual appliance, complete the following tasks in sequence:

1. Create a virtual machine.
2. Install JSA software on the virtual machine.
3. Add your virtual appliance to the deployment.

CAUTION: When deploying a JSA appliance with image 2013.2.r3.607582, you must reimage the appliance to the common image 2013.2.r3.615469. For more information, see the Installing JSA Using a Bootable USB Flash-Drive Technical Note.

Related Documentation
- Overview of Supported Virtual Appliances on page 8
- System Requirements for Virtual Appliances on page 10
- Creating Your Virtual Machine on page 11
- Installing the JSA Software on a Virtual Machine on page 12
- Adding Your Virtual Appliance to Your Deployment on page 13

Overview of Supported Virtual Appliances

A virtual appliance is a Juniper Secure Analytics (JSA) system that consists of JSA software that is installed on a VMware ESX 5.0 virtual machine. Use the procedures in this topic to install your virtual appliance.

A virtual appliance provides the same visibility and functionality in your virtual network infrastructure that JSA appliances provide in your physical environment. After you install your virtual appliances, use the deployment editor to add your virtual appliances to your deployment. For more information on how to connect appliances, see the Juniper Secure Analytics Administration Guide.

JSA Virtual All-in-One or JSA Virtual Console Deployment

This virtual appliance is a Juniper Secure Analytics (JSA) system that can profile network behavior and identify network security threats. The JSA Virtual All-in-One or JSA Virtual console deployment virtual appliance includes an on-board Event Collector and internal storage for events.

The JSA Virtual All-in-One or JSA Virtual console deployment virtual appliance supports the following items:

- Up to 1,000 network objects
- 50,000 flows per interval, depending on your license
- 1,000 events per second (eps), depending on your license
- 750 event feeds (additional devices can be added to your licensing)
- External flow data sources for NetFlow, sFlow, J-Flow, Packeteer, and Flowlog files
- Flow Processor and Layer 7 network activity monitoring

To expand the capacity of the JSA Virtual All-in-One or JSA Virtual console deployment beyond the license-based upgrade options, you can add one or more of the JSA Virtual Distributed Event or Flow processors virtual appliances:

JSA Virtual Distributed Event or Flow Processors

This virtual appliance is a dedicated Event Processor that allows you to scale your Juniper Secure Analytics (JSA) deployment to manage higher EPS rates. The JSA Virtual Distributed Event or Flow processors appliance includes an on-board Event Collector, Event Processor, and internal storage for events.

The JSA Virtual Distributed Event or Flow processors appliance supports the following items:

- Up to 1,000 events per second
- 2 TB or larger dedicated event storage

The JSA Virtual Distributed Event or Flow processors virtual appliance is a distributed Event Processor appliance and requires a connection to any series appliance.

JSA Virtual Distributed Event or Flow Processors

This virtual appliance is deployed with any series appliance. The virtual appliance is used to increase storage and includes an on-board Event Processor and internal storage.

The JSA Virtual Distributed Event or Flow processors appliance supports the following items:

- 50,000 flows per interval, depending on traffic types
- 2 TB or larger dedicated flow storage
- 1,000 network objects
- Flow Processor and Layer 7 network activity monitoring

You can add JSA Virtual Distributed Event or Flow processors appliances to any series appliance to increase the storage and performance of your deployment.

JSA VFlow Collector 1290

This virtual appliance provides the same visibility and functionality in your virtual network infrastructure that a Flow Processor offers in your physical environment. The Flow Processor virtual appliance analyzes network behavior and provides Layer 7 visibility within your virtual infrastructure. Network visibility is derived from a direct connection to the virtual switch.

The JSA VFlow Collector 1290 virtual appliance supports a maximum of the following items:

- 10,000 flows per minute
- Three virtual switches, with one additional switch that is designated as the management interface

The JSA VFlow Collector 1290 virtual appliance does not support NetFlow.

JSA 1590

This virtual appliance is a dedicated Event Collector, which is required if you want to enable the store and forward feature. The store and forward feature allows you to manage schedules that control when to start and stop forwarding events from your dedicated Event Collector appliances to Event Processor components in your deployment.

A dedicated Event Collector does not process events and it does not include an on-board Event Processor. By default, a dedicated Event Collector continuously forwards events to an Event Processor that you must connect using the deployment editor. The maximum events per second (EPS) rate is controlled by the Event Processor.

Related Documentation
- Juniper Secure Analytics and Log Manager Installation Overview on page 7
- System Requirements for Virtual Appliances on page 10
- Creating Your Virtual Machine on page 11
- Installing the JSA Software on a Virtual Machine on page 12
- Adding Your Virtual Appliance to Your Deployment on page 13

System Requirements for Virtual Appliances

To ensure that Juniper Secure Analytics (JSA) works correctly, ensure that the virtual appliance that you use meets the minimum software and hardware requirements.

Table 6 on page 10 describes the minimum requirements for virtual appliances.

Table 6: Requirements for Virtual Appliances

Requirement: VMware client
Description: VMware ESXi Version 5.0 or VMware ESXi Version 5.1. For more information about VMware clients, see the VMware website at www.vmware.com.

Requirement: Virtual disk size on all appliances except Flow Processor appliances
Description: Minimum: 256 GB. NOTE: For optimal performance, ensure that 2 to 3 times the minimum disk space is available.

Requirement: Virtual disk size for Flow Processor appliances
Description: Minimum: 70 GB

Table 7 on page 10 describes the minimum memory requirements for virtual appliances.

Table 7: Minimum and Optional Memory Requirements for JSA Virtual Appliances

Appliance                                                 Minimum memory requirement  Suggested memory requirement
JSA VFlow Collector 1290                                  6 GB                        6 GB
JSA 1590                                                  12 GB                       16 GB
JSA Virtual Distributed Event or Flow processors          12 GB                       48 GB
JSA Virtual Distributed Event or Flow processors          12 GB                       48 GB
JSA Virtual All-in-One or JSA Virtual console deployment  24 GB                       48 GB
Log Analytics Virtual 1790                                24 GB                       48 GB

Related Documentation
- Juniper Secure Analytics and Log Manager Installation Overview on page 7
- Overview of Supported Virtual Appliances on page 8
- Creating Your Virtual Machine on page 11
- Installing the JSA Software on a Virtual Machine on page 12
- Adding Your Virtual Appliance to Your Deployment on page 13

Creating Your Virtual Machine

To install a virtual appliance, you must first use VMware vSphere Client 5.0 to create a virtual machine.

1. From the VMware vSphere Client, click File > New > Virtual Machine.
2. Use the following steps to guide you through the choices:
   a. In the Configuration pane of the Create New Virtual Machine window, select Custom.
   b. In the Virtual Machine Version pane, select Virtual Machine Version: 7.
   c. For the Operating System (OS), select Red Hat Enterprise Linux 6 (64-bit).
   d. On the CPUs page, configure the number of virtual processors that you want for the virtual machine. You must configure a minimum of two processors. The combination of the number of virtual sockets and the number of cores per virtual socket determines how many processors are configured on your system. Table 8 on page 11 provides examples of CPU page settings you can use.

Table 8: Sample CPU Page Settings

Number of processors  Sample CPU page settings
2                     Number of virtual sockets = 1; Number of cores per virtual socket = 2
2                     Number of virtual sockets = 2; Number of cores per virtual socket = 1
4                     Number of virtual sockets = 4; Number of cores per virtual socket = 1
4                     Number of virtual sockets = 2; Number of cores per virtual socket = 2

   e. In the Memory Size field, type or select 8 or higher.

   f. Use Table 9 on page 12 to configure your network connections.

Table 9: Descriptions for Network Configuration Parameters

Parameter                             Description
How many NICs do you want to connect  You must add at least one Network Interface Controller (NIC).
Adapter                               VMXNET3

   g. In the SCSI controller pane, select VMware Paravirtual.
   h. In the Disk pane, select Create a new virtual disk and use Table 10 on page 12 to configure the virtual disk parameters.

Table 10: Settings for the Virtual Disk Size and Provisioning Policy Parameters

Property           Option
Capacity           256 or higher (GB)
Disk Provisioning  Thin provision
Advanced options   Do not configure

3. On the Ready to Complete page, review the settings and click Finish.

Related Documentation
- Juniper Secure Analytics and Log Manager Installation Overview on page 7
- Overview of Supported Virtual Appliances on page 8
- System Requirements for Virtual Appliances on page 10
- Installing the JSA Software on a Virtual Machine on page 12
- Adding Your Virtual Appliance to Your Deployment on page 13

Installing the JSA Software on a Virtual Machine

After you create your virtual machine, you must install the Juniper Secure Analytics (JSA) software on the virtual machine.

1. In the left navigation pane of your VMware vSphere Client, select your virtual machine.
2. In the right pane, click the Summary tab.
3. In the Commands pane, click Edit Settings.
4. In the left pane of the Virtual Machine Properties window, click CD/DVD Drive 1.
5. In the Device Status pane, select the Connect at power on check box.
6. In the Device Type pane, select Datastore ISO File and click Browse.

Chapter 2: Virtual Appliance Installations for JSA and Log Analytics 7. In the Browse Datastores window, locate and select the JSA product ISO file, click Open and then click OK. 8. After the JSA product ISO image is installed, right-click your virtual machine and click Power > Power On. 9. Log in to the virtual machine by typing root for the user name. The user name is case-sensitive. 10. For the type of setup, select normal. 11. For JSA console installations, select the Enterprise tuning template. 12. Follow the instructions in the installation wizard to complete the installation. Table 9 on page 12 contains descriptions and notes to help you configure the installation. After you configure the installation parameters, a series of messages are displayed. The installation process might take several minutes. Related Documentation Juniper Secure Analytics and Log Manager Installation Overview on page 7 Overview of Supported Virtual Appliances on page 8 System Requirements for Virtual Appliances on page 10 Creating Your Virtual Machine on page 11 Adding Your Virtual Appliance to Your Deployment on page 13 Adding Your Virtual Appliance to Your Deployment After the Juniper Secure Analytics (JSA) software is installed, add your virtual appliance to your deployment. 1. Log in to the JSA console. 2. On the Admin tab, click the Deployment Editor icon. 3. In the Event Components pane on the Event View page, select the virtual appliance component that you want to add. 4. On the first page of the Adding a New Component task assistant, type a unique name for the virtual appliance. The name that you assign to the virtual appliance can be up to 20 characters in length and can include underscores or hyphens. 5. Complete the steps in the task assistant. 6. From the Deployment Editor menu, click File > Save to staging. 7. On the Admin tab menu, click Deploy Changes. Related Documentation Juniper Secure Analytics and Log Manager Installation Overview on page 7 13

Juniper Secure Analytics Installation Guide Overview of Supported Virtual Appliances on page 8 System Requirements for Virtual Appliances on page 10 Creating Your Virtual Machine on page 11 Installing the JSA Software on a Virtual Machine on page 12 14

CHAPTER 3
Installations from the Recovery Partition

When you install Juniper Secure Analytics (JSA) products, the installer (ISO image) is copied to the recovery partition. From this partition, you can reinstall JSA products. Your system is restored to the default configuration, and your current configuration and data files are overwritten.

When you restart your JSA appliance, an option to reinstall the software is displayed. If you do not respond to the prompt within five seconds, the system continues to start as normal and your configuration and data files are maintained. If you choose the reinstall option, a warning message is displayed and you must confirm that you want to reinstall.

After a hard disk failure, you might not be able to reinstall from the recovery partition because the recovery partition is no longer available. If you experience a hard disk failure, contact Juniper Customer Support for assistance.

Any software upgrade of JSA version 2014.1 replaces the existing ISO file with the newer version. These guidelines apply to JSA version 2014.1 installations or upgrades.

  Installing from the Recovery Partition Using Factory Default Setting on page 15
  Re-Installing a JSA Appliance on page 16

Installing from the Recovery Partition Using Factory Default Setting

You can reinstall Juniper Secure Analytics (JSA) products from the recovery partition.

If your deployment includes offboard storage solutions, you must disconnect your offboard storage before you reinstall JSA. After you reinstall, you can remount your external storage solutions. For more information on configuring offboard storage, see the Configuring Offboard Storage Guide.

To install a factory default setting:

1. Restart your JSA appliance and select Factory re-install.
2. Type flatten. The installer partitions and reformats the hard disk, installs the OS, and then reinstalls the JSA product. You must wait for the flatten process to complete. This process can take up to several minutes. When the process is complete, a confirmation is displayed.
3. Type SETUP.
4. Log in as the root user.
5. For JSA console installations, select the Enterprise tuning template.
6. Follow the instructions in the installation wizard to complete the installation. Table 9 on page 12 contains descriptions and notes to help you configure the installation.

After you configure the installation parameters, a series of messages is displayed. The installation process might take several minutes.

Related Documentation
  Re-Installing a JSA Appliance on page 16

Re-Installing a JSA Appliance

You can reinstall Juniper Secure Analytics (JSA) products from the recovery partition.

To re-install a JSA appliance:

1. Select the Enterprise tuning template. Select Next and press Enter.
2. Configure your time settings:
   a. Choose one of the following options:
      Manual: Select this option to manually input the time and date. Select Next and press Enter. The Current Date and Time window is displayed. Go to Step b.
      Server: Select this option to specify your time server. Select Next and press Enter. The Enter Time Server window is displayed. Go to Step c.
   b. To manually enter the time and date, type the current time and date. Select Next and press Enter. Go to Step 3.
   c. To specify a time server, in the Time server field, type the time server name or IP address. Select Next and press Enter. Go to Step 5.
3. On the Time Zone Continent window, select your time zone continent or area. Select Next and press Enter.
4. On the Time Zone Region window, select your time zone region. Select Next and press Enter.
5. Select an Internet protocol version. Select Next and press Enter.
6. Select the interface that you want to use as the management interface. Select Next and press Enter.
7. Choose one of the following options:
   If you use IPv4 as your Internet protocol, go to Step 10.
   If you use IPv6 as your Internet protocol, go to Step 8.
8. Choose one of the following options:
   a. To automatically configure for IPv6, select Yes and press Enter. The automatic configuration can take an extended period of time. Go to Step 10.
   b. To manually configure for IPv6, select No and press Enter. Go to Step 9.
9. Enter network information to use for IPv6:
   a. In the Hostname field, type a fully qualified domain name as the system hostname.
   b. In the IP Address field, type the IP address of the system.
   c. In the Email server field, type the email server. If you do not have an email server, type localhost in this field.
   d. Select Next and press Enter. Go to Step 11.
10. Configure the JSA network settings:
   a. Enter values for the following parameters:
      Hostname: Type a fully qualified domain name as the system hostname.
      IP Address: Type the IP address of the system.
      Network Mask: Type the network mask address for the system.
      Gateway: Type the default gateway of the system.
      Primary DNS: Type the primary DNS server address.
      Secondary DNS: Optional. Type the secondary DNS server address.
      Public IP: Optional. Type the public IP address of the server.
      Email Server: Type the email server. If you do not have an email server, type localhost in this field.
   b. Select Next and press Enter.
11. Configure the JSA root password:
   a. Type your password. Select Next and press Enter. The Confirm New Root Password window is displayed. The password must meet the following criteria:
      Must contain at least five characters
      No spaces
      Can include the following special characters: @, #, ^, and *
   b. Retype your new password to confirm. Select Finish and press Enter.
12. Press Enter to select OK.

After you configure the installation parameters, a series of messages is displayed as JSA continues with the reinstallation. This process typically takes several minutes.

Related Documentation
  Installing from the Recovery Partition Using Factory Default Setting on page 15

CHAPTER 4
Network Settings Management

Use the qchange_netsetup script to change the network settings of your Juniper Secure Analytics (JSA) system. Configurable network settings include host name, IP address, network mask, gateway, DNS addresses, public IP address, and email server.

  Changing the Network Settings in an All-In-One System on page 19
  Changing the Network Settings of a JSA Console in a Multisystem Deployment on page 20
  Updating Network Settings After a NIC Replacement on page 22

Changing the Network Settings in an All-In-One System

You can change the network settings in your All-In-One system. An All-In-One system has all Juniper Secure Analytics (JSA) components installed on one system.

You must have a local connection to your JSA console.

1. Log in as the root user:
   Username: root
   Password: password
2. Type the following command:
   qchange_netsetup
3. Follow the instructions in the wizard to complete the configuration. Table 11 on page 19 contains descriptions and notes to help you configure the network settings.

   Table 11: Description of Network Settings for an All-In-One JSA Console
   Network Setting | Description
   Host name | Fully qualified domain name
   Secondary DNS server address | Optional
   Public IP address for networks that use Network Address Translation (NAT) | Optional. Used to access the server, usually from a different network or the Internet. Configured by using Network Address Translation (NAT) services on your network or firewall settings on your network. (NAT translates an IP address in one network to a different IP address in another network.)
   Email server name | If you do not have an email server, use localhost

A series of messages is displayed as JSA processes the requested changes. After the requested changes are processed, the JSA system is automatically shut down and restarted.

Related Documentation
  Changing the Network Settings of a JSA Console in a Multisystem Deployment on page 20
  Updating Network Settings After a NIC Replacement on page 22

Changing the Network Settings of a JSA Console in a Multisystem Deployment

To change the network settings in a multisystem Juniper Secure Analytics (JSA) deployment, remove all managed hosts, change the network settings, re-add the managed hosts, and then re-assign the components.

1. To remove managed hosts, log in to JSA. The user name is admin.
   a. Click the Admin tab.
   b. Click the Deployment Editor icon.
   c. In the Deployment Editor window, click the System View tab.
   d. For each managed host in your deployment, right-click the managed host and select Remove host.
   e. On the Admin tab, click Deploy Changes.
2. To change network settings on the JSA console, use SSH to log in to JSA as the root user. The user name is root.
   a. Type the following command:
      qchange_netsetup
   b. Follow the instructions in the wizard to complete the configuration. Table 12 on page 21 contains descriptions and notes to help you configure the network settings.

      Table 12: Description of Network Settings for a Multisystem JSA Console Deployment
      Network Setting | Description
      Host name | Fully qualified domain name
      Secondary DNS server address | Optional
      Public IP address for networks that use Network Address Translation (NAT) | Optional. Used to access the server, usually from a different network or the Internet. Configured by using Network Address Translation (NAT) services on your network or firewall settings on your network. (NAT translates an IP address in one network to a different IP address in another network.)
      Email server name | If you do not have an email server, use localhost.

   After you configure the installation parameters, a series of messages is displayed. The installation process might take several minutes.
3. To re-add and reassign the managed hosts, log in to JSA. The user name is admin.
   a. Click the Admin tab.
   b. Click the Deployment Editor icon.
   c. In the Deployment Editor window, click the System View tab.
   d. Click Actions > Add a managed host.
   e. Follow the instructions in the wizard to add a host. Select the Host is NATed option to configure a public IP address for the server. This IP address is a secondary IP address that is used to access the server, usually from a different network or the Internet. The public IP address is often configured by using Network Address Translation (NAT) services on your network or firewall settings on your network. NAT translates an IP address in one network to a different IP address in another network.
4. Reassign all components to your managed hosts that are not your JSA console.
   a. In the Deployment Editor window, click the Event View tab, and select the component that you want to reassign to the managed host.
   b. Click Actions > Assign.
   c. From the Select a host list, select the host that you want to reassign to this component.
   d. On the Admin tab, click Deploy Changes.

Related Documentation
  Changing the Network Settings in an All-In-One System on page 19
  Updating Network Settings After a NIC Replacement on page 22

Updating Network Settings After a NIC Replacement

If you replace your integrated system board or stand-alone Network Interface Cards (NICs), you must update your Juniper Secure Analytics (JSA) network settings to ensure that your hardware remains operational.

The network settings file contains one pair of lines for each NIC that is installed and one pair of lines for each NIC that was removed. You must remove the lines for the NIC that you removed and then rename the NIC that you installed.

Your network settings file might resemble the following example, where NAME="eth0" is the NIC that was replaced and NAME="eth4" is the NIC that was installed.

   # PCI device 0x14e4:0x163b (bnx2)
   SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="78:2a:cb:23:1a:2f", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
   # PCI device 0x14e4:0x163b (bnx2)
   SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="78:2a:cb:23:1a:2f", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
   # PCI device 0x14e4:0x163b (bnx2)
   SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="78:2a:cb:23:1a:2f", ATTR{type}=="1", KERNEL=="eth*", NAME="eth4"
   # PCI device 0x14e4:0x163b (bnx2)
   SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="78:2a:cb:23:1a:2f", ATTR{type}=="1", KERNEL=="eth*", NAME="eth4"

1. Use SSH to log in to the Juniper Secure Analytics (JSA) product as the root user. The user name is root.
2. Type the following command:
   cd /etc/udev/rules.d/
3. To edit the network settings file, type the following command:
   vi 70-persistent-net.rules
4. Remove the pair of lines for the NIC that was replaced: NAME="eth0".
5. Rename the NAME="<eth>" values for the newly installed NIC. Example: rename NAME="eth4" to NAME="eth0".
6. Save and close the file.
7. Type the following command:
   reboot

Related Documentation
  Changing the Network Settings in an All-In-One System on page 19
  Changing the Network Settings of a JSA Console in a Multisystem Deployment on page 20
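The procedure above, as an added example that is not part of this guide: a hypothetical Python 3 helper that applies steps 4 and 5 to a copy of 70-persistent-net.rules (drops the comment and rule pair of the replaced NIC, renames the installed NIC's rule to the old name) and checks that no interface name is claimed twice before you reboot. The function names and the second and third MAC addresses in the sample are assumptions; only the first MAC address comes from the guide's example.

```python
"""Rewrite a 70-persistent-net.rules file after a NIC replacement.

Added example, not from the JSA guide. Hypothetical helper that performs the
guide's steps 4 and 5 (drop the replaced NIC's comment+rule pair, rename the
installed NIC to the old name) and checks the result before you reboot.
Run it on a copy of the file; the sample rules below are constructed.
"""
import re

# Matches the NAME="ethN" assignment at the end of a udev rule line.
NAME_RE = re.compile(r'NAME="([^"]*)"')
# Matches the MAC address that the rule binds the interface name to.
MAC_RE = re.compile(r'ATTR\{address\}=="([^"]*)"')


def rewrite_persistent_net_rules(text, removed_nic, installed_nic):
    """Return the rules text with every comment+rule pair naming removed_nic
    deleted and every rule naming installed_nic renamed to removed_nic."""
    out = []
    pending_comment = None  # the "# PCI device ..." line that precedes a rule
    for line in text.splitlines():
        if line.startswith("#"):
            if pending_comment is not None:
                out.append(pending_comment)  # comment with no rule: keep it
            pending_comment = line
            continue
        m = NAME_RE.search(line)
        if m and m.group(1) == removed_nic:
            pending_comment = None  # drop both lines of the pair
            continue
        if m and m.group(1) == installed_nic:
            line = line[:m.start(1)] + removed_nic + line[m.end(1):]
        if pending_comment is not None:
            out.append(pending_comment)
            pending_comment = None
        out.append(line)
    if pending_comment is not None:
        out.append(pending_comment)
    result = "\n".join(out)
    return result + "\n" if text.endswith("\n") else result


def duplicate_names(text):
    """Return interface names claimed by more than one rule. udev binds one
    device per name, so only reboot when this list is empty."""
    counts = {}
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if m and not line.startswith("#"):
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


def mac_for_name(text, name):
    """Return the MAC address bound to `name`, or None if no rule names it."""
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        m = NAME_RE.search(line)
        if m and m.group(1) == name:
            mac = MAC_RE.search(line)
            return mac.group(1) if mac else None
    return None


# Constructed sample: eth0 is the replaced NIC, eth4 the installed one, eth1
# an untouched NIC. The first MAC is the guide's; the other two are made up.
SAMPLE_RULES = (
    '# PCI device 0x14e4:0x163b (bnx2)\n'
    'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", '
    'ATTR{address}=="78:2a:cb:23:1a:2f", ATTR{type}=="1", '
    'KERNEL=="eth*", NAME="eth0"\n'
    '# PCI device 0x14e4:0x163b (bnx2)\n'
    'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", '
    'ATTR{address}=="78:2a:cb:23:1a:30", ATTR{type}=="1", '
    'KERNEL=="eth*", NAME="eth4"\n'
    '# PCI device 0x14e4:0x163b (bnx2)\n'
    'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", '
    'ATTR{address}=="78:2a:cb:23:1a:31", ATTR{type}=="1", '
    'KERNEL=="eth*", NAME="eth1"\n'
)

if __name__ == "__main__":
    fixed = rewrite_persistent_net_rules(SAMPLE_RULES, "eth0", "eth4")
    print(fixed)
    print("duplicate names:", duplicate_names(fixed))
```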


PART 2
Appendix

The Appendix chapter describes the following sections:
  Troubleshooting Problems on page 27


APPENDIX A
Troubleshooting Problems

Troubleshooting is a systematic approach to solving a problem. The goal of troubleshooting is to determine why something does not work as expected and how to resolve the problem. Review Table 13 on page 27 to help you or customer support resolve a problem.

Table 13: Troubleshooting Actions to Prevent Problems
Action | Description
Apply all known fix packs, service levels, or program temporary fixes (PTF). | A product fix might be available to fix the problem.
Ensure that the configuration is supported. | Review the software and hardware requirements.
Look up error message codes by selecting the product from Juniper Customer Support at http://www.juniper.net/support/ and then typing the error message code into the Search support box. | Error messages give important information to help you identify the component that is causing the problem.
Reproduce the problem to ensure that it is not just a simple error. | If samples are available with the product, you might try to reproduce the problem by using the sample data.
Check the installation directory structure and file permissions. | The installation location must contain the appropriate file structure and file permissions. For example, if the product requires write access to log files, ensure that the directory has the correct permission.
Review relevant documentation, such as release notes, tech notes, and proven practices documentation. | Search the Juniper Networks knowledge bases to determine whether your problem is known, has a workaround, or is already resolved and documented.
Review recent changes in your computing environment. | Sometimes installing new software might cause compatibility issues.

If you still need to resolve problems, you must collect diagnostic data. This data is necessary for a Juniper technical support representative to effectively troubleshoot and assist you in resolving the problem. You can also collect diagnostic data and analyze it yourself.

  Troubleshooting Resources on page 28
  JSA Log Files on page 28
  Ports Used by JSA on page 28

Troubleshooting Resources

Troubleshooting resources are sources of information that can help you resolve a problem that you have with a product. Find the Juniper Secure Analytics (JSA) content that you need by selecting your products from Juniper Customer Support (http://www.juniper.net/customers/support/).

JSA Log Files

Use the Juniper Secure Analytics (JSA) log files to help you troubleshoot problems. You can review the log files for the current session individually, or you can collect them to review later.

Follow these steps to review the JSA log files.

1. To help you troubleshoot errors or exceptions, review the following log files:
   /var/log/qradar.log
   /var/log/qradar.error
2. If you require more information, review the following log files:
   https://console_ip/system_info.cgi
   /var/log/qradar-sql.log
   /opt/tomcat5/logs/catalina.out
   /opt/imq/share/var/instances/imqbroker/log/log.txt
   /var/log/qflow.debug
3. To collect log files for a Juniper Networks technical support representative, from the command line, run the following command:
   /opt/qradar/support/get_logs.sh -s
   The command creates a logs_<console_name>_<date_time>.tar.bz2 file in the /var/log directory.

Ports Used by JSA

Review the common ports that are used by Juniper Secure Analytics (JSA), services, and components. For example, you can determine the ports that must be opened for the JSA console to communicate with remote Event Processors.

Ports and Iptables

The listen ports for Juniper Secure Analytics (JSA) are valid only when iptables is enabled on your JSA system.

SSH Communication on Port 22

All the ports that are described in Table 14 on page 29 can be tunneled, by encryption, through port 22 over SSH. Managed hosts that use encryption can establish multiple bidirectional SSH sessions to communicate securely. These SSH sessions are initiated from the managed host to provide data to the host that needs the data in the deployment. For example, Event Processor appliances can initiate multiple SSH sessions to the JSA console for secure communication. This communication can include tunneled ports over SSH, such as HTTPS data for port 443 and Ariel query data for port 32006. Flow Processors that use encryption can initiate SSH sessions to Flow Processor appliances that require data.

JSA Ports

Unless otherwise noted, information about the assigned port number, descriptions, protocols, and the signaling direction for the port applies to all Juniper Secure Analytics (JSA) products. Table 14 on page 29 lists the ports, protocols, communication direction, description, and the reason that the port is used.

Table 14: Listening Ports that are used by JSA, Services, and Components
Columns: Port | Description | Protocol | Direction | Requirement

Port 22: SSH
  Direction: Bidirectional from the JSA console to all other components.
  Requirement: Remote management access. Adding a remote system as a managed host. Log source protocols to retrieve files from external devices, for example the log file protocol. Users who use the command line interface to communicate from desktops to the console. High availability.

Port 25: SMTP
  Direction: From all managed hosts to the SMTP gateway.
  Requirement: Emails from JSA to an SMTP gateway. Delivery of error and warning email messages to an administrative email contact.

Port 37: rdate (time)
  Protocol: TCP/UDP
  Direction: All systems to the JSA console. JSA console to the NTP or rdate server.
  Requirement: Time synchronization between the JSA console and managed hosts.

Port 80: Apache/HTTPS
  Direction: Users that connect to the JSA console. Users that connect to the JSA Deployment Editor.
  Requirement: Communication and downloads from the JSA console to desktops. The Deployment Editor application to download and show deployment information.

Port 111: Port mapper
  Protocol: TCP/UDP
  Direction: Managed hosts that communicate to the JSA console.
  Requirement: Remote Procedure Calls (RPC) for required services, such as Network File System (NFS).

Port 135 and dynamically allocated ports above 1024 for RPC calls: DCOM
  Direction: WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events. Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.
  Requirement: This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. NOTE: DCOM typically allocates a random port range for communication. You can configure Microsoft Windows products to use a specific port. For more information, see your Microsoft Windows documentation.

Port 137: Windows NetBIOS name service
  Protocol: UDP
  Direction: Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events. Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.
  Requirement: This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

Port 138: Windows NetBIOS datagram service
  Protocol: UDP
  Direction: Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events. Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.
  Requirement: This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

Port 139: Windows NetBIOS session service
  Direction: Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events. Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.
  Requirement: This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

Port 199: NetSNMP
  Direction: JSA managed hosts that connect to the JSA console. External log sources to JSA Event Collectors.
  Requirement: Port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources.

Port 443: Apache/HTTPS
  Direction: Bidirectional traffic for secure communications from all products to the JSA console.
  Requirement: Configuration downloads to managed hosts from the JSA console. JSA managed hosts that connect to the JSA console. Users to have login access to JSA. The JSA console that manages and provides configuration updates to WinCollect agents.

Port 445: Microsoft Directory Service
  Direction: Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events. Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.
  Requirement: This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

Port 514: Syslog
  Protocol: TCP/UDP
  Direction: External network appliances that provide TCP syslog events use bidirectional traffic. External network appliances that provide UDP syslog events use unidirectional traffic.
  Requirement: External log sources to send event data to JSA components. Syslog traffic includes WinCollect agents and Adaptive Log Exporter agents capable of sending either UDP or TCP events to JSA.

Port 762: Network File System (NFS) mount daemon (mountd)
  Protocol: TCP/UDP
  Direction: Connections between the JSA console and NFS server.
  Requirement: The Network File System (NFS) mount daemon, which processes requests to mount a file system at a specified location.

Port 1514: Syslog-ng
  Protocol: TCP/UDP
  Direction: Connection between the local Event Collector component and local Event Processor component to the syslog-ng daemon for logging.
  Requirement: Internal logging port for syslog-ng.

Port 2049: NFS
  Direction: Connections between the JSA console and NFS server.
  Requirement: The Network File System (NFS) protocol to share files or data between components.

Port 2055: NetFlow data
  Protocol: UDP
  Direction: From the management interface on the flow source (typically a router) to the Flow Processor.
  Requirement: NetFlow datagrams from components, such as routers.

Port 4333: Redirect port
  Requirement: This port is assigned as a redirect port for Address Resolution Protocol (ARP) requests in JSA offense resolution.

Port 5432: Postgres
  Direction: Communication for the managed host that is used to access the local database instance.
  Requirement: Required for provisioning managed hosts from the Admin tab.

Port 6543: High availability heartbeat
  Protocol: TCP/UDP
  Direction: Bidirectional between the secondary host and primary host in an HA cluster.
  Requirement: Heartbeat ping from a secondary host to a primary host in an HA cluster to detect hardware or network failure.

Ports 7676, 7677, and four randomly bound ports above 32000: Messaging connections (IMQ)
  Direction: Message queue communications between components on a managed host.
  Requirement: Message queue broker for communications between components on a managed host. Ports 7676 and 7677 are static ports, and four extra connections are created on random ports.

Ports 7777-7782, 7790, 7791: JMX server ports
  Direction: Internal communications; these ports are not available externally.
  Requirement: JMX server (MBean) monitoring for ECS, hostcontext, Tomcat, VIS, reporting, ariel, and accumulator services. NOTE: These ports are used by JSA support.

Port 7789: HA Distributed Replicated Block Device (DRBD)
  Protocol: TCP/UDP
  Direction: Bidirectional between the secondary host and primary host in an HA cluster.
  Requirement: Distributed Replicated Block Device (DRBD) used to keep drives synchronized between the primary and secondary hosts in HA configurations.

Port 7800: Apache Tomcat
  Direction: From the Event Collector to the JSA console.
  Requirement: Real-time (streaming) for events.

Port 7801: Apache Tomcat
  Direction: From the Event Collector to the JSA console.
  Requirement: Real-time (streaming) for flows.

Port 8000: Event Collection service (ECS)
  Direction: From the Event Collector to the JSA console.
  Requirement: Listening port for the specific Event Collection service (ECS).

Port 8001: SNMP daemon port
  Protocol: UDP
  Direction: External SNMP systems that request SNMP trap information from the JSA console.
  Requirement: UDP listening port for external SNMP data requests.

Port 8005: Apache Tomcat
  Direction: None.
  Requirement: A local port that is not used by JSA.

Port 8009: Apache Tomcat
  Direction: From the HTTP daemon (HTTPd) process to Tomcat.
  Requirement: From the HTTP daemon (HTTPd) process to Tomcat.

Port 8080: Apache Tomcat
  Direction: From the HTTP daemon (HTTPd) process to Tomcat.
  Requirement: Tomcat connector, where the request is used and proxied for the web service.

Port 9995: NetFlow data
  Protocol: UDP
  Direction: From the management interface on the flow source (typically a router) to the Flow Processor.
  Requirement: NetFlow datagrams from components, such as routers.

Port 10000: JSA web-based system administration interface
  Protocol: TCP/UDP
  Direction: User desktop systems to all JSA hosts.
  Requirement: Server changes, such as the host's root password and firewall access.

Port 23111: SOAP web server
  Requirement: SOAP web server port for the Event Collection service (ECS).

Port 32004: Normalized event forwarding
  Direction: Bidirectional between JSA components.
  Requirement: Normalized event data that is communicated from an offsite source or between Event Collectors.

Port 32005: Data flow
  Direction: Bidirectional between JSA components.
  Requirement: Data flow communication port between Event Collectors when on separate managed hosts.

Port 32006: Ariel queries
  Direction: Bidirectional between JSA components.
  Requirement: Communication port between the Ariel proxy server and the Ariel query server.

Port 32009: Identity data
  Direction: Bidirectional between JSA components.
  Requirement: Identity data that is communicated between the passive vulnerability information service (VIS) and the Event Collection service (ECS).

Port 32010: Flow listening source port
  Direction: Bidirectional between JSA components.
  Requirement: Flow listening port to collect data from Flow Processors.

Port 32011: Ariel listening port
  Direction: Bidirectional between JSA components.
  Requirement: Ariel listening port for database searches, progress information, and other associated commands.

Ports 32000-33999: Data flow (flows, events, flow context)
  Direction: Bidirectional between JSA components.
  Requirement: Data flows, such as events, flows, flow context, and event search queries.

Port 40799: PCAP data
  Direction: From Juniper Networks SRX Series appliances to JSA.
  Requirement: Collecting incoming packet capture (PCAP) data from Juniper Networks SRX Series appliances. NOTE: The packet capture on your device can use a different port. For more information about configuring packet capture, see your Juniper Networks SRX Series appliance documentation.

ICMP: ICMP
  Direction: Bidirectional traffic between the secondary host and primary host in an HA cluster.
  Requirement: Testing the network connection between the secondary host and primary host in an HA cluster by using Internet Control Message Protocol (ICMP).

Searching for Ports in Use by Juniper Secure Analytics

Use the netstat command to determine which ports are in use on the Juniper Secure Analytics (JSA) console or managed host. The netstat command shows all listening and established ports on the system.

1. Using SSH, log in to your JSA console as the root user.
2. To display all active connections and the TCP and UDP ports on which the computer is listening, type the following command:
   netstat -nap
3. To search for specific information in the netstat port list, type the following command:
   netstat -nap | grep port

   Examples:
   To display all ports that match 199, type the following command:
   netstat -nap | grep 199
   To display all Postgres related ports, type the following command:
   netstat -nap | grep postgres
   To display information on all listening ports, type the following command:
   netstat -nap | grep LISTEN
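As an added example that is not from this guide: `grep 199` also matches ports 1199, 1999 and 19999 and any address or PID that contains those digits, so this hypothetical Python 3 helper parses the `netstat -nap` columns and compares the local port as a number, then checks a list of expected ports from Table 14 against what is actually listening. The netstat output, the program names and the expected-port list are constructed; which Table 14 ports a given host should expose depends on its role in the deployment.

```python
"""Find JSA listening ports in `netstat -nap` output by exact port number.

Added example, not from the JSA guide. `netstat -nap | grep 199` also matches
ports 1199, 1999, 19999 and any PID or address containing those digits; this
helper parses the columns and compares the local port as a number. All sample
data below is constructed.
"""


def parse_netstat(output):
    """Parse Linux `netstat -nap` lines into dicts with proto, local address,
    local port, state (empty for UDP) and program name (empty if unknown)."""
    entries = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner, column header and unix-socket lines
        proto, local = fields[0], fields[3]
        addr, _, port = local.rpartition(":")  # also handles IPv6 ":::22"
        if proto.startswith("tcp"):
            state = fields[5] if len(fields) > 5 else ""
            pidprog = fields[6] if len(fields) > 6 else ""
        else:  # UDP rows have no State column, so PID/Program shifts left
            state = ""
            pidprog = fields[5] if len(fields) > 5 else ""
        program = pidprog.partition("/")[2] if "/" in pidprog else ""
        entries.append({"proto": proto[:3], "addr": addr, "port": int(port),
                        "state": state, "program": program})
    return entries


def listeners(output):
    """Map (proto, port) -> program for TCP sockets in LISTEN state and for
    every bound UDP socket (UDP has no LISTEN state in netstat)."""
    result = {}
    for e in parse_netstat(output):
        if e["proto"] == "tcp" and e["state"] != "LISTEN":
            continue
        result[(e["proto"], e["port"])] = e["program"]
    return result


def entries_for_port(output, port):
    """Exact-match replacement for `netstat -nap | grep <port>`."""
    return [e for e in parse_netstat(output) if e["port"] == port]


def missing_listeners(output, expected):
    """Return the (proto, port) pairs from `expected` that have no listener,
    e.g. to confirm a host exposes the Table 14 ports its role requires."""
    have = listeners(output)
    return sorted(p for p in expected if p not in have)


# Constructed subset of Table 14 for this sample console; adjust per host role.
EXPECTED_CONSOLE_PORTS = [("tcp", 22), ("tcp", 199), ("tcp", 443),
                          ("tcp", 5432), ("tcp", 32006), ("udp", 514)]

# Constructed `netstat -nap` output. Port 1999 is there to show that a grep
# for 199 would wrongly report NetSNMP (port 199) as present.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1555/httpd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1300/postmaster
tcp        0      0 0.0.0.0:1999            0.0.0.0:*               LISTEN      2001/java
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 3010/sshd
tcp        0      0 :::32006                :::*                    LISTEN      2001/java
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1200/syslog-ng
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     12345  1021/sshd  /var/run/sample.sock
"""

if __name__ == "__main__":
    for key, prog in sorted(listeners(SAMPLE_NETSTAT).items()):
        print("%s/%d listening (%s)" % (key[0], key[1], prog))
    print("grep-style matches for 199 would include:",
          [e["port"] for e in parse_netstat(SAMPLE_NETSTAT) if "199" in str(e["port"])])
    print("exact matches for 199:", entries_for_port(SAMPLE_NETSTAT, 199))
    print("missing:", missing_listeners(SAMPLE_NETSTAT, EXPECTED_CONSOLE_PORTS))
```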
