
Managed Hosts

For greater flexibility over data collection and event and flow processing, build a distributed JSA deployment by adding non-console managed hosts, such as gateways, processors, and data nodes.

For more information about planning and building your JSA environment, see the Juniper Secure Analytics Architecture and Deployment Guide.

Software Compatibility Requirements

Software versions for all JSA appliances in your deployment must be at the same version and build. Deployments that use different versions of software are not supported because mixed software environments can prevent rules from firing, prevent offenses from being created or updated, or cause errors in search results.

When a managed host uses a software version that is different than the JSA Console, you might be able to view components that were already assigned to the host, but you cannot configure the component or add or assign new components.

Internet Protocol (IP) Requirements

The following table describes the various combinations of IP protocols that are supported when you add non-console managed hosts:

Table 1: Supported Combinations of IP protocols on Non-console Managed Hosts

| Managed Hosts | JSA Console (IPv6, single) | JSA Console (IPv6, HA) | JSA Console (dual-stack, single) | JSA Console (dual-stack, HA) |
|---|---|---|---|---|
| IPv4, single | No | No | Yes* | No |
| IPv4, HA | No | No | No | No |
| IPv6, single | Yes | Yes | Yes | No |
| IPv6, HA | Yes | Yes | Yes | No |

Note:

*By default, you cannot add an IPv4-only managed host to a dual-stack single console. You must run a script to enable an IPv4-only managed host. For more information, see Adding an IPv4-only Managed Host in a dual-stack Environment.

A dual-stack console supports both IPv4 and IPv6. The following list outlines the conditions you must follow in dual-stack environments:

  • You can add IPv6 managed hosts to a dual-stack single console, or to an IPv6-only console.

  • You can add only IPv4 managed hosts to a dual-stack single console.

  • Do not add a managed host to a dual-stack console that is configured for HA.

  • Do not add an IPv4 managed host that is not in an HA pair to an IPv6-only console, or to a dual-stack console that is in an HA pair.

JSA does not support the following configurations:

  • Adding a managed host to a dual-stack console that is configured for HA.

  • Adding an IPv4 managed host that is not in an HA pair to an IPv6-only console.

  • Adding an IPv4 managed host that is not in an HA pair to a dual-stack console that is in an HA pair.

Bandwidth Considerations for Managed Hosts

To replicate state and configuration data, ensure that you have a minimum bandwidth of 100 Mbps between the JSA console and all managed hosts. Higher bandwidth is necessary when you search log and network activity, and you have over 10,000 events per second (EPS).

An Event Collector that is configured to store and forward data to an Event Processor forwards the data according to the schedule that you set. Ensure that you have sufficient bandwidth to cover the amount of data that is collected, otherwise the forwarding appliance cannot maintain the scheduled pace.

Use the following methods to mitigate bandwidth limitations between data centers:

  • Process and send data to hosts at the primary data center -- Design your deployment to process and send data as it's collected to hosts at the primary data center where the console resides. In this design, all user-based searches query the data from the local data center rather than waiting for remote sites to send back data.

    You can deploy a store and forward event collector, such as a JSA 15XX physical or virtual appliance, in the remote locations to control bursts of data across the network. Bandwidth is used in the remote locations, and searches for data occur at the primary data center, rather than at a remote location.

  • Don't run data-intensive searches over limited bandwidth connections -- Ensure that users don't run data-intensive searches over links that have limited bandwidth. Specifying precise filters on the search limits the amount of data that is retrieved from the remote locations, and reduces the bandwidth that is required to send the query result back.

Encryption

To provide secure data transfer between each of the appliances in your environment, JSA has integrated encryption support that uses OpenSSH. Encryption occurs between managed hosts; therefore, you must have at least one managed host before you can enable encryption.

When encryption is enabled, a secure tunnel is created on the client that initiates the connection, by using an SSH protocol connection. When you enable encryption on a managed host, an SSH tunnel is created for all client applications on the managed host. When you enable encryption on a non-Console managed host, encryption tunnels are automatically created for databases and other support service connections to the Console. To ensure that all data between managed hosts is encrypted, enable encryption.

The SSH tunnel between two managed hosts can be initiated from the remote host instead of the local host. For example, if you have a connection from an Event Processor in a secure environment to an Event Collector that is outside of the secure environment, and you have a firewall rule that would prevent you from having a host outside the secure environment connect to a host in the secure environment, you can switch which host creates the tunnel so that the connection is established from the Event Processor by selecting the Remote Tunnel Initiation checkbox for the Event Collector.

You cannot reverse the tunnels from your Console to managed hosts.

For example, with encryption enabled on an Event Processor, the connection between the Event Processor and Event Collector is encrypted, and the connection between the Event Processor and Magistrate is encrypted.

Adding a Managed Host

Add managed hosts, such as event and flow processors and data nodes, to distribute data collection and processing activities across your JSA deployment.

Ensure that the managed host has the same JSA version and patch as the JSA Console that you are using to manage it.

If you want to enable Network Address Translation (NAT) for a managed host, the network must use static NAT translation.

Enable encryption for a Managed Host to provide encryption between hosts.

The following table describes the components that you can connect:

Table 2: Supported Component Connections

| Source Connection | Target Connection | Description |
|---|---|---|
| Flow Processor | Event Collector | You can connect a Flow Processor only to an Event Collector. The number of connections is not restricted. You can't connect a Flow Processor to the Event Collector on a 15xx appliance. |
| Event Collector | Event Processor | You can connect an Event Collector to only one Event Processor. You can connect a non-console Event Collector to an Event Processor on the same system. A console Event Collector can be connected only to a console Event Processor. You can't remove this connection. |
| Event Processor | Event Processor | You can't connect a console Event Processor to a non-console Event Processor. You can connect a non-console Event Processor to another console or non-console Event Processor, but not both at the same time. When a non-console managed host is added, the non-console Event Processor is connected to the console Event Processor. |
| Data Node | Event Processor | You can connect a data node to an event or flow processor only. You can connect multiple Data Nodes to the same processor to create a storage cluster. |
| Event Collector | Off-site target | The number of connections is not restricted. |
| Off-site source | Event Collector | The number of connections is not restricted. An Event Collector that is connected to an event-only appliance can't receive an off-site connection from system hardware that has the Receive Flows feature enabled. An Event Collector that is connected to a Flow-only appliance can't receive an off-site connection from a remote system that has the Receive Flows feature enabled. |

If you configured JSA Vulnerability Manager in your deployment, you can add vulnerability scanners and a vulnerability processor. For more information, see the Juniper Secure Analytics Vulnerability Manager User Guide.

If you configured JSA Risk Manager in your deployment, you can add a managed host. For more information, see the Juniper Secure Analytics Risk Manager Installation Guide.

To add a managed host:

  1. On the navigation menu, click Admin.

  2. In the System Configuration section, click System and License Management.

  3. In the Display list, select Systems.

  4. On the Deployment Actions menu, click Add Host.

  5. Configure the settings for the managed host by providing the fixed IP address, and the root password to access the operating system shell on the appliance.

  6. Click Add.

  7. Optional: Use the Deployment actions > View Deployment menu to see visualizations of your deployment. You can download a PNG image or a Microsoft Visio (2010) VDX file of your deployment visualization.

  8. On the Admin tab menu, click Advanced > Deploy Full Configuration. When you deploy the full configuration, JSA restarts all services. Data collection for events and flows stops until the deployment completes.

Note:

JSA continues to collect events when you deploy the full configuration. When the event collection service must restart, JSA does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.

Adding an IPv4-only Managed Host in a dual-stack Environment

To add an IPv4-only managed host to a dual-stack Console, you must run scripts to prepare both the managed host and the Console before you can add the managed host to the Console.

A dual-stack Console is one that supports both IPv4 and IPv6. You cannot add an IPv4-only managed host to a JSA High Availability (HA) deployment.

Table 3: Supported Combinations of IP protocols on Non-console Managed Hosts

| Managed Hosts | JSA Console (IPv6, single) | JSA Console (IPv6, HA) | JSA Console (dual-stack, single) | JSA Console (dual-stack, HA) |
|---|---|---|---|---|
| IPv4, single | No | No | Yes* | No |
| IPv4, HA | No | No | No | No |
| IPv6, single | Yes | Yes | Yes | No |
| IPv6, HA | Yes | Yes | Yes | No |

  1. To enable your JSA Console for dual-stack deployment, type the following command:

    /opt/qradar/bin/setup_v6v4_console.sh ip=<IPv4_address_of_the_Console> netmask=<netmask> gateway=<gateway>

    This example assumes that the IPv4 address of the Console is 192.0.2.2, the subnet mask is 255.255.255.0, and the gateway is 192.0.2.1.

    /opt/qradar/bin/setup_v6v4_console.sh ip=192.0.2.2 netmask=255.255.255.0 gateway=192.0.2.1

  2. To allow an IPv4-only managed host to be added to your deployment, type the following command on the Console:

    /opt/qradar/bin/add_v6v4_host.sh host=<IP_address_of_the_managed_host>

    This example assumes that the IPv4 address of the managed host is 192.0.2.3.

    /opt/qradar/bin/add_v6v4_host.sh host=192.0.2.3

  3. Add the IPv4-only managed host to the deployment.
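A pre-flight check for the two commands in this procedure, as an added example that is not part of the original page or of the JSA tooling. It validates the addresses (well-formed IPv4, contiguous netmask, gateway inside the Console's subnet) and only prints the command lines for review; the function names are hypothetical, and only the script paths and their arguments come from the steps above.

```shell
#!/bin/sh
# Added example: pre-flight check for the dual-stack preparation commands.
# Function names are hypothetical; only the script paths and their
# ip=, netmask=, gateway= and host= arguments come from the procedure.

# Print a dotted-quad IPv4 address as an integer; fail on malformed input.
ip_to_int() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed only if the netmask is contiguous and ip and gateway are distinct
# addresses inside the same subnet.
same_subnet() {
    ip=$(ip_to_int "$1") && mask=$(ip_to_int "$2") && gw=$(ip_to_int "$3") || return 1
    inv=$(( ~mask & 0xFFFFFFFF ))
    [ "$mask" -ne 0 ] && [ $(( inv & (inv + 1) )) -eq 0 ] || return 1
    [ "$ip" -ne "$gw" ] && [ $(( ip & mask )) -eq $(( gw & mask )) ]
}

# Print the two commands for review, or an error and a non-zero status.
# Nothing is executed: run the printed lines on the Console yourself.
dual_stack_commands() {
    console_ip=$1 netmask=$2 gateway=$3 host_ip=$4
    same_subnet "$console_ip" "$netmask" "$gateway" || {
        echo "error: console ip/netmask/gateway malformed or inconsistent" >&2
        return 1
    }
    ip_to_int "$host_ip" >/dev/null || {
        echo "error: managed host must be a dotted-quad IPv4 address" >&2
        return 1
    }
    [ "$host_ip" != "$console_ip" ] || {
        echo "error: managed host address equals the Console address" >&2
        return 1
    }
    echo "/opt/qradar/bin/setup_v6v4_console.sh ip=$console_ip netmask=$netmask gateway=$gateway"
    echo "/opt/qradar/bin/add_v6v4_host.sh host=$host_ip"
}

# Addresses from the procedure's own examples.
dual_stack_commands 192.0.2.2 255.255.255.0 192.0.2.1 192.0.2.3
```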

Configuring a Managed Host

Configure a managed host to specify which role the managed host fulfills in your deployment. For example, you can configure the managed host as a collector, processor, or a data node. You can also change the encryption settings, and assign the host to a network address translation (NAT) group.

To make network configuration changes, such as an IP address change to your JSA Console and managed host systems after you install your JSA deployment, use the qchange_netsetup utility. For more information about network settings, see the Installation Guide for your product.

Ensure that the managed host has the same JSA version and patch as the JSA Console that is used to manage it. You can't edit or remove a managed host that uses a different version of JSA.

If you want to enable Network Address Translation (NAT) for a managed host, the network must use static NAT translation.

To configure a managed host:

  1. On the navigation menu, click Admin.

  2. In the System Configuration section, click System and License Management.

  3. In the Display list, select Systems.

  4. Select the host in the host table, and on the Deployment Actions menu, click Edit Host.

    1. To create an SSH encryption tunnel on port 22 for the managed host, select the Encrypt Host Connections checkbox.

    2. Optional: To initiate the tunnel between managed hosts from the remote host, select the Remote Tunnel Initiation checkbox.

    3. To configure the managed host to use a NAT-enabled network, select the Network Address Translation checkbox, and then configure the NAT Group and Public IP address.

    4. To configure the components on the managed host, click the Component Management settings icon and configure the options.

    5. Click Save.

  5. On the Admin tab menu, click Advanced > Deploy Full Configuration. When you deploy the full configuration, JSA restarts all services. Data collection for events and flows stops until the deployment completes.

Removing a Managed Host

You can remove non-Console managed hosts from your deployment. You can't remove a managed host that hosts the JSA Console.

Ensure that the managed host has the same JSA version and patch as the JSA Console that is used to manage it. You can't remove a host that is running a different version of JSA.

To remove a managed host:

  1. On the navigation menu, click Admin.

  2. In the System Configuration section, click System and License Management.

  3. In the Display list, select Systems.

  4. On the Deployment Actions menu, click Remove host and click OK. You can't remove a JSA Console host.

  5. On the Admin tab menu, click Advanced > Deploy Full Configuration.

Note:

JSA continues to collect events when you deploy the full configuration. When the event collection service must restart, JSA does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.

Configuring Your Local Firewall

Use the local firewall to manage access to the JSA managed host from specific devices that are outside the network. When the firewall list is empty, access to the managed host is disabled, except through the ports that are opened by default.

  1. On the navigation menu, click Admin.

  2. In the System Configuration section, click System and License Management.

  3. In the Display list, select Systems.

  4. Select the host for which you want to configure firewall access settings.

  5. From the Actions menu, click View and Manage System.

  6. Click the Firewall tab and type the information for the device that needs to connect to the host.

    1. Configure access for devices that are outside of your deployment and need to connect to this host.

    2. Add this access rule.

  7. Click Save.

    If you change the External Flow Source Monitoring Port parameter in the Flow configuration, you must also update your firewall access configuration.

Secure Email Server

JSA uses an email server to distribute alerts, reports, notifications, and event messages.

You can configure an email server for your entire JSA deployment, or multiple email servers.

If you configure the mail server setting for a host as localhost, then the mail messages don't leave that host.

Adding an email server

Add one or more email servers to distribute alerts, reports, notifications, and event messages from your hosts.

  1. Click the Admin tab.

  2. Click Email Server Management.

  3. Click Add.

  4. Enter the following parameters:

    | Parameter | Description |
    |---|---|
    | Hostname | The hostname of the email server. |
    | Port | The port that mail is sent to on the email server. |
    | Description | A description of the email server, so you can tell it apart from other email servers that you add. |
    | Username | Optional. If you want to send authenticated email, enter the username for SMTP authentication on the target email server. |
    | Password | Optional. If you want to send authenticated email, enter the password for SMTP authentication on the target email server. |

  5. Optional: Select the TLS checkbox to send encrypted email. Sending encrypted email requires an external TLS certificate.

  6. Click Save.

Assigning an email server to a host

After you have configured an email server, assign it to one or more hosts.

  1. On the System And License Management page, select a host.

  2. Click Actions > View and Manage System.

  3. Click the Email Server tab.

  4. Select an email server and click Save.

  5. Optional: Test the connection to the email server by clicking the Test Connection button.

  6. Click Save.

Editing an email server

You can edit email server settings if needed.

  1. Click the Admin tab.

  2. Click Email Server Management.

  3. Click the Other Settings icon for the server that you are editing.

  4. Make whatever changes you need and then click Save.

Deleting an email server

Delete an email server if you are no longer using it.

  1. Click the Admin tab.

  2. Click Email Server Management.

  3. Click the Other Settings icon for the server that you are deleting.

  4. Select Delete.