Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

JSA Software only Installations

A software only installation is a JSA installation on your hardware that uses a RHEL operating system that you provide. You must configure partitions and complete other RHEL preparation before a JSA software only installation.

Important

  • Ensure that your hardware meets the system requirements for JSA deployments.

  • JSA Software node license comes with the default Red Hat entitlement. You can provide your own RHEL, or acquire entitlement to a JSA Software Node. For the vulnerability updates, you must purchase RHEL entitlement from the satellite server.

  • Install no software other than JSA and RHEL on your hardware. Unapproved RPM installations can cause dependency errors when you upgrade JSA software and can also cause performance issues in your deployment.

  • Do not update your operating system or packages before or after JSA installation.

  • It is not possible to do a factory reset from the recovery partition when you do a software only installation.

Note:

Software installations do not come with the recovery partition available, and also these instructions do not apply.

Complete the following tasks in order:

Prerequisites for Installing JSA on Your Hardware

Before you install Red Hat Enterprise Linux (RHEL) operating system on your hardware, ensure that your system meets the system requirements.

JSA and RHEL version compatibility

The following table describes the version of Red Hat Enterprise Linux used with the JSA versions.

Table 1: Red Hat Version

JSA Version

Red Hat Enterprise Linux Version

JSA 7.5.0 GA to JSA 7.5.0 Update Package 7

Red Hat Enterprise Linux V7.9 64-bit

JSA 7.5.0 Update Package 8

Red Hat Enterprise Linux V8.8 64-bit

The following table describes the system requirements:

Table 2: System Requirements for RHEL Installations on your own Hardware

Requirements

Description

Kickstart disks

Not supported

Network Time Protocol (NTP) package

Optional

If you want to use NTP as your time server, ensure that you install the NTP package.

Optional

If you want to use NTP as your time server, ensure that you install the Chrony package.

Firewall configuration

WWW (http, https) enabled

SSH-enabled

Hardware

See the tables below for memory, processor, and storage requirements.

Memory and CPU Requirements

If you use hardware not provided by Juniper, ensure that your hardware meets or exceeds the specifications for memory and CPU of the corresponding JSA appliance.

Note:

You can change the memory or the CPU of your appliance by shutting down the appliance and making the changes. When you restart the appliance the system detects the changes and adjusts the performance related configuration. You must maintain the minimum requirements.

Storage requirements

Your appliance must have at least 256 GB of storage available.

The following table shows the storage requirements for installing JSA on your hardware.

Note:

The minimum required storage size varies, based on factors such as event size, events per second (EPS), and retention requirements.
Table 3: Minimum Storage Requirements for Software Only Installations

System classification

IOPS

Data transfer rate (MB/s)

Minimum performance

800

500

Medium performance

1200

1000

High Performance

10,000

2000

All Platforms Event Processor

300

300

Event/Flow Processors

300

300

Installing RHEL on Your Own System

Download the Red Hat Enterprise Linux Server Binary DVD from https://access.redhat.com.

Refer to the Red Hat version table to choose the correct version.

Table 4: Red Hat Version

JSA Version

Red Hat Enterprise Linux version

JSA 7.5.0 GA to JSA 7.5.0 Update Package 7

Red Hat Enterprise Linux Server V7.9 Binary DVD

JSA 7.5.0 Update Package 8

Red Hat Enterprise Linux Server V8.8 Binary DVD

JSA Software node license comes with the default Red Hat entitlement. You can provide your own RHEL, or acquire entitlement to a JSA Software Node. For the vulnerability updates, you must purchase RHEL entitlement from the satellite server.

If there are circumstances where you need install to RHEL separately, proceed with the following instructions.

Note:

FIPS mode only (For JSA 7.5.0 GA to JSA 7.5.0 Update Package 7): To install RHEL in FIPS mode, add qradar.fips=1 to the vmlinuz.

  1. Map the ISO to a device for your appliance by using the bootable USB flash drive with the ISO.

    For information about creating a bootable USB flash drive, see USB Drive Installations.

  2. Insert the portable storage device into your appliance and restart your appliance.

  3. FIPS mode only (For JSA 7.5.0 GA to JSA 7.5.0 Update Package 7): From the Red Hat Enterprise Linux 7.9 installer start menu, click Tab.

  4. FIPS mode only (JSA 7.5.0 GA to JSA 7.5.0 Update Package 7): Add qradar.fips=1 to the vmlinuz line and press Enter.

    The result might look similar to this example:

  5. From the starting menu, do one of the following options:

    • Select the device that you mapped the ISO to, or the USB drive, as the boot option.

    • To install on a system that supports Extensible Firmware Interface (EFI), you must start the system in legacy mode.

  6. When prompted, log in to the system as the root user.

  7. Follow the instructions in the installation wizard to complete the installation:

    1. Set the language to English (US).

    2. Click Date & Time and set the time for your deployment.

    3. Click Software selection and select Minimal Install.

    4. Click Installation Destination and select the I will configure partitioning option.

    5. Select LVM from the list.

    6. Click the Add button to add the mount points and capacities for your partitions, and then click Done. For more information about RHEL7 partitions, see Linux Operating System Partition Properties for JSA Installations on Your Own System.

      To encrypt data complete the following steps:

      1. Select one of the LVM partitions created.

      2. Select Modify under the Volume Group section. A pop up console opens for further configuration options.

      3. Select Encrypt.

      4. Save the changes.

        Note: Upgrading to RHEL-8 on systems with LUKS encrypted partitions is not supported. Ensure that your deployment does not include hosts with LUKS encrypted partitions to successfully upgrade your system. For more information, see Upgrading Juniper Secure Analytics to 7.5.0.

    7. Click Network & Host Name.

    8. Enter a fully qualified domain name for your appliance hostname.

      Note:

      JSA Console Only: The Console and managed host (MH) cannot have the same hostname.

    9. Select the interface in the list, move the switch to the ON position, and click Configure.

    10. On the General tab, select Automatically connect to this network when it is available option.

    11. On the IPv4 Settings tab, select Manual in the Method list.

    12. Click Add to enter the IP address, Netmask, and Gateway for the appliance in the Addresses field.

    13. Add two DNS servers.

    14. Click Save > Done > Begin Installation.

  8. Set the root password, and then click Finish configuration.

  9. After the installation is complete, disable SELinux by modifying the /etc/selinux/config file, and restart the appliance.

    To modify the /etc/selinux/config file, complete the following steps:

    1. Open the /etc/selinux/config file using the following command:

    2. Configure the SELINUX=disabled option:

    3. Save the file and restart the appliance.

Linux Operating System Partition Properties for JSA Installations on Your Own System

If you use your own disk drive hardware, you can delete and re-create partitions on your Red Hat Enterprise Linux operating system rather than modify the default partitions.

Use the values in the following table as a guide when you re-create the partitioning on your Red hat Enterprise Linux Operating system. You must use these partition names. Using other partition names can cause the installation to fail and other issues.

Table 5: Partitioning Guide for RHEL for JSA 7.5.0 Update Package 8

Mount Path

LVM Supported?

Size

File System
/boot

No

1 GB

XFS

/boot/efi

No

200 MB

VFAT

/var

Yes

5 GB

XFS

/var/log

Yes

15 GB

/var/log/audit

Yes

3 GB

/opt

Yes

13 GB

/home

Yes

1 GB

/storetmp

Yes

15 GB

/tmp

Yes

3 GB

swap

N/A

swap formula:

Configure the swap partition size to be 75 percent of RAM, with a minimum value of 12 GB and a maximum value of 24 GB

/

Yes

Upto 15 GB

JSA Console

App Host

/transient

Yes

20 % of remaining space

/store

Yes

80% of remaining space

Processors and Collectors

/transient

Yes

The lesser of 20% of the remaining space and 500 GB

/store

Yes

The remaining space after /transient allocation

Data Nodes

/transient

Yes

The lesser of 10% of the remaining space and 100 GB

/store

Yes

The remaining space after /transient allocation
Table 6: Partitioning Guide for RHEL for JSA 7.5.0 GA to JSA 7.5.0 Update Package 7

Mount Path

LVM Supported?

Size

File System
/boot

No

1 GB

XFS

/boot/efi

No

200 MB

/var

Yes

5 GB

/var/log

Yes

15 GB

/var/log/audit

Yes

3 GB

/opt

Yes

13 GB

/home

Yes

1 GB

/storetmp

Yes

15 GB

/tmp

Yes

3 GB

swap

N/A

swap formula:

Configure the swap partition size to be 75 percent of RAM, with a minimum value of 12 GB and a maximum value of 24 GB

/

Yes

Upto 15 GB

/transient

Yes

20% of remaining space

/store

Yes

80% of remaining space

Console Partition Configurations for Multiple Disk Deployments

For systems with multiple disks, configure the following partitions for JSA.

Disk 1

boot, swap, OS, JSA temporary files, and log files

Remaining Disks

  • Use the default storage configurations for JSA appliances as a guideline to determine what RAID type to use.

  • Mounted as /store

  • Store JSA data

The following table shows the default storage configuration for JSA.

Table 7: Default Storage Configurations for JSA

JSA host role

Storage Configuration

Flow processor

QRadar Network Insights (QNI)

RAID1

Data Node

Event processor

Flow processor

Event and flow processor

All-in-one console

RAID6

Event collector

RAID10

Installing JSA After the RHEL Installation

Install JSA on your own device after you install RHEL.

A fresh software install erases all data in /store as part of the installation process. If you want to preserve the contents of /store when performing a software installation, manually back up the data you want to preserve apart from the host where the software is to be installed.

  1. Copy the JSA ISO to /root or /storetmp directory of the device.

  2. Create the /media/cdrom/ directory by typing the following command:

    mkdir /media/cdrom

  3. Mount the JSA ISO by using the following command:

    mount - o loop <path_to_iso>/<qradar.iso> / media/cdrom

  4. JSA Console Only:

    Run the JSA setup by using the following command:

    /media/cdrom/setup

    Note:

    A new kernel might be installed as part of the installation, which requires a system restart. Repeat the commands in steps 3 and 4 after the system restart to continue the installation.
  5. FIPS mode only (For JSA 7.5.0 GA to JSA 7.5.0 Update Package 7): When the OS installation finishes run the QRadar setup by typing the following command:/media/cdrom/setup --fips. The --fips option verifies that the OS is FIPS enabled so that you can proceed with the installation. If RHEL is not FIPS enabled, the installation fails with the following error message:
    Note: A new kernel might be installed as part of the installation, which requires a system restart. Repeat the commands in steps 3 and 4 after the system restarts.

  6. Select the disk drive type:

    Note:

    The software installation menu will not be visible in the installation wizard by default.

    • Software Install

    • High Availability Appliance

  7. Select the disk drive assignment, and then select Next.

  8. If you selected an disk drive for high-availability (HA), select whether the disk drive is a console.

  9. For the type of setup, select Normal Setup (default) or HA Recovery Setup, and set up the time.

  10. If you selected HA Recovery Setup, enter the cluster virtual IP address.

  11. Select the Internet Protocol version.

  12. If you selected ipv6, select manual or auto for the Configuration type.

  13. Select the bonded interface setup, if required.

  14. Select the management interface.

  15. In the wizard, enter a fully qualified domain name in the Hostname field.

    Note:

    The hostname must not contain only numbers.

    Note:

    JSA Console only: The console and managed host (MH) cannot share the have hostname.

  16. In the IP address field, enter a static IP address, or use the assigned IP address.

    Note:

    If you are configuring this host as primary host for a high availability (HA) cluster, and you selected Yes for auto-configure, you must record the automatically-generated IP address. The generated IP address is entered during HA configuration.

    For more information, see Juniper Security Analytics High Availability Guide.

  17. If you do not have a email server, enter localhost in the Email server name field.

  18. If you are installing a Console, enter an admin password that meets the following criteria:

    • Contains at least 5 characters

    • Contains no spaces

    • Can include the following special characters: @, #, ^, and *.

  19. Leave the root password as it is.

  20. Click Finish.

  21. Follow the instructions in the installation wizard to complete the installation.

    The installation process might take several minutes.

  22. If you are installing a Console, apply your license key.

    1. Log in to JSA as the admin user:

    2. Click Login.

    3. In the navigation menu, click Admin.

    4. In the navigation pane, click System configuration.

    5. Click the System and License Management icon.

    6. From the Display list box, select Licenses, and upload your license key.

    7. Select the unallocated license and click Allocate System to License.

    8. From the list of systems, select a system, and click Allocate System to License.

    9. Click Deploy License Changes.

  23. If you want to add managed hosts, see Juniper Security Analytics Administration Guide.