Juniper Secure Analytics Installation Manual
Juniper Secure Analytics Installation Guide
Published
2021-03-26
Release
7.4.1
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in
the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks
are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publication without notice.
Juniper Secure Analytics Installation Guide
7.4.1
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
ii
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related
limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with)
Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement
(“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you
agree to the terms and conditions of that EULA.
Table of Contents
1
About the Documentation | vii
Documentation and Release Notes | vii
Documentation Conventions | vii
Documentation Feedback | x
Requesting Technical Support | x
Self-Help Online Tools and Resources | xi
Creating a Service Request with JTAC | xi
JSA Deployment Overview
JSA Deployment Overview | 13
iii
Management Controller | 13
License Keys | 14
JSA Components | 14
Prerequisite Hardware Accessories for JSA Installations | 17
Hardware Accessories | 17
Environmental Restrictions | 17
Supported Web Browsers | 18
USB Flash Drive Installations | 18
Supported Versions | 19
Installation Overview | 19
Creating a Bootable USB Flash Drive with Microsoft Windows | 19
Creating a Bootable USB Flash Drive on an Apple Mac OS X System | 20
Creating a Bootable USB Flash Drive with Red Hat Linux | 21
Installing JSA with a USB Flash Drive | 22
Standard Linux Users | 23
Third-party Software on JSA Appliances | 26
Bandwidth for Managed Hosts
2
3
4
5
Bandwidth for Managed Hosts | 29
Installing a JSA Console or Managed Host
Installing a JSA Console or Managed Host | 31
Installing a JSA Console or Managed Host (applicable only for JSA 7.3.1 Patch 9, JSA
7.3.2 Patch 2, and JSA 7.3.2 Patch 3) | 33
Virtual Appliance Installations for JSA and Log Manager
Virtual Appliance Installations for JSA and Log Manager | 37
Overview Of Supported Virtual Appliances | 38
JSA Threat Analytics “All-in-one” or Console 3199 | 38
JSA Event and Flow Processor Combo | 39
iv
JSA Flow Processor Virtual 1799 | 39
JSA Event Processor Virtual 1699 | 40
JSA Event Collector Virtual 1599 | 40
JSA Flow Processor | 40
JSA Flow Processor Virtual 1299 | 41
JSA Vulnerability Manager Processor | 41
JSA Vulnerability Manager Scanner | 42
JSA Risk Manager | 42
JSA App Host 4000 | 42
System Requirements for Virtual Appliances | 42
Storage Requirements | 47
Creating Your Virtual Machine | 48
Installing JSA on a Virtual Machine | 49
Adding Your Virtual Appliance to Your Deployment | 51
Installations from the Recovery Partition
Installations from the Recovery Partition | 54
Reinstalling from the Recovery Partition | 54
Reinstalling JSA from Media
6
7
8
9
10
Reinstalling JSA from Media | 57
Data Node Overview
Data Node Overview | 59
JSA Software Installations (applicable only for JSA 7.3.1 Patch 9, JSA 7.3.2 Patch 2, and
JSA 7.3.2 Patch 3) | 62
Prerequisites for Installing JSA on Your Hardware | 62
Appliance Storage Requirements for Virtual and Software Installations | 65
Installing RHEL on Your System | 66
Linux Operating System Partition Properties for JSA Installations on Your Own System | 67
Console Partition Configurations for Multiple Disk Deployments | 68
Installing JSA After the RHEL Installation | 69
v
Configuring Bonded Management Interfaces
Configuring Bonded Management Interfaces | 73
Network Settings Management
Network Settings Management | 75
Changing the Network Settings in an All-in-one System | 75
Changing the Network Settings Of a JSA Console in a Multi-system Deployment | 76
Updating Network Settings After a NIC Replacement | 78
Troubleshooting Problems
Troubleshooting Problems | 82
Troubleshooting Resources | 83
JSA Log Files | 83
Common Ports and Servers Used by JSA | 84
SSH Communication on Port 22 | 84
Open Ports That Are Not Required by JSA | 84
JSA Port Usage | 85
WinCollect Remote Polling | 85
JSA Listening Ports | 85
Viewing IMQ Port Associations | 97
Searching for Ports in Use by JSA | 98
JSA Public Servers | 98
Public Servers | 98
RSS Feeds for JSA Products | 99
vi
About the Documentation
IN THIS SECTION
Documentation and Release Notes | vii
Documentation Conventions | vii
Documentation Feedback | x
Requesting Technical Support | x
Use this guide to understand how to install JSA in your network.
vii
Documentation and Release Notes
To obtain the most current version of all Juniper Networks®technical documentation, see the product
documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the documentation, follow the
product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts.
These books go beyond the technical documentation to explore the nuances of network architecture,
deployment, and administration. The current list can be viewed at https://www.juniper.net/books.
Documentation Conventions
Table 1 on page viii defines notice icons used in this guide.
Table 1: Notice Icons
viii
DescriptionMeaningIcon
Indicates important features or instructions.Informational note
Caution
Indicates a situation that might result in loss of data or hardware
damage.
Alerts you to the risk of personal injury or death.Warning
Alerts you to the risk of personal injury from a laser.Laser warning
Indicates helpful information.Tip
Alerts you to a recommended use or implementation.Best practice
Table 2 on page viii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
ExamplesDescriptionConvention
Fixed-width text like this
Italic text like this
Represents text that you type.Bold text like this
Represents output that appears on
the terminal screen.
Introduces or emphasizes important
•
new terms.
Identifies guide names.
•
Identifies RFC and Internet draft
•
titles.
To enter configuration mode, type
the configure command:
user@host> configure
user@host> show chassis alarms
No alarms currently active
A policy term is a named structure
•
that defines match conditions and
actions.
Junos OS CLI User Guide
•
RFC 1997, BGP Communities
•
Attribute
Table 2: Text and Syntax Conventions (continued)
ix
ExamplesDescriptionConvention
Italic text like this
Text like this
< > (angle brackets)
| (pipe symbol)
Represents variables (options for
which you substitute a value) in
commands or configuration
statements.
Represents names of configuration
statements, commands, files, and
directories; configuration hierarchy
levels; or labels on routing platform
components.
variables.
Indicates a choice between the
mutually exclusive keywords or
variables on either side of the symbol.
The set of choices is often enclosed
in parentheses for clarity.
Configure the machine’s domain
name:
[edit]
root@# set system domain-name
domain-name
To configure a stub area, include
•
the stub statement at the [edit
protocols ospf area area-id]
hierarchy level.
The console port is labeled
•
CONSOLE.
stub <default-metric metric>;Encloses optional keywords or
broadcast | multicast
(string1 | string2 | string3)
# (pound sign)
[ ] (square brackets)
Indention and braces ( { } )
; (semicolon)
GUI Conventions
Indicates a comment specified on the
same line as the configuration
statement to which it applies.
Encloses a variable for which you can
substitute one or more values.
Identifies a level in the configuration
hierarchy.
Identifies a leaf statement at a
configuration hierarchy level.
rsvp { # Required for dynamic MPLS
only
community name members [
community-ids ]
[edit]
routing-options {
static {
route default {
nexthop address;
retain;
}
}
}
Table 2: Text and Syntax Conventions (continued)
x
ExamplesDescriptionConvention
Bold text like this
> (bold right angle bracket)
Represents graphical user interface
(GUI) items you click or select.
Separates levels in a hierarchy of
menu selections.
In the Logical Interfaces box, select
•
All Interfaces.
To cancel the configuration, click
•
Cancel.
In the configuration editor hierarchy,
select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback so that we can improve our documentation. You can use either
of the following methods:
Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper
•
Networks TechLibrary site, and do one of the following:
Click the thumbs-up icon if the information on the page was helpful to you.
•
Click the thumbs-down icon if the information on the page was not helpful to you or if you have
•
suggestions for improvement, and use the pop-up form to provide feedback.
E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name,
•
URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC).
If you are a customer with an active Juniper Care or Partner Support Services support contract, or are
covered under warranty, and need post-sales technical support, you can access our tools and resources
online or open a case with JTAC.
JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User
•
Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.
•
JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week,
•
365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called
the Customer Support Center (CSC) that provides you with the following features:
Find CSC offerings: https://www.juniper.net/customers/support/
•
Search for known bugs: https://prsearch.juniper.net/
•
xi
Find product documentation: https://www.juniper.net/documentation/
•
Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
•
Download the latest versions of software and review release notes:
•
https://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications:
•
https://kb.juniper.net/InfoCenter/
Join and participate in the Juniper Networks Community Forum:
•
https://www.juniper.net/company/communities/
Create a service request online: https://myjuniper.juniper.net
•
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool:
https://entitlementsearch.juniper.net/entitlementsearch/
Creating a Service Request with JTAC
You can create a service request with JTAC on the Web or by telephone.
Visit https://myjuniper.juniper.net.
•
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
•
For international or direct-dial options in countries without toll-free numbers, see
https://support.juniper.net/support/requesting-support/.
1
CHAPTER
JSA Deployment Overview
JSA Deployment Overview | 13
Management Controller | 13
License Keys | 14
JSA Components | 14
Prerequisite Hardware Accessories for JSA Installations | 17
Environmental Restrictions | 17
Supported Web Browsers | 18
USB Flash Drive Installations | 18
Standard Linux Users | 23
Third-party Software on JSA Appliances | 26
JSA Deployment Overview
You can install JSA on a single server for small enterprises, or across multiple servers for large enterprise
environments.
For maximum performance and scalability, you must install a high-availability (HA) managed host appliance
for each system that requires HA protection. For more information about installing or recovering an HA
system, see the Juniper Secure Analytics High Availability Guide.
RELATED DOCUMENTATION
License Keys | 14
JSA Components | 14
Prerequisite Hardware Accessories for JSA Installations | 17
13
Management Controller
The JSA appliances use a management controller for systems-management functions.
JSA appliances contain an integrated service processor, which provides advanced service processor control,
monitoring, and alerting functions and consolidates the service processor functionality, super I/O, video
controller, and remote presence capabilities into a single chip on the server system board.
For more information about the Lenovo management controller, see Lenovo XClarity Controller.
For instructions on how to configure the Lenovo management controller, see XClarity Controller User
Guide.
RELATED DOCUMENTATION
JSA Components | 14
Prerequisite Hardware Accessories for JSA Installations | 17
Supported Web Browsers | 18
License Keys
After you install JSA, you must apply your license keys.
Your system includes a temporary license key that provides you with access to JSA software for five weeks.
After you install the software and before the default license key expires, you must add your purchased
licenses.
The following table describes the restrictions for the default license key:
Table 3: Restrictions for the Default License Key for JSA Installations
LimitUsage
5000Events per second threshold
NOTE: This restriction also applies to the default license key for Log Manager.
14
200000Flows per interval
When you purchase a JSA product, an email that contains your permanent license key is sent from Juniper
Networks. These license keys extend the capabilities of your appliance type and define your system
operating parameters. You must apply your license keys before your default license expires.
RELATED DOCUMENTATION
JSA Components | 14
Prerequisite Hardware Accessories for JSA Installations | 17
Supported Web Browsers | 18
JSA Components
JSA consolidates event data from log sources that are used by devices and applications in your network.
Figure 1 on page 15 shows JSA components.
NOTE: Software versions for all JSA appliances in a deployment must be same version and patch
level. Deployments that use different versions of software are not supported.
Figure 1: JSA Components
15
JSA deployments can include the following components:
JSA Flow Processor
Passively collects traffic flows from your network through span ports or network taps. The JSA Flow
Processor also supports the collection of external flow-based data sources, such as NetFlow.
JSA Console
Provides the JSA product user interface. The interface delivers real-time event and flow views, reports,
offenses, asset information, and administrative functions.
In distributed JSA deployments, use the JSA console to manage hosts that include other components.
Magistrate
A service running on the JSA console, the Magistrate provides the core processing components. You can
add one Magistrate component for each deployment. The Magistrate provides views, reports, alerts, and
analysis of network traffic and security events.
The Magistrate component processes events against the custom rules. If an event matches a rule, the
Magistrate component generates the response that is configured in the custom rule.
For example, the custom rule might indicate that when an event matches the rule, an offense is created.
If there is no match to a custom rule, the Magistrate component uses default rules to process the event.
An offense is an alert that is processed by using multiple inputs, individual events, and events that are
combined with analyzed behavior and vulnerabilities. The Magistrate component prioritizes the offenses
and assigns a magnitude value that is based on several factors, including number of events, severity,
relevance, and credibility.
JSA Event Collector
Gathers events from local and remote log sources. Normalizes raw log source events. During this process,
the Magistrate component, on the JSA Console, examines the event from the log source and maps the
event to a JSA Identifier (QID). Then, the Event Collector bundles identical events to conserve system
usage and sends the information to the Event Processor.
JSA Event Processor
Processes events that are collected from one or more Event Collector components. The Event Processor
correlates the information from JSA products and distributes the information to the appropriate area,
depending on the type of event. The Event Processor can also collect events if you do not have an Event
Collector in your deployment.
The Event Processor also includes information that is gathered by JSA products to indicate behavioral
changes or policy violations for the event. When complete, the Event Processor sends the events to the
Magistrate component.
16
When to add Event Processors: if you collect and store events in a different country or state, you may
need to add Event Processors to comply with local data collection laws.
Data Node
Data Nodes enable new and existing JSA deployments to add storage and processing capacity on demand
as required. Data Notes increase the search speed on your deployment by allowing you to keep more of
your data uncompressed.
You can scale storage and processing power independently of data collection, which results in a deployment
that has the appropriate storage and processing capacity. Data Nodes are plug-n-play and can be added
to a deployment at any time. Data Nodes seamlessly integrate with the existing deployment.
Increasing data volumes in deployments require data compression sooner. Data compression slows down
system performance as the system must decompress queried data before analysis is possible. Adding Data
Node appliances to a deployment allows you to keep data uncompressed longer.
For more information about Data Nodes, see the “Data Node Overview” on page 59.
RELATED DOCUMENTATION
Prerequisite Hardware Accessories for JSA Installations | 17
Supported Web Browsers | 18
USB Flash Drive Installations | 18
Prerequisite Hardware Accessories for JSA Installations
Before you install JSA products, ensure that you have access to the required hardware accessories and
desktop software.
Hardware Accessories
Ensure that you have access to the following hardware components:
Monitor and keyboard, or a serial console
•
Uninterrupted Power Supply (UPS) for all systems that store data, such as JSA console, Event Processor
•
components, or JSA flow processor components
17
Null modem cable if you want to connect the system to a serial console
•
NOTE: JSA products support hardware-based Redundant Array of Independent Disks (RAID)
implementations, but do not support software-based RAID installations or hardware assisted
RAID installations.
RELATED DOCUMENTATION
Supported Web Browsers | 18
USB Flash Drive Installations | 18
Third-party Software on JSA Appliances | 26
Environmental Restrictions
JSA performance can be affected by other devices in your deployment.
For any DNS server that you point a JSA appliance to, you cannot have a DNS registry entry with the
hostname set to localhost.
Supported Web Browsers
For the features in JSA products to work properly, you must use a supported web browser.
The following table lists the supported versions of web browsers.
Table 4: Supported Web Browsers for JSA Products
Supported versionsWeb browser
60 Extended Support Release and later64 bit Mozilla Firefox
38.14393 and later64-bit Microsoft Edge
Latest64 bit Google Chrome
The Microsoft Internet Explorer web browser is no longer supported as of JSA 7.4.0.
18
Security Exceptions and Certificates
If you are using the Mozilla Firefox web browser, you must add an exception to Mozilla Firefox to log in
to JSA. For more information, see your Mozilla Firefox web browser documentation.
Navigate the Web-Based Application
When you use JSA, use the navigation options available in the JSA user interface instead of your web
browser Back button.
RELATED DOCUMENTATION
USB Flash Drive Installations | 18
Third-party Software on JSA Appliances | 26
JSA Components | 14
USB Flash Drive Installations
You can install JSA software with a USB flash drive.
USB flash drive installations are full product installations. You cannot use a USB flash drive to upgrade or
apply product patches. For information about applying patches, see the latest Patch Release Notes.
Supported Versions
The following appliances or operating systems can be used to create a bootable USB flash drive:
A Linux system that is installed with Red Hat Enterprise Linux V7.7
•
Apple Mac OS X
•
Microsoft Windows
•
Installation Overview
Follow this procedure to install JSA software from a USB flash drive:
1. Create the bootable USB flash drive.
2. Install the software for your JSA appliance.
19
3. Install any product maintenance releases or patches.
See latest patch Release Notes for installation instructions for patches..
Creating a Bootable USB Flash Drive with Microsoft Windows
Use the Fedora Media Writer app on a Windows system to create a bootable USB flash drive that you can
use to install JSA software.
You must have access to an 8 GB or larger USB flash drive.
NOTE: It is recommended to download the latest version of the Fedora Media Writer app.
1. On your Windows system, download and install the Fedora Media Writer app from the Fedora Media
Writer GitHub repository.
Other media creation tools might work to create the bootable flash drive, but the JSA ISO is a modified
Red Hat ISO, and Red Hat suggests Fedora Media Writer. For more information, see Making Installation
USB Media.
2. On your Windows system, download the JSA ISO image file from
https://support.juniper.net/support/downloads/ to a local drive.
3. Insert the USB flash drive into a USB port on your Windows system.
NOTE: Any files stored on the USB flash drive are overwritten when creating the bootable
flash drive.
4. Open Fedora Media Writer and in the main window, click Custom Image.
5. Browse to where you downloaded the JSA ISO on your Windows system and select it.
6. Select the USB flash drive from the Fedora Media Writer menu, and then click Write to disk.
7. When the writing process is complete, click Close and remove the USB flash drive from your system.
For more information about installing JSA software, see “Installing JSA with a USB Flash Drive” on
page 22.
20
Creating a Bootable USB Flash Drive on an Apple Mac OS X System
You can use an Apple Mac OS X computer to create a bootable USB flash drive that you can use to install
JSA software.
You must have access to the following items:
A 8 GB or larger USB flash drive
•
A JSA 7.3.1 or later ISO image file
•
When you create a bootable USB flash drive, the contents of the flash drive are deleted.
1. Download the JSA ISO image file from the https://support.juniper.net/support/downloads/.
2. . Insert the USB flash drive into a USB port on your system.
3. Open a terminal and type the following command to unmount the USB flash drive:
diskutil unmountDisk /dev/<name_of_the_connected_USB_flash_drive>
4. Type the following command to write the JSA ISO to your USB flash drive:
dd if=/<jsa.iso>of=/dev/ r <name_of_the_connected_USB_flash_drive>bs=1m
NOTE: The r before the name of the connected USB flash drive is for raw mode, which makes
the transfer much faster. There is no space between the r and the name of the connected
USB flash drive.
5. Remove the USB flash drive from your system.
Creating a Bootable USB Flash Drive with Red Hat Linux
You can use a Linux desktop or notebook system with Red Hat V7 or higher to create a bootable USB
flash drive that you can use to install JSA software.
You must have access to the following items:
21
An 8 GB or larger USB flash drive
•
A JSA 7.4.1 or later ISO image file
•
When you create a bootable USB flash drive, the contents of the flash drive are deleted.
1. Download the JSA ISO image file from the https://support.juniper.net/support/downloads/.
2. Insert the USB flash drive in the USB port on your system.
It might take up to 30 seconds for the system to recognize the USB flash drive.
3. Open a terminal and type the following command to determine the name of the USB flash drive:
dmesg | grep SCSI
The system outputs the messages produced by device drivers. The following example shows the name
of the connected USB flash drive as sdb.
[ 170.171135] sd 5:0:0:0: [sdb] Attached SCSI removable disk
4. Type the following commands to unmount the USB flash drive:
df -h | grep<name_of_the_connected_USB_flash_drive>
umount /dev/<name_of_the_connected_USB_flash_drive>
Example:
[root@jsa ~]# dmesg | grep SCSI
[93425.566934] sd 14:0:0:0: [sdb] Attached SCSI removable disk
[root@jsa ~]# df -h | grep sdb
[root@jsa ~]# umount /dev/sdb
umount: /dev/sdb: not mounted
5. Type the following command to write the JSA ISO to your USB flash drive:
dd if=/<jsa.iso>of=/dev/<name_of_the_connected_USB_flash_drive> bs=512k
Example:
[root@jsa ~]# dd if=7.4.1.20200716115107.iso of=/dev/sdb bs=512k
11112+0 records in
11112+0 records out
5825888256 bytes (5.8 GB) copied, 1085.26 s, 5.4 MB/s
22
6. Remove the USB flash drive from your system. For more information about installing JSA software,
see “Installing JSA with a USB Flash Drive” on page 22.
Installing JSA with a USB Flash Drive
Follow this procedure to install JSA from a bootable USB flash drive.
You must create the bootable USB flash drive before you can use it to install JSA software.
This procedure provides general guidance on how to use a bootable USB flash drive to install JSA software.
The complete installation process is documented in the product Installation Guide.
1. Install all necessary hardware.
2. Choose one of the following options:
Connect a notebook to the serial port at the back of the appliance.
•
Connect a keyboard and monitor to their respective ports.
•
3. Insert the bootable USB flash drive into the USB port of your appliance.
4. Restart the appliance.
Most appliances can boot from a USB flash drive by default. If you are installing JSA software on your
own hardware (only supported for Data Nodes), you might have to set the device boot order to prioritize
USB.
After the appliance starts, the USB flash drive prepares the appliance for installation. This process can
take up to an hour to complete.
5. When the login prompt is displayed, type root to log in to the system as the root user.
The user name is case-sensitive.
6. Press Enter and follow the prompts to install JSA.
The complete installation process is documented in the product Installation Guide.
RELATED DOCUMENTATION
23
Third-party Software on JSA Appliances | 26
JSA Components | 14
Supported Web Browsers | 18
Standard Linux Users | 23
Standard Linux Users
The tables describe the standard Linux user accounts that are created on the JSA console and other JSA
product components (All In One console, JSA Risk Manager, QRadar Network Insights, App Host, and all
other managed hosts).
The following tables show standard Linux user accounts for RedHat and JSA.
Table 5: Standard Linux User Accounts for RedHat
Login to the Login
ShellUser Account
Purpose
RedHat userYesroot (password required)
Linux Standard BaseNobin
Linux Standard BaseNodaemon
Table 5: Standard Linux User Accounts for RedHat (continued)
Login to the Login
ShellUser Account
Purpose
Linux Standard BaseNoadm
Linux Standard BaseNolp
Linux Standard BaseNosync
Linux Standard BaseNoshutdown
Linux Standard BaseNohalt
Linux Standard BaseNomail
Linux Standard BaseNooperator
24
RedHat userNogames
RedHat userNoftp
Linux Standard BaseNonobody
RedHat userNosystemd-network
RedHat userNodbus
RedHat userNopolkitd
RedHat userNosshd
RedHat userNorpc
RedHat userNorpcuser
RedHat userNonfsnobody
RedHat userNoabrt
RedHat userNontp
RedHat userNotcpdump
Table 5: Standard Linux User Accounts for RedHat (continued)
Login to the Login
ShellUser Account
Purpose
RedHat userNotss
RedHat userNosaslauth
RedHat userNosssd
Table 6: Standard Linux User Accounts for JSA
25
PurposeLogin to the Login ShellUser Account
Noziptie
Nosi-vault
Novis
Nosi-registry
Nocustomactionuser
Nomks
Ziptie service used by JSA Risk
Manager
JSA Vault service used by JSA to
store secrets and manage internal
certificates
JSA VIS service used by JSA to
process scan results
JSA Docker Registry Service used by
JSA for App Framework
JSA Custom Actions used to isolate
custom actions into a chroot jail
MKS JSA component for handling
secrets
General user for JSANoqradar
JSA Vulnerability ManagerNoqvmuser
PostgreSQL database used by JSANo (account locked)postgres
Notlsdated
Notraefik
Tlsdate legacy time sync tool that was
previously used by JSA
Traefik service proxies Docker
Containers for JSA App Framework
Table 6: Standard Linux User Accounts for JSA (continued)
26
PurposeLogin to the Login ShellUser Account
Nogluster
Noopenvpn
Nochrony
Nopostfix
RELATED DOCUMENTATION
USB Flash Drive Installations | 18
Third-party Software on JSA Appliances | 26
GlusterFS used by JSA HA on event
collectors
OpenVPN optional VPN tool installed
by JSA
Chronyd service time sync tool used
by JSA
Apache Web Server used by JSANoapache
Mail Service used by JSA to send
email
JSA Components | 14
Third-party Software on JSA Appliances
JSA is a security appliance that is built on Linux, and is designed to resist attacks. JSA is not intended as a
multi-user, general-purpose server. It is designed and developed specifically to support its intended
functions. The operating system and the services are designed for secure operation. JSA has a built-in
firewall, and allows administrative access only through a secure connection that requires encrypted and
authenticated access, and provides controlled upgrades and updates. JSA does not require or support
traditional anti-virus or malware agents, or support the installation of third-party packages or programs.
RELATED DOCUMENTATION
JSA Components | 14
Supported Web Browsers | 18
USB Flash Drive Installations | 18
27
2
CHAPTER
Bandwidth for Managed Hosts
Bandwidth for Managed Hosts | 29
Bandwidth for Managed Hosts
To replicate state and configuration data, ensure that you have a minimum bandwidth of 100 Mbps between
the JSA console and all managed hosts. Higher bandwidth is necessary when you search log and network
activity, and you have over 10,000 events per second (EPS).
An Event Collector that is configured to store and forward data to an Event Processor forwards the data
according to the schedule that you set. Ensure that you have sufficient bandwidth to cover the amount
of data that is collected, otherwise the forwarding appliance cannot maintain the scheduled pace.
Use the following methods to mitigate bandwidth limitations between data centers:
Process and send data to hosts at the primary data center-- Design your deployment to process and
•
send data as it's collected to hosts at the primary data center where the console resides. In this design,
all user-based searches query the data from the local data center rather than waiting for remote sites
to send back data.
29
You can deploy a store and forward event collector, such as a JSA physical or virtual appliance, in the
remote locations to control bursts of data across the network. Bandwidth is used in the remote locations,
and searches for data occur at the primary data center, rather than at a remote location.
Don't run data-intensive searches over limited bandwidth connections-- Ensure that users don't run
•
data-intensive searches over links that have limited bandwidth. Specifying precise filters on the search
limits the amount of data that is retrieved from the remote locations, and reduces the bandwidth that
is required to send the query result back.
For more information about deploying managed hosts and components after installation, see the Juniper
Secure Analytics Administration Guide.
3
CHAPTER
Installing a JSA Console or Managed
Host
Installing a JSA Console or Managed Host | 31
Installing a JSA Console or Managed Host (applicable only for JSA 7.3.1 Patch 9, JSA
7.3.2 Patch 2, and JSA 7.3.2 Patch 3) | 33
Loading...