Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Getting Started for Administrators

If you're an administrator, the following topics are a good place to get started to learn how to use JSA in your everyday workflow.


Do you know how the Network Hierarchy impacts the JSA deployment?

  • Network hierarchy

    You can view different areas of your network that is organized by business function and prioritize threat and policy information according to business value risk.

  • Defining your network hierarchy

    A default network hierarchy that contains pre-defined network groups is included in JSA. You can edit the pre-defined network hierarchy objects, or you can create new network groups or objects.

Do you know how to create integrations with IBM solutions such as Guardium and AppScan?

  • IBM Guardium integration

    IBM Guardium is a database activity and audit tracking tool for system administrators to retrieve detailed auditing events across database platforms.

  • AppScan Enterprise integration

    JSA retrieves HCL AppScan Enterprise reports with the Representational State Transfer (REST) web service to import vulnerability data and generate offenses for your security team.

Do you know how to configure multiple log source groups for filtering, rules, and reporting?

  • Adding multiple log sources at the same time

    Use the JSA Log Source Management app to add multiple log sources to JSA at the same time. You can add as many log sources as you want.

  • Editing multiple log sources at the same time

    In the JSA Log Source Management app, view and edit a number of log sources at the same time. You can edit the settings of up to 1000 log sources at one time. Edit multiple log sources at the same time when the log sources have similar settings that you want to change, instead of editing each log source individually.

Do you know how to quantify and prioritize data sources in your environment to ensure adequate data collection?

  • Data collection

    JSA accepts information in various formats and from a wide range of devices, including security events, network traffic, and scan results. Collected data is categorized into three major sections: events, flows, and vulnerability assessment (VA) information.

  • Adding a managed host

    Add managed hosts, such as event and flow collectors, event and flow processors, and data nodes, to distribute data collection and processing activities across your JSA deployment.


Do you know how to create an authorization token for services to be used for remote access?

  • Managing authorized services

    You can configure authorized services to authenticate an API call for your JSA deployment. The JSA RESTful API uses authorized services to authenticate API calls to the JSA Console. You can add or revoke an authorized service at any time.

  • Creating an authentication token for WinCollect agents

    Third-party or external applications that interact with JSA require an authentication token. Before you install managed WinCollect agents in your network, you must create an authentication token.

Backup and restore

Do you know how the backup and recovery functions are configured?

  • Backup and recovery

    You can use the backup and recovery feature to back up your event and flow data; however, you must restore event and flow data manually.

  • Backup configurations and data

    By default, JSA creates a backup archive of your configuration information daily at midnight. The backup archive includes your configuration information, data, or both from the previous day. You can customize this nightly backup and create an on-demand configuration backup, as required.

High Availability/Disaster Recovery

Do you know how to create an HA cluster, and how to implement HA nodes in JSA, including moving online/offline?

  • HA overview

    If your hardware or network fails, JSA can continue to collect, store, and process event and flow data by using high-availability (HA) appliances.

  • Creating an HA cluster

    Pairing a primary host, secondary high-availability (HA) host, and a virtual IP address creates an HA cluster.

  • Setting an HA host online

    You can set the primary or secondary HA host to Online.

  • Setting an HA host offline

    You can set the primary or secondary high-availability (HA) host to Offline from the Active or Standby state.

License management

Do you know how to measure license allocation vs. usage and ensure adequate coverage?

  • License management

    License keys entitle you to specific JSA products, and control the event and flow capacity for your JSA deployment. You can add licenses to your deployment to activate other JSA products, such as JSA Vulnerability Manager.

  • Burst handling

    JSA uses burst handling to ensure that no data is lost when the system exceeds the allocated events per second (EPS) or flows per minute (FPM) license limits.

  • Distributing event and flow capacity

    Use the License Pool Management window to ensure that the events per second (EPS) and flows per minute (FPM) that you are entitled to is fully used. Also, ensure that JSA is configured to handle periodic bursts of data without dropping events or flows, or having excessive unused EPS and FPM.

Log sources

Do you know how to create a new log source?

  • Adding log sources manually

    You can manually add log sources that JSA does not detect automatically.

  • Adding a log source

    Use the JSA Log Source Management app to add new log sources to receive events from your network devices or appliances.

Do you know how to add Log Sources by using non-Syslog protocols, such as OpSec LEA?

  • Configuring an OPSEC/LEA log source

    To integrate Check Point OPSEC/LEA with JSA, you must create two Secure Internal Communication (SIC) files and enter the information in to JSA as a Check Point log source.

Reference data and building blocks

Do you know how to adjust building block and reference set content to effectively tune JSA rules?

  • Review building blocks

    Building blocks are a reusable set of rule tests that can be used within rules when required. Host definition building blocks (BB:HostDefinition) categorize assets and server types into CIDR/IP ranges. By populating host definition building blocks, JSA can identify the type of appliance that belongs to an address or address range. These building blocks can then be used in rules to exclude or include entire asset categories in rule tests.


Do you know how to run correlation rules in "test mode" to avoid excessive offense generation?

  • Configuring an event or flow as false positive

    You might have legitimate network traffic that triggers false positive flows and events that make it difficult to identify true security incidents. You can prevent events and flows from correlating into offenses by configuring them as false positives.

  • Creating a custom rule

    JSA includes rules that detect a wide range of activities, including excessive firewall denies, multiple failed login attempts, and potential botnet activity. You can also create your own rules to detect unusual activity.

Threat intelligence

Do you know how to use native X-Force threat feed data to enhance corporate security and visibility?

  • Enabling X-Force Threat Intelligence in JSA

    By enabling X-Force Threat Intelligence in JSA, you can receive feeds of the X-Force Threat Intelligence information to your console.


Do you know how to collect logs from the JSA deployment to help support troubleshoot issues?

  • Collecting log files

    JSA log files contain detailed information about your deployment, such as hostnames, IP addresses, and email addresses. If you need help with troubleshooting, you can collect the log files and send them to Juniper Customer Support.