Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


JSA Components

Juniper Secure Analytics (JSA) includes the following deployment components:


When deploying a Juniper Secure Analytics (JSA) appliance with image 2013.2.r3.607582, you must reimage the appliance to the common image 2013.2.r3.615469 or above. For more information, see Installing JSA Using a Bootable USB Flash-Drive Technical Note.

  • Flow Processor—Collects data from devices, and various live and recorded feeds, such as network taps, span/mirror ports, NetFlow, and JSA flow logs. When the data is collected, the Flow Processor groups related individual packets into a flow. JSA defines these flows as a communication session between two pairs of unique IP address and ports that use the same protocol.

    A flow starts when the Flow Processor detects the first packet with a unique source IP address, destination IP address, source port, destination port, and other specific protocol options that determine the start of a communication. Each additional packet is evaluated. Counts of bytes and packets are added to the statistical counters in the flow record. At the end of an interval, a status record of the flow is sent to an Event Collector and statistical counters for the flow are reset. A flow ends when no activity for the flow is detected within the configured period of time.

    Flow reporting generates records of all active or expired flows during a specified period of time. If the protocol does not support port-based connections, JSA combines all packets between the two hosts into a single flow record. However, a Flow Processor does not record flows until a connection is made to another JSA component and data is retrieved.

  • Event Collector—Collects security events from various types of security devices, known as log sources, in your network. The Event Collector gathers events from local and remote log sources. The Event Collector then normalizes the events and sends the information to the Event Processor. The Event Collector also bundles all virtually identical events to conserve system usage.

  • Event Processor—Processes event and flow data from the Event Collector. The events are bundled to conserve network usage. When received, the Event Processor correlates the information from JSA and distributes to the appropriate area, depending on the type of event. The Event Processor also includes information gathered by JSA to indicate any behavioral changes or policy violations for that event. Rules are then applied to the events that allow the Event Processor to process according to the configured rules. When complete, the Event Processor sends the events to the Magistrate.

    A non-Console Event Processor can be connected to the Event Processor on the Console or connected to another Event Processor in your deployment. The Accumulator is responsible for gathering flow and event information from the Event Processor.

    The Event Processor on the Console is always connected to the magistrate. This connection cannot be deleted.

  • Off-site Source—Indicates an off-site event or flow data source that forwards normalized data to an Event Collector. You can configure an off-site source to receive flows or events and allows the data to be encrypted before forwarding.

  • Off-site Target—Indicates an off-site device that receives event or flow data. An off-site target can only receive data from an Event Collector.

  • Magistrate—The Magistrate component provides the core processing components of the security information and event management (SIEM) system. You can add one Magistrate component for each deployment. The Magistrate provides views, reports, alerts, and analysis of network traffic and security events.

    The Magistrate processes the events or flows against the defined custom rules to create an offense. If no custom rules exist, the Magistrate uses the default rule set to process the offending event or flow. An offense is an event or flow that has been processed through JSA using multiple inputs, individual events or flows, and combined events or flows with analyzed behavior and vulnerabilities. The Magistrate prioritizes the offenses and assigns a magnitude value based on several factors, including the amount of offenses, severity, relevance, and credibility.