New Features and Enhancements in JSA 7.3.2
For JSA users, JSA 7.3.2 introduces the following new features.
Enhanced Support for VLAN Information in Network Activity Flow Records
JSA 7.3.2 retains Virtual Local Area Network (VLAN) information that is exported in external flow records (IPFIX, NetFlow V9, sFlow V5, or J-Flow V9) or observed in internal flows (Napatech or Network Interface Card). Users can then query, filter, search, or write custom rules with this VLAN information.
All flows with VLAN information contain two new fields that can be used to define unique domains in JSA:
Enterprise VLAN ID
Customer VLAN ID
For example, a UDP flow is sent from 10.0.0.1:123 to 10.0.0.2:456 on VLAN 10. Another UDP flow is sent from 10.0.0.1:123 to 10.0.0.2:456 on VLAN 20. Previously, the flow key contained only the addresses, ports, and protocol, so the two flows were incorrectly aggregated into one record, resulting in a loss of information. In JSA 7.3.2, the unique identifier for each flow includes the nested VLAN fields (including the post-* VLAN fields). The flows are treated independently, each with its own VLAN definition.
Assign Domains to Flows with VLAN Information
Domain management in JSA is enhanced for flows with VLAN information. With domain support for VLAN flows, you can define your domains in JSA based on the VLAN information in your network.
In JSA 7.3.2, you can assign domains to incoming flows based on the VLAN information that is contained in the flow. Incoming flows are mapped to the domain that contains the same VLAN definition. You can also filter and query on VLAN-based domains.
As in previous versions, you can assign tenants to domain definitions to achieve multi-tenancy. In JSA 7.3.2, the new VLAN-based domain definitions enable multi-tenancy across different VLANs, if required.
For example, two domain definitions are created and mapped to two network tenants:
For tenant ABC, traffic is sent on Enterprise VLAN ID = 0, and Customer VLAN ID = 10.
For tenant DEF, traffic is sent on Enterprise VLAN ID = 0, and Customer VLAN ID = 20.
The first domain definition is created for tenant ABC, which contains a flow VLAN definition of Enterprise VLAN ID = 0 and Customer VLAN ID = 10.
A second domain definition is created for tenant DEF, which contains a flow VLAN definition of Enterprise VLAN ID = 0 and Customer VLAN ID = 20.
Now, incoming flows with Enterprise VLAN ID and Customer VLAN ID fields set to 0 and 10 are viewed only by tenant ABC. Similarly, incoming flows with Enterprise VLAN ID and Customer VLAN ID fields of 0 and 20 are only viewed by tenant DEF. This reflects the traffic ownership for each tenant in the network.
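The two behaviours described above (VLAN-aware flow aggregation, and VLAN-based domain assignment for tenants ABC and DEF) as one worked example. This is added illustration code, not JSA's own implementation: the flow records, the field names (ent_vlan, cust_vlan) and the domain table are constructed for the example, and the real JSA flow key also carries the post-* VLAN fields, which would be added to the key in the same way.

```python
from collections import defaultdict

# Constructed sample flows (not captured data). All four share the same
# 5-tuple; they differ only in VLAN tags. ent_vlan / cust_vlan stand in for
# the Enterprise VLAN ID and Customer VLAN ID fields. None means the flow
# source carried no VLAN information at all.
FLOWS = [
    {"src": "10.0.0.1", "sport": 123, "dst": "10.0.0.2", "dport": 456, "proto": "udp",
     "ent_vlan": 0, "cust_vlan": 10, "bytes": 1200},
    {"src": "10.0.0.1", "sport": 123, "dst": "10.0.0.2", "dport": 456, "proto": "udp",
     "ent_vlan": 0, "cust_vlan": 20, "bytes": 800},
    {"src": "10.0.0.1", "sport": 123, "dst": "10.0.0.2", "dport": 456, "proto": "udp",
     "ent_vlan": 0, "cust_vlan": 10, "bytes": 300},
    {"src": "10.0.0.1", "sport": 123, "dst": "10.0.0.2", "dport": 456, "proto": "udp",
     "ent_vlan": None, "cust_vlan": None, "bytes": 50},
]


def legacy_key(flow):
    """Pre-7.3.2 style key: 5-tuple only, VLAN tags are ignored."""
    return (flow["src"], flow["sport"], flow["dst"], flow["dport"], flow["proto"])


def vlan_key(flow):
    """7.3.2 style key: 5-tuple plus the nested VLAN fields."""
    return legacy_key(flow) + (flow["ent_vlan"], flow["cust_vlan"])


def aggregate(flows, key_fn):
    """Sum bytes per flow key; returns {key: total_bytes}."""
    totals = defaultdict(int)
    for flow in flows:
        totals[key_fn(flow)] += flow["bytes"]
    return dict(totals)


# Hypothetical domain definitions: (Enterprise VLAN ID, Customer VLAN ID) -> domain.
DOMAINS = {
    (0, 10): "ABC",
    (0, 20): "DEF",
}
# Hypothetical tenant assignment: each domain belongs to exactly one tenant.
DOMAIN_TENANT = {"ABC": "tenant-ABC", "DEF": "tenant-DEF"}
DEFAULT_DOMAIN = "Default"


def assign_domain(flow, domains=DOMAINS):
    """Map a flow to the domain whose VLAN definition matches its tags.

    Flows without VLAN tags, or with tags no domain defines, fall back to
    the default domain rather than being silently attributed to a tenant.
    """
    return domains.get((flow["ent_vlan"], flow["cust_vlan"]), DEFAULT_DOMAIN)


def flows_visible_to(tenant, flows):
    """Return the flows a tenant may see: only those in its own domain(s)."""
    owned = {d for d, t in DOMAIN_TENANT.items() if t == tenant}
    return [f for f in flows if assign_domain(f) in owned]


if __name__ == "__main__":
    print("legacy buckets:", aggregate(FLOWS, legacy_key))
    print("vlan-aware buckets:", aggregate(FLOWS, vlan_key))
    for f in FLOWS:
        print(f["ent_vlan"], f["cust_vlan"], "->", assign_domain(f))
    print("tenant-ABC sees", len(flows_visible_to("tenant-ABC", FLOWS)), "flows")
```

With the legacy key all four flows collapse into a single 2350-byte record; with the VLAN-aware key the VLAN 10, VLAN 20 and untagged traffic stay separate, and only the VLAN 10 flows are visible to tenant ABC.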
Enhanced Visibility into MPLS Flows Received from IPFIX Data
Internet Protocol Flow Information Export (IPFIX) is a standard protocol for exporting flow information from network devices. Multiprotocol Label Switching (MPLS) is a packet-forwarding technique that switches traffic on short labels rather than on network-layer addresses, so it can carry any network-layer protocol.
With MPLS support for IPFIX flow records in the Flow Processor, you can filter and search for IPFIX flows in JSA 7.3.2 that contain MPLS fields, and write rules based on the values of those MPLS fields. In JSA 7.3.2, MPLS information in an IPFIX flow is no longer lost.
For example, an IPFIX flow is exported from a router on a network that uses MPLS. The exported IPFIX flow contains the MPLS label stack, which is now saved as part of the flow in JSA. The MPLS stack can contain up to 10 label stack entries, each describing one hop of the flow's label-switched path. These MPLS fields can be used in rules, searches, and filters.
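A worked example of what is actually inside those MPLS fields, added here and not part of the JSA release notes. Each IPFIX label stack section (Information Elements 70 mplsTopLabelStackSection and 71-79 mplsLabelStackSection2 through mplsLabelStackSection10) is a 3-octet MPLS label stack entry: a 20-bit label, a 3-bit traffic class and the 1-bit bottom-of-stack flag. The code decodes a constructed record into a label stack and shows the kind of filter (match on top label) that such fields make possible; the record contents and the `records` filter helper are assumptions for the example.

```python
from dataclasses import dataclass

# IPFIX Information Element IDs for the MPLS label stack sections, in stack
# order: 70 is the top entry, 71 the second, ... 79 the tenth.
MPLS_STACK_IES = [70] + list(range(71, 80))


@dataclass(frozen=True)
class MplsEntry:
    label: int    # 20-bit MPLS label
    tc: int       # 3-bit traffic class (historically the EXP bits)
    bottom: bool  # S bit: True on the last entry of the stack


def decode_entry(raw: bytes) -> MplsEntry:
    """Decode one 3-octet label stack entry (label:20 | tc:3 | S:1)."""
    if len(raw) != 3:
        raise ValueError("MPLS label stack entry must be exactly 3 octets")
    v = int.from_bytes(raw, "big")
    return MplsEntry(label=v >> 4, tc=(v >> 1) & 0x7, bottom=bool(v & 0x1))


def encode_entry(label: int, tc: int = 0, bottom: bool = False) -> bytes:
    """Inverse of decode_entry; used here to build the sample record."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= tc < 8:
        raise ValueError("tc must fit in 3 bits")
    return ((label << 4) | (tc << 1) | int(bottom)).to_bytes(3, "big")


def decode_stack(record: dict) -> list:
    """Walk IEs 70..79 in order and return the label stack top-first.

    Stops at the first missing section or at the entry carrying the
    bottom-of-stack bit, so trailing sections an exporter did not fill in
    are never misread as labels.
    """
    stack = []
    for ie in MPLS_STACK_IES:
        raw = record.get(ie)
        if raw is None:
            break
        entry = decode_entry(raw)
        stack.append(entry)
        if entry.bottom:
            break
    return stack


def flows_with_top_label(records, label: int) -> list:
    """Filter helper: records whose top label equals `label`."""
    out = []
    for rec in records:
        stack = decode_stack(rec)
        if stack and stack[0].label == label:
            out.append(rec)
    return out


# Constructed IPFIX record (not captured data): a 3-label stack as a
# router would export it, keyed by IE number. Other IEs (8 sourceIPv4Address,
# 12 destinationIPv4Address) are included only for realism.
SAMPLE_RECORD = {
    8: bytes([10, 0, 0, 1]),
    12: bytes([10, 0, 0, 2]),
    70: encode_entry(16001, tc=0),           # transport label
    71: encode_entry(24, tc=5),              # service label
    72: encode_entry(3, tc=0, bottom=True),  # implicit-null, bottom of stack
    73: encode_entry(999999),                # stale; ignored after S bit
}

if __name__ == "__main__":
    for depth, entry in enumerate(decode_stack(SAMPLE_RECORD), start=1):
        print(f"label {depth}: {entry}")
    print(len(flows_with_top_label([SAMPLE_RECORD], 16001)), "flow(s) with top label 16001")
```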
More Detailed Visualization of Rule Performance
Rule performance visualization extends the existing logging around performance degradation and expensive custom rules in the JSA pipeline. In previous releases, it was cumbersome to identify rules that performed poorly. With rule performance visualization in JSA 7.3.2, you can determine the efficiency of rules in the JSA pipeline directly from the Rules page.
When events or flows are routed to storage, JSA begins collecting performance metrics on rules to track their efficiency. Metrics are collected on all event, common, and flow rules. When you save changes to a rule, its metrics are cleared so that measurements of the old version are not confused with those of the updated rule. This behaviour is configurable.
Use rule performance visualization to monitor expensive rules and ensure that they do not cause future performance issues. Sort rules by their performance metrics to identify the most expensive ones, then adjust their tests to optimize each rule and reduce the load on the system. Over time, this helps JSA avoid the rule-related performance degradation that causes events and flows to be routed to storage and bypass rule correlation. When correlation is bypassed, suspect activity might not trigger a notification, and security-related issues can be missed.
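The following is an added example, not JSA code, of why test order inside a rule matters for the cost metrics described above. It assumes that a rule's tests are ANDed and evaluated in order, stopping at the first failing test, and it assigns hypothetical relative costs (1 for a property comparison, 10 for a regular-expression match) instead of the measured timings JSA records. The events, the rule names and the SQLi pattern are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed sample events (not JSA data): 50 firewall denies, 45 benign
# proxy requests and 5 proxy requests carrying a SQL injection probe.
EVENTS = (
    [{"category": "Firewall Deny",
      "payload": f"deny tcp 10.0.0.{i} -> 203.0.113.9:445"} for i in range(50)]
    + [{"category": "Web Proxy",
        "payload": f"GET /index.html?id={i} HTTP/1.1"} for i in range(45)]
    + [{"category": "Web Proxy",
        "payload": "GET /login.php?user=' OR 1=1-- HTTP/1.1"} for _ in range(5)]
)


@dataclass
class Test:
    name: str
    fn: Callable[[dict], bool]
    cost: int  # assumed relative cost of running this test once


@dataclass
class Rule:
    name: str
    tests: List[Test]
    executed_cost: int = 0   # metric: total cost of tests actually executed
    matches: int = 0         # metric: events that passed every test

    def evaluate(self, event: dict) -> bool:
        # Tests are ANDed in order; the first failing test ends evaluation,
        # so everything after it is never charged for this event.
        for t in self.tests:
            self.executed_cost += t.cost
            if not t.fn(event):
                return False
        self.matches += 1
        return True

    def reset_metrics(self) -> None:
        # Mirrors the metric reset that happens when a rule is saved.
        self.executed_cost = 0
        self.matches = 0


SQLI = re.compile(r"(?i)('|%27)\s*or\s+1\s*=\s*1")

is_proxy = Test("category is Web Proxy",
                lambda e: e["category"] == "Web Proxy", cost=1)
sqli_payload = Test("payload matches SQLi regex",
                    lambda e: bool(SQLI.search(e["payload"])), cost=10)

# Same two tests, same detections, different order.
REGEX_FIRST = Rule("SQLi probe (regex first)", [sqli_payload, is_proxy])
CHEAP_FIRST = Rule("SQLi probe (cheap test first)", [is_proxy, sqli_payload])


def run(rules: List[Rule], events: List[dict]) -> List[Rule]:
    """Feed every event through every rule and return the rules with metrics."""
    for r in rules:
        r.reset_metrics()
    for e in events:
        for r in rules:
            r.evaluate(e)
    return rules


def rank_by_cost(rules: List[Rule]) -> List[Rule]:
    """Most expensive rule first, as the Rules page sort would show it."""
    return sorted(rules, key=lambda r: r.executed_cost, reverse=True)


if __name__ == "__main__":
    for r in rank_by_cost(run([REGEX_FIRST, CHEAP_FIRST], EVENTS)):
        print(f"{r.name:32s} cost={r.executed_cost:5d} matches={r.matches}")
```

Both rules fire on the same five events, but the regex-first rule pays for a regex on all 100 events while the cheap-first rule runs the regex only on the 50 proxy events. Moving the cheap, highly selective test to the front is the kind of adjustment the metrics are meant to prompt.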