JSA Configuration
This topic includes:
JSA Configuration Procedure
By configuring JSA, you can review your network hierarchy and customize automatic updates.
Ensure that Java Runtime Environment (JRE) version 1.7 or IBM 64-bit Runtime Environment for Java V7.0 is installed on all desktop systems that you use to access the JSA product user interface.
Ensure that you are using a supported web browser.
Log in to the JSA user interface by typing the following URL with the IP address of the JSA console:
https://IP Address
Network Hierarchy
You can view different areas of your network that are organized by business function and prioritize threat and policy information according to business value risk.
JSA uses the network hierarchy to do the following tasks:
- Understand network traffic and view network activity.
- Monitor specific logical groups or services in your network, such as marketing, DMZ, or VoIP.
- Monitor traffic and profile the behavior of each group and host within the group.
- Determine and identify local and remote hosts.
When you develop your network hierarchy, consider the most effective method for viewing network activity. The network hierarchy does not need to resemble the physical deployment of your network. JSA supports any network hierarchy that can be defined by a range of IP addresses. You can base your network on many different variables, including geographical or business units.
The objects that are defined in your network hierarchy do not have to be physically in your environment. All logical network ranges belonging to your infrastructure must be defined as a network object.
For more information, see the Juniper Secure Analytics Administration Guide.
Defining Your Network Hierarchy
A default network hierarchy that contains pre-defined network groups is included in JSA. You can edit the pre-defined network hierarchy objects, or you can create new network groups or objects.
Network objects are containers for Classless Inter-Domain Routing (CIDR) addresses. Any IP address that is defined in a CIDR range in the network hierarchy is considered to be a local address. Any IP address that is not defined in a CIDR range in the network hierarchy is considered to be a remote address. A CIDR can belong only to one network object, but subsets of a CIDR range can belong to another network object. Network traffic matches the most exact CIDR. A network object can have multiple CIDR ranges assigned to it.
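The matching rules in the preceding paragraph can be modeled as follows. This is an added example, not JSA code: the object names and CIDR ranges are constructed, and the `hierarchy_gaps` check assumes that any private address seen in your logs belongs to your infrastructure.

```python
import ipaddress

# Constructed sample hierarchy (hypothetical names, not JSA defaults).
HIERARCHY = {
    "Corp.Servers": ["10.0.0.0/8"],
    "Corp.Servers.DMZ": ["10.1.0.0/16"],
    "Corp.VoIP": ["10.1.20.0/24", "172.20.0.0/16"],
}

def build_index(hierarchy):
    """Map each CIDR to its one owning object; reject a CIDR listed twice."""
    index = {}
    for name, cidrs in hierarchy.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)  # raises if host bits are set
            if net in index:
                raise ValueError(f"{net} already belongs to {index[net]}")
            index[net] = name
    return index

def classify(ip, index):
    """Return (scope, object, cidr) for the most exact matching CIDR."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in index if n.version == addr.version and addr in n]
    if not matches:
        return ("remote", None, None)
    best = max(matches, key=lambda n: n.prefixlen)  # longest prefix wins
    return ("local", index[best], str(best))

def hierarchy_gaps(observed_ips, index):
    """Private addresses that would be treated as remote (assumed to be yours)."""
    return sorted(
        ip for ip in set(observed_ips)
        if ipaddress.ip_address(ip).is_private
        and classify(ip, index)[0] == "remote"
    )

if __name__ == "__main__":
    idx = build_index(HIERARCHY)
    for ip in ["10.1.20.5", "10.1.5.5", "10.200.0.1", "172.16.5.9", "8.8.8.8"]:
        print(ip, classify(ip, idx))
    print("gaps:", hierarchy_gaps(["172.16.5.9", "8.8.8.8", "10.9.9.9"], idx))
```

An address reported by `hierarchy_gaps` is internal traffic that would be evaluated as remote until its range is added to a network object.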
Some of the default building blocks and rules in JSA use the default network hierarchy objects. Before you change a default network hierarchy object, search the rules and building blocks to understand how the object is used and which rules and building blocks might need adjustments after you modify the object. It is important to keep the network hierarchy, rules, and building blocks up-to-date to prevent false offenses.
On the navigation menu, click Admin.
In the System Configuration section, click Network Hierarchy.
From the menu tree on the Network Views window, select the area of the network in which you want to work.
To add network objects, click Add and complete the following fields:
| Option | Description |
|---|---|
| Name | The unique name of the network object. Note: You can use periods in network object names to define network object hierarchies. For example, if you enter the object name D.E.F, you create a three-tier hierarchy with E as a subnode of D, and F as a subnode of E. |
| Group | The network group in which to add the network object. Select from the Group list, or click Add a New Group. Note: When you add a network group, you can use periods in network group names to define network group hierarchies. For example, if you enter the group name A.B.C, you create a three-tier hierarchy with B as a subnode of A, and C as a subnode of B. |
| IP/CIDR(s) | Type an IP address or CIDR range for the network object, and click Add. You can add multiple IP addresses and CIDR ranges. |
| Description | A description of the network object. |
| Country/Region | The country or region in which the network object is located. |
| Longitude and Latitude | The geographic location (longitude and latitude) of the network object. These fields are co-dependent. |
Automatic Updates
Using JSA, you can either replace your existing configuration files or integrate the updated files with your existing files.
The JSA console must be connected to the Internet to receive updates. If your console is not connected to the Internet, you must configure an internal update server. For information about setting up an automatic update server, see the Juniper Secure Analytics User Guide.
Software updates are available to download from the following website: https://support.juniper.net/support/downloads/.
Update files can include the following updates:
Configuration updates, which include configuration file changes, vulnerability, QID map, and security threat information updates.
DSM updates, which include corrections to parsing issues, scanner changes, and protocol updates.
Major updates, which include items such as updated JAR files.
Minor updates, which include items such as extra online help content or updated scripts.
Configuring Automatic Update Settings
You can customize the frequency of JSA updates, update types, server configuration, and backup settings.
You can select Auto Deploy to automatically deploy updates. If Auto Deploy is not selected, then you must manually deploy changes, from the Dashboard tab, after updates are installed.
In a high-availability (HA) environment, automatic updates aren't installed when a secondary host is active. The updates are installed only after the primary host becomes the active node.
You can select Auto Restart Service to allow automatic updates that require the user interface to restart. A user interface disruption occurs when the service restarts. Alternatively, you can manually install the updates from the Check for Updates window.
On the navigation menu, click Admin.
In the System Configuration section, click Auto Update.
Click Change Settings.
On the Basic tab, select the schedule for updates.
In the Configuration Updates section, select the method that you want to use for updating your configuration files.
To merge your existing configuration files with the server updates without affecting your custom signatures, custom entries, and remote network configurations, select Auto Integrate.
To override your customizations with server settings, select Auto Update.
In the DSM, Scanner, Protocol Updates section, select an option to install updates.
In the Major Updates section, select an option for receiving major updates for new releases.
In the Minor Updates section, select an option for receiving patches for minor system issues.
If you want to deploy update changes automatically after updates are installed, select the Auto Deploy check box.
If you want to restart the user interface service automatically after updates are installed, select the Auto Restart Service check box.
Click the Advanced tab to configure the update server and backup settings.
In the Web Server field, type the web server from which you want to obtain the updates.
In the Directory field, type the directory location on which the web server stores the updates.
The default directory is autoupdates/.
Optional: Configure the settings for the proxy server.
If the application server uses a proxy server to connect to the Internet, you must configure the proxy server. If you are using an authenticated proxy, you must provide the username and password for the proxy server.
In the Backup Retention Period list, type or select the number of days that you want to store files that are replaced during the update process.
The files are stored in the location that is specified in the Backup Location. The minimum is one day and the maximum is 65535 years.
In the Backup Location field, type the location where you want to store backup files.
In the Download Path field, type the directory path in which you want to store DSM, minor, and major updates.
The default directory path is /store/configservices/staging/updates.
Click Save.
Collecting Events
By collecting events, you can investigate the logs that are sent to JSA in real time.
To collect the events:
Click the Admin tab.
In the navigation pane, click Data Sources > Events.
Click the Log Sources icon.
In the JSA Log Source Management app, click Log Sources.
Review the list of log sources and make any necessary changes to the log source.
For information about configuring log sources, see the Juniper Secure Analytics Log Sources User Guide.
Save your changes, and then close the app.
Collecting Flows
By collecting flows, you can investigate the network communication sessions between hosts.
To collect the flows:
Click the Admin tab.
In the navigation menu, click Data Sources > Flows.
Click the Flow Sources icon.
Review the list of flow sources and make any necessary changes to the flow sources.
For more information about configuring flow sources, see the Juniper Secure Analytics Administration Guide.
Close the Flow Sources window.
On the Admin tab menu, click Deploy Changes.
Importing Vulnerability Assessment Information
By importing vulnerability assessment information, you identify active hosts, open ports, and potential vulnerabilities.
To import VA information:
- Click the Admin tab.
- In the navigation menu, click Data Sources > Vulnerability.
- Click the VA Scanners icon.
- On the toolbar, click Add.
- Enter values for the parameters.
  The parameters depend on the scanner type that you want to add.
  Note: The CIDR range specifies which networks JSA integrates into the scan results. For example, if you want to conduct a scan against the 192.168.0.0/16 network and specify 192.168.1.0/24 as the CIDR range, only results from the 192.168.1.0/24 range are integrated.
- Click Save.
- On the Admin tab menu, click Deploy Changes.
- Click the Schedule VA Scanners icon, and then click Add.
- Specify the criteria for how often you want the scan to occur.
  Depending on the scan type, the criteria include how frequently JSA imports scan results or starts a new scan. You also must specify the ports to be included in the scan results.
- Click Save.