Juniper Secure Analytics Risk Manager Adapter

Juniper Secure Analytics Risk Manager Adapter Configuration Guide
Release 2014.7
Modified: 2016-07-11
Copyright © 2016, Juniper Networks, Inc.
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Copyright © 2016, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of
that EULA.
Table of Contents
About the Documentation
  Documentation and Release Notes
  Documentation Conventions
  Documentation Feedback
  Requesting Technical Support
    Self-Help Online Tools and Resources
    Opening a Case with JTAC
Part 1  Introduction to Configuring Adapters for JSA Risk Manager
Chapter 1  Understanding Adapters
  Adapters Overview
    Network Topology and Configuration
    Process for Integrating Network Devices
  Types of Adapters
Chapter 2  Adapter Installation Overview
  Installing an Adapter
  Uninstalling an Adapter
Chapter 3  Overview of Adding Network Devices
  Methods for Adding Network Devices
  Adding a Network Device
  Adding devices that are managed by an NSM console
  Adding Devices that are Managed by a CPSMS Console
  Adding devices that are managed by SiteProtector
Chapter 4  Troubleshooting Device Discovery and Backup
  Troubleshooting Device Discovery and Backup Overview
    Device Backup Failure
    View Device Backup Errors
    Backup Completes with Parse Warning
    Do you have the most Recent Device Backup?
    Error When Importing Configurations from your Devices
Chapter 5  Overview of Supported Adapters
  Supported Adapters
  BIG-IP
  Check Point SecurePlatform Appliances
  Check Point Security Management Server Adapter
  Cisco CatOS
  Cisco IOS
  Cisco Nexus
  Methods for Adding VDCs for Cisco Nexus Devices
    Adding VDCs as subdevices of your Cisco Nexus Device
    Adding VDCs as Individual Devices
  Cisco Security Appliances
  Fortinet FortiOS
  Generic SNMP adapter
  HP Networking ProVision
  Juniper Networks Junos
  Juniper Networks NSM
  Juniper Networks ScreenOS
  Palo Alto
  Sidewinder
  Sourcefire 3D Sensor
  TippingPoint IPS adapter
Part 2  Index
  Index
List of Tables
About the Documentation
  Table 1: Notice Icons
  Table 2: Text and Syntax Conventions
Part 1  Introduction to Configuring Adapters for JSA Risk Manager
Chapter 3  Overview of Adding Network Devices
  Table 3: Methods for Adding a Network Device to JSA Risk Manager
  Table 4: Parameter Options for Credentials
  Table 5: Parameter Options for Credentials
  Table 6: OPSEC Entity SIC
Chapter 4  Troubleshooting Device Discovery and Backup
  Table 7: Device Backup Errors
Chapter 5  Overview of Supported Adapters
  Table 8: Adaptor Information Details
  Table 9: Integration Requirements for the BIG-IP Adapter
  Table 10: Integration Requirements for the Check Point SecurePlatform Appliances Adapter
  Table 11: Integration Requirements for the CPSMS Adapter
  Table 12: Integration Requirements for the Cisco CatOS Adapter
  Table 13: Integration Requirements for Cisco IOS
  Table 14: Integration Requirements for the Cisco Nexus Adapter
  Table 15: Integration Requirements for the Cisco Security Appliances Adapter
  Table 16: Integration Requirements for the Fortinet FortiOS Adapter
  Table 17: Integration Requirements for the SNMP Adapter
  Table 18: Integration Requirements for the HP Networking ProVision Adapter
  Table 19: Integration Requirements for the Juniper Networks Junos Adapter
  Table 20: Risk Manager Adapter Supported Environments for Juniper Networks NSM
  Table 21: Integration Requirements for the Juniper Networks ScreenOS Adapter
  Table 22: Integration Requirements for the Palo Alto Adapter
  Table 23: Integration Requirements for the Sidewinder Adapter
  Table 24: Integration Requirements for the Sourcefire 3D Sensor Adapter
  Table 25: Integration Requirements for the TippingPoint Adapter
About the Documentation
• Documentation and Release Notes on page vii
• Documentation Conventions on page vii
• Documentation Feedback on page ix
• Requesting Technical Support on page x
Documentation and Release Notes
To obtain the most current version of all Juniper Networks technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Documentation Conventions
Table 1 on page viii defines notice icons used in this guide.
Table 1: Notice Icons
Meaning              Description
Informational note   Indicates important features or instructions.
Caution              Indicates a situation that might result in loss of data or hardware damage.
Warning              Alerts you to the risk of personal injury or death.
Laser warning        Alerts you to the risk of personal injury from a laser.
Tip                  Indicates helpful information.
Best practice        Alerts you to a recommended use or implementation.
Table 2 on page viii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
  user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
  user@host> show chassis alarms
  No alarms currently active

Convention: Italic text like this
Description:
  • Introduces or emphasizes important new terms.
  • Identifies guide names.
  • Identifies RFC and Internet draft titles.
Examples:
  • A policy term is a named structure that defines match conditions and actions.
  • Junos OS CLI User Guide
  • RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or
configuration statements.
Example: Configure the machine’s domain name:
  [edit]
  root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories;
configuration hierarchy levels; or labels on routing platform components.
Examples:
  • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id]
    hierarchy level.
  • The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either
side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
  broadcast | multicast
  (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement
to which it applies.
Example: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Example (indention, braces, and semicolon):
  [edit]
  routing-options {
    static {
      route default {
        nexthop address;
        retain;
      }
    }
  }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
  • In the Logical Interfaces box, select All Interfaces.
  • To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
• Online feedback rating system—On any page of the Juniper Networks TechLibrary site
  at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,
  and use the pop-up form to provide us with information about your experience.
  Alternately, you can use the online feedback form at
  http://www.juniper.net/techpubs/feedback/.
• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document
  or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
  review the JTAC User Guide located at
  http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
  http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
  7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
  http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
  http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum:
  http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
PART 1
Introduction to Configuring Adapters for JSA Risk Manager
• Understanding Adapters on page 3
• Adapter Installation Overview on page 5
• Overview of Adding Network Devices on page 7
• Troubleshooting Device Discovery and Backup on page 15
• Overview of Supported Adapters on page 19
CHAPTER 1
Understanding Adapters
This chapter contains the following sections:
• Adapters Overview on page 3
• Types of Adapters on page 4
Adapters Overview
Use adapters to integrate Juniper Secure Analytics (JSA) Risk Manager with your network
devices. By configuring adapters, JSA Risk Manager can interrogate and import the
configuration parameters of network devices, such as firewalls, routers, and switches.
Network Topology and Configuration
JSA Risk Manager uses adapters to collect network configurations. The adapters turn
the configuration information into a format that is unified for supported device models,
manufacturers, and types. JSA Risk Manager uses the data to understand your network
topology and configuration of your network devices.
To connect external devices in the network, JSA Risk Manager must be able to access
the devices. JSA Risk Manager uses the user credentials that are configured in JSA to
access the device and to download the configurations.
Process for Integrating Network Devices
To integrate network devices with JSA Risk Manager, follow these steps:
1. Configure the network device to enable communication with JSA Risk Manager.
2. Install the appropriate adapter for your network device on your JSA Risk Manager
   appliance.
3. Use Configuration Source Management to add your network devices to JSA Risk
   Manager.
4. Define the network protocol that is required for communication with your network
   devices.
For more information, see the Risk Manager Users Guide.
Related Documentation
• Installing an Adapter on page 5
• Methods for Adding Network Devices on page 7
• Adding a Network Device on page 7
Types of Adapters
Juniper Secure Analytics (JSA) Risk Manager supports several types of adapters.
The following adapters are supported:
• BIG-IP
• Check Point SecurePlatform Appliances
• Check Point Security Management Server
• Cisco Catalyst (CatOS)
• Cisco Internet Operating System (IOS)
• Cisco Nexus
• Cisco Security Appliances
• Fortinet FortiOS
• HP Networking ProVision
• Juniper Networks ScreenOS
• Juniper Networks JUNOS
• Juniper Networks NSM
• Palo Alto
• Sourcefire 3D Sensor
• Generic SNMP
• TippingPoint IPS
• McAfee Sidewinder
Related Documentation
• Installing an Adapter on page 5
• Methods for Adding Network Devices on page 7
• Adding a Network Device on page 7
CHAPTER 2
Adapter Installation Overview
This chapter contains the following sections:
• Installing an Adapter on page 5
• Uninstalling an Adapter on page 6
Installing an Adapter
You must download an adapter to your Juniper Secure Analytics (JSA) console, and then
copy the adapter files to JSA Risk Manager.
You can access and download adapters from http://www.juniper.net/support. The RPM
files are included in the download.
After you establish the initial connection, JSA console is the only device that can
communicate directly to JSA Risk Manager.
To install an adapter:
1. Using SSH, log in to your JSA console as the root user.
2. Download the compressed file from http://www.juniper.net/support to your JSA
   console.
3. To copy the compressed file from your JSA console to JSA Risk Manager, type the
   following command:
     scp adapters.zip root@IP_address:
   The IP address is the IP address or host name of JSA Risk Manager.
   For example:
     scp adapters.bundle-2014-10-972165.zip root@100.100.100.100:
4. On your JSA Risk Manager appliance, type the password for the root user.
5. Using SSH from your JSA console, log in to your JSA Risk Manager appliance as the
   root user.
6. To unpack and install the adapters, type the following commands from the root
   directory that contains the compressed file:
     unzip adapters.zip
     rpm -Uvh *.rpm
   For example:
     unzip adapters.bundle-2014-10-972165.zip
     rpm -Uvh *.rpm
7. To restart the services for the ziptie server and complete the installation, type the
   following command:
     service ziptie-server restart
   NOTE: Restarting the services for the ziptie server interrupts any device
   backups that are in progress from Configuration Source Management.
Related Documentation
• Installing an Adapter on page 5
• Methods for Adding Network Devices on page 7
• Adding a Network Device on page 7
Uninstalling an Adapter
Use the rpm command to remove an adapter from Juniper Secure Analytics (JSA) Risk
Manager.
To uninstall an adapter:
1. Using SSH, log in to the JSA console as the root user.
2. To uninstall an adapter, type the following command:
     rpm -e adapter file
   For example:
     rpm -e adapters.cisco.ios-2011_05-205181.noarch.rpm
Related Documentation
• Installing an Adapter on page 5
• Methods for Adding Network Devices on page 7
• Adding a Network Device on page 7
CHAPTER 3
Overview of Adding Network Devices
This chapter contains the following sections:
• Methods for Adding Network Devices on page 7
• Adding a Network Device on page 7
• Adding devices that are managed by an NSM console on page 10
• Adding Devices that are Managed by a CPSMS Console on page 11
• Adding devices that are managed by SiteProtector on page 13
Methods for Adding Network Devices
Use Configuration Source Management to add network devices to Juniper Secure Analytics
(JSA) Risk Manager.
Table 3 on page 7 describes the methods that you can use to add a network device.
Table 3: Methods for Adding a Network Device to JSA Risk Manager
Method                         Description
Add Device                     Add one device.
Discover Devices               Add multiple devices.
Discover From NSM              Add devices that are managed by a Juniper Networks NSM console.
Discover Check Point SMS       Add devices that are managed by a Check Point Security Manager Server (CPSMS).
Discover From SiteProtector    Add devices from SiteProtector.
Discover From Defense Center   Add devices from Sourcefire Defense Center.
Adding a Network Device
To add a network device to Juniper Secure Analytics (JSA) Risk Manager, use Configuration
Source Management.
Review the supported software versions, credentials, and required commands for your
network devices. For more information, see “Supported Adapters” on page 19.
To add a network device:
1. Click the Admin tab.
2. On the Admin navigation menu, click Plug-ins.
3. On the Risk Manager pane, click Configuration Source Management.
4. On the navigation menu, click Credentials.
5. On the Network Groups pane, click Add a new network group.
   a. Type a name for the network group, and click OK.
   b. Type the IP address of your device, and click Add.
      You can type an IP address, a range of IP addresses, a CIDR subnet, or a wildcard.
      To use a wildcard, type 10.1.*.*, or to use a CIDR, type 10.2.1.0/24.
      NOTE: Do not replicate device addresses that exist in other network
      groups in Configuration Source Management.
   c. Ensure that the addresses that you add are displayed in the Network address box
      beside the Add address box.
   d. Repeat the previous two steps (b and c) for each IP address that you want to add.
6. On the Credentials pane, click Add a new credential set.
   a. Type a name for the credential set, and click OK.
   b. Select the name of the credential set that you created and enter values for the
      parameters.
      Table 4 on page 8 describes the parameter options for credentials.

      Table 4: Parameter Options for Credentials

      Parameter: Username
      Description: A valid user name to log in to the adapter.
      For adapters, the user name and password that you provide
      require access to several files, such as the following files:
        • rule.C
        • objects.C
        • implied_rules.C
        • Standard.PF

      Parameter: Password
      Description: The password for the device.

      Parameter: Enable Password
      Description: The password for second-level authentication.
      This password is required when the credentials prompt you
      for user credentials that are required for expert mode access
      level.

      Parameter: SNMP Get Community
      Description: Optional

      Parameter: SNMPv3 Authentication Username
      Description: Optional

      Parameter: SNMPv3 Authentication Password
      Description: Optional

      Parameter: SNMPv3 Privacy Password
      Description: Optional
      The protocol that is used to decrypt SNMPv3 traps.

      NOTE: If your network device meets one of the following conditions,
      you must configure protocols in Configuration Source Management:
        • Your device uses a non-standard port for the communication
          protocol.
        • You want to configure the protocol that JSA Risk Manager uses to
          communicate with specific IP addresses.
      For more information about configuring sources, see the Risk Manager Users Guide.
7. On the navigation menu, add a single device or multiple devices.
   • To add one network device, click Add Device.
   • To add multiple IP addresses for network devices, click Discover Devices.
8. Enter the IP address for the device and select the adapter type, and then click Add.
   If the device is not backed up, a blue question mark appears beside the adapter.
9. To back up the device that you add to the device list, select the device, and then click
   Backup.
10. Repeat these steps for every network device that you want to add to the device list.
What to do next
After you add all of the required devices, you can configure protocols. For more
information, see the Risk Manager Users Guide.
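A pre-check for the NOTE in step 5 of the procedure above, as an added example that is not part of the Juniper guide or the product: it normalizes the four address forms that step accepts into IPv4 ranges and reports entries that fall into more than one network group. The group names, the sample addresses, the start-end range syntax, and the restriction to trailing wildcards are assumptions made for this example.

```python
"""Find device addresses that are duplicated across network groups.

Added example; the groups and addresses in SAMPLE_GROUPS are constructed.
"""
import ipaddress
from itertools import combinations


def _pack(octets):
    """Turn four octet values into one 32-bit integer."""
    return int.from_bytes(bytes(octets), "big")


def to_interval(entry):
    """Return (first, last) IPv4 addresses as integers for one group entry.

    Accepted forms: single IP, CIDR subnet (10.2.1.0/24), wildcard (10.1.*.*)
    and a range written start-end. The range syntax is an assumption; the
    guide does not show one.
    """
    entry = entry.strip()
    if "*" in entry:
        octets = entry.split(".")
        if len(octets) != 4:
            raise ValueError(f"not a dotted quad: {entry!r}")
        low, high, wild = [], [], False
        for octet in octets:
            if octet == "*":
                wild = True
                low.append(0)
                high.append(255)
            elif wild:
                # Simplification of this example: only trailing wildcards
                # describe one contiguous range.
                raise ValueError(f"wildcard must be trailing: {entry!r}")
            else:
                value = int(octet)
                if not 0 <= value <= 255:
                    raise ValueError(f"octet out of range: {entry!r}")
                low.append(value)
                high.append(value)
        return _pack(low), _pack(high)
    if "/" in entry:
        net = ipaddress.IPv4Network(entry, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    if "-" in entry:
        start, end = (int(ipaddress.IPv4Address(part.strip()))
                      for part in entry.split("-", 1))
        if start > end:
            raise ValueError(f"range is reversed: {entry!r}")
        return start, end
    address = int(ipaddress.IPv4Address(entry))
    return address, address


def find_overlaps(groups):
    """Return (group_a, entry_a, group_b, entry_b) for every pair of entries
    in different groups whose address ranges intersect."""
    flat = [(name, entry, *to_interval(entry))
            for name, entries in groups.items()
            for entry in entries]
    hits = []
    for (g1, e1, lo1, hi1), (g2, e2, lo2, hi2) in combinations(flat, 2):
        if g1 != g2 and lo1 <= hi2 and lo2 <= hi1:
            hits.append((g1, e1, g2, e2))
    return hits


# Constructed sample: three network groups as they might be typed in step 5.
SAMPLE_GROUPS = {
    "core-routers": ["10.1.*.*", "192.168.5.1"],
    "branch-firewalls": ["10.2.1.0/24", "10.1.4.10-10.1.4.20"],
    "dmz-switches": ["10.2.1.77", "172.16.0.0/28"],
}

if __name__ == "__main__":
    for g1, e1, g2, e2 in find_overlaps(SAMPLE_GROUPS):
        print(f"{e1} in '{g1}' overlaps {e2} in '{g2}'")
```

Run it against an export of your own group definitions before you add a new group; an empty result means no address is covered by two groups.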
Related Documentation
• Installing an Adapter on page 5
• Methods for Adding Network Devices on page 7
• Adding a Network Device on page 7
Adding devices that are managed by an NSM console
Use Configuration Source Management to add all devices from a Juniper Networks NSM
console to Juniper Secure Analytics (JSA) Risk Manager.
Review the supported software versions, credentials, and required commands for your
network devices. For more information, see “Supported Adapters” on page 19.
To add a Juniper Networks NSM console managed device:
1. In JSA, click the Admin tab.
2. On the Admin navigation menu, click Plug-ins.
3. On the Risk Manager pane, click Configuration Source Management.
4. On the navigation menu, click Credentials.
5. On the Network Groups pane, click Add a new network group.
   a. Type a name for the network group, and click OK.
   b. Type the IP address of your device, and click Add.
      You can type an IP address, a range of IP addresses, a CIDR subnet, or a wildcard.
      Use a wildcard type.
      NOTE: Do not replicate device addresses that exist in other network
      groups in Configuration Source Management.
   c. Ensure that the addresses that you add are displayed in the Network address box
      beside the Add address box.
   d. Repeat the previous two steps for each IP address that you want to add.
6. On the Credentials pane, click Add a new credential set.
   a. Type a name for the credential set, and click OK.
   b. Select the name of the credential set that you created and enter values for the
      parameters.
      Table 5 on page 10 describes the parameter options for credentials.

      Table 5: Parameter Options for Credentials

      Parameter: Username
      Description: A valid user name to log in to the Juniper NSM web services.
      For Juniper NSM web services, this user must be able to access
      the Juniper NSM server.

      Parameter: Password
      Description: The password for the device.

      Parameter: Enable Password
      Description: Not required.

      NOTE: Juniper Networks NSM does not support SNMP.
7. On the navigation menu, click Discover from NSM.
8. Enter values for the IP address and user credentials, click OK and then click GO.
9. Select the device that you added to the device list, and click Backup and then click
   Yes.
What to do next
After you add all of the required devices, you can configure protocols. For more
information, see the Risk Manager Users Guide.
Related Documentation
• Adding devices that are managed by an NSM console on page 10
• Adapters Overview on page 3
• Installing an Adapter on page 5
Adding Devices that are Managed by a CPSMS Console
Use Configuration Source Management to add devices from a Check Point Security
Manager Server (CPSMS) to Juniper Secure Analytics (JSA) Risk Manager.
Review the supported software versions, credentials, and required commands for your
network devices. For more information, see “Supported Adapters” on page 19.
You must obtain the OPSEC Entity SIC name, OPSEC Application Object SIC name, and
the one-time password for the Pull Certificate password before you begin this procedure.
For more information, see your CPSMS documentation.
NOTE: The Device Import feature is not compatible with CPSMS adapters.
About this task
Repeat the following procedure for each CPSMS that you want to connect to, and to
initiate discovery of its managed firewalls.
To Add a CPSMS console managed device:
1. Click the Admin tab.
2. On the Admin navigation menu, click Plug-ins.
3. On the Risk Manager pane, click Configuration Source Management.
4. On the navigation menu, click Credentials.
5. On the Network Groups pane, click Add a new network group.
a. Type a name for the network group, and then click OK.
b. Type the IP address of your CPSMS device, and then click Add.
NOTE: Do not replicate device addresses that exist in other network
groups in Configuration Source Management.
c. Ensure that the addresses that you add are displayed in the Network address box
beside the Add address box.
6. On the Credentials pane, click Add a new credential set.
a. Type a name for the credential set, and then click OK.
b. Select the name of the credential set that you created and type a valid user name
and password for the device.
7. Type the OPSEC Entity SIC name of the CPSMS that manages the firewall devices to
be discovered. This value must be exact because the format depends on the type of
device that the discovery is coming from. Use Table 6 on page 12 as a reference
for OPSEC Entity SIC name formats.
Table 6: OPSEC Entity SIC

Type
    Name

Management Server
    CN=cp_mgmt,O=<take O value from DN field>

Gateway to Management Server
    CN=cp_mgmt_<gateway hostname>,O=<take O value from DN field>

For example, when you are discovering from the Management Server:
• OPSEC Application DN: CN=cpsms226,O=vm226-CPSMS..bs7ocx
• OPSEC Application Host: vm226-CPSMS
The Entity SIC Name is CN=cp_mgmt,O=vm226-CPSMS..bs7ocx
For example, when you are discovering from the Gateway to Management Server:
• OPSEC Application DN: CN=cpsms230,O=vm226-CPSMS..bs7ocx
• OPSEC Application Host: vm230-CPSMS2-GW3
The Entity SIC Name is CN=cp_mgmt_vm230-CPSMS2-GW3,O=vm226-CPSMS..bs7ocx
8. Use the Check Point SmartDashboard application to enter the OPSEC Application
Object SIC name that was created on the CPSMS.
For example:
CN=cpsms230,O=vm226-CPSMS..bs7ocx
9. Obtain the OPSEC SSL Certificate:
a. Click Get Certificate.
b. In the Certificate Authority IP field, type the IP address.
c. In the Pull Certificate Password field, type the one-time password for the OPSEC
Application.
d. Click OK.
10. Click OK.
11. Click Discover From Check Point SMS, and then enter the CPSMS IP address.
12. Click OK.
13. Repeat these steps for each CPSMS device that you want to add.
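The Entity SIC name rule from Table 6 in step 7, as an added example that is not part of the original guide: this Python helper derives the name from the OPSEC Application DN (plus the gateway host name for the gateway case) and checks a typed-in value against it. The function names are hypothetical, and the DN form CN=<name>,O=<value> is assumed from the guide's two examples.

```python
import re

# Assumption: the OPSEC Application DN has exactly the two-part form shown in
# the guide, CN=<name>,O=<value>.
_DN_RE = re.compile(r"^CN=([^,=\s]+),O=([^,=\s]+)$")


def parse_application_dn(dn):
    """Return (cn, o) from an OPSEC Application DN, or raise ValueError."""
    match = _DN_RE.match(dn.strip())
    if not match:
        raise ValueError(f"not in CN=<name>,O=<value> form: {dn!r}")
    return match.group(1), match.group(2)


def entity_sic_name(application_dn, gateway_hostname=None):
    """Build the Entity SIC name for the two discovery types in Table 6.

    Without gateway_hostname: discovery from the Management Server.
    With gateway_hostname: discovery from the Gateway to Management Server.
    """
    _, org = parse_application_dn(application_dn)
    if gateway_hostname is None:
        return f"CN=cp_mgmt,O={org}"
    host = gateway_hostname.strip()
    if not host or re.search(r"[,=\s]", host):
        raise ValueError(f"invalid gateway host name: {gateway_hostname!r}")
    return f"CN=cp_mgmt_{host},O={org}"


def first_difference(a, b):
    """Index of the first differing character, or None if a == b."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def check_entity_sic_name(entered, application_dn, gateway_hostname=None):
    """Return None if 'entered' is exact, otherwise a message saying why not."""
    expected = entity_sic_name(application_dn, gateway_hostname)
    if entered == expected:
        return None
    if entered.strip().lower() == expected.lower():
        return f"differs only in case or surrounding whitespace; expected {expected}"
    pos = first_difference(entered, expected)
    return f"differs from expected value at position {pos}; expected {expected}"


if __name__ == "__main__":
    app_dn = "CN=cpsms230,O=vm226-CPSMS..bs7ocx"  # value from the guide
    print(entity_sic_name(app_dn, "vm230-CPSMS2-GW3"))
    # Constructed mistake: the double dot in the O value typed as one dot.
    print(check_entity_sic_name(
        "CN=cp_mgmt,O=vm226-CPSMS.bs7ocx", "CN=cpsms226,O=vm226-CPSMS..bs7ocx"))
```

The O value is copied through unchanged, so a DN that contains an unusual sequence such as the double dot in the guide's example is preserved rather than "corrected".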
What to do next
When you add all the required devices, back up the devices, and view them in the topology.
Related Documentation
• Adding devices that are managed by an NSM console on page 10
• Adapters Overview on page 3
• Installing an Adapter on page 5
Adding devices that are managed by SiteProtector
Use Configuration Source Management to add devices from SiteProtector to Juniper
Secure Analytics (JSA) Risk Manager.
The JSA GX and JSA SiteProtector System adapters must be installed before you can
add devices.
The Microsoft SQL protocol must be enabled to use Microsoft SQL Server port 1433.
To Add SiteProtector Managed Device:
1. Click the Admin tab.
2. On the Admin navigation menu, click Plug-ins.
3. On the Risk Manager pane, click Configuration Source Management.
4. On the navigation menu, click Credentials.
5. On the Network Groups pane, click Add a new network group.
a. Type a name for the network group, and then click OK.
b. Type the IP address of your SiteProtector device, and then click Add.
c. Ensure that the addresses that you add are displayed in the Network address box
beside the Add address box.
6. On the Credentials pane, click Add a new credential set.
a. Type a name for the credential set, and then click OK.
b. Select the name of the credential set that you created and then type a valid user
name and password for the device.
NOTE: The user name and password are the same credentials that are
used to access the SiteProtector Microsoft SQL Server database.
7. Click OK.
8. Click Discover From SiteProtector, and then enter the SiteProtector IP address.
9. Click OK.
What to do next
When you add all the required devices, back up the devices, and view them in the topology.
Related Documentation
• Adding devices that are managed by an NSM console on page 10
• Adapters Overview on page 3
• Installing an Adapter on page 5
CHAPTER 4
Troubleshooting Device Discovery and Backup
This chapter describes the following sections:
• Troubleshooting Device Discovery and Backup Overview on page 15
Troubleshooting Device Discovery and Backup Overview
Fix issues with device discovery and backup. You can look at the details for logs and error
and warning messages to help you troubleshoot.
• Device Backup Failure on page 15
• View Device Backup Errors on page 15
• Backup Completes with Parse Warning on page 16
• Do you have the most Recent Device Backup? on page 17
• Error When Importing Configurations from your Devices on page 17
Device Backup Failure
Check device login credentials.
1. On the Admin tab, click Configuration Source Management.
2. Verify that the credentials to access the target device are correct.
3. Test the credentials on the target device.
View Device Backup Errors
To see backup errors, do the following steps:
1. On the Admin tab, click Configuration Source Management.
2. Click a device, and then click View error.
Table 7 on page 16 lists the error message identifier, the description of the message and
the suggested troubleshooting action.
Table 7: Device Backup Errors

UNEXPECTED_RESPONSE
    Error description: Connection attempt timed out
    Suggested troubleshooting step: Verify that you're using the correct adapter.

INVALID_CREDENTIALS
    Error description: Credentials are incorrect
    Suggested troubleshooting step: Check credentials in Configuration Source Management.

SSH_ERROR
    Error description: Connection error
    Suggested troubleshooting step: Check that the device is working and is connected to your network. Use other network connection protocols and troubleshooting tools to verify that the device is accessible. Verify that the SSH connection protocol is allowed and that it is configured correctly.

TELNET_ERROR
    Error description: Connection error
    Suggested troubleshooting step: Check that the device is working and is connected to your network. Use other network connection protocols and troubleshooting tools to verify that the device is accessible. Verify that the Telnet connection protocol is allowed and that it is configured correctly.

SNMP_ERROR
    Error description: Connection error
    Suggested troubleshooting step: Check that the device is working and is connected to your network. Use other network connection protocols and troubleshooting tools to verify that the device is accessible. Verify that the SNMP is allowed and that it is configured correctly.

TOO_MANY_USERS
    Error description: The number of users that are configured to access this device is exceeded.
    Suggested troubleshooting step: Check the maximum number of users that are allowed to access the device by logging on to the device and checking the configuration for the maximum number of users that can access the device at the same time.

DEVICE_MEMORY_ERROR
    Error description: Device configuration errors
    Suggested troubleshooting step: Verify that the device is working correctly. Access the device and verify the configuration and check the logs for errors. Use your device documentation to help you to troubleshoot errors.

NVRAM_CORRUPTION_ERROR
    Error description: Device access issues
    Suggested troubleshooting step: In Configuration Source Management, check the access level of the user name that is configured to access the device.

INSUFFICIENT_PRIVILEGE
    Error description: User that is configured to access the device has insufficient privilege
    Suggested troubleshooting step: In Configuration Source Management, check the access level of the user name that is configured to access the device.

DEVICE_ISSUE
    Error description: Error on the device
    Suggested troubleshooting step: Select the device in Configuration Source Management and click View error to see more details.

Backup Completes with Parse Warning
To view more detail about the warning, do the following steps:
1. Click the Risks tab.
2. From the navigation menu, click Configuration Monitor.
3. Click See Log for the selected device in the Device List table.
Do you have the most Recent Device Backup?
To verify whether you have a recent backup, do these steps:
1. Click the Risks tab.
2. From the navigation menu, click Configuration Monitor.
3. Double-click the device in the Device List table.
4. From the toolbar, click History. The most recent configuration that is imported is
displayed.
If you don't think that you have the most recent configuration, verify by running the backup
again.
Error When Importing Configurations from your Devices
An incorrectly formatted CSV file can cause a device backup to fail. Do these steps to
check the CSV file:
1. Review your CSV file to correct any errors.
2. Re-import your device configurations by using the updated CSV file.
Related Documentation
• Check Point SecurePlatform Appliances on page 23
• Adding devices that are managed by an NSM console on page 10
• Adding Devices that are Managed by a CPSMS Console on page 11
• Adding devices that are managed by SiteProtector on page 13
CHAPTER 5
Overview of Supported Adapters
This chapter describes the following sections:
• Supported Adapters on page 19
• BIG-IP on page 20
• Check Point SecurePlatform Appliances on page 23
• Check Point Security Management Server Adapter on page 24
• Cisco CatOS on page 25
• Cisco IOS on page 27
• Cisco Nexus on page 29
• Methods for Adding VDCs for Cisco Nexus Devices on page 31
• Cisco Security Appliances on page 33
• Fortinet FortiOS on page 35
• Generic SNMP adapter on page 37
• HP Networking ProVision on page 39
• Juniper Networks Junos on page 41
• Juniper Networks NSM on page 42
• Juniper Networks ScreenOS on page 43
• Palo Alto on page 45
• Sidewinder on page 47
• Sourcefire 3D Sensor on page 48
• TippingPoint IPS adapter on page 50
Supported Adapters
Juniper Secure Analytics (JSA) Risk Manager integrates with many manufacturers and
vendors of security products.
Table 8 on page 20 provides information for each supported adapter.
Table 8: Adapter Information Details

Information Item
    Description

Supported versions
    Specifies the product name and version supported.

Supports neighbor data
    Specifies whether neighbor data is supported for this adapter. If your device supports neighbor data, then you get neighbor data from a device by using Simple Network Management Protocol (SNMP) and a command-line interface (CLI).

SNMP discovery
    Specifies whether the device allows discovery by using SNMP.
    Devices must support standard MIB-2 for SNMP discovery to take place, and the device's SNMP configuration must be supported and configured correctly.

Required credential parameters
    Specifies the necessary access requirements for Risk Manager and the device to connect.
    Ensure that the device credentials configured in JSA Risk Manager and in the device are the same.
    If a parameter is not required, you can leave that field blank.
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Connection protocols
    Specifies the supported protocols for the network device.
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Required commands
    Specifies the list of commands that the adapter requires to log in and collect data.
    To run the listed commands on the adapter, the credentials that are provided in JSA Risk Manager must have the appropriate privileges.

Files collected
    Specifies the list of files that the adapter must be able to access. To access these files, the appropriate credentials must be configured for the adapter.

Related Documentation
• Check Point SecurePlatform Appliances on page 23
• Adding devices that are managed by an NSM console on page 10
• Adding Devices that are Managed by a CPSMS Console on page 11
• Adding devices that are managed by SiteProtector on page 13
BIG-IP
Juniper Secure Analytics (JSA) Risk Manager supports the BIG-IP adapter.
The following features are available with the BIG-IP adapter:
1. Neighbor data support
2. Dynamic NAT
3. Static NAT
4. SNMP discovery
5. Static routing
6. Telnet and SSH connection protocols
On the BIG-IP device, you must configure the Admin role for the user name that JSA Risk
Manager uses for backup, and configure Advanced Shell for Terminal Access.
Table 9 on page 21 describes the integration requirements for the BIG-IP adapter.
Table 9: Integration Requirements for the BIG-IP Adapter

Integration Requirement
    Description

Versions
    10.1.1
    11.4.1

SNMP discovery
    Matches BIG-IP in SNMP sysDescr.

Required credential parameters
    Username
    Password
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Connection protocols
    SSH
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Commands that the adapter requires to log in and collect data
    cat filename
    dmesg
    uptime
    route -n
    ip addr list
    snmpwalk -c public localhost 1.3.6.1.4.1.3375.2.1.2.4.3.2.1.1
    snmpwalk -c public localhost 1.3.6.1.4.1.3375.2.1.2.4.3.2.1.2

Commands that the adapter requires to log in and collect bigpipe data
    bigpipe global
    bigpipe system hostname
    bigpipe platform
    bigpipe version show
    bigpipe db packetfilter
    bigpipe db packetfilter.defaultaction
    bigpipe packet filter list
    bigpipe nat list all
    bigpipe vlan show all
    bigpipe vlangroup list all
    bigpipe vlangroup
    bigpipe interface show all
    bigpipe interface all media speed
    bigpipe trunk all interfaces
    bigpipe stp show all
    bigpipe route all list all
    bigpipe mgmt show all
    bigpipe mgmt route show all
    bigpipe pool
    bigpipe self
    bigpipe virtual list all
    bigpipe snat list all
    bigpipe snatpool list all

Commands that the adapter requires to log in and collect data
    b db snat.anyipprotocol

Commands that the adapter requires to log in and collect tmsh data
    tmsh -q list sys global-settings hostname
    tmsh -q show sys version
    tmsh -q show sys hardware
    tmsh -q list sys snmp sys-contact
    tmsh -q show sys memory
    tmsh -q list /net interface all-properties
    tmsh -q list net trunk
    tmsh -q list /sys db packetfilter
    tmsh -q list /sys db packetfilter.defaultaction
    tmsh -q list /net packet-filter
    tmsh -q list /net vlan all-properties
    tmsh -q show /net vlan
    tmsh -q list /net vlan-group all all-properties
    tmsh -q list net tunnels
    tmsh -q show /net vlan-group
    tmsh -q list ltm virtual
    tmsh -q list ltm nat
    tmsh -q list ltm snatpool
    tmsh -q list ltm snat
    tmsh -q list sys db snat.anyipprotocol
    tmsh -q list net stp-globals all-properties
    tmsh -q list net stp priority
    tmsh -q list net stp all-properties
    tmsh -q list net route
    tmsh -q list sys management-ip
    tmsh -q list sys management-route
    tmsh -q list ltm pool
    tmsh -q list net self
    tmsh -q list net ipsec

Files collected
    /config/bigip.license
    /config/snmp/snmpd.conf
    /etc/passwd

Related Documentation
• Check Point SecurePlatform Appliances on page 23
• Adding devices that are managed by an NSM console on page 10
• Adding Devices that are Managed by a CPSMS Console on page 11
• Adding devices that are managed by SiteProtector on page 13
Check Point SecurePlatform Appliances
Juniper Secure Analytics (JSA) Risk Manager supports the Check Point Secure Platform
Appliances adapter.
The following features are available with the Check Point SecurePlatform Appliances
adapter:
• Dynamic NAT
• Static NAT
• SNMP discovery
• Static routing
• Telnet and SSH connection protocols
Table 10 on page 23 describes the integration requirements for the Check Point Secure
Platform Appliances adapter.
Table 10: Integration Requirements for the Check Point SecurePlatform Appliances Adapter

Integration requirement
    Description

Versions
    R65 to R75
    NOTE: Nokia IPSO appliances are not supported for backup.

Neighbor data support
    Not supported

SNMP discovery
    Matches NGX in SNMP sysDescr.

Required credential parameters
    Username
    Password
    Enable Password (expert mode)
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Connection protocols
    Telnet
    SSH
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Commands that the adapter requires to log in and collect data
    hostname
    dmidecode
    ver
    uptime
    dmesg
    route -n
    show users
    ifconfig -a
    echo $FWDIR

Files collected
    rules.C
    objects.C
    implied_rules.C
    Standard.pf
    snmpd.com

Related Documentation
• Check Point SecurePlatform Appliances on page 23
• Adding devices that are managed by an NSM console on page 10
• Adding Devices that are Managed by a CPSMS Console on page 11
• Adding devices that are managed by SiteProtector on page 13
Check Point Security Management Server Adapter
You use the Check Point Security Management Server (CPSMS) adapter to discover and
back up end nodes that are managed by the CPSMS. These end nodes are used to run
the Check Point FireWall-1 and the VPN-1 product family.
The following features are available with the Check Point Security Management Server
(CPSMS) adapter:
• OPSEC protocol
• Dynamic NAT
• Static NAT
• Static routing
The CPSMS adapter is built on the OPSEC SDK 6.0, which supports Check Point products
that are configured to use certificates that are signed by using SHA-1 only.
Table 11 on page 25 describes the integration requirements for the CPSMS adapter.
Table 11: Integration requirements for the CPSMS adapter

Integration requirement
    Description

Versions
    NGX R65 to R75

Neighbor data support
    Not supported

SNMP discovery
    No

Required credential parameters
    Use the credentials that are set from 'Adding devices managed by a CPSMS console'.
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Connection protocols
    CPSMS
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Configuration requirements
    To allow the cpsms_client to communicate with Check Point Management Server, the $CPDIR/conf/sic_policy.conf on CPSMS must include the following lines:
        # OPSEC applications default
        ANY ; SAM_clients ; ANY ; sam ; sslca, local, sslca_comp
        # sam proxy
        ANY ; Modules, DN_Mgmt ; ANY; sam ; sslca
        ANY ; ELA_clients ; ANY ; ela ; sslca, local, sslca_comp
        ANY ; LEA_clients ; ANY ; lea ; sslca, local, sslca_comp
        ANY ; CPMI_clients; ANY ; cpmi ; sslca, local, sslca_comp

Required ports
    The following ports must be open on CPSMS:
    Port 18190 for the Check Point Management Interface service (or CPMI)
    Port 18210 for the Check Point Internal CA Pull Certificate Service (or FW1_ica_pull)
    If you cannot use 18190 as a listening port for CPMI, then the CPSMS adapter port number must be similar to the value listed in the $FWDIR/conf/fwopsec.conf file for CPMI on CPSMS. For example, cpmi_server auth_port 18190.

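One way to check the Table 11 configuration requirements before running discovery, as an added example rather than Juniper or Check Point code: the Python below reads copies of sic_policy.conf and fwopsec.conf and reports required rules that are missing or commented out, and a CPMI port that differs from the one the adapter uses. The function names, the five-field reading of a rule line, and treating an absent cpmi_server entry as port 18190 are assumptions; the sample file contents are constructed.

```python
import re

# Rules the guide lists for $CPDIR/conf/sic_policy.conf, written here as
# (client groups, service, authentication methods).
REQUIRED_RULES = [
    ("SAM_clients", "sam", "sslca, local, sslca_comp"),
    ("Modules, DN_Mgmt", "sam", "sslca"),
    ("ELA_clients", "ela", "sslca, local, sslca_comp"),
    ("LEA_clients", "lea", "sslca, local, sslca_comp"),
    ("CPMI_clients", "cpmi", "sslca, local, sslca_comp"),
]
DEFAULT_CPMI_PORT = 18190  # CPMI port named in the guide


def _items(field):
    """Split a comma-separated field into a set of trimmed names."""
    return frozenset(p.strip() for p in field.split(",") if p.strip())


def parse_sic_policy(text):
    """Return active rules as (peer, groups, dest, service, methods).

    Assumption: '#' starts a comment and fields are separated by ';',
    as in the lines printed in the guide.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            continue  # not a rule in the five-field form shown in the guide
        peer, groups, dest, service, methods = fields
        rules.append((peer, _items(groups), dest, service, _items(methods)))
    return rules


def missing_sic_rules(text):
    """List (groups, service) pairs from the guide that have no active rule."""
    active = parse_sic_policy(text)
    missing = []
    for groups, service, methods in REQUIRED_RULES:
        satisfied = any(
            peer == "ANY" and dest == "ANY" and g == _items(groups)
            and svc == service and _items(methods) <= m
            for peer, g, dest, svc, m in active
        )
        if not satisfied:
            missing.append((groups, service))
    return missing


def cpmi_auth_port(fwopsec_text):
    """Return the active 'cpmi_server auth_port N' value, or None if unset."""
    for raw in fwopsec_text.splitlines():
        line = raw.split("#", 1)[0]
        match = re.match(r"\s*cpmi_server\s+auth_port\s+(\d+)\s*$", line)
        if match:
            return int(match.group(1))
    return None


def check_cpsms(sic_text, fwopsec_text, adapter_port=DEFAULT_CPMI_PORT):
    """Return a list of findings; an empty list means both checks pass."""
    findings = [
        f"sic_policy.conf: no active rule for {groups} / {service}"
        for groups, service in missing_sic_rules(sic_text)
    ]
    configured = cpmi_auth_port(fwopsec_text)
    expected = DEFAULT_CPMI_PORT if configured is None else configured
    if adapter_port != expected:
        findings.append(
            f"CPMI port mismatch: adapter uses {adapter_port}, "
            f"CPSMS listens on {expected}"
        )
    return findings


# Constructed sample: the CPMI_clients rule is commented out and CPMI was
# moved off the default port.
SAMPLE_SIC = """\
# OPSEC applications default
ANY ; SAM_clients ; ANY ; sam ; sslca, local, sslca_comp
# sam proxy
ANY ; Modules, DN_Mgmt ; ANY; sam ; sslca
ANY ; ELA_clients ; ANY ; ela ; sslca, local, sslca_comp
ANY ; LEA_clients ; ANY ; lea ; sslca, local, sslca_comp
# ANY ; CPMI_clients; ANY ; cpmi ; sslca, local, sslca_comp
"""
SAMPLE_FWOPSEC = "cpmi_server auth_port 18191\n"

if __name__ == "__main__":
    for finding in check_cpsms(SAMPLE_SIC, SAMPLE_FWOPSEC):
        print(finding)
```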
Related Documentation
• Check Point SecurePlatform Appliances on page 23
• Adding devices that are managed by an NSM console on page 10
• Adding Devices that are Managed by a CPSMS Console on page 11
• Adding devices that are managed by SiteProtector on page 13
Cisco CatOS
Juniper Secure Analytics (JSA) Risk Manager supports the Cisco Catalyst (CatOS) adapter.
The Cisco CatOS adapter collects device configurations by backing up CatOS network
devices that JSA Risk Manager can access.
The following features are available with the Cisco CatOS adapter:
• Neighbor data support
• SNMP discovery
• Static routing
• Telnet and SSH connection protocols
Table 12 on page 26 describes the integration requirements for the Cisco CatOS adapter.
Table 12: Integration Requirements for the Cisco CatOS Adapter

Integration requirement
    Description

Versions
    Catalyst 6500 series chassis devices.
    4.2
    6.4
    NOTE: The adapter for CatOS backs up only the essential switching port structure.
    Multilayer Switch Feature Card (MSFC) CatOS adapters are backed up by Cisco IOS adapters.
    Firewall Services Module (FWSM) CatOS adapters are backed up by Cisco ASA adapters.

Neighbor data support
    Supported

SNMP discovery
    Matches CATOS or Catalyst Operating System in SNMP sysDescr.

Required credential parameters
    Username
    Password
    Enable Password (expert mode)
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Connection protocols
    Telnet
    SSH
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Commands that the adapter requires to log in and collect data
    show version
    whichboot
    show module
    show mod ver
    show system
    show flash devices
    show flash ...
    show snmp ifalias
    show port ifindex
    show interface
    show port
    show spantree
    show ip route
    show vlan
    show vtp domain
    show arp
    show cdp
    show cam dynamic
    show port status
    show counters

Related Documentation
• Check Point SecurePlatform Appliances on page 23
• Adding devices that are managed by an NSM console on page 10
• Adding Devices that are Managed by a CPSMS Console on page 11
• Adding devices that are managed by SiteProtector on page 13
Cisco IOS
Juniper Secure Analytics (JSA) Risk Manager supports the Cisco Internet Operating
System (IOS) adapter.
The Cisco IOS adapter collects device configurations by backing up IOS-based network
switches and routers.
The following features are available with the Cisco IOS adapter:
1. Neighbor data support
2. Dynamic NAT
3. Static NAT
4. SNMP discovery
5. Static routing
6. EIGRP and OSPF dynamic routing
7. P2P Tunneling/VPN
8. Telnet and SSH connection protocols
Table 13 on page 28 describes the integration requirements for Cisco IOS.
Table 13: Integration Requirements for Cisco IOS

Integration Requirement
    Description

Versions
    IOS 12.0 to 15.1 for routers and switches
    Cisco Catalyst 6500 switches with MSFC.
    Use the Cisco IOS adapter to back up the configuration and state of the MSFC card services.
    If a Cisco IOS 7600 series router has an FWSM, use the Cisco ASA adapter to back up the FWSM.

User Access Level
    A user with command exec privilege level for each command that the adapter requires to log in and collect data. For example, you can configure a custom privilege level 10 user that uses local database authentication.
    The following example sets all show ip commands to privilege level 10.
        privilege exec level 10 show ip

Neighbor data support
    Supported

SNMP discovery
    Matches ISO or Cisco Internet Operation System in SNMP sysDescr.

Required credential parameters
    Username
    Password
    Enable Password (expert mode)
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Connection protocols
    Telnet
    SSH + SCP
    SSH
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Commands that the adapter requires to log in and collect data
    show access lists
    show cdp neighbors detail
    show eigrp neighbors
    show diagbus
    show diag
    show install running
    show interfaces
    show inventory
    show file systems
    show mac-address-table dynamic
    show module
    show mod version
    show power
    show startup-config
    show object-group
    show running-config
    show snmp
    show glbp
    show spanning-tree
    show standby
    set terminal length
    show vlan
    show vtp status
    show version
    show vrrp
    show ip arp
    show ip bgp neighbors
    show ip eigrp interface
    show ip eigrp neighbors
    show ip eigrp topology
    show ip ospf
    show ip ospf neighbor
    show ip protocols
    show ipv6 neighbors
    show ip ospf interface
    show ip route eigrp
    terminal length 0

Related Documentation
• Check Point SecurePlatform Appliances on page 23
• Adding devices that are managed by an NSM console on page 10
• Adding Devices that are Managed by a CPSMS Console on page 11
• Adding devices that are managed by SiteProtector on page 13
Cisco Nexus
To integrate Juniper Secure Analytics (JSA) Risk Manager with your network devices,
ensure that you review the requirements for the Cisco Nexus adapter.
The following features are available with the Cisco Nexus adapter:
• Neighbor data support
• SNMP discovery
• EIGRP and OSPF dynamic routing
• Static routing
• Telnet and SSH connection protocols
Table 14 on page 30 describes the integration requirements for the Cisco Nexus adapter.
Table 14: Integration Requirements for the Cisco Nexus Adapter

Integration Requirement
    Description

Versions and supported OS levels
    Nexus 5548: OS level 6.0
    Nexus 7000 series: OS level 6.2
    Nexus 9000 series: OS level 6.1

Neighbor data support
    Supported

SNMP discovery
    Matches Cisco NX-OS and an optional qualification string that ends with Software in the SNMP sysDescr.
    (Cisco NX\-OS.* Software)

Required credential parameters
    Username
    Password
    Enable Password
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.
    If you add virtual device contexts (VDCs) as individual devices, ensure that the required credentials allow the following actions:
    • Access the account that is enabled for the VDCs.
    • Use the required commands in that virtual context.

Connection protocols
    Telnet
    SSH
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Commands that the adapter requires to log in and collect data
    terminal length 0
    show version
    show hostname
    show vdc
    show snmp
    show module
    dir fs (fs is file systems on the device)
    show interface brief
    show interface snmp-ifindex
    show interface if (if is all of the interfaces from show interface brief with configuration sections)
    show running-config
    show startup-config
    show static-route
    show ip access-lists
    show object-group
    show vdc
    show vdc current-vdc
    show vdc <$currentVdc>
    show vlan
    show vtp status
    show hsrp
    show vrrp
    show vtp
    show glbp
    show ip arp
    show mac address-table
    show ip route
    show ipv6 route
    show ipv6 ndp
    show cdp entry all
    switchto vdc (for all supported virtual device contexts)
    show cdp entry all
    show interface brief
    show ip arp
    show mac address-table
    show ip route

Related Documentation
• Check Point SecurePlatform Appliances on page 23
• BIG-IP on page 20
Methods for Adding VDCs for Cisco Nexus Devices
Use Configuration Source Management to add Nexus network devices and Virtual Device
Contexts (VDC) to Juniper Secure Analytics (JSA). There are two ways to add multiple
VDCs to JSA Risk Manager.
You can add VDCs as subdevices of the Nexus device or as individual devices.
View Virtual Device Contexts
If you add VDCs as individual devices, then each VDC is displayed as a device in the
topology.
If you add VDCs as a subdevice, they are not displayed in the topology. You can view the
VDCs in the Configuration Monitor Window.
Adding VDCs as subdevices of your Cisco Nexus Device
Use Configuration Source Management to add VDCs as subdevices of your Cisco Nexus
device.
To Add VDCs as sub-devices:
1. Enable the following commands for the user that is specified in the credentials:
• show vdc (at admin context)
• switchto vdc x, where x is the VDCs that are supported.
In Configuration Monitor, you can view the Nexus device in the topology and the VDC
sub-devices. For information about viewing devices, see the Risk Manager Users Guide.
2. Use Configuration Source Management to add the admin context IP address of the
Nexus device.
Adding VDCs as Individual Devices
Use Configuration Source Manager to add each virtual device context (VDC) as a separate
device. When you use this method, the Nexus device and the VDCs are displayed in the
topology.
When you view your Cisco Nexus device and VDCs in the topology, the chassis
containment is represented separately.
To Add VDCs as Individual Devices:
1. Use Configuration Source Manager to add the admin IP address of each VDC.
For more information, see “Adding a Network Device” on page 7.
2. Use Configuration Source Manager to obtain the configuration information for your
VDCs.
3. On the Cisco Nexus device, use the Cisco Nexus CLI to disable the switchto vdc
command for the user name that is associated with the adapter.
If the user name for a Cisco Nexus device is qrmuser, type the following commands:
NexusDevice(config)# role name qrmuser
NexusDevice(config-role)# rule 1 deny command switchto vdc
NexusDevice(config-role)# rule 2 permit command show*
NexusDevice(config-role)# rule 3 permit command terminal
NexusDevice(config-role)# rule 4 permit command dir
Related Documentation
• Check Point SecurePlatform Appliances on page 23
• BIG-IP on page 20
Cisco Security Appliances
To integrate Juniper Secure Analytics (JSA) Risk Manager with your network devices,
ensure that you review the requirements for the Cisco Security Appliances adapter.
The following features are available with the Cisco Security Appliances adapter:
• Neighbor data support
• Static NAT
• SNMP discovery
• EIGRP and OSPF dynamic routing
• Static routing
• IPSEC tunneling
• Telnet and SSH connection protocols
The Cisco Security Appliances adapter collects device configurations by backing up Cisco
family devices.
The following list describes examples of the Cisco firewalls that the adapter for the Cisco
Security Appliances supports:
• Cisco Adaptive Security Appliances (ASA) 5500 series
• Firewall Service Module (FWSM)
• Module in a Catalyst chassis
• Established Private Internet Exchange (PIX) device.
NOTE: Cisco ASA transparent contexts cannot be placed in the JSA Risk
Manager topology, and you cannot do path searches across these transparent
contexts.
Table 15 on page 34 describes the integration requirements for the Cisco Security
Appliances adapter.
Table 15: Integration Requirements for the Cisco Security Appliances Adapter

Integration requirement
    Description

Versions
    ASA: 8.2, 8.4
    PIX: 6.1, 6.3
    FWSM: 3.1, 3.2

Minimum User Access Level
    privilege level 5
    You can back up devices with privilege level 5 access level. For example, you can
    configure a level 5 user that uses local database authentication by running the
    following commands:
        aaa authorization command LOCAL
        aaa authentication enable console LOCAL
        privilege cmd level 5 mode exec command terminal
        privilege cmd level 5 mode exec command changeto (multi-context only)
        privilege show level 5 mode exec command running-config
        privilege show level 5 mode exec command startup-config
        privilege show level 5 mode exec command version
        privilege show level 5 mode exec command shun
        privilege show level 5 mode exec command names
        privilege show level 5 mode exec command interface
        privilege show level 5 mode exec command pager
        privilege show level 5 mode exec command arp
        privilege show level 5 mode exec command route
        privilege show level 5 mode exec command context
        privilege show level 5 mode exec command mac-address-table

Neighbor data support
    Supported

SNMP discovery
    Matches PIX or Adaptive Security Appliance or Firewall Service Module in SNMP
    sysDescr.

Required credential parameters
    Username
    Password
    Enable Password
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Connection protocols
    Telnet
    SSH
    SCP
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Commands that the adapter requires to log in and collect data
    change context
    change context admin-context
    change context context
    change system
    get startup-config
    show arp
    show context
    show interface
    show interface detail
    show ipv6 interface
    show ipv6 neighbor
    show mac-address-table
    show names
    show ospf neighbor
    show pager
    show route
    show running-config
    show shun
    show version
    terminal pager 0
    terminal pager 24
    The show pager command must be enabled to access accounts that use Risk Manager.
    The change context command is used for each context on the ASA device.
    The change system command detects whether the system has multi-context
    configurations and determines the admin-context.
    The change context command is required if the change system command has a
    multi-context configuration or admin configuration context.
    The terminal pager commands are used to set and reset paging behavior.
Related Documentation
• Check Point SecurePlatform Appliances on page 23
• BIG-IP on page 20
Fortinet FortiOS
JSA Risk Manager adapter for Fortinet FortiOS supports Fortinet FortiGate appliances
that run the Fortinet operating system (FortiOS).
The following features are available with the Fortinet FortiOS adapter:
1. Static NAT
2. Static routing
3. Telnet and SSH connection protocols
The Fortinet FortiOS adapter interacts with FortiOS over Telnet or SSH. The following
list describes some limitations of JSA Risk Manager and the Fortinet FortiOS adapter:
• Geography-based addresses and referenced policies are not supported by JSA Risk
Manager.
• Identity-based, VPN and Internet Protocol Security policies are not supported by JSA
Risk Manager.
• Policies that use Unified Threat Management (UTM) profiles are not supported by the
Fortinet FortiOS adapter. Currently, only Layer 3 firewall policies are supported.
Table 16 on page 36 describes the integration requirements for the Fortinet FortiOS
adapter.
Table 16: Integration Requirements for the Fortinet FortiOS Adapter

Integration Requirement
    Description

Versions
    4.0 MR3

Neighbor data support
    No

SNMP discovery
    No

Required credential parameters
    Username
    Password
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Connection protocols
    Telnet
    SSH
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Commands that the adapter requires to log in and collect data
    config system console
        set output standard
    NOTE: The config system console and set output standard commands require a user
    with read/write access to System Configuration. If you use a read-only user with
    pagination enabled when you back up a FortiGate device, performance is impaired
    significantly.
    show system interface
    get hardware nic <variable>
    get system status
    get system performance status
    show full-configuration
    get router info routing-table static
    show firewall address
    get test dnsproxy 6
    show firewall addrgrp
    get firewall service predefined <variable>
    show firewall service custom
    show firewall service group
    get system snmp sysinfo
    show system snmp community
    show firewall policy
    show system zone
    show firewall vip
    show firewall vipgrp
    show firewall ippool
    show firewall central-nat
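
Added example (not part of the Juniper guide or of JSA): because Table 16 lists every command the adapter issues, the account that the adapter logs in with can be audited against that list. The log line format, the account name qrm_backup and all function names are assumptions constructed for illustration.

```python
import re

# Command templates copied from Table 16; <variable> is a device-supplied argument.
FORTIOS_ADAPTER_COMMANDS = [
    "config system console",
    "set output standard",
    "show system interface",
    "get hardware nic <variable>",
    "get system status",
    "get system performance status",
    "show full-configuration",
    "get router info routing-table static",
    "show firewall address",
    "get test dnsproxy 6",
    "show firewall addrgrp",
    "get firewall service predefined <variable>",
    "show firewall service custom",
    "show firewall service group",
    "get system snmp sysinfo",
    "show system snmp community",
    "show firewall policy",
    "show system zone",
    "show firewall vip",
    "show firewall vipgrp",
    "show firewall ippool",
    "show firewall central-nat",
]


def compile_template(template):
    """Turn one documented command into a fully anchored regular expression."""
    parts = []
    for token in template.split():
        if token == "<variable>":
            parts.append(r"[\w.\-/]+")  # exactly one plain argument
        else:
            parts.append(re.escape(token))
    return re.compile("^" + r"\s+".join(parts) + "$")


ALLOWED = [compile_template(t) for t in FORTIOS_ADAPTER_COMMANDS]

# Assumed (constructed) accounting format: <timestamp> user=<name> cmd="<command>"
LOG_LINE = re.compile(r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>[^"]*)"$')


def is_documented(command):
    """True when the command, after whitespace normalisation, is in Table 16."""
    normalized = " ".join(command.split())
    return any(pattern.match(normalized) for pattern in ALLOWED)


def audit(lines, adapter_account):
    """Return (timestamp, command) for each adapter-account command outside Table 16."""
    findings = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if match is None or match["user"] != adapter_account:
            continue  # unparsable line or a different account
        if not is_documented(match["cmd"]):
            findings.append((match["ts"], match["cmd"]))
    return findings


# Constructed sample log, not captured from a real device.
SAMPLE_LOG = [
    '2016-07-11T02:00:01Z user=qrm_backup cmd="config system console"',
    '2016-07-11T02:00:01Z user=qrm_backup cmd="set output standard"',
    '2016-07-11T02:00:02Z user=qrm_backup cmd="get hardware nic port1"',
    '2016-07-11T02:00:03Z user=qrm_backup cmd="show  firewall policy"',
    '2016-07-11T02:14:40Z user=qrm_backup cmd="config firewall policy"',
    '2016-07-11T02:15:07Z user=qrm_backup cmd="get system arp"',
    '2016-07-11T02:16:00Z user=admin cmd="get system status"',
]

if __name__ == "__main__":
    for ts, cmd in audit(SAMPLE_LOG, "qrm_backup"):
        print(f"{ts} undocumented adapter command: {cmd}")
```

Baseline the list against a known-good backup run before alerting on it: the end statement that closes a FortiOS config block, for example, is not in Table 16 and would be reported.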
Related Documentation
• Check Point SecurePlatform Appliances on page 23
• BIG-IP on page 20
Generic SNMP adapter
Juniper Secure Analytics (JSA) Risk Manager supports appliances that run an SNMP
agent with the generic SNMP adapter.
This adapter interacts with the SNMP agent by using SNMP queries.
The object identifiers (OIDs) are contained in SNMP MIB-2, and you can expect all SNMP
agents to expose these OIDs.
The following are adapter limitations:
• Collects basic interface and basic system information only. Rules and routing
information are not collected.
• The adapter does not support AES encryption with SNMPv3, even though the option
is displayed in the Configuration Source Management window.
Table 17 on page 38 describes the integration requirements for the generic SNMP adapter.
Table 17: Integration Requirements for the SNMP Adapter

Integration Requirement
    Description

Versions
    SNMPv1, SNMPv2c, SNMPv3

Neighbor data support
    No

SNMP discovery
    No

Required credential parameters
    SNMPv1 and SNMPv2c require
        SNMP Get Community
    SNMPv3 requires
        SNMPv3 Authentication Username
    SNMPv3 can have either one of the following credentials:
        SNMPv3 Authentication Password
        SNMPv3 Privacy Password
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Connection protocols
    SNMPv1
    SNMPv2c
    SNMPv3 using MD5
    SHA with DES
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Commands that the adapter requires to log in and collect data
    SNMP Get commands
        .1.3.6.1.2.1.1.1.0
        .1.3.6.1.2.1.1.2.0
        .1.3.6.1.2.1.1.3.0
        .1.3.6.1.2.1.1.4.0
        .1.3.6.1.2.1.1.5.0
        .1.3.6.1.2.1.1.6.0
    SNMP Walk commands
        .1.3.6.1.2.1.2.2.1.2
        .1.3.6.1.2.1.2.2.1.3
        .1.3.6.1.2.1.2.2.1.4
        .1.3.6.1.2.1.2.2.1.5
        .1.3.6.1.2.1.2.2.1.6
        .1.3.6.1.2.1.2.2.1.7
        .1.3.6.1.2.1.4.20
Related Documentation
• Check Point SecurePlatform Appliances on page 23
• BIG-IP on page 20
HP Networking ProVision
Juniper Secure Analytics (JSA) Risk Manager supports the HP Networking ProVision
adapter.
The following features are available with the HP Networking ProVision adapter:
• Neighbor data support
• SNMP discovery
• RIP dynamic routing
• Telnet and SSH connection protocols
Table 18 on page 39 describes the integration requirements for the HP Networking
ProVision adapter.
Table 18: Integration Requirements for the HP Networking ProVision Adapter

Integration Requirement
    Description

Versions
    HP Networking ProVision Switches K/KA.15.X and later.
    NOTE: HP switches that run a Comware operating system are not supported by this
    adapter.

Neighbor data support
    Supported

SNMP discovery
    Matches version numbers with the format
    HP(.*)Switch(.*)(revision[A-Z]{1,2}\.(\d+)\.(\d+)) in sysDescr.

Required credential parameters
    Username
    Password
    Enable Password
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Connection protocols
    SSH
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Backup operation commands that are issued by the adapter to the device
    dmesg
    show system power-supply
    getmib
    show access-list vlan <vlan id>
    show access-list
    show access-list <name or number>
    show access-list ports <port number>
    show config
    show filter
    show filter <id>
    show running-config
    show interfaces brief
    show interfaces <interface id> (for each interface)
    show jumbos
    show trunks
    show lacp
    show module
    show snmp-server
    show spanning-tree
    show spanning-tree config
    show spanning-tree instance <id or list> (for each spanning tree configured on the
    device)
    show spanning-tree mst-config
    show system information
    show version
    show vlans
    show vlans <id> (for each VLAN)
    show vrrp
    walkmib

show ip backup operation commands that are issued by the adapter to the device
    show ip
    show ip route
    show ip ospf
    show access-list
    show ip ospf redistribute
    show ip rip
    show ip rip redistribute

Telemetry and neighbor data commands
    getmib
    show arp
    show cdp neighbors
    show cdp neighbors detail <port number>
    show interfaces brief
    show interface
    show ip route
    show lldp info remote-device
    show lldp info remote-device <port number>
    show mac-address or show mac address
    show system information
    show vlans
    show vlans custom id state ipaddr ipmask
    walkmib

Related Documentation
• Sidewinder on page 47
• Sourcefire 3D Sensor on page 48
• TippingPoint IPS adapter on page 50
• Cisco IOS on page 27
• Check Point SecurePlatform Appliances on page 23
Juniper Networks Junos
To integrate Juniper Secure Analytics (JSA) Risk Manager with your network devices,
ensure that you review the requirements for the Juniper Networks Junos adapter.
The following features are available with the Juniper Networks Junos adapter:
• Neighbor data support
• SNMP discovery
• OSPF dynamic routing
• Static routing
• Telnet and SSH connection protocols
Table 19 on page 41 describes the integration requirements for the Juniper Networks
Junos adapter.
Table 19: Integration Requirements for the Juniper Networks Junos Adapter

Integration Requirement
    Description

Versions
    10.4
    11.2 to 12.3
    13.2

Neighbor data support
    Supported

SNMP discovery
    Matches SNMP sysOID: 1.3.6.1.4.1.2636

Required credential parameters
    Username
    Password
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Connection protocols
    Telnet
    SSH + SCP
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Commands that the adapter requires to log in and collect data
    show version
    show system uptime
    show chassis hardware
    show chassis firmware
    show chassis mac-address
    show chassis routing-engine
    show configuration snmp
    show snmp mib walk system configure
    show configuration firewall
    show configuration firewall family inet6
    show configuration security
    show configuration security zones
    show interfaces
    show interfaces filters
    show ospf interface detail
    show bgp neighbor
    show configuration routing-option
    show arp no-resolve
    show ospf neighbor
    show rip neighbor

Related Documentation
• Sidewinder on page 47
• Sourcefire 3D Sensor on page 48
• TippingPoint IPS adapter on page 50
• Cisco IOS on page 27
• Check Point SecurePlatform Appliances on page 23
Juniper Networks NSM
Juniper Secure Analytics (JSA) Risk Manager adapter supports Juniper Networks NSM
(Network and Security Manager).
You can use the JSA Risk Manager to back up a single Juniper Networks device or obtain
device information from a Juniper Networks NSM console.
The Juniper Networks NSM (Network and Security Manager) console contains the
configuration and device information for Juniper Networks routers and switches that are
managed by the Juniper Networks NSM console.
Table 20 on page 43 describes the supported environments for Juniper Networks NSM.
Table 20: Risk Manager Adapter Supported Environments for Juniper Networks NSM

Supported environment
    Description

Versions
    IDP appliances that are managed by NSM (Network and Security Manager).

Neighbor data support
    Not supported

SNMP discovery
    Not supported

Required credential parameters
    Username
    Password
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Connection protocols
    SOAP
    HTTP
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Related Documentation
• Sidewinder on page 47
• Sourcefire 3D Sensor on page 48
• TippingPoint IPS adapter on page 50
• Cisco IOS on page 27
• Check Point SecurePlatform Appliances on page 23
Juniper Networks ScreenOS
To integrate Juniper Secure Analytics (JSA) Risk Manager with your network devices,
ensure that you review the requirements for the Juniper Networks ScreenOS adapter.
The following features are available with the Juniper Networks ScreenOS adapter:
• Neighbor data support
• Dynamic NAT
• Static NAT
• SNMP discovery
• Static routing
• Telnet and SSH connection protocols
Table 21 on page 44 describes the integration requirements for the Juniper Networks
ScreenOS adapter.
Table 21: Integration Requirements for the Juniper Networks ScreenOS Adapter

Integration requirement
    Description

Versions
    5.4
    6.2

Neighbor data support
    Supported

SNMP discovery
    Matches netscreen or SSG in SNMP sysDescr

Required credential parameters
    Username
    Password
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Connection protocols
    Telnet
    SSH
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Commands that the adapter requires to log in and collect data
    set console page 0
    get system
    get config
    get snmp
    get memory
    get file info
    get file
    get service
    get group address zone group
    get address
    get service group
    get service group variable
    get interface
    get interface variable
    get policy all
    get policy id variable
    get admin user
    get route
    get arp
    get mac-learn
    get counter statistics interface variable
    Where
    zone is the zone data that is returned from the get config command.
    group is the group data that is returned from the get config command.
    variable is a list of returned data from a get service group, get interface, or get
    policy id command.

Related Documentation
• Sidewinder on page 47
• Sourcefire 3D Sensor on page 48
• TippingPoint IPS adapter on page 50
• Cisco IOS on page 27
• Check Point SecurePlatform Appliances on page 23
Palo Alto
Juniper Secure Analytics (JSA) Risk Manager supports the Palo Alto adapter. The Palo
Alto adapter uses the PAN-OS XML-based REST API to communicate with devices.
The following features are available with the Palo Alto adapter:
• Neighbor data support
• Dynamic NAT
• Static NAT
• SNMP discovery
• IPSEC Tunneling/VPN
• Applications
• User/Groups
• HTTPS connection protocol
Table 22 on page 45 describes the integration requirements for the Palo Alto adapter.
Table 22: Integration Requirements for the Palo Alto Adapter

Integration Requirement
    Description

Versions
    PAN-OS Version 5.0

Minimum user access level
    Superuser (full access): Required for PA devices that have Dynamic Block Lists to
    perform system-level commands.
    Superuser (read-only) for all other PA devices.

Neighbor data support
    Supported

SNMP discovery
    SysDescr matches 'Palo Alto Networks(.*)series firewall' or sysOid matches 'panPA'

Required credential parameters
    Username
    Password
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Connection protocols
    HTTPS
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Commands that are used for backup operation
    <show><system><info></info></system></show>
    <show><config><running></running></config></show>
    <show><routing><route></route></routing></show>
    <show><virtual-wire>all</virtual-wire></show>
    <show><vlan>all</vlan></show>
    <show><interface>all</interface></show>
    <show><system><disk-space></disk-space></system></show>
    <show><system><resources></resources></system></show>
    /config/predefined/service

Commands that are used for telemetry and neighbor data
    <show><system><info></info></system></show>
    <show><interface>all</interface></show>
    <show><config><running></running></config></show>
    <show><routing><interface></interface></routing></show>
    <show><counter><interface>all</interface></counter></show>
    <show><arp>all</arp></show>
    <show><mac>all</mac></show>
    <show><routing><route></route></routing></show>

Commands that are used for GetApplication
    <show><config><running></running></config></show>
    /config/predefined/application

Related Documentation
• Sidewinder on page 47
• Sourcefire 3D Sensor on page 48
• TippingPoint IPS adapter on page 50
• Cisco IOS on page 27
• Check Point SecurePlatform Appliances on page 23
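
Added example (not part of the Juniper guide or of JSA): the SNMP discovery rules printed in Tables 15, 18, 19, 21 and 22, collected into one checker so that a device's sysDescr and sysObjectID can be tested before relying on discovery. It goes beyond the Palo Alto case to cover every discovery rule in this chapter. The guide does not say whether matching is case-sensitive or substring-based, so substring search with an optional ignore_case flag is an assumption, as are the function names and the constructed sample strings.

```python
import re

# sysDescr patterns exactly as printed in Tables 15, 18, 21 and 22.
DESCR_RULES = {
    "Cisco Security Appliances": [
        r"PIX",
        r"Adaptive Security Appliance",
        r"Firewall Service Module",
    ],
    "HP Networking ProVision": [
        r"HP(.*)Switch(.*)(revision[A-Z]{1,2}\.(\d+)\.(\d+))",
    ],
    "Juniper Networks ScreenOS": [r"netscreen", r"SSG"],
    "Palo Alto": [r"Palo Alto Networks(.*)series firewall"],
}
# Table 19: numeric sysOID prefix. Table 22: symbolic sysOid name fragment.
OID_PREFIX_RULES = {"Juniper Networks Junos": "1.3.6.1.4.1.2636"}
OID_NAME_RULES = {"Palo Alto": "panPA"}


def oid_has_prefix(oid, prefix):
    """Compare OIDs arc by arc so 1.3.6.1.4.1.26361 is not taken for 1.3.6.1.4.1.2636."""
    arcs = oid.strip().lstrip(".").split(".")
    wanted = prefix.split(".")
    return arcs[:len(wanted)] == wanted


def classify(sys_descr="", sys_oid="", ignore_case=False):
    """Return the sorted names of every adapter whose discovery rule matches."""
    flags = re.IGNORECASE if ignore_case else 0
    hits = set()
    for adapter, patterns in DESCR_RULES.items():
        if any(re.search(p, sys_descr, flags) for p in patterns):
            hits.add(adapter)
    for adapter, prefix in OID_PREFIX_RULES.items():
        if sys_oid and oid_has_prefix(sys_oid, prefix):
            hits.add(adapter)
    for adapter, fragment in OID_NAME_RULES.items():
        if fragment in sys_oid:  # only meaningful when the OID was resolved to a name
            hits.add(adapter)
    return sorted(hits)


# Constructed sample values, not taken from real devices.
SAMPLES = [
    ("Cisco Adaptive Security Appliance Version 8.4(2)", ""),
    ("HP J9850A Switch 5406Rzl2, revisionKB.15.15.0006", ""),
    ("HP J9850A Switch 5406Rzl2, revision KB.15.15.0006", ""),
    ("NetScreen-5GT version 5.4.0r9", ""),
    ("", ".1.3.6.1.4.1.2636.1.1.1.2.29"),
    ("Palo Alto Networks PA-3000 series firewall", ""),
]

if __name__ == "__main__":
    for descr, oid in SAMPLES:
        print(repr(descr or oid), "->", classify(descr, oid) or "no adapter matched")
```

Two things show up when this runs: the HP pattern as printed has no whitespace after revision, so the sample written as "revision KB.15.15" matches nothing, and the lowercase netscreen rule only matches "NetScreen" when case is ignored.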
Sidewinder
Juniper Secure Analytics (JSA) Risk Manager supports McAfee Enterprise Firewall
(Sidewinder) appliances that run SecureOS.
The following features are available with the Sidewinder adapter:
1. Static NAT
2. Static routing
3. Telnet and SSH connection protocols
The Sidewinder adapter interacts with the CLI-based McAfee operating system
(SecureOS) over Telnet or SSH.
The Sidewinder adapter has these limitations:
• Only Layer 3 firewall policies are supported because the Layer 7 policies that use
Sidewinder application defenses are unsupported.
• Identity-based, geography-based, and IPv6 policies are dropped, because these policies
are unsupported by JSA Risk Manager.
Table 23 on page 47 describes the integration requirements for the Sidewinder adapter.
Table 23: Integration Requirements for the Sidewinder Adapter

Integration Requirement
    Description

Versions
    8.3.2

Minimum user access level
    admin
    The admin user access level is required to retrieve predefined services information
    from the database by using the cf appdb list verbose=on command.

Neighbor data support
    No

SNMP discovery
    No

Required credential parameters
    Username
    Password

Connection protocols
    SSH
    Telnet

Commands that the adapter requires to log in and collect data
    hostname
    uname -r
    uptime
    cf license q
    cf route status
    cf ipaddr q
    cf iprange q
    cf subnet q
    cf domain q
    Use "dig $address +noall +answer" for each domain output from: cf domain q
    cf host q
    cf netmap q
    cf netgroup q
    cf appdb list verbose=on
    cf application q
    cf appgroup q
    cf policy q
    cf interface q
    cf zone q

Related Documentation
• Sidewinder on page 47
• Sourcefire 3D Sensor on page 48
• TippingPoint IPS adapter on page 50
• Cisco IOS on page 27
• Check Point SecurePlatform Appliances on page 23
Sourcefire 3D Sensor
To integrate Juniper Secure Analytics (JSA) Risk Manager with your network devices,
ensure that you review the requirements for the Sourcefire 3D Sensor adapter.
The following features are available with the Sourcefire 3D Sensor adapter:
• IPS
• SSH connection protocol
Table 24 on page 49 describes the integration requirements for the Sourcefire 3D Sensor
adapter.
Limitations:
• Intrusion policies attached to individual access control rules are not used by QRM. Only
the default intrusion policy is supported.
• NAT and VPN are not supported.
Table 24: Integration Requirements for the Sourcefire 3D Sensor Adapter

Integration requirement
    Description

Versions
    5.2

Supported 3D sensors (Series 2 devices)
    3D500
    3D1000
    3D2000
    3D2100
    3D2500
    3D3500
    3D4500
    3D6500
    3D9900

Neighbor data support
    No

SNMP discovery
    No

Required credential parameters
    Username
    Password
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Connection protocols
    SSH
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Commands that the adapter requires to log in and collect data
    show version
    show memory
    show network
    show interfaces
    expert
    sudo
    su
    df
    hostname
    ip addr
    route
    cat
    find
    head
    mysql

Related Documentation
• Sidewinder on page 47
• Sourcefire 3D Sensor on page 48
• TippingPoint IPS adapter on page 50
TippingPoint IPS adapter
Juniper Secure Analytics (JSA) Risk Manager supports TippingPoint IPS (intrusion
prevention system) appliances that run TOS and that are under SMS control.
The following features are available with the TippingPoint IPS adapter:
• IPS
• Telnet, SSH+HTTPS connection protocols
This adapter requires interaction with the following devices:
• IPS directly by using the TippingPoint operating system (TOS) over Telnet or SSH.
• TippingPoint Secure Management Server (SMS) via the web services API over HTTPS.
A connection to the TippingPoint SMS is required to get the most recent Digital Vaccines
signatures, which are managed by the SMS.
This adapter works only with IPS devices under SMS control. The SMS web services must
be enabled for a successful backup.
NOTE: The TippingPoint adapter has the following limitations:
JSA Risk Manager doesn't process source or destination IP addresses in IPS rules or filters.
The following TippingPoint features are not supported:
• Traffic management filters
• Profile or filter exceptions and restrictions
• User-defined filters
• IPS filters without an associated CVE are not modeled because the IPS cannot be
mapped to any JSA vulnerabilities.
Table 25 on page 51 describes the integration requirements for the TippingPoint adapter.
Table 25: Integration Requirements for the TippingPoint Adapter

Integration Requirement
    Description

Versions
    TOS 3.6 and SMS 4.2

Minimum user access level
    IPS: Operator
    SMS: Operator (custom)
    A user who belongs to a group with a custom operator role that has the Access SMS
    Web Services option enabled.

Neighbor data support
    No

SNMP discovery
    No

Required credential parameters
    Enter the following credentials:
    Username: IPS CLI username
    Password: IPS CLI password
    Enable Username: SMS username
    Enable Password: SMS password

Connection protocols
    Telnet or SSH for IPS CLI
    HTTPS for SMS
    To add credentials in JSA, log in as an administrator and use Configuration Source
    Management on the Admin tab.

Commands that the adapter requires to log in and collect data
    show config
    show version
    show interface
    show host
    show sms
    show filter $filterNumber (for each signature found in Digital Vaccine)

API commands sent to the SMS to retrieve the most recent signatures
    https://<sms_server>/dbAccess/tptDBServlet?method=DataDictionary
    =SIGNATURE=xml

Related Documentation
• Sidewinder on page 47
• Sourcefire 3D Sensor on page 48
• TippingPoint IPS adapter on page 50