Managed Hosts
For greater flexibility over data collection and event and flow processing, build a distributed JSA deployment by adding non-console managed hosts, such as gateways, processors, and data nodes.
For more information about planning and building your JSA environment, see the Juniper Secure Analytics Architecture and Deployment Guide.
Software Compatibility Requirements
Software versions for all JSA appliances in your deployment must be at the same version and update package level. Deployments that use different versions of software are not supported because mixed software environments can prevent rules from firing, prevent offenses from being created or updated, or cause errors in search results.
When a managed host runs a software version that differs from the JSA Console, you might still be able to view components that were already assigned to the host, but you cannot configure those components or add or assign new ones. Bring the host to the Console's version and update package before you change its configuration.
Internet Protocol (IP) Requirements
The following table describes the various combinations of IP protocols that are supported when you add non-console managed hosts:
Managed Hosts | JSA Console (IPv6, single) | JSA Console (IPv6, HA)
---|---|---
IPv4, single | No | No
IPv4, HA | No | No
IPv6, single | Yes | Yes
IPv6, HA | Yes | Yes
Bandwidth Considerations for Managed Hosts
To replicate state and configuration data, ensure that you have a minimum bandwidth of 100 Mbps between the JSA console and all managed hosts. Higher bandwidth is necessary when you search log and network activity, and you have over 10,000 events per second (EPS).
An Event Collector that is configured to store and forward data to an Event Processor forwards the data according to the schedule that you set. Ensure that you have sufficient bandwidth to cover the amount of data that is collected, otherwise the forwarding appliance cannot maintain the scheduled pace.
Use the following methods to mitigate bandwidth limitations between data centers:
- Process and send data to hosts at the primary data center -- Design your deployment to process and send data as it is collected to hosts at the primary data center where the Console resides. In this design, all user-based searches query the data from the local data center rather than waiting for remote sites to send data back. You can deploy a store and forward Event Collector, such as a JSA 15XX physical or virtual appliance, in the remote locations to control bursts of data across the network. Bandwidth is used in the remote locations, and searches for data occur at the primary data center rather than at a remote location.
- Don't run data-intensive searches over limited bandwidth connections -- Ensure that users don't run data-intensive searches over links that have limited bandwidth. Specifying precise filters on the search limits the amount of data that is retrieved from the remote locations and reduces the bandwidth that is required to send the query result back.
Encryption
To provide secure data transfer between each of the appliances in your environment, JSA has integrated encryption support that uses OpenSSH. Encryption occurs between managed hosts and is enabled by default when you add a managed host.
When encryption is enabled, the host whose client application initiates a connection creates an SSH tunnel for it, and all client applications on that managed host use SSH tunnels. On a non-Console managed host, tunnels are created automatically for the database and other support-service connections to the Console, so all traffic between managed hosts is encrypted. For example, with encryption enabled on an Event Processor, the connection between the Event Processor and its Event Collector is encrypted, as is the connection between the Event Processor and the Magistrate. The tunnels cover only host-to-host traffic within the deployment; they do not change how log sources deliver events to a collector.
The SSH tunnel between two managed hosts can be initiated from the remote host instead of the local host. For example, suppose an Event Processor inside a secure environment connects to an Event Collector outside it, and a firewall rule prevents a host outside the secure environment from connecting to a host inside it. Select the Remote Tunnel Initiation checkbox for the Event Collector so that the Event Processor creates the tunnel and the connection is established from the secure side.
Tunnels between the Console and managed hosts cannot be reversed in this way.
Adding a Managed Host
Add managed hosts, such as event and flow processors and data nodes, to distribute data collection and processing across your JSA deployment.
Ensure that the managed host has the same JSA version and update package as the JSA Console that you are using to manage it.
If you want to enable Network Address Translation (NAT) for a managed host, the network must use static NAT translation.
The following table describes the components that you can connect:
Source Connection | Target Connection | Description
---|---|---
Flow Processor | Event Collector | You can connect a Flow Processor only to an Event Collector. The number of connections is not restricted. You can't connect a Flow Processor to the Event Collector on a 15xx appliance.
Event Collector | Event Processor | You can connect an Event Collector to only one Event Processor. You can connect a non-console Event Collector to an Event Processor on the same system. A console Event Collector can be connected only to a console Event Processor, and you can't remove this connection.
Event Processor | Event Processor | You can't connect a console Event Processor to a non-console Event Processor. You can connect a non-console Event Processor to either a console or a non-console Event Processor, but not to both at the same time. When a non-console managed host is added, its Event Processor is connected to the console Event Processor.
Data Node | Event Processor | You can connect a Data Node only to an Event Processor or a Flow Processor. You can connect multiple Data Nodes to the same processor to create a storage cluster.
Event Collector | Off-site target | The number of connections is not restricted.
Off-site source | Event Collector | The number of connections is not restricted. An Event Collector that is connected to an event-only appliance can't receive an off-site connection from a remote system that has the Receive Flows feature enabled. An Event Collector that is connected to a flow-only appliance can't receive an off-site connection from a remote system that has the Receive Events feature enabled.
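The connection rules in the table above, encoded as a small validator that you can run against a planned deployment before you add hosts. This is an added example written for this page, not JSA code or a JSA API: the role labels, the Host fields, the "15xx" model tag and the sample deployment are all constructed for the illustration, and the validator covers only the rules the table states.

```python
from collections import Counter
from dataclasses import dataclass

# Role labels are constructed for this example; they are not JSA identifiers.
EC, EP, FP, DN, OFFSITE = ("event_collector", "event_processor",
                           "flow_processor", "data_node", "off_site")


@dataclass(frozen=True)
class Host:
    name: str
    role: str
    console: bool = False   # True for the component that runs on the JSA Console
    model: str = ""         # "15xx" marks a store-and-forward collector appliance (assumed tag)


def validate_topology(hosts, links):
    """Check each (source, target) connection against the connection rules.

    Returns a list of violations; an empty list means every rule encoded here holds.
    """
    by_name = {h.name: h for h in hosts}
    errors = []
    ec_targets = Counter()   # Event Collector -> number of Event Processors it feeds
    ep_targets = {}          # non-console Event Processor -> Event Processors it connects to

    for src_name, dst_name in links:
        src, dst = by_name[src_name], by_name[dst_name]
        pair = f"{src_name} -> {dst_name}"
        if src.role == FP:
            if dst.role != EC:
                errors.append(f"{pair}: a Flow Processor connects only to an Event Collector")
            elif dst.model == "15xx":
                errors.append(f"{pair}: a Flow Processor cannot connect to the Event Collector on a 15xx appliance")
        elif src.role == EC:
            if dst.role == EP:
                ec_targets[src_name] += 1
                if src.console and not dst.console:
                    errors.append(f"{pair}: a console Event Collector connects only to the console Event Processor")
            elif dst.role != OFFSITE:
                errors.append(f"{pair}: an Event Collector connects only to an Event Processor or an off-site target")
        elif src.role == EP:
            if dst.role != EP:
                errors.append(f"{pair}: an Event Processor connects only to another Event Processor")
            elif src.console and not dst.console:
                errors.append(f"{pair}: a console Event Processor cannot connect to a non-console Event Processor")
            else:
                ep_targets.setdefault(src_name, []).append(dst_name)
        elif src.role == DN:
            if dst.role not in (EP, FP):
                errors.append(f"{pair}: a Data Node connects only to an Event Processor or a Flow Processor")
        elif src.role == OFFSITE:
            if dst.role != EC:
                errors.append(f"{pair}: an off-site source connects only to an Event Collector")
        else:
            errors.append(f"{pair}: unknown source role {src.role!r}")

    # Cardinality rules can only be checked once every link has been seen.
    for ec, count in ec_targets.items():
        if count > 1:
            errors.append(f"{ec}: an Event Collector connects to only one Event Processor (found {count})")
    for ep, targets in ep_targets.items():
        if len(targets) > 1:
            errors.append(f"{ep}: a non-console Event Processor connects to one other Event Processor, not both ({targets})")
    return errors


# Constructed sample deployment: a Console, one data-centre processor, two collectors
# (one a 15xx store-and-forward appliance), a Flow Processor and a two-node storage cluster.
SAMPLE_HOSTS = [
    Host("console", EP, console=True),
    Host("console-ec", EC, console=True),
    Host("ep-dc1", EP),
    Host("ec-dc1", EC),
    Host("ec-branch", EC, model="15xx"),
    Host("fp-dc1", FP),
    Host("dn-1", DN),
    Host("dn-2", DN),
]
VALID_LINKS = [
    ("console-ec", "console"), ("ep-dc1", "console"),
    ("ec-dc1", "ep-dc1"), ("ec-branch", "ep-dc1"),
    ("fp-dc1", "ec-dc1"), ("dn-1", "ep-dc1"), ("dn-2", "ep-dc1"),
]
BROKEN_LINKS = VALID_LINKS + [
    ("fp-dc1", "ec-branch"),   # Flow Processor into the collector on a 15xx appliance
    ("ec-dc1", "console"),     # a second Event Processor for one Event Collector
    ("dn-1", "ec-dc1"),        # Data Node attached to a collector instead of a processor
]

if __name__ == "__main__":
    print("valid plan:", validate_topology(SAMPLE_HOSTS, VALID_LINKS) or "no violations")
    for problem in validate_topology(SAMPLE_HOSTS, BROKEN_LINKS):
        print("violation:", problem)
```

Run it against your own host list before you click Add Host; the three deliberate faults in the sample plan are reported, and the clean plan returns an empty list.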
If you configured JSA Vulnerability Manager in your deployment, you can add vulnerability scanners and a vulnerability processor. For more information, see the Juniper Secure Analytics Vulnerability Manager User Guide.
If you configured JSA Risk Manager in your deployment, you can add a managed host. For more information, see the Juniper Secure Analytics Risk Manager Installation Guide.
To add a managed host:
- On the navigation menu, click Admin.
- In the System Configuration section, click System and License Management.
- In the Display list, select Systems.
- On the Deployment Actions menu, click Add Host.
- Configure the settings for the managed host by providing its fixed IP address and the root password that gives access to the operating system shell on the appliance.
- Click Add.
- Optional: Use Deployment Actions > View Deployment to see visualizations of your deployment. You can download a PNG image or a Microsoft Visio (2010) VDX file of the visualization.
- On the Admin tab menu, click Advanced > Deploy Full Configuration. Deploying the full configuration restarts all services, which interrupts event and flow collection until the deployment completes. The event collection service is the exception: JSA continues to collect events while the configuration deploys, and when that service must restart, JSA does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
Configuring a Managed Host
Configure a managed host to specify which role the managed host fulfills in your deployment. For example, you can configure the managed host as a collector, processor, or a data node. You can also change the encryption settings, and assign the host to a network address translation (NAT) group.
To make network configuration changes, such as an IP address change, to your JSA Console and managed host systems after you install your JSA deployment, use the qchange_netsetup utility. Before you run qchange_netsetup, verify that any external storage other than /store/ariel and /store is unmounted.
For more information about network settings, see the Installation Guide for your product.
Ensure that the managed host has the same JSA version and update package as the JSA Console that is used to manage it. You can't edit or remove a managed host that uses a different version of JSA.
If you want to enable Network Address Translation (NAT) for a managed host, the network must use static NAT translation.
To configure a managed host:
- On the navigation menu, click Admin.
- In the System Configuration section, click System and License Management.
- In the Display list, select Systems.
- Select the host in the host table, and on the Deployment Actions menu, click Edit Host.
- Optional: To initiate the tunnel between managed hosts from the remote host, select the Remote Tunnel Initiation checkbox.
- To configure the managed host to use a NAT-enabled network, select the Network Address Translation checkbox, and then configure the NAT Group and Public IP address.
- To configure the components on the managed host, click the Component Management settings icon and configure the options.
- Click Save.
- On the Admin tab menu, click Advanced > Deploy Full Configuration. Deploying the full configuration restarts all services, and event and flow collection is interrupted until the deployment completes.
Removing a Managed Host
You can remove non-Console managed hosts from your deployment. You can't remove a managed host that hosts the JSA Console.
Ensure that the managed host has the same JSA version and update package as the JSA Console that is used to manage it. You can't remove a host that is running a different version of JSA.
To remove a managed host:
- On the navigation menu, click Admin.
- In the System Configuration section, click System and License Management.
- In the Display list, select Systems.
- On the Deployment Actions menu, click Remove Host and click OK. You can't remove a JSA Console host.
- On the Admin tab menu, click Advanced > Deploy Full Configuration. JSA continues to collect events when you deploy the full configuration. When the event collection service must restart, JSA does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
Configuring Your Local Firewall
Use the local firewall to manage access to the JSA managed host from specific devices that are outside the network. When the firewall list is empty, access to the managed host is disabled, except through the ports that are opened by default. Add an entry only for the devices that must reach this host, and remove entries when the need ends.
- On the navigation menu, click Admin.
- In the System Configuration section, click System and License Management.
- In the Display list, select Systems.
- Select the host for which you want to configure firewall access settings.
- From the Actions menu, click View and Manage System.
- Click the Firewall tab and type the information for the device that needs to connect to the host. Configure access for devices that are outside of your deployment and need to connect to this host, and add the access rule.
- Click Save.
If you change the External Flow Source Monitoring Port parameter in the Flow configuration, you must also update your firewall access configuration.
Adding an Email Server
JSA uses an email server to distribute alerts, reports, notifications, and event messages.
You can configure an email server for your entire JSA deployment, or multiple email servers.
JSA supports only STARTTLS for encrypting connections to the email server.
If you configure the mail server setting for a host as localhost, the mail messages don't leave that host.
- On the Admin tab, click Email Server Management.
- Click Add, and configure the parameters for your email server.
- Click Save.
Tip: Keep the TLS option set to On to send encrypted email. Sending encrypted email requires an external TLS certificate. With TLS set to Off, alerts and reports leave the host in cleartext.
- To edit an email server, click the Other Settings icon for the server, make your edits, and then click Save.
- To delete an email server, click the Other Settings icon for the server, and then click Delete.
After you configure an email server, you can assign it to one or more hosts:
- On the System and License Management page, change the Display list to show Systems and select a host.
- Click Actions > View and Manage System.
- On the Email Server tab, select an email server.
- Test the connection to the email server by clicking the Test Connection button.
- Click Save.
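The STARTTLS requirement above, as an added example of the check a practitioner would run before trusting a mail server with alerts: refuse to send unless the server offers STARTTLS, and validate its certificate when it does. This is example code written for this page, not JSA's email client or its Test Connection implementation; the host, port, EHLO name and addresses are placeholders, and the one-shot SMTP responder is constructed so the example runs offline (it never completes a TLS handshake, so it only stands in for a server that lacks STARTTLS or for the advertisement check).

```python
import smtplib
import socket
import ssl
import threading
from email.message import EmailMessage

LOCAL_NAME = "jsa-console.example"   # hostname sent in EHLO (constructed placeholder)


def starttls_offered(host, port, timeout=10):
    """Pre-flight check in the spirit of Test Connection: does the server advertise STARTTLS?"""
    with smtplib.SMTP(host, port, local_hostname=LOCAL_NAME, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


def deliver_alert(host, port, sender, recipient, subject, body, timeout=10):
    """Send one message only over a STARTTLS-protected session.

    Returns True when the server accepted the message after the TLS upgrade and
    False when the server does not offer STARTTLS; the message is never sent in
    cleartext. A certificate that fails validation raises ssl.SSLError.
    """
    context = ssl.create_default_context()     # verifies the chain and the hostname
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    with smtplib.SMTP(host, port, local_hostname=LOCAL_NAME, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False                       # equivalent of TLS On with no STARTTLS: do not send
        smtp.starttls(context=context)
        smtp.ehlo()                            # EHLO again on the protected channel
        smtp.send_message(msg)
    return True


def start_fake_smtp(advertise_starttls):
    """One-shot SMTP responder on 127.0.0.1, constructed so the example runs offline.

    It answers EHLO and QUIT only. Returns the port it listens on.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        listener.close()
        with conn, conn.makefile("rb") as rfile:
            conn.sendall(b"220 fake.example ESMTP\r\n")
            for line in rfile:
                verb = line.split()[0].upper() if line.split() else b""
                if verb == b"EHLO":
                    ext = b"250-STARTTLS\r\n" if advertise_starttls else b""
                    conn.sendall(b"250-fake.example\r\n" + ext + b"250 SIZE 1048576\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                else:
                    conn.sendall(b"502 command not implemented\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for offered in (False, True):
        port = start_fake_smtp(advertise_starttls=offered)
        print(f"server advertises STARTTLS: {starttls_offered('127.0.0.1', port)}")
    port = start_fake_smtp(advertise_starttls=False)
    sent = deliver_alert("127.0.0.1", port, "jsa@example.test", "soc@example.test",
                         "JSA offense", "constructed alert body")
    print(f"delivered over cleartext-only server: {sent}")
```

Point deliver_alert at a real relay on port 25 or 587 to exercise the full path; the default SSL context rejects a self-signed or mismatched certificate, which is the behaviour you want from a server that carries offense details.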