
Managed Hosts

 

For greater flexibility over data collection and event and flow processing, build a distributed JSA deployment by adding non-console managed hosts, such as collectors, processors, and data nodes.

For more information about planning and building your JSA environment, see the Juniper Secure Analytics Architecture and Deployment Guide.

Software Compatibility Requirements

Software versions for all JSA appliances in the deployment must be at the same version and build. Deployments that use different versions of software are not supported because mixed software environments can cause rules not to fire, offenses not to be created or updated, and errors in search results.

When a managed host uses a software version that is different than the JSA console, you might be able to view components that were already assigned to the host, but you cannot configure the component or add or assign new components.

Bandwidth Considerations for Managed Hosts

To replicate state and configuration data, ensure that you have a minimum bandwidth of 100 Mbps between the JSA console and all managed hosts. Higher bandwidth is necessary when you search log and network activity, and you have over 10,000 events per second (EPS).

An Event Collector that is configured to store and forward data to an Event Processor forwards the data according to the schedule that you set. Ensure that you have sufficient bandwidth to cover the amount of data that is collected; otherwise, the forwarding appliance cannot maintain the scheduled pace.

Use the following methods to mitigate bandwidth limitations between data centers:

  • Process and send data to hosts at the primary data center -- Design your deployment to process and send data as it's collected to hosts at the primary data center where the console resides. In this design, all user-based searches query the data from the local data center rather than waiting for remote sites to send back data.

    You can deploy a store and forward event collector, such as a JSA 15XX physical or virtual appliance, in the remote locations to control bursts of data across the network. Bandwidth is used in the remote locations, and searches for data occur at the primary data center, rather than at a remote location.

  • Don't run data-intensive searches over limited bandwidth connections -- Ensure that users don't run data-intensive searches over links that have limited bandwidth. Specifying precise filters on the search limits the amount of data that is retrieved from the remote locations, and reduces the bandwidth that is required to send the query result back.

Encryption

To provide secure data transfer between each of the appliances in your environment, JSA has integrated encryption support that uses OpenSSH. Encryption occurs between managed hosts; therefore, you must have at least one managed host before you can enable encryption.

When encryption is enabled, a secure tunnel is created on the client that initiates the connection, by using an SSH protocol connection. When you enable encryption on a managed host, an SSH tunnel is created for all client applications on the managed host. When you enable encryption on a non-Console managed host, encryption tunnels are automatically created for databases and other support service connections to the Console.

For example, with encryption enabled on an Event Processor, the connection between the Event Processor and Event Collector is encrypted, and the connection between the Event Processor and Magistrate is encrypted.

Adding a Managed Host

Add managed hosts, such as event and flow collectors, event and flow processors, and data nodes, to distribute data collection and processing activities across your JSA deployment.

Ensure that the managed host has the same JSA version and patch as the JSA Console that you are using to manage it.

If you want to enable Network Address Translation (NAT) for a managed host, the network must use static NAT translation.

The following table describes the components that you can connect:

Table 1: Supported Component Connections

| Source Connection | Target Connection | Description |
| --- | --- | --- |
| Flow Processor | Event Collector | You can connect a Flow Processor only to an Event Collector. The number of connections is not restricted. You can't connect a Flow Processor to the Event Collector on a 15xx appliance. |
| Event Collector | Event Processor | You can connect an Event Collector to only one Event Processor. You can connect a non-console Event Collector to an Event Processor on the same system. A console Event Collector can be connected only to a console Event Processor. You can't remove this connection. |
| Event Processor | Event Processor | You can't connect a console Event Processor to a non-console Event Processor. You can connect a non-console Event Processor to another console or non-console Event Processor, but not both at the same time. When a non-console managed host is added, the non-console Event Processor is connected to the console Event Processor. |
| Data Node | Event Processor | You can connect a data node to an event or flow processor only. You can connect multiple Data Nodes to the same processor to create a storage cluster. |
| Event Collector | Off-site target | The number of connections is not restricted. |
| Off-site source | Event Collector | The number of connections is not restricted. An Event Collector that is connected to an event-only appliance can't receive an off-site connection from system hardware that has the Receive Flows feature enabled. An Event Collector that is connected to a Flow-only appliance can't receive an off-site connection from a remote system that has the Receive Flows feature enabled. |
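
The connection rules in Table 1 and the same-version requirement can be checked against a planned topology before any host is added. The following Python is an added example, not Juniper code: the `check_deployment` function, the dictionary layout, host names, version strings and appliance labels are all assumptions, and "not both at the same time" is read as one non-console Event Processor not targeting console and non-console processors together.

```python
from collections import defaultdict
# Source component type -> component types it may connect to (Table 1).
ALLOWED = {
    "flow_processor": {"event_collector"},
    "event_collector": {"event_processor", "offsite_target"},
    "event_processor": {"event_processor"},
    "data_node": {"event_processor", "flow_processor"},
    "offsite_source": {"event_collector"},
}

def check_deployment(hosts, links):
    """Return the list of rule violations for a planned topology."""
    problems = []
    versions = {h["version"] for h in hosts.values() if "version" in h}
    if len(versions) > 1:  # all appliances must share one version and build
        problems.append("mixed versions: " + ", ".join(sorted(versions)))
    ec_targets = defaultdict(set)  # Event Collector -> its Event Processors
    ep_targets = defaultdict(set)  # non-console EP -> {target is console?}
    for src, dst in links:
        s, d, pair = hosts[src], hosts[dst], f"{src} -> {dst}"
        if d["type"] not in ALLOWED.get(s["type"], set()):
            problems.append(f"{pair}: {s['type']} cannot connect to {d['type']}")
        elif s["type"] == "flow_processor" and d.get("appliance") == "15xx":
            problems.append(f"{pair}: Flow Processor to a 15xx Event Collector")
        elif s["type"] == "event_collector" and d["type"] == "event_processor":
            ec_targets[src].add(dst)
            if s.get("console") and not d.get("console"):
                problems.append(f"{pair}: console Event Collector needs console Event Processor")
        elif s["type"] == "event_processor":
            if s.get("console") and not d.get("console"):
                problems.append(f"{pair}: console Event Processor to non-console one")
            elif not s.get("console"):
                ep_targets[src].add(bool(d.get("console")))
    problems += [f"{ec}: Event Collector connected to {len(eps)} Event Processors"
                 for ec, eps in ec_targets.items() if len(eps) > 1]
    problems += [f"{ep}: connected to console and non-console Event Processors at once"
                 for ep, kinds in ep_targets.items() if len(kinds) > 1]
    return problems

# Constructed sample plan: host names, versions and appliance labels are made up.
HOSTS = {
    "console-ep": {"type": "event_processor", "console": True, "version": "build-100"},
    "ep1": {"type": "event_processor", "version": "build-100"},
    "ec1": {"type": "event_collector", "appliance": "15xx", "version": "build-100"},
    "fp1": {"type": "flow_processor", "version": "build-099"},
    "dn1": {"type": "data_node", "version": "build-100"},
}
LINKS = [("ep1", "console-ep"), ("ec1", "ep1"), ("ec1", "console-ep"),
         ("fp1", "ec1"), ("dn1", "ec1")]
```

Calling `check_deployment(HOSTS, LINKS)` on the sample plan reports the version mismatch, the Flow Processor attached to a 15xx collector, the Data Node attached to a collector, and the collector with two processors.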

If you configured JSA Vulnerability Manager in your deployment, you can add vulnerability scanners and a vulnerability processor. For more information, see the Juniper Secure Analytics Vulnerability Manager User Guide.

If you configured JSA Risk Manager in your deployment, you can add a managed host. For more information, see the Juniper Secure Analytics Risk Manager Installation Guide.

To add a managed host:

  1. On the navigation menu, click Admin to open the admin tab.
  2. In the System Configuration section, click System and License Management.
  3. In the Display list, select Systems.
  4. On the Deployment Actions menu, click Add Host.
  5. Configure the settings for the managed host by providing the fixed IP address, and the root password to access the operating system shell on the appliance.
  6. Click Add.
  7. Optional: Use the Deployment Actions > View Deployment menu to see visualizations of your deployment. You can download a PNG image or a Microsoft Visio (2010) VDX file of your deployment visualization.
  8. On the Admin tab menu, click Advanced > Deploy Full Configuration. When you deploy the full configuration, JSA restarts all services. Data collection for events and flows stops until the deployment completes.

Note

JSA continues to collect events when you deploy the full configuration. When the event collection service must restart, JSA does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.

Configuring a Managed Host

Configure a managed host to specify which role the managed host fulfills in your deployment. For example, you can configure the managed host as a collector, processor, or a data node. You can also change the encryption settings, and assign the host to a network address translation (NAT) group.

To make network configuration changes, such as an IP address change to your JSA Console and managed host systems after you install your JSA deployment, use the qchange_netsetup utility. For more information about network settings, see the Installation Guide for your product.

Ensure that the managed host has the same JSA version and patch as the JSA Console that is used to manage it. You can't edit or remove a managed host that uses a different version of JSA.

If you want to enable Network Address Translation (NAT) for a managed host, the network must use static NAT translation.

To configure a managed host:

  1. On the navigation menu, click Admin to open the admin tab.
  2. In the System Configuration section, click System and License Management.
  3. In the Display list, select Systems.
  4. Select the host in the host table, and on the Deployment Actions menu, click Edit Host.
    1. To create an SSH encryption tunnel on port 22 for the managed host, select the Encrypt Host Connections check box.

    2. To configure the managed host to use a NAT-enabled network, select the Network Address Translation check box, and then configure the NAT Group and Public IP address.

    3. To configure the components on the managed host, click the Component Management settings icon and configure the options.

    4. Click Save.

  5. On the Admin tab menu, click Advanced > Deploy Full Configuration. When you deploy the full configuration, JSA restarts all services. Data collection for events and flows stops until the deployment completes.

Removing a Managed Host

You can remove non-Console managed hosts from your deployment. You can't remove a managed host that hosts the JSA Console.

Ensure that the managed host has the same JSA version and patch as the JSA Console that is used to manage it. You can't remove a host that is running a different version of JSA.

To remove a managed host:

  1. On the navigation menu, click Admin to open the admin tab.
  2. In the System Configuration section, click System and License Management.
  3. In the Display list, select Systems.
  4. On the Deployment Actions menu, click Remove host and click OK. You can't remove a JSA Console host.
  5. On the Admin tab menu, click Advanced > Deploy Full Configuration.

Note

JSA continues to collect events when you deploy the full configuration. When the event collection service must restart, JSA does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.

Configuring Your Local Firewall

Use the local firewall to manage access to the JSA managed host from specific devices that are outside the network. When the firewall list is empty, access to the managed host is disabled, except through the ports that are opened by default.

  1. On the navigation menu, click Admin to open the admin tab.
  2. In the System Configuration section, click System and License Management.
  3. In the Display list, select Systems.
  4. Select the host for which you want to configure firewall access settings.
  5. From the Actions menu, click View and Manage System.
  6. Click the Firewall tab and type the information for the device that needs to connect to the host.
    1. Configure access for devices that are outside of your deployment and need to connect to this host.

    2. Add this access rule.

  7. Click Save.

    If you change the External Flow Source Monitoring Port parameter in the Flow configuration, you must also update your firewall access configuration.

Configuring Email

Configure an email server to distribute alerts, reports, notifications, and event messages in JSA.

When you're setting up JSA, it looks for a mail relay server to use to send out email messages.

If you configure the mail server setting as localhost, then the mail messages don't leave the JSA box.

  1. On the navigation menu, click Admin to open the admin tab.
  2. In the System Configuration section, click System and License Management.
  3. In the Display list, select Systems.
  4. Select the host for which you want to configure email settings.
  5. From the Actions menu, click View and Manage System.
  6. Click the Email Server tab and type the host name or IP address of the email server that you want to use.

    If you want to use the email server that JSA provides, type localhost to use local email processing.

  7. Click Save.