Options for Adding Scanners to Your JSA Vulnerability Manager Deployment
If you have a large network and require flexible scanning options, you can add more scanners to your JSA Vulnerability Manager deployment.
Your JSA Vulnerability Manager processor is automatically deployed with a scanning component. By deploying more scanners you can increase the flexibility of your scanning operations. For example, you can scan specific areas of your network with different scanners and at different scheduled times.
Dynamic Vulnerability Scans
The vulnerability scanners that you deploy might not have access to all areas of your network. In JSA Vulnerability Manager you can assign different scanners to network CIDR ranges. During a scan, each asset in the CIDR range that you want to scan is dynamically associated with the correct scanner.
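The following is an added example, not JSA code, that models the dynamic assignment described above so you can check which scanner ends up responsible for each target before you schedule a scan. Scanner names, CIDR ranges and the fallback name `processor-scanner` are constructed for illustration, and the longest-prefix rule used to resolve overlapping ranges is an assumption of this model, not a documented JSA behaviour; verify it against your own deployment.

```python
"""Model of dynamic scanner assignment: each asset is matched to the scanner
whose assigned CIDR range contains it.  Added example, not JSA product code."""
import ipaddress
from collections import defaultdict

# Constructed scanner-to-CIDR assignments (hypothetical names and ranges).
SCANNER_CIDRS = {
    "scanner-dmz": ["203.0.113.0/24"],
    "scanner-site-a": ["10.10.0.0/16"],
    "scanner-site-a-dc": ["10.10.5.0/24"],  # overlaps scanner-site-a on purpose
}


def assign_scanner(asset, assignments, default="processor-scanner"):
    """Return the scanner responsible for a single asset address.

    Overlapping ranges are resolved by longest prefix (an assumption of this
    model, not a documented JSA rule).  Assets outside every assigned range
    fall back to `default`, which stands in for the scanner that is deployed
    with the vulnerability processor.
    """
    ip = ipaddress.ip_address(asset)
    best, best_len = default, -1
    for scanner, cidrs in assignments.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip in net and net.prefixlen > best_len:
                best, best_len = scanner, net.prefixlen
    return best


def plan_scan(targets, assignments, default="processor-scanner"):
    """Expand scan targets (single IPs or CIDRs) and group hosts by scanner.

    For ranges shorter than /31 the network and broadcast addresses are
    skipped, matching what a host scan would actually touch.  Anything that
    lands under `default` is a target no dedicated scanner covers, which is
    the gap you want to see before the scan runs.
    """
    plan = defaultdict(list)
    for target in targets:
        net = ipaddress.ip_network(target, strict=False)
        hosts = list(net.hosts()) if net.prefixlen < 31 else list(net)
        for host in hosts:
            plan[assign_scanner(str(host), assignments, default)].append(str(host))
    return dict(plan)


if __name__ == "__main__":
    # Constructed scan profile: one DC subnet plus a host outside every range.
    for scanner, hosts in plan_scan(["10.10.5.0/30", "192.168.1.1"], SCANNER_CIDRS).items():
        print(f"{scanner}: {', '.join(hosts)}")
```

Run it against the target list of a scan profile; any hosts reported under the fallback name are the ones that will be scanned by the processor's built-in scanner rather than a scanner you placed for that network segment.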
To add more vulnerability scanners, choose any of the following options:
Deploy a dedicated JSA Vulnerability Manager managed host scanner appliance--You can scan for vulnerabilities by using a dedicated JSA Vulnerability Manager managed host scanner appliance.
Note: Do not select Remote Tunnel Initiation for encryption on managed hosts.
To deploy a scanner appliance, you must complete the following tasks:
Install a dedicated JSA Vulnerability Manager managed host scanner appliance.
Add the managed host scanner appliance to your JSA console by using the System and License Management tool on the Admin tab.
Deploy a JSA Vulnerability Manager scanner to your JSA console or managed host--If you move your vulnerability processor from your JSA console to a JSA Vulnerability Manager managed host, you can add a scanner to your console.
You can also add a vulnerability scanner to any of the following JSA managed hosts: JSA Console, Event Processor, Flow Processor, Combo Processor, Event Collector, and Data Node.
Note: The vulnerability scanner cannot be added to the App Host.
Run an automatic update when you add a scanner or other managed host with scanning capabilities. For more information about automatic updates, see the Juniper Secure Analytics Administration Guide.
Configure access to the Juniper Networks hosted scanner and scan your DMZ--You can configure access to a Juniper Networks hosted scanner and scan the assets in your DMZ.
Deploying a Dedicated JSA Vulnerability Manager Scanner Appliance
You can deploy a dedicated JSA Vulnerability Manager managed host scanner appliance.
Ensure that a dedicated JSA Vulnerability Manager managed host scanner appliance is installed.
On the navigation menu, click Admin.
Click System and License Management > Deployment Actions > Add Managed Host.
Enter the Host IP address and password of the JSA Vulnerability Manager managed host scanner appliance.
Click Add.
You must wait several minutes while the managed host is added.
Close the System and License Management window.
On the Admin tab toolbar, select Advanced > Deploy Full Configuration.
Click OK.
Deploying a Vulnerability Scanner to a JSA Console or Managed Host
You can deploy a JSA Vulnerability Manager scanner to a JSA console or JSA managed host. For example, you can deploy a scanner to a flow processor, event collector, event processor, or data node.
In an All-in-One deployment the console is used as a built-in scanner. You cannot add a separate scanner to a JSA Console while the JSA Vulnerability Manager processor is on the JSA Console. In a deployment that is not All-in-One, it is good practice to move the JSA Vulnerability Manager processor to a dedicated appliance when you are scanning more than 50,000 assets.
To deploy a scanner on your JSA console, ensure that the vulnerability processor is moved to a dedicated JSA Vulnerability Manager managed host appliance.
To deploy scanners on JSA managed hosts, ensure that you have existing managed hosts in your deployment. For more information, see the Juniper Secure Analytics Installation Guide for your product.
On the navigation menu, click Admin.
Click System and License Management > Deployment Actions > Manage Vulnerability Deployment.
Click Add Additional Vulnerability Scanners.
Click the + icon.
From the Host list, select the JSA managed host or console.
Note: You cannot add a scanner to a JSA console when the vulnerability processor is on the console. You must move the vulnerability processor to a JSA Vulnerability Manager managed host.
Click Save.
Close the System and License Management window.
On the Admin tab toolbar, select Advanced > Deploy Full Configuration.
Click OK.
Check the Scan Server list on the Scan Profiles Configuration page to ensure that the scanner is added.
For more information, see Creating a Scan Profile.
Run an automatic update after you add the scanner or another managed host with scanning capabilities, or wait until the default daily scheduled automatic update has run before you scan with it. If the other scanners received their automatic update earlier, the new scanner might not be at the same update level as the rest until the next daily update.
Scanning the Assets in Your DMZ
In JSA Vulnerability Manager, you can connect to an external scanner and scan the assets in your DMZ for vulnerabilities.
You do not need to deploy a scanner in your DMZ to scan the assets in it. Instead, you configure JSA Vulnerability Manager to use a Juniper Networks hosted scanner that is located outside your network.
Detected vulnerabilities are processed by the processor on either your JSA console or JSA Vulnerability Manager managed host.
Configure your network and assets for external scans.
Configure JSA Vulnerability Manager to scan your external assets.
- Configuring Your Network and Assets for External Scans
- Configuring JSA Vulnerability Manager to Scan Your External Assets
Configuring Your Network and Assets for External Scans
To scan the assets in a DMZ network, you must configure your network and inform Juniper Networks of the assets that you want to scan.
To scan assets in a DMZ network, you must complete the following steps:
Configure the network.
Send required network specifics to the External Scanner Team.
Configuring the Network for External Scans
To scan the assets in a DMZ network, you must first configure your network for external scans.
Ensure that the JSA Vulnerability Manager processor has Internet access so that it can communicate with the DMZ scanner.
Note: The processor (or the proxy server in front of it) must use a static external IP address, because Juniper Networks registers that address for your scans.
Ensure that each asset that is to be scanned by the DMZ scanner is reachable from the Internet.
Configure an outbound firewall rule that allows TCP port 443 from the processor (or its proxy) to the DMZ scanner.
Note: No incoming connections are required, so do not open inbound ports for this integration.
Sending Network Specifics to the External Scanner Team
After you configure your network for external scans, you must inform Juniper Networks that you want to scan.
Send the following network specifics to the External Scanner Team at Juniper Networks.
Option | Description
---|---
Gateway IP address | The external/public IP address of the JSA Vulnerability Manager processor (where the scan originates from). If you use a proxy server, provide the IP address of the proxy server instead.
Load balancers (optional) | If you employ load balancers, an explicit list or range of all load balancers is required.
IP address list/range | The explicit list or range of all the assets to be scanned.
DMZ/External scans do not complete successfully until the requested information is sent to Juniper Networks and a confirmation email is received.
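Because the external scans do not complete until Juniper Networks has registered the details you send, a mistake in the submission (a private gateway address, an RFC 1918 target range, a typo in a CIDR) costs a round trip with the External Scanner Team. The following is an added pre-flight check, not JSA code, that validates the three items in the table above before you send them. The sample submission, the address ranges and the field names `gateway`, `load_balancers` and `targets` are constructed for the example; the list of blocked ranges is the author's choice of address space that an Internet-hosted scanner cannot reach, and the check handles IPv4 only.

```python
"""Pre-flight validation of the network specifics sent to the External
Scanner Team.  Added example, not JSA product code."""
import ipaddress

# Address space an Internet-hosted scanner cannot reach (and that cannot be
# your external gateway).  Chosen for this example; IPv4 only.
NOT_EXTERNALLY_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # CGNAT shared space
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",     # loopback, link-local, "this" net
)]


def parse_target(text):
    """Accept a single IP or a CIDR and return an IPv4Network (a bare IP becomes /32).
    Raises ValueError on anything that is not an address or network."""
    net = ipaddress.ip_network(text.strip(), strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 is handled by this check")
    return net


def is_externally_routable(net):
    """True if no part of `net` falls inside the blocked address space."""
    return not any(net.overlaps(blocked) for blocked in NOT_EXTERNALLY_ROUTABLE)


def check_submission(spec):
    """Validate a submission of the form
    {"gateway": str, "load_balancers": [str], "targets": [str]}.
    Returns a list of human-readable problems; an empty list means it is ready to send."""
    problems = []

    gw = spec.get("gateway", "")
    try:
        gw_net = parse_target(gw)
        if gw_net.num_addresses != 1:
            problems.append(f"gateway {gw!r} must be a single address, not a range")
        elif not is_externally_routable(gw_net):
            problems.append(f"gateway {gw!r} is not a public address; "
                            "give the external IP of the processor or its proxy")
    except ValueError:
        problems.append(f"gateway {gw!r} is not a valid IP address")

    if not spec.get("targets"):
        problems.append("no scan targets listed")

    for field in ("load_balancers", "targets"):
        for entry in spec.get(field, []):
            try:
                net = parse_target(entry)
            except ValueError:
                problems.append(f"{field}: {entry!r} is not a valid IP or CIDR")
                continue
            if not is_externally_routable(net):
                problems.append(f"{field}: {entry!r} is not reachable from an external scanner")
    return problems


if __name__ == "__main__":
    # Constructed submission with two deliberate mistakes.
    sample = {
        "gateway": "192.168.1.10",
        "load_balancers": ["203.0.113.40/30"],
        "targets": ["198.51.100.0/24", "10.0.0.0/8", "not-an-ip"],
    }
    for problem in check_submission(sample) or ["submission looks ready to send"]:
        print(problem)
```

Feed it the exact values you intend to e-mail; a clean result only proves the addresses are well-formed and externally routable, so you still need to confirm that the outbound TCP 443 rule from the processor is in place and that the gateway address is the one the scanner will actually see after any NAT or proxy.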
Configuring JSA Vulnerability Manager to Scan Your External Assets
To scan the assets in your DMZ, you must configure JSA Vulnerability Manager, by using the System and License Management tool on the Admin tab.
- From the Admin tab, click System and License Management.
- From the Display menu, select Systems.
- Click Deployment Actions > Manage Vulnerability Deployment.
- Click Use External Scanner.
- In the Gateway IP field, enter your external IP address.
Note: You cannot scan external assets until your external IP address is configured. Ensure that you email details of your external IP address to Juniper Networks.
- If your network is configured to use a proxy server, click Enable Proxy Server and enter the details of your server.
- Click Save and then click Close.
- On the Admin tab toolbar, click Advanced > Deploy Full Configuration.
- Click OK.
A scanner that is called IbmExternalScanner is added to your deployment. You can either associate your DMZ CIDR ranges with this scanner or use this scanner as a scan server in scan profiles.
Note: Authenticated scans are not conducted from the external scanner, so its results reflect only what is observable from the Internet without credentials; use an internal scanner for credentialed checks of the same assets.
Supported Web Browsers
For the features in JSA products to work properly, you must use a supported web browser.
The following table lists the supported versions of web browsers.
Web browser | Supported versions
---|---
64-bit Mozilla Firefox | 60 Extended Support Release and later
64-bit Microsoft Edge | 38.14393 and later
64-bit Google Chrome | Latest
The Microsoft Internet Explorer web browser is no longer supported as of JSA 7.4.0.
Security Exceptions and Certificates
If you are using the Mozilla Firefox web browser, you must add a security exception in Mozilla Firefox for the JSA console's certificate before you can log in to JSA. Keep in mind that a permanent exception bypasses certificate validation for that host, so where possible install a console certificate that your browsers already trust instead. For more information, see your Mozilla Firefox web browser documentation.
Navigate the Web-Based Application
When you use JSA, use the navigation options available in the JSA Console instead of your web browser Back button.