Juniper Secure Analytics Risk Manager Adapter Configuration Guide · 2020. 2. 10. ·...
Juniper Secure Analytics Risk Manager Adapter Configuration Guide
Release 7.3.3
Published 2020-02-10
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Juniper Secure Analytics Risk Manager Adapter Configuration Guide 7.3.3
Copyright © 2020 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation | vii
Documentation and Release Notes | vii
Documentation Conventions | vii
Documentation Feedback | x
Requesting Technical Support | x
Self-Help Online Tools and Resources | xi
Creating a Service Request with JTAC | xi
CHAPTER 1 Adapters Overview
Adapters Overview | 15
Network Topology and Configuration | 15
Process for Integrating Network Devices | 15
Types Of Adapters | 16
Adapter Features | 17
Adapter FAQs | 19
Do Adapters Support All Devices and Versions That JSA Supports? | 19
Do All Adapters Support the Same Features, for Example, OSPF Routing? | 19
What User-access Level Does the Adapter Require to Get Device Configuration? | 20
How do You Configure Credentials to Access Your Network Devices? | 20
What Credential Fields do You Need to Complete for Each Device? | 20
How do You Configure Protocols for Your Devices? | 20
How do You Add Your Network Devices to JSA Risk Manager? | 20
CHAPTER 2 Installing Adapters
Installing Adapters | 25
Uninstalling an Adapter | 26
CHAPTER 3 Methods for Adding Network Devices
Methods for Adding Network Devices | 31
Adding a Network Device | 31
Adding Devices That Are Managed by an NSM Console | 34
Adding Devices to JSA Risk Manager That Are Managed by a CPSMS Console | 36
Adding Devices that are Managed by CPSMS by Using OPSEC | 36
Adding Devices Managed by CPSMS by Using HTTPS | 38
Adding Devices That are Managed by the Palo Alto Panorama | 40
Palo Alto Panorama | 41
Adding Devices That are Managed by a Sourcefire Defense Center | 42
Adding Devices That are Managed by a Cisco Firepower Management Center | 44
CHAPTER 4 Troubleshooting Device Discovery and Backup
Troubleshooting Device Discovery and Backup | 49
Device Backup Failure | 49
View Device Backup Errors | 49
Backup Completes with Parse Warning | 51
Verify whether you have the most recent adapter versions | 51
Verify whether your device backup is current | 52
Error When Importing Configurations from Your Devices | 52
Failure to Discover Devices from Check Point SMS (OPSEC) | 52
CHAPTER 5 Supported Adapters
Supported Adapters | 55
Brocade vRouter | 56
Check Point SecurePlatform Appliances | 57
Check Point Security Management Server Adapter | 58
Check Point Security Management Server OPSEC Adapter | 59
Check Point Security Management Server HTTPS Adapter | 60
Create a Check Point Custom Permission Profile to Permit JSA Risk Manager Access | 62
Cisco CatOS | 64
Cisco IOS | 66
Cisco Nexus | 69
Methods for adding VDCs for Cisco Nexus Devices | 72
Adding VDCs As Subdevices Of Your Cisco Nexus Device | 72
Adding VDCs As Individual Devices | 73
Cisco NGIPS | 74
Cisco Security Appliances | 76
F5 BIG-IP | 81
Fortinet FortiOS | 86
Generic SNMP Adapter | 89
HP Networking ProVision | 91
Juniper Networks JUNOS OS | 96
Juniper Networks NSM | 100
Juniper Networks ScreenOS | 101
Palo Alto | 103
Sidewinder | 107
Sourcefire 3D Sensor | 110
TippingPoint IPS Adapter | 112
About the Documentation
IN THIS SECTION
Documentation and Release Notes | vii
Documentation Conventions | vii
Documentation Feedback | x
Requesting Technical Support | x
Use this guide to understand how to integrate Risk Manager with network devices.
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at https://www.juniper.net/books.
Documentation Conventions
Table 1 on page viii defines notice icons used in this guide.
Table 1: Notice Icons
Icon meaning: Description
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Tip: Indicates helpful information.
Best practice: Alerts you to a recommended use or implementation.
Table 2 on page viii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
user@host> show chassis alarms
No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine’s domain name:
[edit]
root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub ;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
broadcast | multicast
(string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.
Examples:
[edit]
routing-options {
    static {
        route default {
            nexthop address;
            retain;
        }
    }
}

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Examples: See the routing-options example above (the nexthop address; and retain; lines).

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback so that we can improve our documentation. You can use either of the following methods:
• Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper Networks TechLibrary site, and do one of the following:
• Click the thumbs-up icon if the information on the page was helpful to you.
• Click the thumbs-down icon if the information on the page was not helpful to you or if you have suggestions for improvement, and use the pop-up form to provide feedback.
• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active Juniper Care or Partner Support Services support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
• Find CSC offerings: https://www.juniper.net/customers/support/
• Search for known bugs: https://prsearch.juniper.net/
• Find product documentation: https://www.juniper.net/documentation/
• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
• Download the latest versions of software and review release notes: https://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: https://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum: https://www.juniper.net/company/communities/
• Create a service request online: https://myjuniper.juniper.net
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/
Creating a Service Request with JTAC
You can create a service request with JTAC on the Web or by telephone.
• Visit https://myjuniper.juniper.net.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see https://support.juniper.net/support/requesting-support/.
CHAPTER 1
Adapters Overview
Adapters Overview | 15
Types Of Adapters | 16
Adapter Features | 17
Adapter FAQs | 19
Adapters Overview
Use adapters to integrate JSA Risk Manager with your network devices. By configuring adapters, JSA Risk Manager can interrogate and import the configuration parameters of network devices, such as firewalls, routers, and switches.
Network Topology and Configuration
JSA Risk Manager uses adapters to collect network configurations. The adapters turn the configuration information into a standard format that is unified for supported device models, manufacturers, and types. JSA Risk Manager uses the data to understand your network topology and the configuration of your network devices.
To connect external devices in the network, JSA Risk Manager must be able to access the devices. JSA Risk Manager uses the user credentials that are configured in JSA to access the device and to download the configurations.
Process for Integrating Network Devices
To integrate network devices with JSA Risk Manager, follow these steps:
1. Configure the network device to enable communication with JSA Risk Manager.
2. Install the appropriate adapter for your network device on your JSA Risk Manager appliance.
3. Use Configuration Source Management to add your network devices to JSA Risk Manager.
4. Define the network protocol that is required for communication with your network devices.
For more information, see the Juniper Secure Analytics Risk Manager User Guide.
RELATED DOCUMENTATION
Types Of Adapters | 16
Adapter Features | 17
Adapter FAQs | 19
Types Of Adapters
JSA Risk Manager supports several types of adapters.
The following adapters are supported:
• F5 BIG-IP
• Brocade vRouter
• Check Point SecurePlatform Appliances
• Check Point Security Management Server
• Cisco Catalyst (CatOS)
• Cisco Internet Operating System (IOS)
• Cisco Nexus
• Cisco Security Appliances
• Fortinet FortiOS
• HP Networking ProVision
• Juniper Networks ScreenOS
• Juniper Networks JUNOS OS
• Juniper Networks NSM
• Palo Alto
• Sourcefire 3D Sensor
• Generic SNMP
• TippingPoint IPS
• McAfee Sidewinder
RELATED DOCUMENTATION
Adapter Features | 17
Adapter FAQs | 19
Adapters Overview | 15
Adapter Features
Adapters come with many features to help you integrate your network devices with JSA Risk Manager.
The following table lists common features for the supported adapters.
Table 3: Adapter Features
Columns: Adapter, Versions, NAT, Routing, Tunnelling, Protocols, Other features. Empty cells are omitted.

Brocade vRouter
Versions: 6.7 to 17.1
Routing: Static
Protocols: Telnet, SSH

Check Point Secure Platform
Versions: R65 to R77.30
NAT: Static, Dynamic
Routing: Static
Protocols: Telnet, SSH

Check Point SMS OPSEC
Versions: NGX R60 to R77
NAT: Static, Dynamic
Routing: Static
Protocols: CPSMS

Check Point SMS HTTPS
Versions: R80
NAT: Static, Dynamic
Routing: Static
Protocols: HTTPS

Cisco ASA
Versions: ASA: 8.2, 8.4 to 9.1.7; PIX: 6.1, 6.3; FWSM: 3.1, 3.2
NAT: Static
Routing: Static, EIGRP, OSPF
Protocols: Telnet, SSH, SCP

Cisco CatOS
Versions: Catalyst 6500 series chassis devices. 4.2, 6.4
Routing: Static
Protocols: Telnet, SSH

Cisco Nexus
Versions: Nexus 5548: OS level 6.0; Nexus 7000 series: OS level 6.2; Nexus 9000 series: OS level 6.1
Routing: Static, EIGRP, OSPF
Protocols: Telnet, SSH

Cisco IOS
Versions: IOS 12.0 to 15.1 for routers and switches; Cisco Catalyst 6500 switches with MSFC.
NAT: Static, Dynamic
Routing: Static, EIGRP, OSPF
Tunnelling: VPN
Protocols: Telnet, SSH

F5 BIG-IP
Versions: 10.1 – 13.1
NAT: Static, Dynamic
Routing: Static
Tunnelling: VPN
Protocols: SSH

Fortinet FortiOS
Versions: 4.0 MR3 to 5.2.4
NAT: Static
Routing: Static
Protocols: Telnet, SSH

Generic SNMP
Protocols: SNMPv1, v2 and v3

HP ProCurve ProVision
Versions: HP Networking ProVision Switches K/KA.15.X
Routing: RIP
Protocols: SSH

IBM Proventia GX IPS
Versions: GX appliances that are managed by SiteProtector.
Protocols: SQL
Other features: Applications

Juniper JUNOS OS
Versions: 10.4, 11.2 to 12.3, and 13.2
Routing: Static, OSPF
Protocols: Telnet, SSH, SCP

Juniper NSM
Versions: IDP appliances that are managed by NSM (Network and Security Manager)
Protocols: HTTPS

Juniper ScreenOS
Versions: 5.4, 6.2
NAT: Static, Dynamic
Routing: Static
Protocols: Telnet, SSH

Sidewinder
Versions: 8.3.2
NAT: Static
Routing: Static
Protocols: Telnet, SSH

Palo Alto Firewalls
Versions: PAN-OS Versions 5.0 to 7.0
NAT: Static, Dynamic
Tunnelling: IPSEC
Protocols: HTTPS
Other features: User/Groups, Applications

SourceFire 3D Sensor
Versions: 5.3
Tunnelling: VPN
Protocols: SSH
Other features: IPS

Tipping Point IPS
Versions: TOS 3.6 and SMS 4.2
Protocols: Telnet, SSH, HTTPS
Other features: IPS
RELATED DOCUMENTATION
Adapter FAQs | 19
Types Of Adapters | 16
Adapters Overview | 15
Adapter FAQs
JSA Risk Manager uses adapters to connect and get configuration information from network devices.
Do Adapters Support All Devices and Versions That JSA Supports?
Adapters are a separate integration and are used by JSA Risk Manager only to import device configurations. To view a list of supported adapters, see “Supported Adapters” on page 55.
Do All Adapters Support the Same Features, for Example, OSPF Routing?
The range of supported features, such as routing support and NAT support, varies with the adapter. See “Adapter Features” on page 17.
What User-access Level Does the Adapter Require to Get Device Configuration?
The required access level varies by adapter, but it is restricted to read-only for most adapters. See “Supported Adapters” on page 55 and view the user-access level requirements when you select an adapter.
How do You Configure Credentials to Access Your Network Devices?
You must configure credentials to allow JSA Risk Manager to connect to devices in your network. Administrators use Configuration Source Management to input device credentials. Individual device credentials can be saved for a specific network device. If multiple network devices use the same credentials, you can assign credentials to a group. For more information, see the Juniper Secure Analytics Risk Manager User Guide.
What Credential Fields do You Need to Complete for Each Device?
Some adapters might require only a user name and password, while others might need extra credentials; for example, Cisco IOS might require an enable password. See “Supported Adapters” on page 55 and view the required credential parameters in the tables.
How do You Configure Protocols for Your Devices?
Use Network Groups, which contain the protocols that you can use to enable connectivity to IP/CIDR address ranges for devices. For more information, see the Juniper Secure Analytics Risk Manager User Guide.
How do You Add Your Network Devices to JSA Risk Manager?
The following table lists the methods for adding network devices to JSA Risk Manager.
Table 4: Adding Network Devices

Method: Add devices individually
Description: Use this method if you want to run a test backup of a few devices, for example, to check that your credentials and protocols are correctly configured.

Method: Device discovery
Description: Use this method if you have an IP/CIDR address range with SNMP community strings that are configured for each device and you want to find all devices in that address range. You must have SNMP get community strings defined in your credential set for device discovery to work.

Method: Discovery from management device
Description: Use this method for devices that are managed by a supported management system such as Check Point SMS.

Method: Import devices
Description: If you have several devices in your network, this method is the most reliable.
For information about adding network devices to JSA Risk Manager, see the Juniper Secure Analytics Risk Manager User Guide.
RELATED DOCUMENTATION
Types Of Adapters | 16
Adapter Features | 17
Adapters Overview | 15
CHAPTER 2
Installing Adapters
Installing Adapters | 25
Uninstalling an Adapter | 26
Installing Adapters
You must download the adapter files to your JSA console, and then copy them to JSA Risk Manager.
After you establish the initial connection, the JSA console is the only device that can communicate directly with JSA Risk Manager.
1. Using SSH, log in to your JSA console as the root user.
2. Download the compressed file for the JSA Risk Manager adapters from to your JSA console.
3. To copy the compressed file from your JSA console to JSA Risk Manager, type the following command:
scp adapters.zip root@IP_address:
The IP_address option is the IP address or host name of JSA Risk Manager.
For example:
scp adapters.bundle-2014-10-972165.zip [email protected]:
4. On your JSA Risk Manager appliance, type the password for the root user.
5. Using SSH from your JSA console, log in to your JSA Risk Manager appliance as the root user.
6. To unpack and install the adapters, type the following commands from the root directory that contains the compressed file:
unzip adapters.zip
yum install -y adapters*.rpm
For example:
unzip adapters.bundle-2014-10-972165.zip
yum install -y adapters*.rpm
NOTE: For JSA Risk Manager versions prior to 2014.8, use the rpm command.
For example:
rpm -Uvh adapters*.rpm
7. To restart the services for the ziptie server and complete the installation, type the following command:
service ziptie-server restart
NOTE: Restarting the services for the ziptie server interrupts any device backups that are in progress from Configuration Source Management.
RELATED DOCUMENTATION
Uninstalling an Adapter | 26
Adapter Features | 17
Adapter FAQs | 19
Uninstalling an Adapter
Use the yum command to remove an adapter from JSA Risk Manager.
1. Using SSH, log in to the JSA console as the root user.
2. To uninstall an adapter, type the following command:
yum remove -y adapter_package
For example, yum remove -y adapters.cisco.ios-2011_05-205181.noarch
NOTE: For JSA Risk Manager versions prior to 2014.8, use the rpm command. Both rpm -e and yum remove take the installed package name, not the name of the .rpm file.
For example:
rpm -e adapter_package
rpm -e adapters.cisco.ios-2011_05-205181.noarch
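The install procedure (unzip, yum or rpm, ziptie-server restart) and the removal step above are usually run by hand. The script below is an added example written for this guide, not Juniper's own tooling: it wraps both procedures in POSIX sh, refuses to install a bundle whose listing contains anything other than adapters.<name>-<build>.noarch.rpm files, and strips the .rpm suffix before removal, since rpm -e and yum remove take the installed package name. It assumes the bundle has already been copied to the JSA Risk Manager appliance with scp (step 3) and that it runs there as root. The DRY_RUN variable and the "legacy" argument (which selects the rpm path that the guide prescribes for versions prior to 2014.8) are this script's own conventions, not JSA options.

```shell
#!/bin/sh
# Added example, not from the Juniper guide: wraps the adapter install steps
# (unzip, yum or rpm, ziptie-server restart) and the removal step in one
# script. Assumes the bundle was already copied to the JSA Risk Manager
# appliance with scp and that the script runs there as root. DRY_RUN=1 prints
# each command instead of running it (this script's own convention, not a JSA
# option); "legacy" as the mode argument selects the rpm path that the guide
# prescribes for Risk Manager versions prior to 2014.8.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# rpm -e and yum remove take the installed package name, not the .rpm file
# name, so strip the suffix (a bare package name passes through unchanged).
pkg_name_from_file() {
  printf '%s\n' "${1%.rpm}"
}

# Adapter packages are named adapters.<name>-<build>.noarch.rpm; anything
# else inside the bundle is a reason to stop and inspect it before installing.
is_adapter_rpm() {
  case "$1" in
    adapters.*.noarch.rpm) return 0 ;;
    *) return 1 ;;
  esac
}

# Read an archive listing (one entry per line, as "unzip -Z1 bundle.zip"
# prints it) from stdin and fail on the first entry that is not an adapter rpm.
check_listing() {
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    if ! is_adapter_rpm "$entry"; then
      printf 'unexpected file in bundle: %s\n' "$entry" >&2
      return 1
    fi
  done
  return 0
}

# Install every adapter rpm in the bundle, then restart the ziptie server.
install_adapters() {
  bundle="$1"
  mode="${2:-yum}"
  if [ "${DRY_RUN:-0}" != "1" ]; then
    unzip -Z1 "$bundle" | check_listing || return 1
  fi
  workdir=$(mktemp -d)
  run unzip -q "$bundle" -d "$workdir"
  run cd "$workdir"
  if [ "$mode" = "legacy" ]; then
    run rpm -Uvh adapters*.rpm
  else
    run yum install -y adapters*.rpm
  fi
  # The restart interrupts device backups that are in progress (see the NOTE
  # in the install procedure), so run it outside a backup window.
  run service ziptie-server restart
}

# Remove one adapter, given either its package name or its .rpm file name.
remove_adapter() {
  pkg=$(pkg_name_from_file "$1")
  if [ "${2:-yum}" = "legacy" ]; then
    run rpm -e "$pkg"
  else
    run yum remove -y "$pkg"
  fi
}

# Usage: sh adapters.sh install adapters.zip [legacy]
#        sh adapters.sh remove adapters.cisco.ios-2011_05-205181.noarch.rpm [legacy]
case "${1:-}" in
  install) install_adapters "$2" "${3:-yum}" ;;
  remove)  remove_adapter "$2" "${3:-yum}" ;;
esac
```

Run it once with DRY_RUN=1 to review the exact command sequence before running it for real; the listing check runs only in the real mode because it needs the bundle on disk.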
RELATED DOCUMENTATION
Installing Adapters | 25
Adapter Features | 17
Adapter FAQs | 19
CHAPTER 3
Methods for Adding Network Devices
Methods for Adding Network Devices | 31
Adding a Network Device | 31
Adding Devices That Are Managed by an NSM Console | 34
Adding Devices to JSA Risk Manager That Are Managed by a CPSMS Console | 36
Adding Devices That are Managed by the Palo Alto Panorama | 40
Palo Alto Panorama | 41
Adding Devices That are Managed by a Sourcefire Defense Center | 42
Adding Devices That are Managed by a Cisco Firepower Management Center | 44
Methods for Adding Network Devices
Use Configuration Source Management to add network devices to JSA Risk Manager.
The following table describes the methods that you can use to add a network device.
Table 5: Methods for Adding a Network Device to JSA Risk Manager

Method: Add Device
Description: Add one device

Method: Discover Devices
Description: Add multiple devices

Method: Discover From NSM
Description: Add devices that are managed by a Juniper Networks NSM console

Method: Discover Check Point SMS
Description: Add devices that are managed by a Check Point Security Manager Server (CPSMS)

Method: Discover From SiteProtector
Description: Add devices from SiteProtector

Method: Discover from Palo Alto Panorama
Description: Add devices from Palo Alto Panorama

Method: Discover From Defense Center
Description: Add devices from Sourcefire Defense Center

Method: Discover From Firepower Management Center
Description: Add devices from Cisco Firepower Management Center.
RELATED DOCUMENTATION
Adding a Network Device | 31
Adding Devices That Are Managed by an NSM Console | 34
Adding Devices to JSA Risk Manager That Are Managed by a CPSMS Console | 36
Adding a Network Device
To add a network device to JSA Risk Manager, use Configuration Source Management.
Review the supported software versions, credentials, and required commands for your network devices. For more information, see “Supported Adapters” on page 55.
1. On the navigation menu, click Admin to open the admin tab.
2. On the Admin navigation menu, click Plug-ins or Apps.
• In JSA 7.3.0 or earlier, click Plug-ins.
• In JSA 7.3.1, click Apps.
3. On the Risk Manager pane, click Configuration Source Management.
4. On the navigation menu, click Credentials.
5. On the Network Groups pane, click Add a new network group.
a. Type a name for the network group, and click OK.
b. Type the IP address of your device, and click Add.
You can type an IP address, a range of IP addresses, a CIDR subnet, or a wildcard.
For example, to use a wildcard, type 10.1.*.*
For example, to use a CIDR subnet, type 10.2.1.0/24.
NOTE: Do not replicate device addresses that exist in other network groups in Configuration Source Management.
c. Ensure that the addresses that you add are displayed in the Network address box beside the Add address box.
d. Repeat the previous two steps for each IP address that you want to add.
6. On the Credentials pane, click Add a new credential set.
a. Type a name for the credential set, and click OK.
b. Select the name of the credential set that you create and enter values for the parameters.
The following table describes the parameters.
Table 6: Parameter Options for Credentials

Parameter: Username
Description: A valid user name to log in to the adapter. For adapters, the user name and password that you provide require access to several files, such as the following files: rule.C, objects.C, implied_rules.C, Standard.PF

Parameter: Password
Description: The password for the device.

Parameter: Enable Password
Description: The password for second-level authentication. This password is required when the credentials prompt you for user credentials that are required for expert mode access level.

Parameter: SNMP Get Community
Description: Optional

Parameter: SNMPv3 Authentication Username
Description: Optional

Parameter: SNMPv3 Authentication Password
Description: Optional

Parameter: SNMPv3 Privacy Password
Description: Optional. The protocol that is used to decrypt SNMPv3 traps.
NOTE: If your network device meets one of the following conditions, you must configure protocols in Configuration Source Management:
• Your device uses a non-standard port for the communication protocol.
• You want to configure the protocol that JSA Risk Manager uses to communicate with specific IP addresses.
For more information about configuring sources, see the Juniper Secure Analytics Risk Manager User Guide.
7. On the navigation menu, add a single device or multiple devices.
• To add one network device, click Add Device.
• To add multiple IP addresses for network devices, click Discover Devices.
8. Enter the IP address for the device, select the adapter type, and then click Add.
If the device is not backed up, a blue question mark appears beside the adapter.
9. To back up the device that you add to the device list, select the device, and then click Backup.
10. Repeat these steps for every network device that you want to add to the device list.
After you add all of the required devices, you can configure protocols. For more information, see the Juniper Secure Analytics Risk Manager User Guide.
RELATED DOCUMENTATION
Adding Devices That Are Managed by an NSM Console | 34
Adding Devices to JSA Risk Manager That Are Managed by a CPSMS Console | 36
Methods for Adding Network Devices | 31
Adding Devices That Are Managed by an NSM Console
Use Configuration Source Management to add all devices from a Juniper Networks NSM (Network and Security Manager) console to JSA Risk Manager.
Review the supported software versions, credentials, and required commands for your network devices. For more information, see “Supported Adapters” on page 55.
1. On the navigation menu, click Admin to open the admin tab.
2. On the Admin navigation menu, click Plug-ins or Apps.
• In JSA 7.3.0 or earlier, click Plug-ins.
• In JSA 7.3.1, click Apps.
3. On the Risk Manager pane, click Configuration Source Management.
4. On the navigation menu, click Credentials.
5. On the Network Groups pane, click Add a new network group.
a. Type a name for the network group, and click OK.
b. Type the IP address of your device, and click Add.
You can type an IP address, a range of IP addresses, a CIDR subnet, or a wildcard.
NOTE: Do not replicate device addresses that exist in other network groups in Configuration Source Management.
c. Ensure that the addresses that you add are displayed in the Network address box beside the Add address box.
d. Repeat the previous two steps for each IP address that you want to add.
6. On the Credentials pane, click Add a new credential set.
a. Type a name for the credential set, and click OK.
b. Select the name of the credential set that you created and enter values for the parameters.
The following table describes the parameters.
Table 7: Parameter Options for Juniper NSM Web Services Credentials

Parameter: Username
Description: A valid user name to log in to the Juniper NSM (Network and Security Manager) web services. For Juniper NSM web services, this user must be able to access the Juniper NSM server.

Parameter: Password
Description: The password for the device.

Parameter: Enable Password
Description: Not required.

NOTE: Juniper Networks NSM (Network and Security Manager) does not support SNMP.
7. On the navigation menu, click Discover from NSM.
8. Enter values for the IP address and user credentials, click OK and then click GO.
9. Select the device that you added to the device list, and click Backup and then click Yes.
After you add all of the required devices, you can configure protocols. For more information, see the Juniper Secure Analytics Risk Manager User Guide.
RELATED DOCUMENTATION
Adding Devices to JSA Risk Manager That Are Managed by a CPSMS Console | 36
Adding a Network Device | 31
Adding Devices to JSA Risk Manager That Are Managed by a CPSMS Console
Use Configuration Source Management to add devices from a Check Point Security Manager Server (CPSMS) to JSA Risk Manager.
Depending on your version of Check Point Security Manager Server, you must choose one of the following discovery methods to add your devices to JSA Risk Manager.
Adding Devices that are Managed by CPSMS by Using OPSEC
Add devices that are managed by Check Point Security Manager Server versions NGX R60 to R77 to JSA Risk Manager by using OPSEC to discover and add the devices.
Review the supported software versions, credentials, and required commands for your network devices. For more information, see “Supported Adapters” on page 55.
You must obtain the OPSEC Entity SIC name, OPSEC Application Object SIC name, and the one-time password for the pull certificate password before you begin this procedure. For more information, see your CPSMS documentation.
NOTE: The Device Import feature is not compatible with CPSMS adapters.
Repeat the following procedure for each CPSMS that you want to connect to, and to initiate discovery of its managed firewalls.
1. On the navigation menu, click Admin to open the admin tab.
2. On the Admin navigation menu, click Apps.
3. On the Risk Manager pane, click Configuration Source Management.
4. On the navigation menu, click Credentials.
5. On the Network Groups pane, click Add a new network group.
a. Type a name for the network group, and then click OK.
b. Type the IP address of your CPSMS device, and then click Add.
NOTE: Do not replicate device addresses that exist in other network groups in Configuration Source Management.
c. Ensure that the addresses that you add are displayed in the Network address box beside the Add address box.
6. On the Credentials pane, click Add a new credential set.
a. Type a name for the credential set, and then click OK.
b. Select the name of the credential set that you created, and then type a valid user name and passwordfor the device.
7. Type the OPSEC Entity SIC name of the CPSMS that manages the firewall devices to be discovered. This value must be exact because the format depends on the type of device that the discovery is coming from. Use the following table as a reference to OPSEC Entity SIC name formats.
Type: Management Server
Name: CN=cp_mgmt,O=
Type: Gateway to Management Server
Name: CN=cp_mgmt_,O=
For example, when you are discovering from the Management Server:
• OPSEC Application DN: CN=cpsms226,O=vm226-CPSMS..bs7ocx
• OPSEC Application Host: vm226-CPSMS
The Entity SIC Name is CN=cp_mgmt,O=vm226-CPSMS..bs7ocx
For example, when you are discovering from the Gateway to Management Server:
• OPSEC Application DN: CN=cpsms230,O=vm226-CPSMS..bs7ocx
• OPSEC Application Host: vm230-CPSMS2-GW3
The Entity SIC Name is CN=cp_mgmt_vm230-CPSMS2-GW3,O=vm226-CPSMS..bs7ocx
8. Use the Check Point SmartDashboard application to enter the OPSEC Application Object SIC name that was created on the CPSMS.
CN=cpsms230,O=vm226-CPSMS..bs7ocx
9. Obtain the OPSEC SSL Certificate:
a. Click Get Certificate.
b. In the Certificate Authority IP field, type the IP address.
c. In the Pull Certificate Password field, type the one-time password for the OPSEC Application.
d. Click OK.
10. Click OK.

11. Click Protocols and verify that the CPSMS protocol is selected.
The default port for the CPSMS protocol is 18190.
12.Click Discover From Check Point OPSEC, and then enter the CPSMS IP address.
13.Click OK.
14.Repeat these steps for each CPSMS device that you want to add.
When you add all the required devices, back up the devices, and view them in the topology.
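Because steps 7 and 8 fail on any deviation from the expected format, the following added example (not JSA or Check Point code) derives the Entity SIC Name from the two values SmartDashboard shows, the OPSEC Application DN and the OPSEC Application Host, and checks the result before it is pasted into the Credentials pane. The DN shape it accepts, CN=...,O=..., is the one used in the examples above.

```python
"""Derive and validate the OPSEC Entity SIC Name for the CPSMS adapter (added example)."""
import re

# OPSEC application DNs in the page's examples look like CN=cpsms226,O=vm226-CPSMS..bs7ocx
APP_DN_RE = re.compile(r"^CN=(?P<cn>[^,]+),O=(?P<org>\S+)$")


def entity_sic_name(app_dn, app_host=None, from_gateway=False):
    """Return the SIC name JSA expects for step 7.

    Discovering from the Management Server:        CN=cp_mgmt,O=<org of the app DN>
    Discovering from a Gateway to Management Server: CN=cp_mgmt_<gateway host>,O=<org of the app DN>

    The CN of the application DN (cpsms230 in the page's example) is NOT the
    gateway host; the host must come from the OPSEC Application Host field.
    """
    match = APP_DN_RE.match(app_dn.strip())
    if not match:
        raise ValueError(f"unexpected OPSEC Application DN: {app_dn!r}")
    org = match.group("org")
    if not from_gateway:
        return f"CN=cp_mgmt,O={org}"
    if not app_host or any(ch.isspace() or ch == "," for ch in app_host):
        raise ValueError(f"gateway discovery needs a clean OPSEC Application Host, got {app_host!r}")
    return f"CN=cp_mgmt_{app_host},O={org}"


def looks_like_entity_sic_name(value):
    """Sanity check before pasting: one token, a cp_mgmt CN, and an O= component."""
    return re.fullmatch(r"CN=cp_mgmt(_[^,\s]+)?,O=\S+", value) is not None


if __name__ == "__main__":
    # The two cases from the page, reproduced here.
    print(entity_sic_name("CN=cpsms226,O=vm226-CPSMS..bs7ocx"))
    print(entity_sic_name("CN=cpsms230,O=vm226-CPSMS..bs7ocx", "vm230-CPSMS2-GW3", from_gateway=True))
```

The second check catches the most common mistake, pasting the OPSEC Application DN itself (CN=cpsms230,...) into the Entity SIC Name field, which the GUI accepts silently and which then surfaces only as a discovery failure.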
Adding Devices Managed by CPSMS by Using HTTPS
Add devices that are managed by Check Point Security Management Server version R80 to JSA Risk Manager by using the HTTPS protocol to discover and add the devices.
1. Open the Admin settings:
• In JSA 7.3.0 or earlier, click the Admin tab.
• In JSA 7.3.1, click the navigation menu icon, and then click Admin to open the admin tab.
2. On the Admin navigation menu, click Plug-ins or Apps.
• In JSA 7.3.0 or earlier, click Plug-ins.
• In JSA 7.3.1, click Apps.
3. On the Risk Manager pane, click Configuration Source Management.
4. On the navigation menu, click Credentials.
5. On the Network Groups pane, click Add a new network group.
a. Type a name for the network group, and then click OK.
b. Type the IP address of your Check Point device, and then click Add.
c. Ensure that the address is displayed in the Network address box.
6. On the Credentials pane, click Add a new credential set.
a. Type a name for the credential set, and then click OK.
b. Select the name of the credential set that you created, and then type a valid user name and password for the device.
7. Click OK.
8. Click Protocols and verify that the HTTPS protocol is selected.
9. Click Discover From Check Point HTTPS, and then enter the Check Point IP address.
10. Click OK.
After you add all the required devices, back up the devices, and view them in the topology.
RELATED DOCUMENTATION
Adding a Network Device | 31
Adding Devices That Are Managed by an NSM Console | 34
Adding Devices That are Managed by the Palo Alto Panorama

Use Configuration Source Management to add devices from the Palo Alto Panorama to JSA Risk Manager.
1. On the navigation menu, click Admin to open the admin tab.
2. On the Admin navigation menu, click Plug-ins or Apps.
• In JSA 7.3.0 or earlier, click Plug-ins.
• In JSA 7.3.1, click Apps.
3. On the Risk Manager pane, click Configuration Source Management.
4. On the navigation menu, click Credentials.
5. On the Network Groups pane, click Add a new network group.
a. Type a name for the network group, and then click OK.
b. Type the IP address of your Palo Alto Panorama, and then click Add.
c. Ensure that the address is displayed in the Network address box.
The Palo Alto Panorama supports proxy backups.
6. On the Credentials pane, click Add a new credential set.
a. Type a name for the credential set, and then click OK.
b. Select the name of the credential set that you created, and then type a valid user name and password for the device.
7. Click OK.
8. Click Discover From Palo Alto Panorama, and then enter the Palo Alto Panorama IP address.
The Palo Alto Panorama uses the following command for backup:
api/?type=op&cmd=
RELATED DOCUMENTATION
Adding a Network Device | 31
Adding Devices That Are Managed by an NSM Console | 34
Palo Alto Panorama
JSA Risk Manager supports the Palo Alto Panorama network security management server.
Palo Alto Panorama supports proxy backups.
Backups of devices that are discovered by the Palo Alto Panorama network security management server are collected from the Panorama when they are backed up.
The following table describes the integration requirements for the Palo Alto Panorama.
Table 8: Integration Requirements for the Palo Alto Panorama

Versions: 8.0

Minimum user access level:
  Superuser (full access) is required for PA devices that have Dynamic Block Lists, to perform system-level commands.
  Superuser (read-only) for all other PA devices.

Required credential parameters: Username, Password
  To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Supported connection protocols: HTTPS
  To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Command that the adapter uses for backup: api/?type=op&cmd=
Adding Devices That are Managed by a Sourcefire Defense Center

Review the supported software versions, credentials, and required commands for your network devices. For more information, see "Supported Adapters" on page 55.
1. On the navigation menu, click Admin to open the admin tab.
2. On the Admin navigation menu, click Plug-ins or Apps.
• In JSA 7.3.0 or earlier, click Plug-ins.
• In JSA 7.3.1, click Apps.
3. On the Risk Manager pane, click Configuration Source Management.
4. On the navigation menu, click Credentials.
5. On the Network Groups pane, click Add a new network group.
a. Type a name for the network group, and then click OK.
b. Type the IP address of your device, and click Add.
You can type an IP address, a range of IP addresses, a CIDR subnet, or a wildcard.
c. Ensure that the address that you add is displayed in the Network address box beside the Add address box.

d. Repeat steps 5 (b) and 5 (c) for each IP address that you want to add.
6. On the Credentials pane, click Add a new credential set.
a. Type a name for the credential set, and then click OK.
b. Select the name of the credential set that you created and enter values for the parameters.
The following table describes the parameters:
Table 9: Parameter Options for Sourcefire Defense Center Web Services Credentials

Username: A valid user name to log in to the Sourcefire Defense Center.
Password: The password for the device.
7. On the navigation menu, click Discover from Defense Center.
8. Enter values for the IP address and user credentials, click OK and then click GO.
9. Select the device that you added to the device list, and click Backup and then click Yes.
After you add all of the required devices, you can configure protocols. For more information, see the Juniper Secure Analytics Risk Manager User Guide.
RELATED DOCUMENTATION
Adding a Network Device | 31
Adding Devices That Are Managed by an NSM Console | 34
Adding Devices That are Managed by a Cisco Firepower Management Center | 44
Adding Devices That are Managed by a Cisco Firepower Management Center

Use Configuration Source Management to add all devices from a Cisco Firepower Management Center to JSA Risk Manager.

Review the supported software versions, credentials, and required commands for your network devices. For more information, see "Supported Adapters" on page 55.
1. On the navigation menu, click Admin to open the admin tab.
2. On the Admin navigation menu, click Plug-ins or Apps.
• In JSA 7.3.0 or earlier, click Plug-ins.
• In JSA 7.3.1, click Apps.
3. On the Risk Manager pane, click Configuration Source Management.
4. On the navigation menu, click Credentials.
5. On the Network Groups pane, click Add a new network group.
a. Type a name for the network group, and then click OK.
b. Type the IP address of your device, and click Add.
You can type an IP address, a range of IP addresses, a CIDR subnet, or a wildcard.
c. Ensure that the address that you add is displayed in the Network address box beside the Add address box.

d. Repeat steps 5 (b) and 5 (c) for each IP address that you want to add.
6. On the Credentials pane, click Add a new credential set.
a. Type a name for the credential set, and then click OK.
b. Select the name of the credential set that you created and enter values for the parameters.
The following table describes the parameters:
Table 10: Parameter Options for Cisco Firepower Management Center Web Services Credentials

Username: A valid user name to log in to the Cisco Firepower Management Center.
Password: The password for the device.
7. On the navigation menu, click Discover from Cisco Firepower Management Center.
8. Enter values for the IP address and user credentials, click OK and then click GO.
9. Select the device that you added to the device list, and click Backup and then click Yes.
After you add all of the required devices, you can configure protocols. For more information, see the Juniper Secure Analytics Risk Manager User Guide.
RELATED DOCUMENTATION
Adding a Network Device | 31
Adding Devices That Are Managed by an NSM Console | 34
Adding Devices That are Managed by a Sourcefire Defense Center | 42
CHAPTER 4

Troubleshooting Device Discovery and Backup

Troubleshooting Device Discovery and Backup | 49
Troubleshooting Device Discovery and Backup
Fix issues with device discovery and backup. You can look at the details for logs and error and warning messages to help you troubleshoot.
Device Backup Failure
Check device login credentials.
1. On the Admin tab, click Configuration Source Management.
2. Verify that the credentials to access the target device are correct.
3. Test the credentials on the target device.
View Device Backup Errors
To see backup errors, do the following steps:
1. On the Admin tab, click Configuration Source Management.
2. Click a device, and then click View error.
This table lists the error message identifier, the description of the message, and the suggested troubleshooting action.

Table 11: Device Backup Errors

UNEXPECTED_RESPONSE
  Error description: Connection attempt timed out.
  Suggested troubleshooting step: Verify that you're using the correct adapter.

INVALID_CREDENTIALS
  Error description: Credentials are incorrect.
  Suggested troubleshooting step: Check credentials in Configuration Source Management.

SSH_ERROR
  Error description: Connection error.
  Suggested troubleshooting step: Check that the device is working and is connected to your network. Use other network connection protocols and troubleshooting tools to verify that the device is accessible. Verify that the SSH connection protocol is allowed and that it is configured correctly.

TELNET_ERROR
  Error description: Connection error.
  Suggested troubleshooting step: Check that the device is working and is connected to your network. Use other network connection protocols and troubleshooting tools to verify that the device is accessible. Verify that the Telnet connection protocol is allowed and that it is configured correctly.

SNMP_ERROR
  Error description: Connection error.
  Suggested troubleshooting step: Check that the device is working and is connected to your network. Use other network connection protocols and troubleshooting tools to verify that the device is accessible. Verify that SNMP is allowed and that it is configured correctly.

TOO_MANY_USERS
  Error description: The number of users that are configured to access this device is exceeded.
  Suggested troubleshooting step: Log on to the device and check its configuration for the maximum number of users that can access the device at the same time.

DEVICE_MEMORY_ERROR
  Error description: Device configuration errors.
  Suggested troubleshooting step: Verify that the device is working correctly. Access the device, verify the configuration, and check the logs for errors. Use your device documentation to help you to troubleshoot errors.

NVRAM_CORRUPTION_ERROR
  Error description: Device access issues.
  Suggested troubleshooting step: In Configuration Source Management, check the access level of the user name that is configured to access the device.

INSUFFICIENT_PRIVILEGE
  Error description: The user that is configured to access the device has insufficient privilege.
  Suggested troubleshooting step: In Configuration Source Management, check the access level of the user name that is configured to access the device.

DEVICE_ISSUE
  Error description: Error on the device.
  Suggested troubleshooting step: Select the device in Configuration Source Management and click View error to see more details.
Backup Completes with Parse Warning
To view more detail about the warning, do the following steps:
1. Click the Risks tab.
2. From the navigation menu, click Configuration Monitor.
3. Click See Log for the selected device in the Device List table.
Verify whether you have the most recent adapter versions
To check your adapter versions, log in as root to the JSA Risk Manager appliance and then type the following command:
yum list adapter\*
You can look for date information in the names of the adapters to help you determine the release dates.
To download the most recent adapter bundle, do the following steps:
1. In the Product selector field type Risk Manager to filter your selection.
2. Click JSA Risk Manager.
3. From the Installed Version list, select the version that is installed on your system.
4. From the Platform list, select the operating system that is installed on your system, and then click Continue.
5. Click Browse for fixes, and then click Continue.
6. To download the most recent adapter bundle, click the adapter-bundle link at the top of the Adapter list.
Verify whether your device backup is current
To verify whether you have a recent backup, do these steps:
1. Click the Risks tab.
2. From the navigation menu, click Configuration Monitor.
3. Double-click the device in the Device List table.
4. From the toolbar, click History. The most recent configuration that is imported is displayed.
If you don't think that you have the most recent configuration, verify by running the backup again.
Error When Importing Configurations from Your Devices
An incorrectly formatted CSV file can cause a device backup to fail. Do these steps to check the CSV file:
1. Review your CSV file to correct any errors.
2. Re-import your device configurations by using the updated CSV file.
Failure to Discover Devices from Check Point SMS (OPSEC)
Follow all steps in the "Adding Devices That Are Managed by a CPSMS Console" section of the Juniper Secure Analytics Risk Manager Adapter Configuration Guide, especially steps 7 and 8, where the OPSEC fields must be precise.
RELATED DOCUMENTATION
Supported Adapters | 55
Check Point SecurePlatform Appliances | 57
Check Point Security Management Server Adapter | 58
CHAPTER 5

Supported Adapters
Supported Adapters | 55
Brocade vRouter | 56
Check Point SecurePlatform Appliances | 57
Check Point Security Management Server Adapter | 58
Cisco CatOS | 64
Cisco IOS | 66
Cisco Nexus | 69
Cisco NGIPS | 74
Cisco Security Appliances | 76
F5 BIG-IP | 81
Fortinet FortiOS | 86
Generic SNMP Adapter | 89
HP Networking ProVision | 91
Juniper Networks JUNOS OS | 96
Juniper Networks NSM | 100
Juniper Networks ScreenOS | 101
Palo Alto | 103
Sidewinder | 107
Sourcefire 3D Sensor | 110
TippingPoint IPS Adapter | 112
Supported Adapters
JSA Risk Manager integrates with many manufacturers and vendors of security products.
The following information is provided for each supported adapter:
Supported versions
Specifies the product name and version supported.
Supports neighbor data
Specifies whether neighbor data is supported for this adapter. If your device supports neighbor data, then you get neighbor data from a device by using Simple Network Management Protocol (SNMP) and a command-line interface (CLI).
SNMP discovery
Specifies whether the device allows discovery by using SNMP.
Devices must support standard MIB-2 for SNMP discovery to take place, and the device's SNMP configuration must be supported and configured correctly.
Required credential parameters
Specifies the necessary access requirements for JSA Risk Manager and the device to connect.
Ensure that the device credentials configured in JSA Risk Manager and in the device are the same.
If a parameter is not required, you can leave that field blank.
To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.
Connection protocols
Specifies the supported protocols for the network device.
To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.
Required commands
Specifies the list of commands that the adapter requires to log in and collect data.
To run the listed commands on the adapter, the credentials that are provided in JSA Risk Manager must have the appropriate privileges.
Files collected
Specifies the list of files that the adapter must be able to access. To access these files, the appropriate credentials must be configured for the adapter.
RELATED DOCUMENTATION
Check Point SecurePlatform Appliances | 57
Check Point Security Management Server Adapter | 58
Cisco CatOS | 64
Brocade vRouter
JSA Risk Manager supports the Brocade Virtual Router (vRouter) adapter.
The static routing feature is available with the Brocade vRouter adapter.
The integration requirements for the Brocade vRouter adapter are described in the following table:

Supported versions: 6.7 to 17.1

Minimum user access level: Operator or Admin

Required credential parameters: Username, Password

Supported connection protocols (use one of the following): SSH, Telnet

Commands that the adapter requires to log in and collect data:
  show version
  show host name
  show system memory
  show configuration all | no-more
  show interfaces | no-more
RELATED DOCUMENTATION
Check Point SecurePlatform Appliances | 57
Check Point Security Management Server Adapter | 58
Cisco CatOS | 64
Check Point SecurePlatform Appliances
JSA Risk Manager supports the Check Point SecurePlatform Appliances adapter.
The following features are available with the Check Point SecurePlatform Appliances adapter:
• Dynamic NAT
• Static NAT
• SNMP discovery
• Static routing
• Telnet and SSH connection protocols
The following table describes the integration requirements for the Check Point SecurePlatform Appliances adapter.

Table 12: Integration Requirements for the Check Point SecurePlatform Appliances Adapter

Versions: R65 to R77.30
  NOTE: Nokia IPSO appliances are not supported for backup.

SNMP discovery: Matches NGX in SNMP sysDescr.

Required credential parameters: Username, Password, Enable Password (expert mode)
  To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Supported connection protocols (use any one of the following): Telnet, SSH
  To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Commands that the adapter requires to log in and collect data:
  hostname
  dmidecode
  ver
  uptime
  dmesg
  route -n
  show users
  ifconfig -a
  echo $FWDIR

Files collected:
  rules.C
  objects.C
  implied_rules.C
  Standard.pf
  snmpd.com
RELATED DOCUMENTATION
Check Point Security Management Server Adapter | 58
Cisco CatOS | 64
Cisco IOS | 66
Check Point Security Management Server Adapter
Use the Check Point adapter to discover and back up end nodes that are managed by the Security Management Server (CPSMS).

Choose one of the following adapters to discover and back up end nodes that are managed by the CPSMS.
Check Point Security Management Server OPSEC Adapter
Use the Check Point Security Management Server OPSEC adapter to discover and back up end nodes that are managed by the CPSMS versions NGX R60 to R77.
The following features are available with the Check Point Security Management Server OPSEC adapter:
• OPSEC protocol
• Dynamic NAT
• Static NAT
• Static routing
The CPSMS adapter is built on the OPSEC SDK 6.0, which supports only Check Point products that are configured to use certificates signed with SHA-1. A management server whose internal CA issues SHA-256 certificates cannot be reached with this adapter; use the HTTPS adapter instead.
The following table describes the integration requirements for the CPSMS adapter.
Table 13: Integration Requirements for the CPSMS Adapter

Versions: NGX R60 to R77

Required credential parameters: Use the credentials that are set in "Adding Devices That Are Managed by a CPSMS Console".
  To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Supported connection protocols: CPSMS
  To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Configuration requirements: To allow the cpsms_client to communicate with the Check Point Management Server, the $CPDIR/conf/sic_policy.conf file on the CPSMS must include the following lines:

  # OPSEC applications default
  ANY ; SAM_clients ; ANY ; sam ; sslca, local, sslca_comp
  # sam proxy
  ANY ; Modules, DN_Mgmt ; ANY; sam ; sslca
  ANY ; ELA_clients ; ANY ; ela ; sslca, local, sslca_comp
  ANY ; LEA_clients ; ANY ; lea ; sslca, local, sslca_comp
  ANY ; CPMI_clients; ANY ; cpmi ; sslca, local, sslca_comp

Required ports: The following ports are used by JSA Risk Manager and must be open on the CPSMS:
  Port 18190 for the Check Point Management Interface service (CPMI)
  Port 18210 for the Check Point Internal CA Pull Certificate Service (FW1_ica_pull)
  If you cannot use 18190 as the listening port for CPMI, the port number configured for the CPSMS adapter must match the value listed for CPMI in the $FWDIR/conf/fwopsec.conf file on the CPSMS, for example, cpmi_server auth_port 18190.
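The two server-side settings in Table 13 are the usual cause of an OPSEC discovery that fails with no useful error in JSA: a sic_policy.conf that does not accept a client group with sslca, or a CPMI port that was moved off 18190 without the adapter port following it. The following added example (not JSA or Check Point code) checks both from copies of the files. The file contents are constructed samples, and the column meaning it assumes for a sic_policy.conf rule (peer ; clients ; interface ; service ; auth methods) is read off the five ';'-separated fields of the lines quoted above, not taken from Check Point documentation.

```python
"""Preflight for the CPSMS OPSEC adapter: sic_policy.conf rules and CPMI port (added example)."""

# Client group that must be accepted for each OPSEC service, per Table 13.
REQUIRED_SIC_RULES = {
    "sam": "SAM_clients",
    "ela": "ELA_clients",
    "lea": "LEA_clients",
    "cpmi": "CPMI_clients",
}
CPMI_DEFAULT_PORT = 18190


def parse_sic_policy(text):
    """Return the rules in sic_policy.conf as dicts; comments and non-rule lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            continue  # not a rule line, or a layout this check does not understand
        rules.append({
            "peer": fields[0],
            "clients": {c.strip() for c in fields[1].split(",")},
            "service": fields[3],
            "auth": {a.strip() for a in fields[4].split(",")},
        })
    return rules


def missing_sic_rules(sic_policy_text):
    """Services whose client group is not accepted with certificate (sslca) authentication."""
    rules = parse_sic_policy(sic_policy_text)
    missing = []
    for service, group in REQUIRED_SIC_RULES.items():
        accepted = any(r["service"] == service and group in r["clients"] and "sslca" in r["auth"]
                       for r in rules)
        if not accepted:
            missing.append(service)
    return missing


def cpmi_auth_port(fwopsec_text, default=CPMI_DEFAULT_PORT):
    """Port CPMI listens on: the 'cpmi_server auth_port N' line, else the default."""
    for raw in fwopsec_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 3 and parts[:2] == ["cpmi_server", "auth_port"]:
            return int(parts[2])
    return default


def preflight(sic_policy_text, fwopsec_text, adapter_port):
    """Everything that would stop the CPSMS adapter from connecting, as human-readable findings."""
    problems = [f"sic_policy.conf has no sslca rule for {s}" for s in missing_sic_rules(sic_policy_text)]
    cpmi_port = cpmi_auth_port(fwopsec_text)
    if cpmi_port != adapter_port:
        problems.append(f"CPMI listens on {cpmi_port} but the adapter is set to {adapter_port}")
    return problems


# Constructed sample: exactly the lines Table 13 requires in $CPDIR/conf/sic_policy.conf.
SAMPLE_SIC_POLICY = """\
# OPSEC applications default
ANY ; SAM_clients ; ANY ; sam ; sslca, local, sslca_comp
# sam proxy
ANY ; Modules, DN_Mgmt ; ANY; sam ; sslca
ANY ; ELA_clients ; ANY ; ela ; sslca, local, sslca_comp
ANY ; LEA_clients ; ANY ; lea ; sslca, local, sslca_comp
ANY ; CPMI_clients; ANY ; cpmi ; sslca, local, sslca_comp
"""
# Constructed $FWDIR/conf/fwopsec.conf fragment for a server that moved CPMI off 18190.
SAMPLE_FWOPSEC = "cpmi_server auth_port 18191\n"

if __name__ == "__main__":
    for finding in preflight(SAMPLE_SIC_POLICY, SAMPLE_FWOPSEC, adapter_port=18190):
        print(finding)
```

Run it against the real files copied from the CPSMS before opening a case against the adapter; the port finding in particular reproduces the "must match the value in fwopsec.conf" requirement above.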
Check Point Security Management Server HTTPS Adapter
Use the Check Point Security Management Server HTTPS adapter to discover and back up end nodes that are connected to firewall blades that are managed by the Security Management Server version R80.
The following features are available with the Check Point Security Management Server HTTPS adapter:
• Static NAT
• Static routing
• HTTPS connection protocol
The following features are not supported by the Check Point Security Management Server HTTPS adapter:
• Dynamic objects (network objects)
• Security Zones (network objects)
• RPC objects (services)
• DCE-RPC objects (services)
• ICMP services (services)
• GTP objects (services)
• Compound TCP objects (services)
• Citrix TCP objects (services)
• Other services (services)
• User objects
• Time objects
• Access Control Policy criteria negation
NOTE: If you upgrade to the Check Point Security Management Server R80 from a previous version of Check Point SMS, you must rediscover your devices by using the Discover From Check Point HTTPS discovery method, even if your devices are already recorded in Configuration Source Management.
The following table describes the integration requirements for the Check Point Security Management Server adapter.

Table 14: Integration Requirements for the Check Point Security Management Server Adapter

Versions: R80

Required credential parameters: Username, Password
  To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.
  NOTE: You must add the credentials for the Check Point Security Management Server before you configure device discovery.

Device discovery configuration: Discover From Check Point HTTPS
  To configure device discovery in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.
  To configure the discovery method, click Discover From Check Point HTTPS, enter the IP address of the Check Point Security Management Server, and then click OK.

Supported connection protocols: HTTPS
  To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

User access level requirements: Read-write access all

Requested API endpoints: The adapter issues the listed commands to the Security Management Server in the following format:
  https://<IP address>:<port>/web_api/<command>

  show-simple-gateways
  show-hosts
  show-networks
  show-address-ranges
  show-groups
  show-groups-with-exclusion
  show-services-tcp
  show-services-udp
  show-service-groups
  show-packages
  show-access-rulebase
  show-nat-rulebase
  run-script
  show-task
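The endpoint list above is easier to reason about as the session it actually forms: one login that returns a session id, every later call carrying that id in the X-chkp-sid header, run-script returning task ids that show-task must poll, and a logout. The following added example (not JSA or Check Point code) walks that sequence offline. The login handshake, the X-chkp-sid header and the endpoint names are the real R80 web_api conventions; FakeSms is a constructed stand-in for the management server, its permission set is a stand-in for the profile of the next section, and the error codes it returns are assumptions, not Check Point's.

```python
"""Management API session behind "Discover From Check Point HTTPS" (added example, offline)."""

WEB_API = "https://{host}:{port}/web_api/{command}"


class WebApiError(RuntimeError):
    """Raised when the management server answers with a status other than 200."""


class FakeSms:
    """Constructed R80 SMS: one admin (jsa/pw) whose permission profile is a set,
    so the 'Run One Time Script' requirement from the next section is observable."""

    def __init__(self, permissions):
        self.permissions = set(permissions)
        self.sid = "sid-constructed-1"
        self.polls = 0

    def post(self, url, headers, body):
        command = url.rsplit("/", 1)[-1]
        if command == "login":
            if (body.get("user"), body.get("password")) == ("jsa", "pw"):
                return 200, {"sid": self.sid}
            return 400, {"code": "err_login_failed"}
        if headers.get("X-chkp-sid") != self.sid:
            return 401, {"code": "err_wrong_session"}                 # assumed code
        if command == "show-simple-gateways":
            return 200, {"objects": [{"name": "gw-a", "ipv4-address": "10.0.0.1"},
                                     {"name": "gw-b", "ipv4-address": "10.0.0.2"}]}
        if command == "run-script":
            if "run-one-time-script" not in self.permissions:
                return 403, {"code": "err_insufficient_permissions"}  # assumed code
            return 200, {"tasks": [{"target": t, "task-id": f"task-{t}"} for t in body["targets"]]}
        if command == "show-task":
            self.polls += 1  # first poll still running, later polls finished
            status = "in progress" if self.polls == 1 else "succeeded"
            return 200, {"tasks": [{"task-id": body["task-id"], "status": status}]}
        if command == "logout":
            self.sid = None
            return 200, {"message": "OK"}
        return 404, {"code": "err_unknown_command"}


class WebApiSession:
    """Minimal client: log in once, send the sid on every later call, log out."""

    def __init__(self, transport, host, port=443):
        self.transport, self.host, self.port, self.sid = transport, host, port, None

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        url = WEB_API.format(host=self.host, port=self.port, command=command)
        status, body = self.transport.post(url, headers, payload or {})
        if status != 200:
            raise WebApiError(f"{command}: HTTP {status} {body.get('code')}")
        return body

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def logout(self):
        self.call("logout")
        self.sid = None

    def gateway_names(self):
        return [g["name"] for g in self.call("show-simple-gateways", {"limit": 500})["objects"]]

    def run_script_and_wait(self, script, targets, max_polls=10):
        """run-script is asynchronous: it hands back task ids that show-task must poll."""
        tasks = self.call("run-script", {"script-name": "jsa-backup", "script": script,
                                         "targets": targets})["tasks"]
        outcome = {}
        for task in tasks:
            state = {"status": "in progress"}
            for _ in range(max_polls):
                state = self.call("show-task", {"task-id": task["task-id"]})["tasks"][0]
                if state["status"] != "in progress":
                    break
            outcome[task["target"]] = state["status"]
        return outcome


def discover(transport, host, user, password):
    """Log in, list the gateways, try the one-time script, and always log out."""
    session = WebApiSession(transport, host)
    session.login(user, password)
    try:
        names = session.gateway_names()
        try:
            scripts = session.run_script_and_wait("clish -c 'show configuration'", names)
        except WebApiError as exc:  # profile without Run One Time Script lands here
            scripts = {"error": str(exc)}
        return names, scripts
    finally:
        session.logout()
```

Two points carry over to the real server: the session id is a bearer credential and should be logged out rather than left to expire, and an account that can read objects but cannot run a one-time script still discovers gateways, so a permission-profile mistake shows up only at backup time, as the 403 path above illustrates.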
Create a Check Point Custom Permission Profile to Permit JSA Risk Manager Access

To enable JSA Risk Manager access to the Check Point SMS HTTPS adapter API, you must create a permission profile on the Check Point Security Management Server that includes the "Run One Time Script" permission.

You can create a custom permission profile that includes this permission but is less permissive than the "Read Write All" or "Read Only All" profile.

NOTE: The custom profile does not work if the SMS version is R80.10 or higher and the gateway version is lower than R80.10. This configuration requires a Super User.
1. On the SMS Console with SmartDashboard, click Manage & Settings > Permissions & Administrators > Permission Profiles.
2. Click Create New Profile.
3. On the Overview tab, select Customized.
4. On the Gateways tab, select One Time Script.
5. On the Access Control tab, select the following options:
• Show Policy
• Edit layers by the selected profiles in a layer editor
• NAT Policy – Set the permission to Read.
• Access Control Objects and Settings – Set the permission to Read.
6. On the Threat Prevention tab, select Settings and set the permission to Read.
7. On the Others tab, select the following options:
• Common Objects – Set the permission to Read.
• Check Point Users Database – Set the permission to Read.
8. On the Monitoring and Logging tab, leave the check boxes cleared.

9. On the Management tab, select Management API Login.

NOTE: Ensure that any options that are not listed in Steps 3 to 9 are not selected.

10. Click OK and assign your user to this new permission profile.
RELATED DOCUMENTATION
Cisco CatOS | 64
Cisco IOS | 66
Cisco Nexus | 69
Cisco CatOS
JSA Risk Manager supports the Cisco Catalyst (CatOS) adapter.
The Cisco CatOS adapter collects device configurations by backing up CatOS network devices that JSA Risk Manager can access.
The following features are available with the Cisco CatOS adapter:
• Neighbor data support
• SNMP discovery
• Static routing
• Telnet and SSH connection protocols
The following table describes the integration requirements for the Cisco CatOS adapter.

Table 15: Integration Requirements for the Cisco CatOS Adapter

Versions: Catalyst 6500 series chassis devices, CatOS 4.2 and 6.4
  NOTE: The adapter for CatOS backs up only the essential switching port structure.
  Multilayer Switch Feature Card (MSFC) modules in CatOS chassis are backed up by the Cisco IOS adapter.
  Firewall Services Module (FWSM) modules in CatOS chassis are backed up by the Cisco ASA adapter.

SNMP discovery: Matches CATOS or Catalyst Operating System in SNMP sysDescr.

Required credential parameters: Username, Password, Enable Password
  To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Supported connection protocols (use any one of the following): Telnet, SSH
  To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Commands that the adapter requires to log in and collect data:
  show version
  whichboot
  show module
  show mod ver
  show system
  show flash devices
  show flash ...
  show snmp ifalias
  show port ifindex
  show interface
  show port
  show spantree
  show ip route
  show vlan
  show vtp domain
  show arp
  show cdp
  show cam dynamic
  show port status
  show counters
RELATED DOCUMENTATION
Cisco IOS | 66
Cisco Nexus | 69
Cisco Security Appliances | 76
Cisco IOS
JSA Risk Manager supports the Cisco Internet Operating System (IOS) adapter.
The Cisco IOS adapter collects device configurations by backing up IOS-based network switches and routers.
The following features are available with the Cisco IOS adapter:
• Neighbor data support
• Dynamic NAT
• Static NAT
• SNMP discovery
• Static routing
• EIGRP and OSPF dynamic routing
• P2P Tunneling/VPN
• Telnet and SSH connection protocols
The following table describes the integration requirements for Cisco IOS.

Table 16: Integration Requirements for Cisco IOS

Versions: IOS 12.0 to 15.1 for routers and switches; Cisco Catalyst 6500 switches with MSFC.
  Use the Cisco IOS adapter to back up the configuration and state of the MSFC card services.
  If a Cisco 7600 series router running IOS has an FWSM, use the Cisco ASA adapter to back up the FWSM.

User access level: A user with command exec privilege level for each command that the adapter requires to log in and collect data. For example, you can configure a custom privilege level 10 user that uses local database authentication. The following example sets all show ip commands to privilege level 10:
  privilege exec level 10 show ip

SNMP discovery: Matches IOS or Cisco Internet Operation System in SNMP sysDescr.

Required credential parameters:
  Username
  Password
  Enable Username (optional): Use this field if the user needs to enter a specific privilege level when logging in to the device. Use the format level-<n>, where n is a privilege level from 0 to 15. For example, to enter privilege level 10, enter level-10. This results in the enable 10 command being sent to the Cisco device.
  Enable Password (optional)
  To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Supported connection protocols (use any one of the following): Telnet, SSH
  To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Commands that the adapter requires to log in and collect data:
  terminal length 0
  show version
  show interfaces
  show access-lists
  show standby
  show ip route | exclude ^B
  show ip route bgp | include 0.0.0.0/0
  show object-group
  show vlan
  show startup-config
  show ip arp
  show cdp neighbors detail
  show mac address-table dynamic
  show ip ospf neighbor
  show ip eigrp neighbors

show ip commands that the adapter requires to log in and collect data:
  show ip arp
  show ip bgp neighbors
  show ip eigrp interface
  show ip eigrp neighbors
  show ip eigrp topology
  show ip ospf
  show ip ospf interface
  show ip ospf neighbor
  show ip protocols
  show ip route eigrp
  terminal length 0
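The User Access Level row in Table 16 is the least-privilege option: rather than handing the backup account level 15, grant it only the commands in the two lists. The following added example (not JSA or Cisco code) builds that IOS configuration from the command lists above, following the page's own pattern (privilege exec level 10 show ip), and parses the adapter's Enable Username convention level-<n> into the enable <n> command the adapter sends. The user name jsa-backup, the secret and privilege level 10 are assumptions; the list of commands is the one from Table 16.

```python
"""Least-privilege IOS account for the JSA Risk Manager backup user (added example)."""
import re

# Commands from Table 16 (both lists), as the adapter sends them.
ADAPTER_COMMANDS = [
    "terminal length 0", "show version", "show interfaces", "show access-lists",
    "show standby", "show ip route | exclude ^B", "show ip route bgp | include 0.0.0.0/0",
    "show object-group", "show vlan", "show startup-config", "show ip arp",
    "show cdp neighbors detail", "show mac address-table dynamic", "show ip ospf neighbor",
    "show ip eigrp neighbors", "show ip bgp neighbors", "show ip eigrp interface",
    "show ip eigrp topology", "show ip ospf", "show ip ospf interface", "show ip protocols",
    "show ip route eigrp",
]

ENABLE_USERNAME_RE = re.compile(r"^level-(\d{1,2})$")


def enable_command(enable_username):
    """'level-10' in the Enable Username field makes the adapter send 'enable 10'."""
    match = ENABLE_USERNAME_RE.match(enable_username.strip())
    if not match or not 0 <= int(match.group(1)) <= 15:
        raise ValueError(f"Enable Username must be level-<n> with n in 0-15, got {enable_username!r}")
    return f"enable {int(match.group(1))}"


def base_command(command):
    """Strip output filters ('| exclude ...'): privilege is granted on the command, not the filter."""
    return command.split("|", 1)[0].strip()


def privilege_config(commands, level, username, secret):
    """IOS lines that let `username` run exactly `commands` at privilege `level`.

    'terminal length 0' is user EXEC (level 1) already and needs no grant; every
    other command gets one 'privilege exec level' line, deduplicated after the
    filter is stripped (the two 'show ip route ...' variants share one grant).
    """
    lines = [f"username {username} privilege {level} secret {secret}"]
    granted = set()
    for cmd in commands:
        base = base_command(cmd)
        if base.startswith("terminal ") or base in granted:
            continue
        granted.add(base)
        lines.append(f"privilege exec level {level} {base}")
    return lines


if __name__ == "__main__":
    print("\n".join(privilege_config(ADAPTER_COMMANDS, 10, "jsa-backup", "S3cret")))
    print(enable_command("level-10"))
```

Pair the generated lines with the Enable Username level-10 in the credential set so the adapter lands at level 10 after login; a level-15 enable password is then never stored in JSA for this device.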
RELATED DOCUMENTATION
Cisco NGIPS | 74
Cisco Nexus | 69
Cisco Security Appliances | 76
F5 BIG-IP | 81
Cisco Nexus
To integrate JSA Risk Manager with your network devices, ensure that you review the requirements forthe Cisco Nexus adapter.
The following features are available with the Cisco Nexus adapter:
• Neighbor data support
• SNMP discovery
• EIGRP and OSPF dynamic routing
• Static routing
• Telnet and SSH connection protocols
The following table describes the integration requirements for the Cisco Nexus adapter.

Table 17: Integration Requirements for the Cisco Nexus Adapter

Versions and supported OS levels:
  Nexus 5548: OS level 6.0
  Nexus 7000 series: OS level 6.2
  Nexus 9000 series: OS level 6.1

SNMP discovery: Matches Cisco NX-OS and an optional qualification string that ends with Software in the SNMP sysDescr.

Required credential parameters: Username, Password, Enable Password
  If you add virtual device contexts (VDCs) as individual devices, ensure that the required credentials allow the following actions:
    Access the account that is enabled for the VDCs.
    Use the required commands in that virtual context.
  To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Supported connection protocols (use any one of the following): Telnet, SSH
  To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Commands that the adapter requires to log in and collect data:
  show hostname
  show version
  show vdc
  show vdc current-vdc
  switchto vdc <vdc>, where vdc is an active VDC that is listed when you enter the command show vdc.
  dir <filesystem>:, where filesystem is bootflash, slot0, volatile, log, logflash, or system.
  show running-config
  show startup-config
  show module
  show interface brief
  show interface snmp-ifindex
  show ip access-lists
  show vlan
  show object-group
  show interface <interface>, where interface is any interface that is listed when you enter the command show running-config.
  show ip eigrp
  show ip route eigrp
  show ip ospf
  show ip route ospf
  show ip rip
  show ip route rip

Telemetry commands:
  terminal length 0
  show hostname
  show vdc
  switchto vdc <vdc>, where vdc is an active VDC that is listed when you enter the command show vdc.
  show cdp entry all
  show interface brief
  show ip arp
  show mac address-table
  show ip route
Methods for adding VDCs for Cisco Nexus Devices
Use Configuration Source Management to add Nexus network devices and Virtual Device Contexts (VDCs) to JSA. There are two ways to add multiple VDCs to JSA Risk Manager.
You can add VDCs as subdevices of the Nexus device or as individual devices.
View Virtual Device Contexts
If you add VDCs as individual devices, then each VDC is displayed as a device in the topology.
If you add VDCs as subdevices, they are not displayed in the topology. You can view the VDCs in the Configuration Monitor window.
Adding VDCs As Subdevices Of Your Cisco Nexus Device
Use Configuration Source Management to add VDCs as subdevices of your Cisco Nexus device.
1. Enable the following commands for the user that is specified in the credentials:
• show vdc (admin context)
• switchto vdc x, where x is the VDC that is supported.
2. Use Configuration Source Management to add the admin context IP address of the Nexus device.
For more information, see “Adding a Network Device” on page 31.
In Configuration Monitor, you can view the Nexus device in the topology and the VDC subdevices. For information about viewing devices, see the Juniper Secure Analytics Risk Manager User Guide.
Adding VDCs As Individual Devices
Use Configuration Source Manager to add each virtual device context (VDC) as a separate device. When you use this method, the Nexus device and the VDCs are displayed in the topology.
When you view your Cisco Nexus device and VDCs in the topology, the chassis containment is represented separately.
1. Use Configuration Source Manager to add the admin IP address of each VDC.
For more information, see “Adding a Network Device” on page 31.
2. Use Configuration Source Manager to obtain the configuration information for your VDCs.
3. On the Cisco Nexus device, use the Cisco Nexus CLI to disable the switchto vdc command for the username that is associated with the adapter.
Example: If the username for a Cisco Nexus device is qrmuser, type the following commands:
    NexusDevice(config)# role name qrmuser
    NexusDevice(config-role)# rule 1 deny command switchto vdc
    NexusDevice(config-role)# rule 2 permit command show *
    NexusDevice(config-role)# rule 3 permit command terminal
    NexusDevice(config-role)# rule 4 permit command dir
RELATED DOCUMENTATION
Cisco Security Appliances | 76
Cisco NGIPS | 74
F5 BIG-IP | 81
Fortinet FortiOS | 86
Cisco NGIPS
To integrate JSA Risk Manager with your network devices, ensure that you review the requirements for the Cisco Next-Generation Intrusion Prevention System (NGIPS) adapter.
The following features are available with the Cisco NGIPS adapter:
• IPS
• SSH connection protocol
Limitations:
• Intrusion policies attached to individual access control rules are not used by JSA Risk Manager. Only the default intrusion policy is supported.
• NAT and VPN are not supported.
The following table describes the integration requirements for the Cisco NGIPS adapter.
Table 18: Integration Requirements for the Cisco NGIPS Adapter

Versions
    6.2.0

SNMP discovery
    No

Required credential parameters
    Username
    Password
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Supported connection protocols
    SSH
    To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Commands that the adapter requires to log in and collect data
    show version
    show memory
    show network
    show interfaces
    expert
    sudo
    su
    df
    hostname
    ip addr
    route
    cat
    find
    head
    mysql

Commands that the adapter uses to read configuration information
    sudo su df
        To get hardware information.
    sudo su hostname
        To get the system host name.
    sudo su route -n
        To get routing information.
    /etc/sf/ims.conf
        Use the cat or head command to read files and get configurations.
    $SNORT_DIR/fwcfg/affinity.conf
        Read to get the base directory for the SNORT instance, which is referenced as $DE_DIR in the following three examples.
    $DE_DIR/policyText_full.yaml
        Read the IPS rules and objects.
    $DE_DIR/snort.conf
        Read the SNORT configuration.
    $DE_DIR/*
        Files are read in dynamically when they are referenced in the policyText_full.yaml file.
    $SNORT_DIR/iprep_download
        The adapter uses the find command to search for IP reputation files in this directory.
    /etc/sf/ims-data.conf
        File that is read to get the database connection credentials.
RELATED DOCUMENTATION
Cisco Security Appliances | 76
F5 BIG-IP | 81
Fortinet FortiOS | 86
Cisco Security Appliances
To integrate JSA Risk Manager with your network devices, ensure that you review the requirements for the Cisco Security Appliances adapter.
The following features are available with the Cisco Security Appliances adapter:
• Neighbor data support
• Static NAT
• SNMP discovery
• EIGRP and OSPF dynamic routing
• Static routing
• IPSEC tunneling
• Telnet and SSH connection protocols
The Cisco Security Appliances adapter collects device configurations by backing up Cisco family devices. The Cisco Security Appliances adapter supports the following firewalls:
• Cisco Adaptive Security Appliances (ASA) 5500 series
• Firewall Service Module (FWSM)
• Module in a Catalyst chassis
• Established Private Internet Exchange (PIX) device.
NOTE: Cisco ASA transparent contexts cannot be placed in the JSA Risk Manager topology, and you cannot do path searches across these transparent contexts.
The following table describes the integration requirements for the Cisco Security Appliances adapter.
Table 19: Integration Requirements for the Cisco Security Appliances Adapter

Versions
    ASA: 8.2, 8.4 to 9.1.7
    PIX: 6.1, 6.3
    FWSM: 3.1, 3.2

Minimum User Access Level
    privilege level 5
    You can back up devices with privilege level 5 access level. For example, you can configure a level 5 user that uses local database authentication by running the following commands:
    aaa authorization command LOCAL
    aaa authentication enable console LOCAL
    privilege cmd level 5 mode exec command terminal
    privilege cmd level 5 mode exec command changeto (multi-context only)
    privilege show level 5 mode exec command running-config
    privilege show level 5 mode exec command startup-config
    privilege show level 5 mode exec command version
    privilege show level 5 mode exec command shun
    privilege show level 5 mode exec command names
    privilege show level 5 mode exec command interface
    privilege show level 5 mode exec command pager
    privilege show level 5 mode exec command arp
    privilege show level 5 mode exec command route
    privilege show level 5 mode exec command context
    privilege show level 5 mode exec command mac-address-table

SNMP discovery
    Matches PIX or Adaptive Security Appliance or Firewall Service Module in SNMP sysDescr.

Required credential parameters
    Username
    Password
    Enable Password
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Supported connection protocols
    Use any one of the following supported connection protocols:
    • Telnet
    • SSH
    • SCP
    To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Commands that the adapter requires to log in and collect data
    changeto context
    changeto system
    show running-config
    show startup-config
    show arp
    show context
    show interface
    show mac-address-table
    show names
    show ospf neighbor
    show route
    show shun
    show version
    terminal pager 0
    show interface detail
    show crypto ipsec sa
    show eigrp topology
    show eigrp neighbors
    show firewall
    The changeto context command is used for each context on the ASA device.
    The changeto system command detects whether the system has multi-context configurations and determines the admin-context.
    The changeto context command is required if the changeto system command has a multi-context configuration or admin-configuration context.
    The terminal pager command is used to turn off paging behavior.
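The privilege level 5 user in Table 19 is a least-privilege account: it can read what the adapter needs and nothing more. A practitioner who wants to confirm that a device actually has that setup, rather than a level 15 account handed to the collector, can compare the running configuration against the documented grant list. The following Python script is an added example, not code from this guide, from Juniper or from Cisco; it parses a constructed ASA configuration excerpt (SAMPLE_CONFIG, not a real device backup) and reports the AAA lines and level 5 grants that are missing, plus any level 5 grants beyond the documented set. The `changeto` grant is only required when `multi_context` is true, following the "(multi-context only)" note in the table.

```python
import re
from collections import defaultdict

# AAA lines that the documented level 5 backup user configuration relies on (Table 19).
REQUIRED_AAA = {
    "aaa authorization command LOCAL",
    "aaa authentication enable console LOCAL",
}

# (kind, command) pairs that the documented privilege level 5 example grants.
# "changeto" is only needed on multi-context devices.
REQUIRED_LEVEL5 = {
    ("cmd", "terminal"),
    ("cmd", "changeto"),
    ("show", "running-config"),
    ("show", "startup-config"),
    ("show", "version"),
    ("show", "shun"),
    ("show", "names"),
    ("show", "interface"),
    ("show", "pager"),
    ("show", "arp"),
    ("show", "route"),
    ("show", "context"),
    ("show", "mac-address-table"),
}

# Shape of the privilege lines shown in Table 19.
PRIVILEGE_RE = re.compile(r"^privilege (cmd|show) level (\d+) mode exec command (\S+)$")


def parse_privileges(config_text):
    """Return (aaa_lines, grants); grants maps a privilege level to its {(kind, command)} set."""
    aaa_lines = set()
    grants = defaultdict(set)
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse whitespace and drop indentation
        if line.startswith("aaa "):
            aaa_lines.add(line)
            continue
        match = PRIVILEGE_RE.match(line)
        if match:
            kind, level, command = match.groups()
            grants[int(level)].add((kind, command))
    return aaa_lines, grants


def audit_level5(config_text, multi_context=False):
    """Compare a running-config against the documented level 5 backup user.

    Returns the missing AAA lines, the documented grants absent at level 5, and
    any level 5 grants beyond the documented set (candidates for removal).
    """
    aaa_lines, grants = parse_privileges(config_text)
    required = set(REQUIRED_LEVEL5)
    if not multi_context:
        required.discard(("cmd", "changeto"))
    granted = grants.get(5, set())
    return {
        "missing_aaa": sorted(REQUIRED_AAA - aaa_lines),
        "missing": sorted(required - granted),
        "extra": sorted(granted - required),
    }


# Constructed sample (not a real backup): a single-context ASA whose level 5
# setup omits two documented show commands and grants one the adapter does not need.
SAMPLE_CONFIG = """\
hostname asa-lab
aaa authorization command LOCAL
aaa authentication enable console LOCAL
privilege cmd level 5 mode exec command terminal
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command startup-config
privilege show level 5 mode exec command version
privilege show level 5 mode exec command names
privilege show level 5 mode exec command interface
privilege show level 5 mode exec command pager
privilege show level 5 mode exec command arp
privilege show level 5 mode exec command context
privilege show level 5 mode exec command mac-address-table
privilege show level 5 mode exec command access-list
"""


def audit_sample():
    """Audit the constructed sample as a single-context device."""
    return audit_level5(SAMPLE_CONFIG)


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

On the sample the audit reports `show route` and `show shun` as missing and `show access-list` as an extra grant; running it with `multi_context=True` additionally reports the missing `changeto` grant. Feed it the output of `show running-config` captured from the device to check a real backup account.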
RELATED DOCUMENTATION
F5 BIG-IP | 81
Fortinet FortiOS | 86
Generic SNMP Adapter | 89
F5 BIG-IP
JSA Risk Manager supports the F5 BIG-IP adapter.
The following features are available with the F5 BIG-IP adapter:
• Neighbor data support
• Dynamic NAT
• Static NAT
• SNMP discovery
• Static routing
• IPv6 support
F5 BIG-IP load balancer appliances that run the Local Traffic Manager (LTM) are supported.
The following table describes the integration requirements for the F5 BIG-IP adapter.
Table 20: Integration Requirements for the F5 BIG-IP Adapter

Versions
    10.1 - 13.1

SNMP discovery
    Matches F5 BIG-IP in sysOid containing 1.3.6.1.4.1.3375.2

Required credential parameters
    Username
    Password
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Supported connection protocols
    SSH
    To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Version 10 (Bigpipe) backup commands
    NOTE: On version 10, the adapter sends Bigpipe commands. On versions 11 and later, the adapter sends tmsh commands.
    bigpipe global
    bigpipe system hostname
    bigpipe platform
    uptime
    bigpipe version show
    cat /config/bigip.license
    bigpipe db packetfilter
    bigpipe db packetfilter.defaultaction
    bigpipe packet filter list
    bigpipe nat list all
    bigpipe vlan show all
    bigpipe vlangroup list all
    bigpipe vlangroup
    ip addr list
    bigpipe interface show all
    bigpipe interface all media speed
    bigpipe trunk all interfaces
    route -n
    bigpipe route all list all
    bigpipe mgmt show all
    bigpipe mgmt route show all
    bigpipe pool
    bigpipe self
    bigpipe virtual list all
    bigpipe snat list all
    bigpipe snatpool list all
    b db snat.anyipprotocol

Version 11 and later (tmsh) backup commands
    list sys global-settings hostname
    list sys management-ip
    show sys memory
    show sys hardware
    show sys version
    list sys db packetfilter
    list sys db packetfilter.defaultaction
    list sys db snat.anyipprotocol
    list net interface all-properties
    list net trunk
    list net packet-filter
    list net vlan all-properties
    show net vlan
    list net vlan-group all all-properties
    show net vlan-group
    list ltm virtual
    list ltm nat
    list ltm snatpool
    list ltm snat
    list net route
    list ltm pool
    list net self
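Tables 17, 19 and 20 each state the SNMP discovery rule that selects an adapter: the Cisco Nexus adapter matches Cisco NX-OS in sysDescr, the Cisco Security Appliances adapter matches PIX, Adaptive Security Appliance or Firewall Service Module in sysDescr, and the F5 BIG-IP adapter matches a sysObjectID under 1.3.6.1.4.1.3375.2, while the Cisco NGIPS and Fortinet FortiOS adapters have no SNMP discovery at all. Before running discovery across a network, it is useful to know which inventory entries those rules will claim and which devices will have to be added by hand. The following Python code is an added example and not part of this guide or of JSA Risk Manager; it applies the three documented rules to sysDescr/sysObjectID pairs constructed here (the Cisco OIDs are placeholders, and the F5 OID is the documented prefix with an invented suffix). It reads the F5 rule as a dot-boundary prefix match, which is stricter than the table's word "containing".

```python
import re
from typing import Optional

# Table 17: the documented rule is "Cisco NX-OS" plus an optional qualification
# string ending in "Software"; because that suffix is optional it does not change
# whether the rule matches, so the check reduces to the literal "Cisco NX-OS".
NEXUS_SYSDESCR = re.compile(r"Cisco NX-OS")

# Table 19: any of the three product names in sysDescr.
CISCO_SEC_SYSDESCR = re.compile(r"PIX|Adaptive Security Appliance|Firewall Service Module")

# Table 20: sysObjectID under the F5 subtree.
F5_SYSOBJECTID = "1.3.6.1.4.1.3375.2"


def oid_under(oid: str, prefix: str) -> bool:
    """True when oid is prefix itself or a descendant of it.

    Matching on a dot boundary keeps 1.3.6.1.4.1.3375.20 from being taken for F5.
    """
    oid = oid.strip().lstrip(".")
    return oid == prefix or oid.startswith(prefix + ".")


def match_adapter(sys_descr: str, sys_object_id: str = "") -> Optional[str]:
    """Return the adapter whose documented discovery rule matches, else None.

    Adapters without SNMP discovery (Cisco NGIPS, Fortinet FortiOS) are never
    returned; those devices must be added through Configuration Source Management.
    """
    if sys_object_id and oid_under(sys_object_id, F5_SYSOBJECTID):
        return "F5 BIG-IP"
    if NEXUS_SYSDESCR.search(sys_descr):
        return "Cisco Nexus"
    if CISCO_SEC_SYSDESCR.search(sys_descr):
        return "Cisco Security Appliances"
    return None


# Constructed sample (name, sysDescr, sysObjectID) triples; the Cisco OIDs are
# placeholders, not real sysObjectID values.
SAMPLES = [
    ("nexus", "Cisco NX-OS(tm) n7000, Software (n7000-s2-dk9), Version 6.2(8)", "1.3.6.1.4.1.9.1.0"),
    ("asa", "Cisco Adaptive Security Appliance Version 9.1(7)", "1.3.6.1.4.1.9.1.0"),
    ("fwsm", "Cisco Firewall Service Module Version 3.2(1)", "1.3.6.1.4.1.9.1.0"),
    ("bigip", "Linux lb1.example.test 2.6.32", "1.3.6.1.4.1.3375.2.1.3.4.1"),
    # IOS mentions "Cisco" and "Software" but not "Cisco NX-OS", so it is not Nexus.
    ("ios", "Cisco IOS Software, C2900 Software, Version 15.1", "1.3.6.1.4.1.9.1.0"),
    # Near miss on the F5 OID: a different subtree that shares the digits.
    ("other", "Acme Switch 1.0", "1.3.6.1.4.1.3375.20.1"),
]


def classify(samples=SAMPLES) -> dict:
    """Map each sample name to the adapter its SNMP values select (None = manual add)."""
    return {name: match_adapter(descr, oid) for name, descr, oid in samples}


if __name__ == "__main__":
    for name, adapter in classify().items():
        print(f"{name}: {adapter or 'no SNMP discovery rule matches; add manually'}")
```

Devices that come back as None are either unsupported by SNMP discovery (NGIPS, FortiOS, the Cisco IOS router above) or carry a sysObjectID that only resembles the F5 prefix; either way they do not enter the topology until an administrator adds them.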
RELATED DOCUMENTATION
Fortinet FortiOS | 86
Generic SNMP Adapter | 89
HP Networking ProVision | 91
Fortinet FortiOS
The JSA Risk Manager adapter for Fortinet FortiOS supports Fortinet FortiGate appliances that run the Fortinet operating system (FortiOS).
The following features are available with the Fortinet FortiOS adapter:
• Static NAT
• Static routing
• Telnet and SSH connection protocols
The Fortinet FortiOS adapter interacts with FortiOS over Telnet or SSH. The following list describes some limitations of JSA Risk Manager and the Fortinet FortiOS adapter:
• Geography-based addresses and referenced policies are not supported by JSA Risk Manager.
• Identity-based, VPN, and Internet Protocol Security policies are not supported by JSA Risk Manager.
• Policies that use Unified Threat Management (UTM) profiles are not supported by the Fortinet FortiOS adapter. Only Layer 3 firewall policies are supported.
• Policy Routes are not supported.
• Virtual Domains with Virtual Links that have partial IP addresses or no IP addresses are not supported.
The integration requirements for the Fortinet FortiOS adapter are described in the following table:
Table 21: Integration Requirements for the Fortinet FortiOS Adapter

Version
    4.0 MR3 to 5.2.4

SNMP discovery
    No

Required credential parameters
    Username
    Password
    To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Supported connection protocols
    Use any one of the following supported connection protocols:
    • Telnet
    • SSH
    To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

User access level requirements
    Read-write access for Fortinet firewalls that have VDOMs enabled
    Read-only access for Fortinet firewalls that don't have VDOMs enabled

    config system console
    set output standard
    NOTE: The config system console and set output standard commands require a user with read/write access to system configuration. If you use a read-only user with pagination enabled when you back up a FortiGate device, the performance is impaired significantly.
    show system interface
    get hardware nic
    get system status
    get system performance status
    get router info routing-table static
    get test dnsproxy 6
    show firewall addrgrp
    show firewall address
    show full-configuration
    get firewall service predefined
    show firewall service custom
    show firewall service group
    show firewall policy