New Features and Enhancements in JSA 7.5.0
For JSA users, JSA 7.5.0 introduces greater visibility into flow traffic, as well as performance and stability improvements.
Multi-threaded processing for external flow sources
Changed in 7.5.0 Update Pack 1
As part of ongoing improvements to the flow pipeline, the Flow Processor flow processing service now supports multi-threaded processing for external flow sources, such as IPFIX, NetFlow V9, and QRadar Network Insights flow sources.
JSA 7.5.0 introduced multi-threaded processing in the receiving, parsing, and normalization phases when processing external flow sources.
Building on those improvements, JSA 7.5.0 Update Pack 1 introduces multi-threaded processing for the analysis, sending, and garbage collection of flows within the Flow Processor flow processing service.
Now, the entire end-to-end Flow Processor flow processing service uses multi-threaded processing. Performance of the Flow Processor process is improved, which enables JSA to process more flows.
Multi-threaded processing is turned on by default, and the number of threads is automatically determined based on the capabilities of the appliance.
Sequence number verification
New in 7.5.0 Update Pack 1
Now that all stages of the Flow Processor flow processing service use multi-threaded processing, JSA can use sequence number verification to detect when messages are dropped. Dropped messages might indicate that something is wrong in your network, such as a faulty flow exporter, a lossy network, or packet injection into the network by an attacker.
In JSA 7.5.0 Update Pack 1, missing sequence numbers are reported only once per minute to ensure that packets have time to fill in gaps in the sequence ranges. Missed sequence numbers are reported in the /var/log/qradar.log file.
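The sequence number verification described above, as an added illustration that is not JSA's own code: a per-exporter gap tracker that records skipped sequence numbers and reports them at most once per interval, so late or reordered packets have time to fill a gap before it is logged. The class name, the MAX_GAP restart threshold and the exporter key are assumptions; the page does not describe JSA's internal logic or its log line format.

```python
from collections import defaultdict

SEQ_MODULO = 2 ** 32   # NetFlow V9 and IPFIX sequence numbers are 32-bit counters
MAX_GAP = 10_000       # assumed: a larger jump is treated as an exporter restart, not loss


class SequenceGapDetector:
    """Track export sequence numbers per exporter and report gaps at most once
    per interval, so late packets can fill a gap before it is reported.

    NetFlow V9 advances the sequence by 1 per export packet; IPFIX advances it by
    the number of data records in the packet, so callers pass that count as
    `records`. Key exporters by (source address, source ID / observation domain ID).
    """

    def __init__(self, interval=60.0):
        self.interval = interval          # page: missing numbers reported once per minute
        self.next_expected = {}           # exporter -> next sequence number we expect
        self.missing = defaultdict(dict)  # exporter -> {seq: time it was found missing}
        self.last_report = {}             # exporter -> time of the last report

    def observe(self, exporter, seq, now, records=1):
        """Process one export packet header. Returns 'ok', 'late', 'dup' or 'reset'."""
        expected = self.next_expected.get(exporter)
        if expected is None:              # first packet from this exporter: synchronize
            self.next_expected[exporter] = (seq + records) % SEQ_MODULO
            self.last_report.setdefault(exporter, now)
            return 'ok'
        gap = (seq - expected) % SEQ_MODULO   # modular distance handles wraparound
        if gap < MAX_GAP:                     # in order (gap 0) or some packets skipped
            self.missing[exporter].update(((expected + i) % SEQ_MODULO, now) for i in range(gap))
            self.next_expected[exporter] = (seq + records) % SEQ_MODULO
            return 'ok'
        # seq is behind expectation: a late packet filling a gap, or a replayed duplicate
        filled = [s for s in ((seq + i) % SEQ_MODULO for i in range(records))
                  if s in self.missing[exporter]]
        if filled:
            for s in filled:
                del self.missing[exporter][s]
            return 'late'
        if (expected - seq) % SEQ_MODULO < MAX_GAP:
            return 'dup'                  # a restart to a nearby value is indistinguishable from this
        self.next_expected[exporter] = (seq + records) % SEQ_MODULO   # far off: resync
        self.missing[exporter].clear()
        return 'reset'

    def report(self, exporter, now):
        """Sequence numbers missing for a full interval; emitted at most once per interval."""
        if now - self.last_report.get(exporter, now) < self.interval:
            return []
        self.last_report[exporter] = now
        due = sorted(s for s, t in self.missing[exporter].items() if now - t >= self.interval)
        for s in due:
            del self.missing[exporter][s]
        return due
```

A gap that is filled by a late packet before the interval elapses is never reported, which is the behaviour the once-per-minute batching is meant to achieve.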
Support for Network Address Translation fields
JSA can now receive network address translation (NAT) information from IPFIX and NetFlow V9 flow records.
The following NAT fields are supported in JSA 7.5.0:
- postNATSourceIPv4Address (IANA Element ID 225)
- postNATDestinationIPv4Address (IANA Element ID 226)
- postNAPTSourceTransportPort (IANA Element ID 227)
- postNAPTDestinationTransportPort (IANA Element ID 228)
The new fields are categorized under Flow Data on the Flow Information window. You can use them in filters, searches, and rules.
For more information about the supported fields for JSA flow sources, see the Network activity monitoring chapter in the Juniper Secure Analytics Users Guide.
New application determination algorithms
Now you can see more information about the application identification algorithm that is used for QRadar Network Insights flows.
The QNI Inspectors (9) algorithm is removed in this release. It is replaced by the following new algorithms:
- QNI port heuristics (11)
  This algorithm is used when QRadar Network Insights identifies the application based on port heuristics. It represents the least degree of confidence in the application determination.
- QNI initial data (12)
  This algorithm is used when QRadar Network Insights identifies the application based on the analysis of initial data in the flow session. It represents a medium degree of confidence.
- QNI parsers (13)
  This algorithm is used when QRadar Network Insights is confident in determining the application based on the data that is available.
You can see the information in the Application Determination Algorithm field on the Flow Information window.
For more information about identifying flow applications, see the Juniper Secure Analytics Users Guide.
Support for more fields from AWS VPC flow logs
JSA can now show more information from Amazon Web Services (AWS) Virtual Private Cloud (VPC) Version 3 flow logs.
JSA 7.5.0 introduces support for the following fields:
- VPC ID
- Subnet ID
- Instance ID
When an IPFIX flow record includes these fields, JSA shows the information on the Flow Details page under the Cloud category.
For more information about viewing AWS flow data, see the Juniper Secure Analytics Users Guide.
More improvements
JSA 7.5.0 also includes the following enhancements:
- On the Component Management window (Admin > System and License Management > Edit Host), the Alias Autodetection field is renamed to DNS lookup for Alias Autodetection.
- The flow direction algorithm is now applied at the beginning of the flow parsing process.
  This change ensures that the destination port is determined before the payload content capture occurs, so that the amount of captured payload always matches the setting in the common destination port configuration.
- Only the relevant IPFIX fields are encoded into the payload.
  The default encoding method for some IPFIX fields changed, and they are no longer appended to the payload. Now, they are added to the flow as type-length-value (TLV) elements.
- You cannot delete the Uncategorized category for tagged flow fields from your system.