Getting Started for Administrators
If you're an administrator, the following topics are a good place to get started to learn how to use JSA in your everyday workflow.
Administration
Do you know how the Network Hierarchy impacts the JSA deployment?
Network hierarchy
You can view different areas of your network that are organized by business function and prioritize threat and policy information according to business value risk.
Defining your network hierarchy
A default network hierarchy that contains pre-defined network groups is included in JSA. You can edit the pre-defined network hierarchy objects, or you can create new network groups or objects.
Do you know how to create integrations with IBM solutions such as Guardium and AppScan?
IBM Guardium integration
IBM Guardium is a database activity and audit tracking tool for system administrators to retrieve detailed auditing events across database platforms.
AppScan Enterprise integration
JSA retrieves HCL AppScan Enterprise reports with the Representational State Transfer (REST) web service to import vulnerability data and generate offenses for your security team.
Do you know how to configure multiple log source groups for filtering, rules, and reporting?
Adding multiple log sources at the same time
Use the JSA Log Source Management app to add multiple log sources to JSA at the same time. You can add as many log sources as you want.
Editing multiple log sources at the same time
In the JSA Log Source Management app, view and edit a number of log sources at the same time. You can edit the settings of up to 1000 log sources at one time. Edit multiple log sources at the same time when the log sources have similar settings that you want to change, instead of editing each log source individually.
Do you know how to quantify and prioritize data sources in your environment to ensure adequate data collection?
Data collection
JSA accepts information in various formats and from a wide range of devices, including security events, network traffic, and scan results. Collected data is categorized into three major sections: events, flows, and vulnerability assessment (VA) information.
Adding a managed host
Add managed hosts, such as event and flow collectors, event and flow processors, and data nodes, to distribute data collection and processing activities across your JSA deployment.
APIs
Do you know how to create an authorization token for services to be used for remote access?
Managing authorized services
You can configure authorized services to authenticate an API call for your JSA deployment. The JSA RESTful API uses authorized services to authenticate API calls to the JSA Console. You can add or revoke an authorized service at any time.
Creating an authentication token for WinCollect agents
Third-party or external applications that interact with JSA require an authentication token. Before you install managed WinCollect agents in your network, you must create an authentication token.
Backup and restore
Do you know how the backup and recovery functions are configured?
Backup and recovery
You can use the backup and recovery feature to back up your event and flow data; however, you must restore event and flow data manually.
Backup configurations and data
By default, JSA creates a backup archive of your configuration information daily at midnight. The backup archive includes your configuration information, data, or both from the previous day. You can customize this nightly backup and create an on-demand configuration backup, as required.
High Availability/Disaster Recovery
Do you know how to create an HA cluster, and how to implement HA nodes in JSA, including moving online/offline?
HA overview
If your hardware or network fails, JSA can continue to collect, store, and process event and flow data by using high-availability (HA) appliances.
Creating an HA cluster
Pairing a primary host, secondary high-availability (HA) host, and a virtual IP address creates an HA cluster.
Setting an HA host online
You can set the primary or secondary HA host to Online.
Setting an HA host offline
You can set the primary or secondary high-availability (HA) host to Offline from the Active or Standby state.
License management
Do you know how to measure license allocation vs. usage and ensure adequate coverage?
License management
License keys entitle you to specific JSA products, and control the event and flow capacity for your JSA deployment. You can add licenses to your deployment to activate other JSA products, such as JSA Vulnerability Manager.
Burst handling
JSA uses burst handling to ensure that no data is lost when the system exceeds the allocated events per second (EPS) or flows per minute (FPM) license limits.
Distributing event and flow capacity
Use the License Pool Management window to ensure that the events per second (EPS) and flows per minute (FPM) that you are entitled to are fully used. Also, ensure that JSA is configured to handle periodic bursts of data without dropping events or flows, and without leaving excessive EPS and FPM unused.
Log sources
Do you know how to create a new log source?
Adding log sources manually
You can manually add log sources that JSA does not detect automatically.
Adding a log source
Use the JSA Log Source Management app to add new log sources to receive events from your network devices or appliances.
Do you know how to add log sources by using non-syslog protocols, such as OPSEC/LEA?
Configuring an OPSEC/LEA log source
To integrate Check Point OPSEC/LEA with JSA, you must create two Secure Internal Communication (SIC) files and enter the information into JSA as a Check Point log source.
Reference data and building blocks
Do you know how to adjust building block and reference set content to effectively tune JSA rules?
Review building blocks
Building blocks are a reusable set of rule tests that can be used within rules when required. Host definition building blocks (BB:HostDefinition) categorize assets and server types into CIDR/IP ranges. By populating host definition building blocks, JSA can identify the type of appliance that belongs to an address or address range. These building blocks can then be used in rules to exclude or include entire asset categories in rule tests.
Rules
Do you know how to run correlation rules in "test mode" to avoid excessive offense generation?
Configuring an event or flow as false positive
You might have legitimate network traffic that triggers false positive flows and events that make it difficult to identify true security incidents. You can prevent events and flows from correlating into offenses by configuring them as false positives.
Creating a custom rule
JSA includes rules that detect a wide range of activities, including excessive firewall denies, multiple failed login attempts, and potential botnet activity. You can also create your own rules to detect unusual activity.
Threat intelligence
Do you know how to use native X-Force threat feed data to enhance corporate security and visibility?
Enabling X-Force Threat Intelligence in JSA
By enabling X-Force Threat Intelligence in JSA, you can receive feeds of the X-Force Threat Intelligence information to your console.
Troubleshooting
Do you know how to collect logs from the JSA deployment to help Juniper Customer Support troubleshoot issues?
Collecting log files
JSA log files contain detailed information about your deployment, such as hostnames, IP addresses, and email addresses. If you need help with troubleshooting, you can collect the log files and send them to Juniper Customer Support.