Event and Flow Forwarding from a Primary Data Center to Another Data Center
To ensure that there is a redundant data store for events, flows, offenses, and that there is an identical architecture in two separate data centers, forward event and flow data from site 1 to site 2.
The following information is provided only for general guidance and is not intended or designed as a how-to guide.
This scenario is dependent upon site 1 remaining active. If site 1 fails, data is not transmitted to Site 2, but the data is current up to the time of failure. In the case of failure at site 1, you implement disaster recovery (DR), by manually changing IP addresses and use a backup and restore to fail over from site 1 to site 2, and to switch to site 2 for all JSA hosts.
The following list describes the setup for event and flow forwarding from the primary site to the secondary site:
There is an identical distributed architecture in two separate data centers, which includes a primary data center and a secondary data center.
The primary JSA console is active and collecting all events and flows from log sources and is generating correlated offenses.
You configure off-site targets on the primary JSA console to enable forwarding of event and flow data from the primary data center to the event and flow processors in another data center.
Use routing rules instead of off-site targets because the setup is easier.
Periodically, use the content management tool to update content from the primary JSA console to the secondary JSA console.
For more information about forwarding destinations and routing rules, see the Juniper Secure Analytics Administration Guide.
In the case of a failure at site 1, you can use a high-availability (HA) deployment to trigger an automatic failover to site 2. The secondary HA host on site 2 takes over the role of the primary HA host on site 1. Site 2 continues to collect, store, and process event and flow data. Secondary HA hosts that are in a standby state don't have services that are running but data is synchronized if disk replication is enabled. For more information about HA deployment planning, see HA Deployment Planning.
You can use a load balancer to divide events, and split flows such as NetFlow, J-Flow, and sFlow but you can't use a load balancer to split Flows. Use external technologies such as a regenerative tap to divide Flow and send to the backup site.
The following diagram shows how site 2 is used as a redundant data store for site 1. Event and flow data are forwarded from site 1 to site 2.
Event and Flow Forwarding Configuration
For data redundancy, configure JSA systems to forward data from one site to a backup site.
The target system that receives the data from JSA is known as a forwarding destination. JSA systems ensure that all forwarded data is unaltered. Newer versions of JSA systems can receive data from earlier versions of JSA systems. However, earlier versions cannot receive data from later versions. To avoid compatibility issues, upgrade all receivers before you upgrade JSA systems that send data. Follow these steps to set up forwarding:
Configure one or more forwarding destinations.
A forwarding destination is the target system that receives the event and flow data from the JSA primary console. You must add forwarding destinations before you can configure bulk or selective data forwarding. For more information about forwarding destinations, see the Juniper Secure Analytics Administration Guide.
Configure routing rules, custom rules, or both.
After you add one or more forwarding destinations for your event and flow data, you can create filter-based routing rules to forward large quantities of data. For more information about routing rules, see the Juniper Secure Analytics Administration Guide.
Configure data exports, imports, and updates.
You use the content management tool to move data from your primary JSA console to the JSA secondary console. Export security and configuration content from JSA into an external, portable format. For more information about using the content management tool to transfer data, see the Juniper Secure Analytics Administration Guide.