Options for Adding Scanners to Your JSA Vulnerability Manager Deployment
If you have a large network and require flexible scanning options, you can add more scanners to your JSA Vulnerability Manager deployment.
Your JSA Vulnerability Manager processor is automatically deployed with a scanning component. By deploying more scanners you can increase the flexibility of your scanning operations. For example, you can scan specific areas of your network with different scanners and at different scheduled times.
Dynamic Vulnerability Scans
The vulnerability scanners that you deploy might not have access to all areas of your network. In JSA Vulnerability Manager you can assign different scanners to network CIDR ranges. During a scan, each asset in the CIDR range that you want to scan is dynamically associated with the correct scanner.
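Before you assign scanners to CIDR ranges, it is worth checking the planned assignment for assets that fall in no scanner's range and for ranges that are assigned to more than one scanner. The following Python script is an added example, not part of JSA or the Juniper documentation; the scanner names, CIDR ranges, and asset addresses are constructed, and the script does not model how JSA itself resolves overlapping ranges.

```python
import ipaddress
from itertools import combinations

# Constructed plan: scanner name -> CIDR ranges assigned to it (hypothetical names).
PLAN = {
    "scanner-hq": ["10.10.0.0/16"],
    "scanner-branch": ["10.20.0.0/16", "10.10.40.0/24"],
    "scanner-lab": ["192.168.50.0/24"],
}
# Constructed asset inventory to check against the plan.
ASSETS = ["10.10.5.20", "10.10.40.7", "10.20.1.9", "172.16.3.4", "192.168.50.12"]


def parse_plan(plan):
    """Return (scanner, network) pairs; strict=True rejects CIDRs with host bits set."""
    return [(name, ipaddress.ip_network(cidr, strict=True))
            for name, cidrs in plan.items() for cidr in cidrs]


def overlapping_assignments(plan):
    """Return pairs of overlapping ranges that belong to different scanners."""
    ranges = parse_plan(plan)
    return sorted(
        (str(net_a), name_a, str(net_b), name_b)
        for (name_a, net_a), (name_b, net_b) in combinations(ranges, 2)
        if name_a != name_b and net_a.overlaps(net_b)
    )


def audit_assets(plan, assets):
    """Return (assets in no range, {asset: scanners} for assets in several ranges)."""
    ranges = parse_plan(plan)
    uncovered, ambiguous = [], {}
    for asset in assets:
        ip = ipaddress.ip_address(asset)
        owners = sorted({name for name, net in ranges if ip in net})
        if not owners:
            uncovered.append(asset)      # no scanner would be associated with it
        elif len(owners) > 1:
            ambiguous[asset] = owners    # more than one scanner claims this address
    return uncovered, ambiguous


if __name__ == "__main__":
    for row in overlapping_assignments(PLAN):
        print("overlap: %s (%s) <-> %s (%s)" % row)
    uncovered, ambiguous = audit_assets(PLAN, ASSETS)
    print("assets with no scanner:", uncovered)
    print("assets matched by more than one scanner:", ambiguous)
```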
To add more vulnerability scanners, choose any of the following options:
- Deploy a dedicated JSA Vulnerability Manager managed host scanner appliance--You can scan for vulnerabilities by using a dedicated JSA Vulnerability Manager managed host scanner appliance. To deploy a scanner appliance, you must complete the following tasks:
  - Install a dedicated JSA Vulnerability Manager managed host scanner appliance.
  - Add the managed host scanner appliance to your JSA console by using the System and License Management tool on the Admin tab.
- Deploy a JSA Vulnerability Manager scanner to your JSA console or managed host--If you move your vulnerability processor from your JSA console to a JSA Vulnerability Manager managed host, you can add a scanner to your console.
  You can also add a vulnerability scanner to any preexisting JSA managed hosts in your deployment. For example, you can add a scanner to an event collector, flow processor, or event processor.
  Run an automatic update when you add a scanner or other managed host with scanning capabilities. For more information about automatic updates, see the Juniper Secure Analytics Administration Guide.
- Configure access to the Juniper Networks hosted scanner and scan your DMZ--You can configure access to a Juniper Networks hosted scanner and scan the assets in your DMZ.
Deploying a Dedicated JSA Vulnerability Manager Scanner Appliance
You can deploy a dedicated JSA Vulnerability Manager managed host scanner appliance.
Ensure that a dedicated JSA Vulnerability Manager managed host scanner appliance is installed and a valid appliance activation key is applied.
- On the navigation menu, click Admin to open the admin tab.
- Click System and License Management > Deployment Actions > Add Managed Host.
- Enter the Host IP address and password of the JSA Vulnerability Manager managed host scanner appliance.
- Click Add.
You must wait several minutes while the managed host is added.
- Close the System and License Management window.
- On the Admin tab toolbar, select Advanced > Deploy Full Configuration.
- Click OK.
Deploying a Vulnerability Scanner to a JSA Console or Managed Host
You can deploy a JSA Vulnerability Manager scanner to a JSA console or JSA managed host. For example, you can deploy a scanner to a flow processor, event collector, event processor, or data node.
In an All-in-One deployment the controller is used as a built-in scanner. You cannot add a separate scanner appliance to a JSA Console when the JSA Vulnerability Manager processor is on the JSA Console. In a non-All-in-One deployment it's a good practice to move the JSA Vulnerability Manager processor to a dedicated appliance when you're scanning more than 50k assets.
To deploy a scanner on your JSA console, ensure that the vulnerability processor is moved to a dedicated JSA Vulnerability Manager managed host appliance.
To deploy scanners on JSA managed hosts, ensure that you have existing managed hosts in your deployment. For more information, see the Juniper Secure Analytics Installation Guide for your product.
- On the navigation menu, click Admin to open the admin tab.
- Click System and License Management > Deployment Actions > Manage Vulnerability Deployment.
- Click Add Additional Vulnerability Scanners.
- Click the + icon.
- From the Host list, select the JSA managed host or console.
Note: You cannot add a scanner to a JSA console when the vulnerability processor is on the console. You must move the vulnerability processor to a JSA Vulnerability Manager managed host.
- Click Save.
- Close the System and License Management window.
- On the Admin tab toolbar, select Advanced > Deploy Full Configuration.
- Click OK.
- Check the Scan Server list on the Scan Profiles Configuration page to ensure that the scanner is added.
For more information, see Creating a Scan Profile.
Note: Do not use the Deployment Editor on the Admin tab to manage your deployment because it is only available for compatibility with an earlier version of JSA.
Run an automatic update after you add the scanner or other managed host with scanning capabilities. Alternatively, you can scan after the default daily scheduled automatic update runs. If the automatic updates for other scanners are run earlier, then the automatic updates for all the scanners might not be fully synchronized until the next daily update.
Scanning the Assets in Your DMZ
In JSA Vulnerability Manager, you can connect to an external scanner and scan the assets in your DMZ for vulnerabilities.
If you want to scan the assets in the DMZ for vulnerabilities, you do not need to deploy a scanner in your DMZ. You must configure JSA Vulnerability Manager with a hosted Juniper Networks scanner that is located outside your network.
Detected vulnerabilities are processed by the processor on either your JSA console or JSA Vulnerability Manager managed host.
- Configure your network and assets for external scans.
- Configure JSA Vulnerability Manager to scan your external assets.
Configuring Your Network and Assets for External Scans
To scan the assets in your DMZ, you must configure your network and inform Juniper Networks of the assets that you want to scan.
- Configure your firewall to allow HTTPS (port 443) connectivity from your JSA Vulnerability Manager processor host to the external scanner.
The host that runs the JSA Vulnerability Manager processor can be the console or a managed host.
- Send the following information to Juniper Networks:
  - The outward-facing external IP address that JSA uses to connect to the internet.
    Note: The IP address must be configured before you can run external scans.
  - The IP address range of the assets in your DMZ.
Configuring JSA Vulnerability Manager to Scan Your External Assets
To scan the assets in your DMZ, you must configure JSA Vulnerability Manager by using the System and License Management tool on the Admin tab.
- On the navigation menu, click Admin to open the admin tab.
- Click System Configuration.
- Click System and License Management.
- From the Display menu, select Systems.
- Click Deployment Actions > Manage Vulnerability Deployment.
- Click Use External Scanner.
- In the Gateway IP field, enter an external IP address.
Note: You cannot scan external assets until your external IP address is configured. Ensure that you email details of your external IP address to Juniper Networks.
- If your network is configured to use a proxy server, click Enable Proxy Server and enter the details of your server.
- Click Save and then click Close.
- On the Admin tab toolbar, click Advanced > Deploy Full Configuration.
- Click OK.
Note: Authenticated scans are not conducted from the external scanner.
Supported Web Browsers
For the features in JSA products to work properly, you must use a supported web browser.
The following table lists the supported versions of web browsers.
Table 1: Supported Web Browsers for JSA Products
Web browser | Supported versions |
---|---|
Mozilla Firefox | 45.8 Extended Support Release |
64-bit Microsoft Internet Explorer with Microsoft Edge mode enabled. | 11.0, Edge 38.14393 |
Google Chrome | Latest |
Enabling Document Mode and Browser Mode in Internet Explorer
If you use Microsoft Internet Explorer to access JSA products, you must enable browser mode and document mode.
- In your Internet Explorer web browser, press F12 to open the Developer Tools window.
- Click Browser Mode and select the version of your web browser.
- Click Document Mode, and select the Internet Explorer standards for your Internet Explorer release.