Juniper Secure Analytics Risk Manager Adapter Configuration Guide · 2020. 2. 10. ·...


  • Juniper Secure Analytics Risk Manager Adapter Configuration Guide

    Release 7.3.3

    Published 2020-02-10

  • Juniper Networks, Inc.
    1133 Innovation Way
    Sunnyvale, California 94089 USA
    408-745-2000
    www.juniper.net

    Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

    Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

    Juniper Secure Analytics Risk Manager Adapter Configuration Guide 7.3.3
    Copyright © 2020 Juniper Networks, Inc. All rights reserved.

    The information in this document is current as of the date on the title page.

    YEAR 2000 NOTICE

    Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

    END USER LICENSE AGREEMENT

    The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


  • Table of Contents

    About the Documentation | vii

    Documentation and Release Notes | vii

    Documentation Conventions | vii

    Documentation Feedback | x

    Requesting Technical Support | x

    Self-Help Online Tools and Resources | xi

    Creating a Service Request with JTAC | xi

    1 Adapters Overview

    Adapters Overview | 15

    Network Topology and Configuration | 15

    Process for Integrating Network Devices | 15

    Types Of Adapters | 16

    Adapter Features | 17

    Adapter FAQs | 19

    Do Adapters Support All Devices and Versions That JSA Supports? | 19

    Do All Adapters Support the Same Features, for Example, OSPF Routing? | 19

    What User-access Level Does the Adapter Require to Get Device Configuration? | 20

    How do You Configure Credentials to Access Your Network Devices? | 20

    What Credential Fields do You Need to Complete for Each Device? | 20

    How do You Configure Protocols for Your Devices? | 20

    How do You Add Your Network Devices to JSA Risk Manager? | 20

    2 Installing Adapters

    Installing Adapters | 25

    Uninstalling an Adapter | 26


  • 3 Methods for Adding Network Devices

    Methods for Adding Network Devices | 31

    Adding a Network Device | 31

    Adding Devices That Are Managed by an NSM Console | 34

    Adding Devices to JSA Risk Manager That Are Managed by a CPSMS Console | 36

    Adding Devices that are Managed by CPSMS by Using OPSEC | 36

    Adding Devices Managed by CPSMS by Using HTTPS | 38

    Adding Devices That are Managed by the Palo Alto Panorama | 40

    Palo Alto Panorama | 41

    Adding Devices That are Managed by a Sourcefire Defense Center | 42

    Adding Devices That are Managed by a Cisco Firepower Management Center | 44

    4 Troubleshooting Device Discovery and Backup

    Troubleshooting Device Discovery and Backup | 49

    Device Backup Failure | 49

    View Device Backup Errors | 49

    Backup Completes with Parse Warning | 51

    Verify whether you have the most recent adapter versions | 51

    Verify whether your device backup is current | 52

    Error When Importing Configurations from Your Devices | 52

    Failure to Discover Devices from Check Point SMS (OPSEC) | 52

    5 Supported Adapters

    Supported Adapters | 55

    Brocade vRouter | 56

    Check Point SecurePlatform Appliances | 57

    Check Point Security Management Server Adapter | 58

    Check Point Security Management Server OPSEC Adapter | 59

    Check Point Security Management Server HTTPS Adapter | 60

    Create a Check Point Custom Permission Profile to Permit JSA Risk Manager Access | 62


  • Cisco CatOS | 64

    Cisco IOS | 66

    Cisco Nexus | 69

    Methods for adding VDCs for Cisco Nexus Devices | 72

    Adding VDCs As Subdevices Of Your Cisco Nexus Device | 72

    Adding VDCs As Individual Devices | 73

    Cisco NGIPS | 74

    Cisco Security Appliances | 76

    F5 BIG-IP | 81

    Fortinet FortiOS | 86

    Generic SNMP Adapter | 89

    HP Networking ProVision | 91

    Juniper Networks JUNOS OS | 96

    Juniper Networks NSM | 100

    Juniper Networks ScreenOS | 101

    Palo Alto | 103

    Sidewinder | 107

    Sourcefire 3D Sensor | 110

    TippingPoint IPS Adapter | 112


  • About the Documentation

    IN THIS SECTION

    Documentation and Release Notes | vii

    Documentation Conventions | vii

    Documentation Feedback | x

    Requesting Technical Support | x

    Use this guide to understand how to integrate JSA Risk Manager with your network devices.

    Documentation and Release Notes

    To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.

    If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

    Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at https://www.juniper.net/books.

    Documentation Conventions

    Table 1 on page viii defines notice icons used in this guide.


  • Table 1: Notice Icons

    Informational note: Indicates important features or instructions.

    Caution: Indicates a situation that might result in loss of data or hardware damage.

    Warning: Alerts you to the risk of personal injury or death.

    Laser warning: Alerts you to the risk of personal injury from a laser.

    Tip: Indicates helpful information.

    Best practice: Alerts you to a recommended use or implementation.

    Table 2 on page viii defines the text and syntax conventions used in this guide.

    Table 2: Text and Syntax Conventions

    Bold text like this
        Represents text that you type.
        Example: To enter configuration mode, type the configure command:
            user@host> configure

    Fixed-width text like this
        Represents output that appears on the terminal screen.
        Example:
            user@host> show chassis alarms
            No alarms currently active

    Italic text like this
        Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles.
        Examples:
            A policy term is a named structure that defines match conditions and actions.
            Junos OS CLI User Guide
            RFC 1997, BGP Communities Attribute

    Italic text like this
        Represents variables (options for which you substitute a value) in commands or configuration statements.
        Example: Configure the machine’s domain name:
            [edit]
            root@# set system domain-name domain-name

    Text like this
        Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
        Examples:
            To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
            The console port is labeled CONSOLE.

    < > (angle brackets)
        Encloses optional keywords or variables.
        Example: stub ;

    | (pipe symbol)
        Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
        Examples:
            broadcast | multicast
            (string1 | string2 | string3)

    # (pound sign)
        Indicates a comment specified on the same line as the configuration statement to which it applies.
        Example: rsvp { # Required for dynamic MPLS only

    [ ] (square brackets)
        Encloses a variable for which you can substitute one or more values.
        Example: community name members [ community-ids ]

    Indention and braces ( { } )
        Identifies a level in the configuration hierarchy.
        Example:
            [edit]
            routing-options {
                static {
                    route default {
                        nexthop address;
                        retain;
                    }
                }
            }

    ; (semicolon)
        Identifies a leaf statement at a configuration hierarchy level.

    GUI Conventions

    Bold text like this
        Represents graphical user interface (GUI) items you click or select.
        Examples:
            In the Logical Interfaces box, select All Interfaces.
            To cancel the configuration, click Cancel.

    > (bold right angle bracket)
        Separates levels in a hierarchy of menu selections.
        Example: In the configuration editor hierarchy, select Protocols>Ospf.

    Documentation Feedback

    We encourage you to provide feedback so that we can improve our documentation. You can use either of the following methods:

    • Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper Networks TechLibrary site, and do one of the following:

    • Click the thumbs-up icon if the information on the page was helpful to you.

    • Click the thumbs-down icon if the information on the page was not helpful to you or if you have suggestions for improvement, and use the pop-up form to provide feedback.

    • E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

    Requesting Technical Support

    Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active Juniper Care or Partner Support Services support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

    • JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

    • Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.

    • JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

    Self-Help Online Tools and Resources

    For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

    • Find CSC offerings: https://www.juniper.net/customers/support/

    • Search for known bugs: https://prsearch.juniper.net/

    • Find product documentation: https://www.juniper.net/documentation/

    • Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/

    • Download the latest versions of software and review release notes: https://www.juniper.net/customers/csc/software/

    • Search technical bulletins for relevant hardware and software notifications: https://kb.juniper.net/InfoCenter/

    • Join and participate in the Juniper Networks Community Forum: https://www.juniper.net/company/communities/

    • Create a service request online: https://myjuniper.juniper.net

    To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/

    Creating a Service Request with JTAC

    You can create a service request with JTAC on the Web or by telephone.

    • Visit https://myjuniper.juniper.net.

    • Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

    For international or direct-dial options in countries without toll-free numbers, see https://support.juniper.net/support/requesting-support/.

  • CHAPTER 1

    Adapters Overview

    Adapters Overview | 15

    Types Of Adapters | 16

    Adapter Features | 17

    Adapter FAQs | 19

  • Adapters Overview

    Use adapters to integrate JSA Risk Manager with your network devices. By configuring adapters, JSA Risk Manager can interrogate and import the configuration parameters of network devices, such as firewalls, routers, and switches.

    Network Topology and Configuration

    JSA Risk Manager uses adapters to collect network configurations. The adapters turn the configuration information into a standard format that is unified for supported device models, manufacturers, and types. JSA Risk Manager uses the data to understand your network topology and the configuration of your network devices.

    To connect to external devices in the network, JSA Risk Manager must be able to access the devices. JSA Risk Manager uses the user credentials that are configured in JSA to access the device and to download the configurations.

    Process for Integrating Network Devices

    To integrate network devices with JSA Risk Manager, follow these steps:

    1. Configure the network device to enable communication with JSA Risk Manager.

    2. Install the appropriate adapter for your network device on your JSA Risk Manager appliance.

    3. Use Configuration Source Management to add your network devices to JSA Risk Manager.

    4. Define the network protocol that is required for communication with your network devices.

    For more information, see the Juniper Secure Analytics Risk Manager User Guide.

    RELATED DOCUMENTATION

    Types Of Adapters | 16

    Adapter Features | 17

    Adapter FAQs | 19


  • Types Of Adapters

    JSA Risk Manager supports several types of adapters.

    The following adapters are supported:

    • F5 BIG-IP

    • Brocade vRouter

    • Check Point SecurePlatform Appliances

    • Check Point Security Management Server

    • Cisco Catalyst (CatOS)

    • Cisco Internet Operating System (IOS)

    • Cisco Nexus

    • Cisco Security Appliances

    • Fortinet FortiOS

    • HP Networking ProVision

    • Juniper Networks ScreenOS

    • Juniper Networks JUNOS OS

    • Juniper Networks NSM

    • Palo Alto

    • Sourcefire 3D Sensor

    • Generic SNMP

    • TippingPoint IPS

    • McAfee Sidewinder

    RELATED DOCUMENTATION

    Adapter Features | 17

    Adapter FAQs | 19

    Adapters Overview | 15


  • Adapter Features

    Adapters come with many features to help you integrate your network devices with JSA Risk Manager.

    The following table lists common features for the supported adapters.

    Table 3: Adapter Features

    The columns of the original table are Adapter, Versions, NAT, Routing, Tunnelling, Protocols, and Other features. A field that is not listed for an adapter is blank in the table.

    Brocade vRouter
        Versions: 6.7 to 17.1
        NAT/Routing: Static
        Protocols: Telnet, SSH

    Check Point SecurePlatform
        Versions: R65 to R77.30
        NAT: Static, Dynamic
        Routing: Static
        Protocols: Telnet, SSH

    Check Point SMS OPSEC
        Versions: NGX R60 to R77
        NAT: Static, Dynamic
        Routing: Static
        Protocols: CPSMS

    Check Point SMS HTTPS
        Versions: R80
        NAT: Static, Dynamic
        Routing: Static
        Protocols: HTTPS

    Cisco ASA
        Versions: ASA 8.2, 8.4 to 9.1.7; PIX 6.1, 6.3; FWSM 3.1, 3.2
        NAT: Static
        Routing: Static, EIGRP, OSPF
        Protocols: Telnet, SSH, SCP

    Cisco CatOS
        Versions: 4.2, 6.4 (Catalyst 6500 series chassis devices)
        NAT/Routing: Static
        Protocols: Telnet, SSH

    Cisco Nexus
        Versions: Nexus 5548: OS level 6.0; Nexus 7000 series: OS level 6.2; Nexus 9000 series: OS level 6.1
        Routing: Static, EIGRP, OSPF
        Protocols: Telnet, SSH

    Cisco IOS
        Versions: IOS 12.0 to 15.1 for routers and switches; Cisco Catalyst 6500 switches with MSFC
        NAT: Static, Dynamic
        Routing: Static, EIGRP, OSPF
        Tunnelling: VPN
        Protocols: Telnet, SSH

    F5 BIG-IP
        Versions: 10.1 to 13.1
        NAT: Static, Dynamic
        Routing: Static
        Tunnelling: VPN
        Protocols: SSH

    Fortinet FortiOS
        Versions: 4.0 MR3 to 5.2.4
        NAT: Static
        Routing: Static
        Protocols: Telnet, SSH

    Generic SNMP
        Protocols: SNMPv1, v2 and v3

    HP ProCurve ProVision
        Versions: HP Networking ProVision switches K/KA.15.X
        Routing: RIP
        Protocols: SSH

    IBM Proventia GX IPS
        Versions: GX appliances that are managed by SiteProtector
        Protocols: SQL
        Other features: Applications

    Juniper JUNOS OS
        Versions: 10.4, 11.2 to 12.3, and 13.2
        Routing: Static, OSPF
        Protocols: Telnet, SSH, SCP

    Juniper NSM
        Versions: IDP appliances that are managed by NSM (Network and Security Manager)
        Protocols: HTTPS

    Juniper ScreenOS
        Versions: 5.4, 6.2
        NAT: Static, Dynamic
        Routing: Static
        Protocols: Telnet, SSH

    Sidewinder
        Versions: 8.3.2
        NAT: Static
        Routing: Static
        Protocols: Telnet, SSH

    Palo Alto Firewalls
        Versions: PAN-OS 5.0 to 7.0
        NAT: Static, Dynamic
        Tunnelling: IPSEC
        Protocols: HTTPS
        Other features: User/Groups, Applications

    SourceFire 3D Sensor
        Versions: 5.3
        Tunnelling: VPN
        Protocols: SSH
        Other features: IPS

    TippingPoint IPS
        Versions: TOS 3.6 and SMS 4.2
        Protocols: Telnet, SSH, HTTPS
        Other features: IPS

    RELATED DOCUMENTATION

    Adapter FAQs | 19

    Types Of Adapters | 16

    Adapters Overview | 15

    Adapter FAQs

    JSA Risk Manager uses adapters to connect and get configuration information from network devices.

    Do Adapters Support All Devices and Versions That JSA Supports?

    Adapters are a separate integration and are used by JSA Risk Manager only to import device configurations. To view a list of supported adapters, see “Supported Adapters” on page 55.

    Do All Adapters Support the Same Features, for Example, OSPF Routing?

    The range of supported features, such as routing support and NAT support, varies with the adapter. See “Adapter Features” on page 17.

    What User-access Level Does the Adapter Require to Get Device Configuration?

    The required access level varies by adapter, but for most adapters it is restricted to read-only. See “Supported Adapters” on page 55 and view the user-access level requirements when you select an adapter.

    How do You Configure Credentials to Access Your Network Devices?

    You must configure credentials to allow JSA Risk Manager to connect to devices in your network. Administrators use Configuration Source Management to input device credentials. Individual device credentials can be saved for a specific network device. If multiple network devices use the same credentials, you can assign credentials to a group. For more information, see the Juniper Secure Analytics Risk Manager User Guide.

    What Credential Fields do You Need to Complete for Each Device?

    Some adapters might require only a user name and password while others might need extra credentials; for example, Cisco IOS might require an enable password. See “Supported Adapters” on page 55 and view the required credential parameters in the tables.

    How do You Configure Protocols for Your Devices?

    Use Network Groups, which contain the protocols that JSA Risk Manager uses to connect to the IP addresses, CIDR subnets, or address ranges of your devices. For more information, see the Juniper Secure Analytics Risk Manager User Guide.

    How do You Add Your Network Devices to JSA Risk Manager?

    Table 4 lists the methods for adding network devices to JSA Risk Manager.

    Table 4: Adding Network Devices

    Add devices individually
        Use this method if you want to run a test backup of a few devices, for example, to check that your credentials and protocols are correctly configured.

    Device discovery
        Use this method if you have an IP/CIDR address range with SNMP community strings that are configured for each device and you want to find all devices in that address range. You must have SNMP get community strings defined in your credential set for device discovery to work.

    Discovery from management device
        Use this method for devices that are managed by a supported management system such as Check Point SMS.

    Import devices
        If you have several devices in your network, this method is the most reliable.

    For information about adding network devices to JSA Risk Manager, see the Juniper Secure Analytics Risk Manager User Guide.

    RELATED DOCUMENTATION

    Types Of Adapters | 16

    Adapter Features | 17

    Adapters Overview | 15


  • CHAPTER 2

    Installing Adapters

    Installing Adapters | 25

    Uninstalling an Adapter | 26

  • Installing Adapters

    You must download the adapter files to your JSA console, and then copy them to JSA Risk Manager.

    After you establish the initial connection, the JSA console is the only device that can communicate directly with JSA Risk Manager.

    1. Using SSH, log in to your JSA console as the root user.

    2. Download the compressed file for the JSA Risk Manager adapters to your JSA console.

    3. To copy the compressed file from your JSA console to JSA Risk Manager, type the following command:

    scp adapters.zip root@IP_address:

    The IP_address option is the IP address or host name of JSA Risk Manager.

    For example, with the bundle file name and the JSA Risk Manager address substituted:

    scp adapters.bundle-2014-10-972165.zip root@IP_address:

    4. On your JSA Risk Manager appliance, type the password for the root user.

    5. Using SSH from your JSA console, log in to your JSA Risk Manager appliance as the root user.

    6. To unpack and install the adapters, type the following commands from the root directory that contains the compressed file:

    unzip adapters.zip

    yum install -y adapters*.rpm

    For example:

    unzip adapters.bundle-2014-10-972165.zip

    yum install -y adapters*.rpm

    NOTE: For JSA Risk Manager versions prior to 2014.8, use the rpm command instead.

    For example:

    rpm -Uvh adapters*.rpm

    7. To restart the services for the ziptie server and complete the installation, type the following command:

    service ziptie-server restart

    NOTE: Restarting the services for the ziptie server interrupts any device backups that are in progress from Configuration Source Management.

    RELATED DOCUMENTATION

    Uninstalling an Adapter | 26

    Adapter Features | 17

    Adapter FAQs | 19

    Uninstalling an Adapter

    Use the yum command to remove an adapter from JSA Risk Manager.

    1. Using SSH, log in to the JSA console as the root user, and then log in from the console to your JSA Risk Manager appliance as the root user.

    2. To uninstall an adapter, type the following command:

    yum remove -y adapter_package

    For example, yum remove -y adapters.cisco.ios-2011_05-205181.noarch

    NOTE: For JSA Risk Manager versions prior to 2014.8, use the rpm command instead. The rpm -e command takes the name of the installed package, not the name of the .rpm file.

    For example:

    rpm -e adapter_package

    rpm -e adapters.cisco.ios-2011_05-205181.noarch
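    The install and uninstall procedures above run yum against every RPM in the bundle without showing what will change. The following Python script is an added example, not code from this guide or from JSA: it compares the adapter packages already installed on the JSA Risk Manager appliance (the output of rpm -qa 'adapters*') with the RPM files unpacked from a bundle and reports which adapters yum will upgrade, which are new, which are already current, and which are older than the installed version. The package naming pattern is inferred from the one name the guide shows (adapters.cisco.ios-2011_05-205181.noarch); all other package names in the sample data are constructed.

```python
"""Plan an adapter bundle install on JSA Risk Manager before running yum.

Added example (not part of the guide or of JSA). Package names are assumed to
follow adapters.<vendor>.<platform>-<YYYY_MM>-<build>.noarch[.rpm], which is
inferred from the single name the guide shows; the sample names are constructed.
"""
import re

# Assumed naming pattern; the date and build number give a natural ordering.
PKG_RE = re.compile(
    r"^(?P<adapter>adapters(?:\.[a-z0-9]+)+)"
    r"-(?P<year>\d{4})_(?P<month>\d{2})-(?P<build>\d+)\.noarch(?:\.rpm)?$"
)


def parse_package(name):
    """Split a package or file name into (adapter, (year, month, build)).

    Raises ValueError for names that do not follow the assumed pattern.
    """
    m = PKG_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an adapter package name: {name!r}")
    return m["adapter"], (int(m["year"]), int(m["month"]), int(m["build"]))


def plan_install(installed_names, bundle_names):
    """Classify each RPM in the bundle against the installed adapter packages.

    Returns a dict with sorted lists under "upgrade", "new", "current",
    "downgrade" (bundle older than installed; yum install does not replace
    these) and "unknown" (bundle entries that are not adapter packages).
    """
    installed = {}
    for name in installed_names:
        if name.strip():
            adapter, version = parse_package(name)
            installed[adapter] = version
    plan = {"upgrade": [], "new": [], "current": [], "downgrade": [], "unknown": []}
    for name in bundle_names:
        if not name.strip():
            continue
        try:
            adapter, version = parse_package(name)
        except ValueError:
            plan["unknown"].append(name.strip())
            continue
        have = installed.get(adapter)
        if have is None:
            plan["new"].append(adapter)
        elif version > have:
            plan["upgrade"].append(adapter)
        elif version < have:
            plan["downgrade"].append(adapter)
        else:
            plan["current"].append(adapter)
    return {key: sorted(value) for key, value in plan.items()}


# Constructed sample: what rpm -qa 'adapters*' might print on the appliance ...
INSTALLED = """\
adapters.cisco.ios-2011_05-205181.noarch
adapters.juniper.junos-2014_08-611200.noarch
adapters.checkpoint.sms-2014_10-972165.noarch
adapters.f5.bigip-2015_01-980412.noarch
""".splitlines()

# ... and the file listing of an unpacked adapter bundle (constructed).
BUNDLE = """\
adapters.cisco.ios-2014_10-972165.noarch.rpm
adapters.juniper.junos-2014_08-611200.noarch.rpm
adapters.checkpoint.sms-2014_10-972165.noarch.rpm
adapters.f5.bigip-2014_10-972165.noarch.rpm
adapters.paloalto.panos-2014_10-972165.noarch.rpm
README.txt
""".splitlines()

if __name__ == "__main__":
    for key, adapters in plan_install(INSTALLED, BUNDLE).items():
        print(f"{key}: {', '.join(adapters) or '-'}")
```

    Feed the script the real rpm -qa output and the unzipped bundle listing before running yum install -y adapters*.rpm. A non-empty "downgrade" list means the bundle is older than what is installed for that adapter, which is worth knowing because yum install leaves the newer installed package in place and the expected version will not appear after the ziptie-server restart.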

    RELATED DOCUMENTATION

    Installing Adapters | 25

    Adapter Features | 17


  • Adapter FAQs | 19


  • CHAPTER 3

    Methods for Adding Network Devices

    Methods for Adding Network Devices | 31

    Adding a Network Device | 31

    Adding Devices That Are Managed by an NSM Console | 34

    Adding Devices to JSA Risk Manager That Are Managed by a CPSMS Console | 36

    Adding Devices That are Managed by the Palo Alto Panorama | 40

    Palo Alto Panorama | 41

    Adding Devices That are Managed by a Sourcefire Defense Center | 42

    Adding Devices That are Managed by a Cisco Firepower Management Center | 44

  • Methods for Adding Network Devices

    Use Configuration Source Management to add network devices to JSA Risk Manager.

    The following table describes the methods that you can use to add a network device.

    Table 5: Methods for Adding a Network Device to JSA Risk Manager

    Add Device: Add one device.

    Discover Devices: Add multiple devices.

    Discover From NSM: Add devices that are managed by a Juniper Networks NSM console.

    Discover Check Point SMS: Add devices that are managed by a Check Point Security Manager Server (CPSMS).

    Discover From SiteProtector: Add devices from SiteProtector.

    Discover from Palo Alto Panorama: Add devices from Palo Alto Panorama.

    Discover From Defense Center: Add devices from Sourcefire Defense Center.

    Discover From Firepower Management Center: Add devices from Cisco Firepower Management Center.

    RELATED DOCUMENTATION

    Adding a Network Device | 31

    Adding Devices That Are Managed by an NSM Console | 34

    Adding Devices to JSA Risk Manager That Are Managed by a CPSMS Console | 36

    Adding a Network Device

    To add a network device to JSA Risk Manager, use Configuration Source Management.


  • Review the supported software versions, credentials, and required commands for your network devices. For more information, see “Supported Adapters” on page 55.

    1. On the navigation menu, click Admin to open the Admin tab.

    2. On the Admin navigation menu, click Plug-ins or Apps.

    • In JSA 7.3.0 or earlier, click Plug-ins.

    • In JSA 7.3.1 or later, click Apps.

    3. On the Risk Manager pane, click Configuration Source Management.

    4. On the navigation menu, click Credentials.

    5. On the Network Groups pane, click Add a new network group.

    a. Type a name for the network group, and click OK.

    b. Type the IP address of your device, and click Add.

    You can type an IP address, a range of IP addresses, a CIDR subnet, or a wildcard.

    For example, type 10.1.*.* for a wildcard, or 10.2.1.0/24 for a CIDR subnet.

    NOTE: Do not replicate device addresses that exist in other network groups in Configuration Source Management.

    c. Ensure that the addresses that you add are displayed in the Network address box beside the Add address box.

    d. Repeat the previous two steps for each IP address that you want to add.

    6. On the Credentials pane, click Add a new credential set.

    a. Type a name for the credential set, and click OK.

    b. Select the name of the credential set that you create and enter values for the parameters.

    The following table describes the parameters.


  • Table 6: Parameter Options for Credentials

    Username
        A valid user name to log in to the device. For Check Point adapters, the user name and password that you provide require access to several files, such as rule.C, objects.C, implied_rules.C, and Standard.PF.

    Password
        The password for the device.

    Enable Password
        The password for second-level authentication. This password is required when the device prompts for additional credentials to reach the expert-mode (enable) access level.

    SNMP Get Community
        Optional.

    SNMPv3 Authentication Username
        Optional.

    SNMPv3 Authentication Password
        Optional.

    SNMPv3 Privacy Password
        Optional. The privacy password (key) that is used to decrypt SNMPv3 traffic.

    NOTE: If your network device meets one of the following conditions, you must configure protocols in Configuration Source Management:

    • Your device uses a non-standard port for the communication protocol.

    • You want to configure the protocol that JSA Risk Manager uses to communicate with specific IP addresses.

    For more information about configuring sources, see the Juniper Secure Analytics Risk Manager User Guide.

    7. On the navigation menu, add a single device or multiple devices.

  • To add one network device, click Add Device.

    • To add multiple IP addresses for network devices, click Discover Devices.

    8. Enter the IP address for the device, select the adapter type, and then click Add.

    If the device is not backed up, a blue question mark appears beside the adapter.

    9. To back up the device that you added to the device list, select the device, and then click Backup.

    10. Repeat these steps for every network device that you want to add to the device list.

    After you add all of the required devices, you can configure protocols. For more information, see the Juniper Secure Analytics Risk Manager User Guide.
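    Step 5 of the procedure above accepts a single IP address, an address range, a CIDR subnet (10.2.1.0/24) or a wildcard (10.1.*.*) per network group, and warns against listing a device address in more than one network group. The following Python script is an added example, not code from this guide or from JSA: it expands each entry into networks and reports any address that two groups both cover, and it rejects a CIDR entry whose host bits are set, which is usually a typo. The range syntax first-last, the treatment of a wildcard as whole trailing octets, and the three sample groups are assumptions for the example; the guide does not specify them.

```python
"""Overlap check for Configuration Source Management network groups.

Added example (not part of the guide or of JSA). Entry formats modelled:
single address, CIDR subnet, wildcard such as 10.1.*.*, and a range written
first-last (assumed syntax). Sample group contents are constructed.
"""
import ipaddress
from itertools import combinations


def parse_spec(spec):
    """Expand one network-group entry into a list of IPv4Network objects.

    Raises ValueError for malformed entries, including a CIDR entry with host
    bits set (10.2.1.5/24) so that a mistyped subnet is caught before it is
    saved as the wider network.
    """
    spec = spec.strip()
    if "-" in spec:  # assumed range syntax: 172.16.8.10-172.16.8.20
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes range start: {spec}")
        return list(ipaddress.summarize_address_range(first, last))
    if "*" in spec:  # wildcard: one or more trailing octets replaced by '*'
        octets = spec.split(".")
        if len(octets) != 4:
            raise ValueError(f"wildcard must have four octets: {spec}")
        fixed = []
        for octet in octets:
            if octet == "*":
                break
            fixed.append(octet)
        if not fixed or any(o != "*" for o in octets[len(fixed):]):
            raise ValueError(f"only trailing octets may be wildcards: {spec}")
        base = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return [ipaddress.IPv4Network(f"{base}/{8 * len(fixed)}")]
    # Single address (becomes a /32) or CIDR subnet; strict rejects host bits.
    return [ipaddress.IPv4Network(spec, strict=True)]


def invalid_specs(specs):
    """Return the entries that parse_spec rejects, in input order."""
    bad = []
    for spec in specs:
        try:
            parse_spec(spec)
        except ValueError:
            bad.append(spec)
    return bad


def find_overlaps(groups):
    """Report address overlap between different network groups.

    groups maps a group name to its list of entries. Returns a sorted list of
    (group_a, entry_a, group_b, entry_b); an empty list means no device
    address is covered by two groups.
    """
    expanded = []
    for name, specs in groups.items():
        for spec in specs:
            for net in parse_spec(spec):
                expanded.append((name, spec, net))
    hits = set()
    for (ga, sa, na), (gb, sb, nb) in combinations(expanded, 2):
        if ga != gb and na.overlaps(nb):
            hits.add((ga, sa, gb, sb))
    return sorted(hits)


# Constructed sample: three network groups as an administrator might type them.
SAMPLE_GROUPS = {
    "core-routers": ["10.1.*.*", "192.168.50.0/24"],
    "dmz-firewalls": ["10.1.20.7", "172.16.8.10-172.16.8.20"],
    "branch-switches": ["172.16.8.16/28", "10.2.1.0/24"],
}

if __name__ == "__main__":
    for ga, sa, gb, sb in find_overlaps(SAMPLE_GROUPS):
        print(f"overlap: {ga} [{sa}] and {gb} [{sb}]")
```

    Run it against the group lists before entering them in Configuration Source Management: each reported pair names the two entries that cover the same address, so the address can be removed from one group. A wildcard such as 10.1.*.* covers the whole /16, which is why it collides with a single firewall address in another group in the sample.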

    RELATED DOCUMENTATION

    Adding Devices That Are Managed by an NSM Console | 34

    Adding Devices to JSA Risk Manager That Are Managed by a CPSMS Console | 36

    Methods for Adding Network Devices | 31

    Adding Devices That Are Managed by an NSM Console

    Use Configuration Source Management to add all devices from a Juniper Networks NSM (Network and Security Manager) console to JSA Risk Manager.

    Review the supported software versions, credentials, and required commands for your network devices. For more information, see “Supported Adapters” on page 55.

    1. On the navigation menu, click Admin to open the admin tab.

    2. On the Admin navigation menu, click Plug-ins or Apps.

    • In JSA 7.3.0 or earlier, click Plug-ins.

    • In JSA 7.3.1 or later, click Apps.

    3. On the Risk Manager pane, click Configuration Source Management.

    4. On the navigation menu, click Credentials.

    5. On the Network Groups pane, click Add a new network group.


  • a. Type a name for the network group, and click OK.

    b. Type the IP address of your device, and click Add.

    You can type an IP address, a range of IP addresses, a CIDR subnet, or a wildcard.

    NOTE: Do not replicate device addresses that exist in other network groups in Configuration Source Management.

    c. Ensure that the addresses that you add are displayed in the Network address box beside the Add address box.

    d. Repeat the previous two steps for each IP address that you want to add.

    6. On the Credentials pane, click Add a new credential set.

    a. Type a name for the credential set, and click OK.

    b. Select the name of the credential set that you created and enter values for the parameters.

    The following table describes the parameters.

    Table 7: Parameter Options for Juniper NSM Web Services Credentials

    Username
        A valid user name to log in to the Juniper NSM (Network and Security Manager) web services. For Juniper NSM web services, this user must be able to access the Juniper NSM server.

    Password
        The password for the device.

    Enable Password
        Not required.

    NOTE: Juniper Networks NSM (Network and Security Manager) does not support SNMP.

    7. On the navigation menu, click Discover from NSM.

    8. Enter values for the IP address and user credentials, click OK and then click GO.

    9. Select the device that you added to the device list, and click Backup and then click Yes.

  • After you add all of the required devices, you can configure protocols. For more information, see the Juniper Secure Analytics Risk Manager User Guide.

    RELATED DOCUMENTATION

    Adding Devices to JSA Risk Manager That Are Managed by a CPSMS Console | 36

    Adding a Network Device | 31

    Adding Devices to JSA Risk Manager That AreManaged by a CPSMS Console

    Use Configuration Source Management to add devices from a Check Point Security Manager Server(CPSMS) to JSA Risk Manager.

Depending on your version of Check Point Security Manager Server, you must choose one of the following discovery methods to add your devices to JSA Risk Manager.

    Adding Devices that are Managed by CPSMS by Using OPSEC

Add devices that are managed by Check Point Security Manager Server versions NGX R60 to R77 to JSA Risk Manager by using OPSEC to discover and add the devices.

Review the supported software versions, credentials, and required commands for your network devices. For more information, see “Supported Adapters” on page 55.

You must obtain the OPSEC Entity SIC name, OPSEC Application Object SIC name, and the one-time password for the pull certificate password before you begin this procedure. For more information, see your CPSMS documentation.

    NOTE: The Device Import feature is not compatible with CPSMS adapters.


Repeat the following procedure for each CPSMS that you want to connect to, and to initiate discovery of its managed firewalls.

    1. On the navigation menu, click Admin to open the admin tab.

    2. On the Admin navigation menu, click Apps.

    3. On the Risk Manager pane, click Configuration Source Management.

    4. On the navigation menu, click Credentials.

    5. On the Network Groups pane, click Add a new network group.

    a. Type a name for the network group, and then click OK.

    b. Type the IP address of your CPSMS device, and then click Add.

NOTE: Do not replicate device addresses that exist in other network groups in Configuration Source Management.

c. Ensure that the addresses that you add are displayed in the Network address box beside the Add address box.

    6. On the Credentials pane, click Add a new credential set.

    a. Type a name for the credential set, and then click OK.

b. Select the name of the credential set that you created, and then type a valid user name and password for the device.

7. Type the OPSEC Entity SIC name of the CPSMS that manages the firewall devices to be discovered. This value must be exact because the format depends on the type of device that the discovery is coming from. Use the following table as a reference to OPSEC Entity SIC name formats.

Type: Management Server
Name: CN=cp_mgmt,O=

Type: Gateway to Management Server
Name: CN=cp_mgmt_,O=

    For example, when you are discovering from the Management Server:

    • OPSEC Application DN: CN=cpsms226,O=vm226-CPSMS..bs7ocx

    • OPSEC Application Host: vm226-CPSMS


The Entity SIC Name is CN=cp_mgmt,O=vm226-CPSMS..bs7ocx

    For example, when you are discovering from the Gateway to Management Server:

    • OPSEC Application DN: CN=cpsms230,O=vm226-CPSMS..bs7ocx

    • OPSEC Application Host: vm230-CPSMS2-GW3

    The Entity SIC Name is CN=cp_mgmt_vm230-CPSMS2-GW3,O=vm226-CPSMS..bs7ocx

8. Use the Check Point SmartDashboard application to enter the OPSEC Application Object SIC name that was created on the CPSMS.

    CN=cpsms230,O=vm226-CPSMS..bs7ocx

    9. Obtain the OPSEC SSL Certificate:

    a. Click Get Certificate.

    b. In the Certificate Authority IP field, type the IP address.

    c. In the Pull Certificate Password field, type the one-time password for the OPSEC Application.

    d. Click OK.

10. Click OK.

11. Click Protocols and verify that the CPSMS protocol is selected.

    The default port for the CPSMS protocol is 18190.

12. Click Discover From Check Point OPSEC, and then enter the CPSMS IP address.

13. Click OK.

14. Repeat these steps for each CPSMS device that you want to add.

    When you add all the required devices, back up the devices, and view them in the topology.
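Steps 7 and 8 are where OPSEC discovery most often fails, because the Entity SIC name must be typed exactly. The two worked examples in the procedure show one instance of each format; the following Python, added here as an illustration and not part of the guide or of any Juniper or Check Point tooling, states the general rule those examples follow (the O= component is taken from the OPSEC Application DN, and the gateway form appends the OPSEC Application Host to cp_mgmt_) and compares a typed value against the derived one byte for byte. The function and parameter names are the author's own; the DN and host values in the tests are the ones shown in the procedure.

```python
from typing import Optional

# Added helper for steps 7 and 8: derives the OPSEC Entity SIC name for both
# discovery sources listed in the table above (Management Server, and Gateway
# to Management Server).


def organisation_of(dn: str) -> str:
    """Return the value of the O= component of a DN such as CN=x,O=y."""
    for part in dn.split(","):
        part = part.strip()
        if part.upper().startswith("O="):
            return part[2:]
    raise ValueError(f"no O= component in DN: {dn}")


def entity_sic_name(app_dn: str, app_host: str, discovering_from: str) -> str:
    """discovering_from is 'management' or 'gateway' (the two rows of the table)."""
    org = organisation_of(app_dn)
    if discovering_from == "management":
        return f"CN=cp_mgmt,O={org}"
    if discovering_from == "gateway":
        return f"CN=cp_mgmt_{app_host},O={org}"
    raise ValueError(f"unknown discovery source: {discovering_from}")


def check_entered_name(entered: str, app_dn: str, app_host: str,
                       discovering_from: str) -> Optional[str]:
    """Return None when the value typed in step 7 matches exactly, else a message.
    The comparison is exact because the guide says the value must be precise;
    a case-only or whitespace-only difference is reported separately so it is
    easy to spot."""
    expected = entity_sic_name(app_dn, app_host, discovering_from)
    if entered == expected:
        return None
    if entered.strip().lower() == expected.lower():
        return f"case or whitespace differs: expected {expected!r}"
    return f"expected {expected!r}, got {entered!r}"
```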

    Adding Devices Managed by CPSMS by Using HTTPS

Add devices that are managed by Check Point Security Manager Server version R80 to JSA Risk Manager by using the HTTPS protocol to discover and add the devices.


1. Open the Admin settings:

    • In JSA 7.3.0 or earlier, click the Admin tab.

    • In JSA 7.3.1, click the navigation menu icon, and then click Admin to open the admin tab.

    2. On the Admin navigation menu, click Plug-ins or Apps.

    • In JSA 7.3.0 or earlier, click Plug-ins.

    • In JSA 7.3.1, click Apps.

    3. On the Risk Manager pane, click Configuration Source Management.

    4. On the navigation menu, click Credentials.

    5. On the Network Groups pane, click Add a new network group.

    a. Type a name for the network group, and then click OK.

    b. Type the IP address of your Check Point device, and then click Add.

    c. Ensure that the address is displayed in the Network address box.

    6. On the Credentials pane, click Add a new credential set.

    a. Type a name for the credential set, and then click OK.

b. Select the name of the credential set that you created, and then type a valid user name and password for the device.

    7. Click OK.

    8. Click Protocols and verify that the HTTPS protocol is selected.

    9. Click Discover From Check Point HTTPS, and then enter the Check Point IP address.

10. Click OK.

    After you add all the required devices, back up the devices, and view them in the topology.

    RELATED DOCUMENTATION

    Adding a Network Device | 31

    Adding Devices That Are Managed by an NSM Console | 34


Adding Devices That are Managed by the Palo Alto Panorama

Use Configuration Source Management to add devices from the Palo Alto Panorama to JSA Risk Manager.

    1. On the navigation menu, click Admin to open the admin tab.

    2. On the Admin navigation menu, click Plug-ins or Apps.

    • In JSA 7.3.0 or earlier, click Plug-ins.

    • In JSA 7.3.1, click Apps.

    3. On the Risk Manager pane, click Configuration Source Management.

    4. On the navigation menu, click Credentials.

    5. On the Network Groups pane, click Add a new network group.

    a. Type a name for the network group, and then click OK.

    b. Type the IP address of your Check Point device, and then click Add.

    c. Ensure that the address is displayed in the Network address box.

    The Palo Alto Panorama supports proxy backups.

    6. On the Credentials pane, click Add a new credential set.

    a. Type a name for the credential set, and then click OK.

b. Select the name of the credential set that you created, and then type a valid user name and password for the device.

    7. Click OK.

    8. Click Discover From Palo Alto Panorama, and then enter the Palo Alto Panorama IP address.

    The Palo Alto Panorama uses the following command for backup:

    api/?type=op&cmd=

RELATED DOCUMENTATION

    Adding a Network Device | 31

    Adding Devices That Are Managed by an NSM Console | 34

    Palo Alto Panorama

    JSA Risk Manager supports the Palo Alto Panorama network security management server.

    Palo Alto Panorama supports proxy backups.

Backups of devices that are discovered by the Palo Alto Panorama network security management server are collected from the Panorama when they are backed up.

    The following table describes the integration requirements for the Palo Alto Panorama.

Table 8: Integration Requirements for the Palo Alto Panorama

Versions: 8.0

Minimum user access level: Superuser (full access). Required for PA devices that have Dynamic Block Lists to perform system-level commands. Superuser (read-only) for all other PA devices.

Required credential parameters: Username, Password. To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Supported connection protocols: HTTPS. To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

api/?type=op&cmd=

Review the supported software versions, credentials, and required commands for your network devices. For more information, see “Supported Adapters” on page 55.

    1. On the navigation menu, click Admin to open the admin tab.

    2. On the Admin navigation menu, click Plug-ins or Apps.

    • In JSA 7.3.0 or earlier, click Plug-ins.

    • In JSA 7.3.1, click Apps.

    3. On the Risk Manager pane, click Configuration Source Management.

    4. On the navigation menu, click Credentials.

    5. On the Network Groups pane, click Add a new network group.

    a. Type a name for the network group, and then click OK.

    b. Type the IP address of your device, and click Add.

    You can type an IP address, a range of IP addresses, a CIDR subnet, or a wildcard.

c. Ensure that the addresses that you add are displayed in the Network address box beside the Add address box.

d. Repeat steps 5 (a) and 5 (b) for each IP address that you want to add.

    6. On the Credentials pane, click Add a new credential set.

    a. Type a name for the credential set, and then click OK.

    b. Select the name of the credential set that you created and enter values for the parameters.

    The following table describes the parameters:

Table 9: Parameter Options for Sourcefire Defense Center Web Services Credentials

Username: A valid user name to log in to the Sourcefire Defense Center.

Password: The password for the device.

    7. On the navigation menu, click Discover from Defense Center.

    8. Enter values for the IP address and user credentials, click OK and then click GO.

    9. Select the device that you added to the device list, and click Backup and then click Yes.


After you add all of the required devices, you can configure protocols. For more information, see the Juniper Secure Analytics Risk Manager User Guide.

    RELATED DOCUMENTATION

    Adding a Network Device | 31

    Adding Devices That Are Managed by an NSM Console | 34

    Adding Devices That are Managed by a Cisco Firepower Management Center | 44

Adding Devices That are Managed by a Cisco Firepower Management Center

Use Configuration Source Management to add all devices from a Cisco Firepower Management Center to JSA Risk Manager.

Review the supported software versions, credentials, and required commands for your network devices. For more information, see “Supported Adapters” on page 55.

    1. On the navigation menu, click Admin to open the admin tab.

    2. On the Admin navigation menu, click Plug-ins or Apps.

    • In JSA 7.3.0 or earlier, click Plug-ins.

    • In JSA 7.3.1, click Apps.

    3. On the Risk Manager pane, click Configuration Source Management.

    4. On the navigation menu, click Credentials.

    5. On the Network Groups pane, click Add a new network group.

    a. Type a name for the network group, and then click OK.

    b. Type the IP address of your device, and click Add.

    You can type an IP address, a range of IP addresses, a CIDR subnet, or a wildcard.

c. Ensure that the addresses that you add are displayed in the Network address box beside the Add address box.

d. Repeat steps 5 (a) and 5 (b) for each IP address that you want to add.


6. On the Credentials pane, click Add a new credential set.

    a. Type a name for the credential set, and then click OK.

    b. Select the name of the credential set that you created and enter values for the parameters.

    The following table describes the parameters:

Table 10: Parameter Options for Cisco Firepower Management Center Web Services Credentials

Username: A valid user name to log in to the Cisco Firepower Management Center.

Password: The password for the device.

    7. On the navigation menu, click Discover from Cisco Firepower Management Center.

    8. Enter values for the IP address and user credentials, click OK and then click GO.

    9. Select the device that you added to the device list, and click Backup and then click Yes.

After you add all of the required devices, you can configure protocols. For more information, see the Juniper Secure Analytics Risk Manager User Guide.

    RELATED DOCUMENTATION

    Adding a Network Device | 31

    Adding Devices That Are Managed by an NSM Console | 34

    Adding Devices That are Managed by a Sourcefire Defense Center | 42


CHAPTER 4

Troubleshooting Device Discovery and Backup

    Troubleshooting Device Discovery and Backup | 49

Troubleshooting Device Discovery and Backup

Fix issues with device discovery and backup. You can look at the details for logs and error and warning messages to help you troubleshoot.

    Device Backup Failure

    Check device login credentials.

    1. On the Admin tab, click Configuration Source Management.

    2. Verify that the credentials to access the target device are correct.

    3. Test the credentials on the target device.

    View Device Backup Errors

    To see backup errors, do the following steps:

    1. On the Admin tab, click Configuration Source Management.

    2. Click a device, and then click View error.

This table lists the error message identifier, the description of the message and the suggested troubleshooting action.

Table 11: Device Backup Errors

UNEXPECTED_RESPONSE
Error description: Connection attempt timed out
Suggested troubleshooting step: Verify that you're using the correct adapter.

INVALID_CREDENTIALS
Error description: Credentials are incorrect
Suggested troubleshooting step: Check credentials in Configuration Source Management.

SSH_ERROR
Error description: Connection error
Suggested troubleshooting step: Check that the device is working and is connected to your network. Use other network connection protocols and troubleshooting tools to verify that the device is accessible. Verify that the SSH connection protocol is allowed and that it is configured correctly.

TELNET_ERROR
Error description: Connection error
Suggested troubleshooting step: Check that the device is working and is connected to your network. Use other network connection protocols and troubleshooting tools to verify that the device is accessible. Verify that the Telnet connection protocol is allowed and that it is configured correctly.

SNMP_ERROR
Error description: Connection error
Suggested troubleshooting step: Check that the device is working and is connected to your network. Use other network connection protocols and troubleshooting tools to verify that the device is accessible. Verify that SNMP is allowed and that it is configured correctly.

TOO_MANY_USERS
Error description: The number of users that are configured to access this device is exceeded.
Suggested troubleshooting step: Check the maximum number of users that are allowed to access the device by logging on to the device and checking the configuration for the maximum number of users that can access the device at the same time.

DEVICE_MEMORY_ERROR
Error description: Device configuration errors
Suggested troubleshooting step: Verify that the device is working correctly. Access the device and verify the configuration and check the logs for errors. Use your device documentation to help you to troubleshoot errors.

NVRAM_CORRUPTION_ERROR
Error description: Device access issues
Suggested troubleshooting step: In Configuration Source Management, check the access level of the user name that is configured to access the device.

INSUFFICIENT_PRIVILEGE
Error description: User that is configured to access the device has insufficient privilege
Suggested troubleshooting step: In Configuration Source Management, check the access level of the user name that is configured to access the device.

DEVICE_ISSUE
Error description: Error on the device
Suggested troubleshooting step: Select the device in Configuration Source Management and click View error to see more details.

    Backup Completes with Parse Warning

    To view more detail about the warning, do the following steps:

    1. Click the Risks tab.

    2. From the navigation menu, click Configuration Monitor.

    3. Click See Log for the selected device in the Device List table.

    Verify whether you have the most recent adapter versions

To check your adapter versions, log in as root to the JSA Risk Manager appliance and then type the following command:

    yum list adapter\*

    You can look for date information in the names of the adapters to help you determine the release dates.

    To download the most recent adapter bundle, do the following steps:

    1. In the Product selector field type Risk Manager to filter your selection.

    2. Click JSA Risk Manager.

    3. From the Installed Version list, select the version that is installed on your system.

4. From the Platform list, select the operating system that is installed on your system, and then click Continue.


5. Click Browse for fixes, and then click Continue.

6. To download the most recent adapter bundle, click the adapter-bundle link on the top of the Adapter list.

    Verify whether your device backup is current

    To verify whether you have a recent backup, do these steps:

    1. Click the Risks tab.

    2. From the navigation menu, click Configuration Monitor.

    3. Double-click the device in the Device List table.

    4. From the toolbar, click History. The most recent configuration that is imported is displayed.

    If you don't think that you have the most recent configuration, verify by running the backup again.

    Error When Importing Configurations from Your Devices

    An incorrectly formatted CSV file can cause a device backup to fail. Do these steps to check the CSV file:

    1. Review your CSV file to correct any errors.

    2. Re-import your device configurations by using the updated CSV file.

    Failure to Discover Devices from Check Point SMS (OPSEC)

Follow all steps in the "Adding devices that are managed by a CPSMS console" section of the Juniper Secure Analytics Risk Manager Adapter Configuration Guide, especially steps 7 and 8 where the OPSEC fields must be precise.

    RELATED DOCUMENTATION

    Supported Adapters | 55

    Check Point SecurePlatform Appliances | 57

    Check Point Security Management Server Adapter | 58


CHAPTER 5

Supported Adapters

    Supported Adapters | 55

    Brocade vRouter | 56

    Check Point SecurePlatform Appliances | 57

    Check Point Security Management Server Adapter | 58

    Cisco CatOS | 64

    Cisco IOS | 66

    Cisco Nexus | 69

    Cisco NGIPS | 74

    Cisco Security Appliances | 76

    F5 BIG-IP | 81

    Fortinet FortiOS | 86

    Generic SNMP Adapter | 89

    HP Networking ProVision | 91

    Juniper Networks JUNOS OS | 96

    Juniper Networks NSM | 100

Juniper Networks ScreenOS | 101

    Palo Alto | 103

    Sidewinder | 107

    Sourcefire 3D Sensor | 110

    TippingPoint IPS Adapter | 112

Supported Adapters

    JSA Risk Manager integrates with many manufacturers and vendors of security products.

    The following information is provided for each supported adapter:

    Supported versions

    Specifies the product name and version supported.

    Supports neighbor data

Specifies whether neighbor data is supported for this adapter. If your device supports neighbor data, then you get neighbor data from a device by using Simple Network Management Protocol (SNMP) and a command-line interface (CLI).

    SNMP discovery

    Specifies whether the device allows discovery by using SNMP.

Devices must support standard MIB-2 for SNMP discovery to take place, and the device's SNMP configuration must be supported and configured correctly.

    Required credential parameters

    Specifies the necessary access requirements for JSA Risk Manager and the device to connect.

    Ensure that the device credentials configured in JSA Risk Manager and in the device are the same.

    If a parameter is not required, you can leave that field blank.

To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

    Connection protocols

    Specifies the supported protocols for the network device.

To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

    Required commands

    Specifies the list of commands that the adapter requires to log in and collect data.

To run the listed commands on the adapter, the credentials that are provided in JSA Risk Manager must have the appropriate privileges.

    Files collected


Specifies the list of files that the adapter must be able to access. To access these files, the appropriate credentials must be configured for the adapter.

    RELATED DOCUMENTATION

    Check Point SecurePlatform Appliances | 57

    Check Point Security Management Server Adapter | 58

    Cisco CatOS | 64

    Brocade vRouter

    JSA Risk Manager supports the Brocade Virtual Router (vRouter) adapter.

    The static routing feature is available with the Brocade vRouter adapter.

    The integration requirements for the Brocade vRouter adapter are described in the following table:

Supported versions: 6.7 to 17.1

Minimum user access level: Operator or Admin

Required credential parameters: Username, Password

Supported connection protocols: Use one of the following supported connection protocols: SSH, Telnet

Commands that the adapter requires to log in and collect data:

show version

show host name

show system memory

show configuration all | no-more

show interfaces | no-more


RELATED DOCUMENTATION

    Check Point SecurePlatform Appliances | 57

    Check Point Security Management Server Adapter | 58

    Cisco CatOS | 64

    Check Point SecurePlatform Appliances

    JSA Risk Manager supports the Check Point SecurePlatform Appliances adapter.

    The following features are available with the Check Point SecurePlatform Appliances adapter:

    • Dynamic NAT

    • Static NAT

    • SNMP discovery

    • Static routing

    • Telnet and SSH connection protocols

The following table describes the integration requirements for the Check Point SecurePlatform Appliances adapter.

    Table 12: Integration Requirements for the Check Point SecurePlatform Appliances Adapter

Versions: R65 to R77.30. NOTE: Nokia IPSO appliances are not supported for backup.

SNMP discovery: Matches NGX in SNMP sysDescr.

Required credential parameters: Username, Password, Enable Password (expert mode). To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Supported connection protocols: Use any one of the following supported connection protocols: Telnet, SSH. To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Commands that the adapter requires to log in and collect data:

hostname

dmidecode

ver

uptime

dmesg

route -n

show users

ifconfig -a

echo $FWDIR

Files collected:

rules.C

objects.C

implied_rules.C

Standard.pf

snmpd.com

    RELATED DOCUMENTATION

    Check Point Security Management Server Adapter | 58

    Cisco CatOS | 64

    Cisco IOS | 66

    Check Point Security Management Server Adapter

Use the Check Point adapter to discover and back up end nodes that are managed by the Security Management Server (CPSMS).

Choose one of the following adapters to discover and back up end nodes that are managed by the CPSMS.


Check Point Security Management Server OPSEC Adapter

Use the Check Point Security Management Server OPSEC adapter to discover and back up end nodes that are managed by the CPSMS versions NGX R60 to R77.

    The following features are available with the Check Point Security Management Server OPSEC adapter:

    • OPSEC protocol

    • Dynamic NAT

    • Static NAT

    • Static routing

The CPSMS adapter is built on the OPSEC SDK 6.0, which supports Check Point products that are configured to use certificates that are signed by using SHA-1 only.

    The following table describes the integration requirements for the CPSMS adapter.

Table 13: Integration Requirements for the CPSMS Adapter

Versions: NGX R60 to R77

Required credential parameters: Use the credentials that are set from Adding devices managed by a CPSMS console. To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Supported connection protocols: CPSMS. To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Configuration requirements: To allow the cpsms_client to communicate with Check Point Management Server, the $CPDIR/conf/sic_policy.conf on CPSMS must include the following lines:

# OPSEC applications default
ANY ; SAM_clients ; ANY ; sam ; sslca, local, sslca_comp
# sam proxy
ANY ; Modules, DN_Mgmt ; ANY; sam ; sslca
ANY ; ELA_clients ; ANY ; ela ; sslca, local, sslca_comp
ANY ; LEA_clients ; ANY ; lea ; sslca, local, sslca_comp
ANY ; CPMI_clients; ANY ; cpmi ; sslca, local, sslca_comp

Required ports: The following ports are used by JSA Risk Manager and must be open on CPSMS:

Port 18190 for the Check Point Management Interface service (or CPMI)

Port 18210 for the Check Point Internal CA Pull Certificate Service (or FW1_ica_pull)

If you cannot use 18190 as a listening port for CPMI, then the CPSMS adapter port number must be similar to the value listed in the $FWDIR/conf/fwopsec.conf file for CPMI on CPSMS. For example, cpmi_server auth_port 18190.
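The configuration requirement and the required-ports row above both depend on the contents of two files on the CPSMS: $CPDIR/conf/sic_policy.conf must carry the listed OPSEC rules, and the CPMI port configured in JSA must agree with the cpmi_server auth_port line in $FWDIR/conf/fwopsec.conf. The following Python is an added pre-flight check written for this guide (it is not Juniper or Check Point code): it reports which of the required sic_policy.conf rules are absent, comparing fields after whitespace normalisation, and reads the CPMI authentication port from fwopsec.conf, falling back to 18190 when the line is not present. The sample file contents are constructed for the demonstration; the function names are the author's own.

```python
from typing import List, Optional, Tuple

# Rules that Table 13 says $CPDIR/conf/sic_policy.conf must contain, verbatim.
REQUIRED_SIC_RULES = [
    "ANY ; SAM_clients ; ANY ; sam ; sslca, local, sslca_comp",
    "ANY ; Modules, DN_Mgmt ; ANY; sam ; sslca",
    "ANY ; ELA_clients ; ANY ; ela ; sslca, local, sslca_comp",
    "ANY ; LEA_clients ; ANY ; lea ; sslca, local, sslca_comp",
    "ANY ; CPMI_clients; ANY ; cpmi ; sslca, local, sslca_comp",
]


def normalise_rule(line: str) -> Optional[Tuple[str, ...]]:
    """Drop the comment part, split on ';' and tidy each comma list.
    Returns None for blank or comment-only lines, so spacing differences such
    as 'ANY;sam' versus 'ANY ; sam' do not hide a rule that is really there."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = []
    for field in body.split(";"):
        fields.append(",".join(item.strip() for item in field.split(",")))
    return tuple(fields)


def missing_sic_rules(conf_text: str) -> List[str]:
    """Required rules (as written in Table 13) that conf_text does not contain."""
    present = {normalise_rule(line) for line in conf_text.splitlines()} - {None}
    return [rule for rule in REQUIRED_SIC_RULES if normalise_rule(rule) not in present]


def cpmi_auth_port(fwopsec_text: str, default: int = 18190) -> int:
    """Port the CPSMS adapter must be configured with: the value of the
    'cpmi_server auth_port N' line in $FWDIR/conf/fwopsec.conf, or the default
    CPMI port 18190 when that line is absent."""
    for line in fwopsec_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) == 3 and tokens[:2] == ["cpmi_server", "auth_port"]:
            return int(tokens[2])
    return default


# Constructed sample files (not copied from a real CPSMS). The sic_policy.conf
# sample deliberately lacks the CPMI_clients rule; the fwopsec.conf sample moves
# CPMI off the default port.
SAMPLE_SIC_POLICY = """\
# OPSEC applications default
ANY ; SAM_clients ; ANY ; sam ; sslca, local, sslca_comp
# sam proxy
ANY ; Modules, DN_Mgmt ; ANY; sam ; sslca
ANY ; ELA_clients ; ANY ; ela ; sslca, local, sslca_comp
ANY ; LEA_clients ; ANY ; lea ; sslca, local, sslca_comp
"""

SAMPLE_FWOPSEC = """\
# constructed fwopsec.conf fragment
cpmi_server auth_port 18191
"""


def preflight() -> Tuple[List[str], int]:
    """Run both checks over the constructed samples."""
    return missing_sic_rules(SAMPLE_SIC_POLICY), cpmi_auth_port(SAMPLE_FWOPSEC)
```

Run the two functions over the real files copied from the CPSMS before starting discovery: an empty list from missing_sic_rules and a port that matches the CPSMS adapter setting in Configuration Source Management rule out two of the causes behind a failed OPSEC discovery.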

    Check Point Security Management Server HTTPS Adapter

Use the Check Point Security Management Server HTTPS adapter to discover and back up end nodes that are connected to firewall blades that are managed by the Security Management Server version R80.

    The following features are available with the Check Point Security Management Server HTTPS adapter:

    • Static NAT

    • Static routing

    • HTTPS connection protocol

    The following features are not supported by the Check Point Security Management Server adapter:

    • Dynamic objects (network objects)

    • Security Zones (network objects)

    • RPC objects (services)

    • DCE-RPC objects (services)

    • ICMP services (services)

    • GTP objects (services)

    • Compound TCP objects (services)

    • Citrix TCP objects (services)

    • Other services (services)

    • User objects


• Time objects

    • Access Control Policy criteria negation

NOTE: If you upgrade to the Check Point Security Management Server R80 from a previous version of Check Point SMS, you must rediscover your devices by using the Discover From Check Point HTTPS discovery method, even if your devices are recorded by Configuration Source Management.

The following table describes the integration requirements for the Check Point Security Management Server adapter.

Table 14: Integration Requirements for the Check Point Security Management Server Adapter

Versions: R80

Required credential parameters: Username, Password. To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab. NOTE: You must add the credentials for the Check Point Security Management Server before you configure device discovery.

Device discovery configuration: Discover From Check Point HTTPS. To configure device discovery in JSA, log in as an administrator and use Configuration Source Management on the Admin tab. To configure the discovery method, click Discover From Check Point HTTPS, enter the IP address of the Check Point Security Management Server, and then click OK.

Supported connection protocols: HTTPS. To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

User access level requirements: Read-write access all

Requested API endpoints: Use the following format to issue the listed commands to devices:

https://:/web_api/

show-simple-gateways

show-hosts

show-networks

show-address-ranges

show-groups

show-groups-with-exclusion

show-services-tcp

show-services-udp

show-service-groups

show-packages

show-access-rulebase

show-nat-rulebase

run-script

show-task
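The endpoints listed in Table 14 are all reached the same way: a login call returns a session id, every later call carries that id in the X-chkp-sid header, and the show-* calls return their objects in pages described by limit, offset, to and total. The following Python is an added example written for this guide, not Juniper's adapter or Check Point's SDK, that walks through that exchange with a constructed in-memory transport standing in for the management server, so it runs offline. The server name, credentials, session-id format, host inventory and the choice to open a read-only session (the demo issues only show-* calls; the adapter's run-script and show-task calls are not modelled) are all assumptions of the example.

```python
from typing import Any, Callable, Dict, List, Optional

# Transport signature: (url, headers, json body) -> decoded json response.
Transport = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


class WebApiError(Exception):
    pass


class CheckPointWebApi:
    """Minimal client for the https://<server>:<port>/web_api/ endpoint family."""

    def __init__(self, server: str, port: int, transport: Transport):
        self.base = f"https://{server}:{port}/web_api/"
        self.transport = transport
        self.sid: Optional[str] = None

    def call(self, endpoint: str, payload: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid   # every call after login carries the session id
        resp = self.transport(self.base + endpoint, headers, payload or {})
        if "code" in resp:                     # error responses carry a "code" field
            raise WebApiError(f"{endpoint}: {resp['code']}")
        return resp

    def login(self, user: str, password: str) -> str:
        # Read-only session: this demo only issues show-* calls and publishes nothing.
        resp = self.call("login", {"user": user, "password": password, "read-only": True})
        self.sid = resp["sid"]
        return self.sid

    def show_all(self, endpoint: str, limit: int = 50) -> List[Dict[str, Any]]:
        """Walk offset/limit pages until 'to' reaches 'total' (or a page is empty)."""
        objects: List[Dict[str, Any]] = []
        offset = 0
        while True:
            page = self.call(endpoint, {"limit": limit, "offset": offset, "details-level": "standard"})
            objects.extend(page.get("objects", []))
            if not page.get("objects") or page.get("to", 0) >= page.get("total", 0):
                return objects
            offset = page["to"]                # 'to' is the 1-based index of the last item returned

    def logout(self) -> None:
        self.call("logout")
        self.sid = None


def make_fake_transport(hosts: List[Dict[str, Any]], user: str, password: str) -> Transport:
    """Constructed stand-in for the management server: checks credentials,
    rejects calls without a live session id, and pages show-hosts."""
    sessions: set = set()

    def transport(url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        endpoint = url.rsplit("/web_api/", 1)[1]
        if endpoint == "login":
            if body.get("user") != user or body.get("password") != password:
                return {"code": "err_login_failed"}
            sid = f"sid-{len(sessions) + 1}"   # constructed session-id format
            sessions.add(sid)
            return {"sid": sid, "read-only": body.get("read-only", False)}
        if headers.get("X-chkp-sid") not in sessions:
            return {"code": "generic_err_wrong_session_id"}
        if endpoint == "logout":
            sessions.discard(headers["X-chkp-sid"])
            return {"message": "OK"}
        if endpoint == "show-hosts":
            offset, limit = body.get("offset", 0), body.get("limit", 50)
            chunk = hosts[offset:offset + limit]
            return {"objects": chunk, "from": offset + 1, "to": offset + len(chunk), "total": len(hosts)}
        return {"code": "generic_error"}

    return transport


# Constructed sample inventory; names and addresses are invented.
SAMPLE_HOSTS = [{"name": f"host-{i}", "ipv4-address": f"10.0.0.{i}"} for i in (1, 2, 3)]


def collect_host_names(limit: int = 2) -> List[str]:
    """Full exchange: login, paged show-hosts, logout."""
    api = CheckPointWebApi("cpsms.example.invalid", 443,
                           make_fake_transport(SAMPLE_HOSTS, "jsa-adapter", "s3cret"))
    api.login("jsa-adapter", "s3cret")
    try:
        return [h["name"] for h in api.show_all("show-hosts", limit=limit)]
    finally:
        api.logout()


def error_without_login() -> str:
    """What a show-* call returns when no session was established first."""
    api = CheckPointWebApi("cpsms.example.invalid", 443, make_fake_transport(SAMPLE_HOSTS, "u", "p"))
    try:
        api.show_all("show-hosts")
    except WebApiError as exc:
        return str(exc)
    return ""
```

The paging loop is the part worth copying: a client that reads only the first page of show-hosts or show-access-rulebase silently produces an incomplete topology, and the error path shows why an expired or missing session id surfaces as a wrong-session-id code rather than an HTTP authentication failure.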

Create a Check Point Custom Permission Profile to Permit JSA Risk Manager Access

To enable JSA Risk Manager access to the Check Point SMS HTTPS adapter API, you must create a permission profile on the Check Point Security Management Server that includes the "Run One Time Script" permission.

You can create a custom permission profile that includes this permission, but is less permissive than the "Read Write All" or "Read Only All" profile.

NOTE: The custom profile does not work if the SMS version is R80.10 or higher and the gateway version is lower than R80.10. This configuration requires a Super User.


1. On the SMS Console with SmartDashboard, click Manage & Settings > Permissions & Administrators > Permission Profiles.

    2. Click Create New Profile.

    3. On the Overview tab, select Customized.

    4. On the Gateways tab, select One Time Script.

    5. On the Access Control tab, select the following options:

    • Show Policy

    • Edit layers by the selected profiles in a layer editor

    • NAT Policy – Set the permission to Read.

    • Access Control Objects and Settings – Set the permission to Read.

    6. On the Threat Prevention tab, select Settings and set the permission to Read.

    7. On the Others tab, select the following options:

    • Common Objects – Set the permission to Read.

    • Check Point Users Database – Set the permission to Read.

8. On the Monitoring and Logging tab, leave the check boxes cleared.

9. On the Management tab, select Management API Login.

    NOTE: Ensure that any options that are not listed in Steps 3 – 9 are not selected.

10. Click OK and assign your user to this new permission profile.

    RELATED DOCUMENTATION

    Cisco CatOS | 64

    Cisco IOS | 66

    Cisco Nexus | 69


Cisco CatOS

    JSA Risk Manager supports the Cisco Catalyst (CatOS) adapter.

The Cisco CatOS adapter collects device configurations by backing up CatOS network devices that JSA Risk Manager can access.

    The following features are available with the Cisco CatOS adapter:

    • Neighbor data support

    • SNMP discovery

    • Static routing

    • Telnet and SSH connection protocols

    The following table describes the integration requirements for the Cisco CatOS adapter.

Table 15: Integration Requirements for the Cisco CatOS Adapter

Versions: Catalyst 6500 series chassis devices. 4.2, 6.4. NOTE: The adapter for CatOS backs up only the essential switching port structure. Multilayer Switch Feature Card (MSFC) CatOS adapters are backed up by Cisco IOS adapters. Firewall Services Module (FWSM) CatOS adapters are backed up by Cisco ASA adapters.

SNMP discovery: Matches CATOS or Catalyst Operating System in SNMP sysDescr.

Required credential parameters: Username, Password, Enable Password. To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Supported connection protocols: Use any one of the following supported connection protocols: Telnet, SSH. To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Commands that the adapter requires to log in and collect data:

show version

whichboot

show module

show mod ver

show system

show flash devices

show flash ...

show snmp ifalias

show port ifindex

show interface

show port

show spantree

show ip route

show vlan

show vtp domain

show arp

show cdp

show cam dynamic

show port status

show counters

    RELATED DOCUMENTATION

    Cisco IOS | 66

    Cisco Nexus | 69

    Cisco Security Appliances | 76

    Cisco IOS

    JSA Risk Manager supports the Cisco Internetwork Operating System (IOS) adapter.

    The Cisco IOS adapter collects device configurations by backing up IOS-based network switches and routers.

    The following features are available with the Cisco IOS adapter:

    • Neighbor data support

    • Dynamic NAT

    • Static NAT

    • SNMP discovery

    • Static routing

    • EIGRP and OSPF dynamic routing

    • P2P Tunneling/VPN

    • Telnet and SSH connection protocols

    The following table describes the integration requirements for Cisco IOS.

    Table 16: Integration Requirements for Cisco IOS

    Versions
        IOS 12.0 to 15.1 for routers and switches.
        Cisco Catalyst 6500 switches with MSFC. Use the Cisco IOS adapter to back up the configuration and state of the MSFC card services.
        If a Cisco IOS 7600 series router has an FWSM, use the Cisco ASA adapter to back up the FWSM.

    User Access Level
        A user with command exec privilege level for each command that the adapter requires to log in and collect data. For example, you can configure a custom privilege level 10 user that uses local database authentication.
        The following example sets all show ip commands to privilege level 10:
            privilege exec level 10 show ip

    SNMP discovery
        Matches IOS or Cisco Internetwork Operating System in SNMP sysDescr.

    Required credential parameters
        Username
        Password
        Enable Username (Optional)
            Use this field if the user needs to enter a specific privilege level when logging in to the device. Use the format level-<n>, where n is a privilege level in the range 0-15. For example, to enter privilege level 10, enter level-10. This results in the enable 10 command being sent to the Cisco device.
        Enable Password (Optional)
        To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

    Supported connection protocols
        Use any one of the following supported connection protocols:
        Telnet
        SSH
        To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

    Commands that the adapter requires to log in and collect data
        terminal length 0
        show version
        show interfaces
        show access-lists
        show standby
        show ip route | exclude ^B
        show ip route bgp | include 0.0.0.0/0
        show object-group
        show vlan
        show startup-config
        show ip arp
        show cdp neighbors detail
        show mac address-table dynamic
        show ip ospf neighbor
        show ip eigrp neighbors

    show ip commands that the adapter requires to log in and collect data
        show ip arp
        show ip bgp neighbors
        show ip eigrp interface
        show ip eigrp neighbors
        show ip eigrp topology
        show ip ospf
        show ip ospf interface
        show ip ospf neighbor
        show ip protocols
        show ip route eigrp
        terminal length 0
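The User Access Level row above shows a single privilege exec level 10 line and leaves the rest of the account setup to the reader. The following added example, which is not code from the Juniper guide or from JSA Risk Manager, turns the full command list of Table 16 into a least-privilege IOS configuration: it strips output modifiers such as "| exclude ^B" (they are not separate commands), drops trailing arguments such as the 0 in "terminal length 0", de-duplicates the commands the table lists twice, and emits one privilege exec level statement per command. The user name jsa-backup, the level 10 and the AAA method-list lines are assumptions chosen for the example.

```python
"""Least-privilege IOS account for the JSA Risk Manager Cisco IOS adapter.

Added example; this is not code from the Juniper guide or from JSA Risk
Manager. It turns the command list in Table 16 into 'privilege exec level'
statements so the collection account can run exactly those commands and
nothing else. The user name, the level (10) and the AAA lines are
assumptions chosen for the example.
"""
import re
from typing import Iterable, List

# Commands from Table 16, including the ones the table lists twice.
ADAPTER_COMMANDS = [
    "terminal length 0",
    "show version",
    "show interfaces",
    "show access-lists",
    "show standby",
    "show ip route | exclude ^B",
    "show ip route bgp | include 0.0.0.0/0",
    "show object-group",
    "show vlan",
    "show startup-config",
    "show ip arp",
    "show cdp neighbors detail",
    "show mac address-table dynamic",
    "show ip ospf neighbor",
    "show ip eigrp neighbors",
    "show ip arp",
    "show ip bgp neighbors",
    "show ip eigrp interface",
    "show ip eigrp neighbors",
    "show ip eigrp topology",
    "show ip ospf",
    "show ip ospf interface",
    "show ip ospf neighbor",
    "show ip protocols",
    "show ip route eigrp",
    "terminal length 0",
]

# A trailing token made only of digits, dots and an optional prefix length
# is an argument (the 0 in "terminal length 0"), not a command keyword.
_ARGUMENT = re.compile(r"^[\d.]+(?:/\d+)?$")


def normalize(command: str) -> str:
    """Reduce a command line to the keyword path that 'privilege exec level'
    takes: drop any output modifier after '|' and any trailing arguments."""
    keywords = command.split("|", 1)[0].split()
    while keywords and _ARGUMENT.match(keywords[-1]):
        keywords.pop()
    return " ".join(keywords)


def privilege_config(commands: Iterable[str], level: int = 10,
                     username: str = "jsa-backup") -> List[str]:
    """Return IOS configuration lines that create a local user at `level`
    and grant the normalized, de-duplicated commands at that level."""
    if not 1 <= level <= 14:
        raise ValueError("use a custom level between 1 and 14; 15 is full access")
    granted = sorted({normalize(c) for c in commands})
    lines = [
        "! Added example: user name, level and AAA method lists are assumptions",
        "aaa new-model",
        "aaa authentication login default local",
        "aaa authorization exec default local",
        f"username {username} privilege {level} secret <set-a-strong-secret>",
    ]
    lines.extend(f"privilege exec level {level} {cmd}" for cmd in granted)
    return lines


if __name__ == "__main__":
    print("\n".join(privilege_config(ADAPTER_COMMANDS)))
```

Because the user is created with privilege 10, it lands at level 10 at login and the Enable Username and Enable Password fields in JSA can stay empty; if you prefer a level 1 login, configure enable secret level 10 on the device instead and enter level-10 in the Enable Username field, which makes the adapter send enable 10. IOS assigns the parent keywords (show, show ip) to the same level automatically when a sub-command is granted, so no extra lines are needed for them.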

    RELATED DOCUMENTATION

    Cisco NGIPS | 74

    Cisco Nexus | 69

    Cisco Security Appliances | 76

    F5 BIG-IP | 81

    Cisco Nexus

    To integrate JSA Risk Manager with your network devices, ensure that you review the requirements for the Cisco Nexus adapter.

    The following features are available with the Cisco Nexus adapter:

    • Neighbor data support

    • SNMP discovery

    • EIGRP and OSPF dynamic routing

    • Static routing

    • Telnet and SSH connection protocols

    The following table describes the integration requirements for the Cisco Nexus adapter.

    Table 17: Integration Requirements for the Cisco Nexus Adapter

    Versions and supported OS levels
        Nexus 5548: OS level 6.0
        Nexus 7000 series: OS level 6.2
        Nexus 9000 series: OS level 6.1

    SNMP discovery
        Matches Cisco NX-OS and an optional qualification string that ends with Software in the SNMP sysDescr.

    Required credential parameters
        Username
        Password
        Enable Password
        If you add virtual device contexts (VDCs) as individual devices, ensure that the required credentials allow the following actions:
        • Access the account that is enabled for the VDCs.
        • Use the required commands in that virtual context.
        To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

    Supported connection protocols
        Use any one of the following supported connection protocols:
        Telnet
        SSH
        To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

    Commands that the adapter requires to log in and collect data
        show hostname
        show version
        show vdc
        show vdc current-vdc
        switchto vdc <vdc>, where vdc is an active VDC that is listed when you enter the command show vdc.
        dir <filesystem>, where filesystem is bootflash, slot0, volatile, log, logflash, or system.
        show running-config
        show startup-config
        show module
        show interface brief
        show interface snmp-ifindex
        show ip access-lists
        show vlan
        show object-group
        show interface <interface>, where interface is any interface that is listed when you enter the command show running-config.
        show ip eigrp
        show ip route eigrp
        show ip ospf
        show ip route ospf
        show ip rip
        show ip route rip

    Telemetry commands
        terminal length 0
        show hostname
        show vdc
        switchto vdc <vdc>, where vdc is an active VDC that is listed when you enter the command show vdc.
        show cdp entry all
        show interface brief
        show ip arp
        show mac address-table
        show ip route

    Methods for adding VDCs for Cisco Nexus Devices

    Use Configuration Source Management to add Nexus network devices and Virtual Device Contexts (VDCs) to JSA. There are two ways to add multiple VDCs to JSA Risk Manager: you can add VDCs as subdevices of the Nexus device or as individual devices.

    View Virtual Device Contexts

    If you add VDCs as individual devices, each VDC is displayed as a device in the topology.

    If you add VDCs as subdevices, they are not displayed in the topology. You can view the VDCs in the Configuration Monitor window.

    Adding VDCs As Subdevices Of Your Cisco Nexus Device

    Use Configuration Source Management to add VDCs as subdevices of your Cisco Nexus device.

    1. Enable the following commands for the user that is specified in the credentials:

    • show vdc (admin context)

    • switchto vdc x, where x is the VDC that is supported.

    2. Use Configuration Source Management to add the admin context IP address of the Nexus device.

    For more information, see “Adding a Network Device” on page 31.

    In Configuration Monitor, you can view the Nexus device in the topology and the VDC subdevices. For information about viewing devices, see the Juniper Secure Analytics Risk Manager User Guide.

    Adding VDCs As Individual Devices

    Use Configuration Source Management to add each virtual device context (VDC) as a separate device. When you use this method, the Nexus device and the VDCs are displayed in the topology.

    When you view your Cisco Nexus device and VDCs in the topology, the chassis containment is represented separately.

    1. Use Configuration Source Management to add the admin IP address of each VDC.

    For more information, see “Adding a Network Device” on page 31.

    2. Use Configuration Source Management to obtain the configuration information for your VDCs.

    3. On the Cisco Nexus device, use the Cisco Nexus CLI to disable the switchto vdc command for the username that is associated with the adapter, so that the adapter stays inside the VDC it was added for.

    Example: If the username for a Cisco Nexus device is qrmuser, type the following commands to create a role that denies switchto vdc and permits only the show, terminal, and dir commands, then assign that role to the user:

        NexusDevice(config)# role name qrmuser
        NexusDevice(config-role)# rule 1 deny command switchto vdc
        NexusDevice(config-role)# rule 2 permit command show *
        NexusDevice(config-role)# rule 3 permit command terminal
        NexusDevice(config-role)# rule 4 permit command dir

    RELATED DOCUMENTATION

    Cisco Security Appliances | 76

    Cisco NGIPS | 74

    F5 BIG-IP | 81

    Fortinet FortiOS | 86

    Cisco NGIPS

    To integrate JSA Risk Manager with your network devices, ensure that you review the requirements for the Cisco Next-Generation Intrusion Prevention System (NGIPS) adapter.

    The following features are available with the Cisco NGIPS adapter:

    • IPS

    • SSH connection protocol

    Limitations:

    • Intrusion policies that are attached to individual access control rules are not used by JSA Risk Manager. Only the default intrusion policy is supported.

    • NAT and VPN are not supported.

    The following table describes the integration requirements for the Cisco NGIPS adapter.

    Table 18: Integration Requirements for the Cisco NGIPS Adapter

    Versions
        6.2.0

    SNMP discovery
        No

    Required credential parameters
        Username
        Password
        To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

    Supported connection protocols
        SSH
        To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

    Commands that the adapter requires to log in and collect data
        show version
        show memory
        show network
        show interfaces
        expert
        sudo
        su
        df
        hostname
        ip addr
        route
        cat
        find
        head
        mysql

    Commands that the adapter uses to read configuration information
        sudo su df
            To get hardware information.
        sudo su hostname
            To get the system host name.
        sudo su route -n
            To get routing information.
        /etc/sf/ims.conf
            Use the cat or head command to read files and get configurations.
        $SNORT_DIR/fwcfg/affinity.conf
            Read to get the base directory for the SNORT instance, which is referenced as $DE_DIR in the following three entries.
        $DE_DIR/policyText_full.yaml
            Read the IPS rules and objects.
        $DE_DIR/snort.conf
            Read the SNORT configuration.
        $DE_DIR/*
            Files are read in dynamically when they are referenced in the policyText_full.yaml file.
        $SNORT_DIR/iprep_download
            The adapter uses the find command to search for IP reputation files in this directory.
        /etc/sf/ims-data.conf
            File that is read to get the database connection credentials.

    Because the adapter enters expert mode and runs commands under sudo su, and reads the database connection credentials from /etc/sf/ims-data.conf, the account that you provide effectively has root access on the sensor. Dedicate that account to the adapter and protect its credentials accordingly.

    RELATED DOCUMENTATION

    Cisco Security Appliances | 76

    F5 BIG-IP | 81

    Fortinet FortiOS | 86

    Cisco Security Appliances

    To integrate JSA Risk Manager with your network devices, ensure that you review the requirements for the Cisco Security Appliances adapter.

    The following features are available with the Cisco Security Appliances adapter:

    • Neighbor data support

    • Static NAT

    • SNMP discovery

    • EIGRP and OSPF dynamic routing

    • Static routing

    • IPSEC tunneling

    • Telnet and SSH connection protocols

    The Cisco Security Appliances adapter collects device configurations by backing up Cisco family devices. The Cisco Security Appliances adapter supports the following firewalls:

    • Cisco Adaptive Security Appliances (ASA) 5500 series

    • Firewall Service Module (FWSM) in a Catalyst chassis

    • Established Private Internet Exchange (PIX) device.

    NOTE: Cisco ASA transparent contexts cannot be placed in the JSA Risk Manager topology, and you cannot do path searches across these transparent contexts.

    The following table describes the integration requirements for the Cisco Security Appliances adapter.

    Table 19: Integration Requirements for the Cisco Security Appliances Adapter

    Versions
        ASA: 8.2, 8.4 to 9.1.7
        PIX: 6.1, 6.3
        FWSM: 3.1, 3.2

    Minimum User Access Level
        privilege level 5
        You can back up devices with privilege level 5 access. For example, you can configure a level 5 user that uses local database authentication by running the following commands:
            aaa authorization command LOCAL
            aaa authentication enable console LOCAL
            privilege cmd level 5 mode exec command terminal
            privilege cmd level 5 mode exec command changeto (multi-context only)
            privilege show level 5 mode exec command running-config
            privilege show level 5 mode exec command startup-config
            privilege show level 5 mode exec command version
            privilege show level 5 mode exec command shun
            privilege show level 5 mode exec command names
            privilege show level 5 mode exec command interface
            privilege show level 5 mode exec command pager
            privilege show level 5 mode exec command arp
            privilege show level 5 mode exec command route
            privilege show level 5 mode exec command context
            privilege show level 5 mode exec command mac-address-table

    SNMP discovery
        Matches PIX or Adaptive Security Appliance or Firewall Service Module in SNMP sysDescr.

    Required credential parameters
        Username
        Password
        Enable Password
        To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

    Supported connection protocols
        Use any one of the following supported connection protocols:
        Telnet
        SSH
        SCP
        To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

    Commands that the adapter requires to log in and collect data
        changeto context
        changeto system
        show running-config
        show startup-config
        show arp
        show context
        show interface
        show mac-address-table
        show names
        show ospf neighbor
        show route
        show shun
        show version
        terminal pager 0
        show interface detail
        show crypto ipsec sa
        show eigrp topology
        show eigrp neighbors
        show firewall
        The changeto context command is used for each context on the ASA device.
        The changeto system command detects whether the system has multi-context configurations and determines the admin-context.
        The changeto context command is required if the changeto system command has a multi-context configuration or admin-configuration context.
        The terminal pager command is used to turn off paging behavior.

    RELATED DOCUMENTATION

    F5 BIG-IP | 81

    Fortinet FortiOS | 86

    Generic SNMP Adapter | 89

    F5 BIG-IP

    JSA Risk Manager supports the F5 BIG-IP adapter.

    The following features are available with the F5 BIG-IP adapter:

    • Neighbor data support

    • Dynamic NAT

    • Static NAT

    • SNMP discovery

    • Static routing

    • IPv6 support

    F5 BIG-IP load balancer appliances that run the Local Traffic Manager (LTM) are supported.

    The following table describes the integration requirements for the F5 BIG-IP adapter.

    Table 20: Integration Requirements for the F5 BIG-IP Adapter

    Versions
        10.1 to 13.1

    SNMP discovery
        Matches F5 BIG-IP when the SNMP sysObjectID contains 1.3.6.1.4.1.3375.2.

    Required credential parameters
        Username
        Password
        To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

    Supported connection protocols
        SSH
        To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

    Version 10 (Bigpipe) backup commands
        NOTE: On version 10, the adapter sends Bigpipe commands. On versions 11 and later, the adapter sends tmsh commands.
        bigpipe global
        bigpipe system hostname
        bigpipe platform
        uptime
        bigpipe version show
        cat /config/bigip.license
        bigpipe db packetfilter
        bigpipe db packetfilter.defaultaction
        bigpipe packet filter list
        bigpipe nat list all
        bigpipe vlan show all
        bigpipe vlangroup list all
        bigpipe vlangroup
        ip addr list
        bigpipe interface show all
        bigpipe interface all media speed
        bigpipe trunk all interfaces
        route -n
        bigpipe route all list all
        bigpipe mgmt show all
        bigpipe mgmt route show all
        bigpipe pool
        bigpipe self
        bigpipe virtual list all
        bigpipe snat list all
        bigpipe snatpool list all
        b db snat.anyipprotocol

    Version 11 and later (tmsh) backup commands
        NOTE: On version 10, the adapter sends Bigpipe commands. On versions 11 and later, the adapter sends tmsh commands.
        list sys global-settings hostname
        list sys management-ip
        show sys memory
        show sys hardware
        show sys version
        list sys db packetfilter
        list sys db packetfilter.defaultaction
        list sys db snat.anyipprotocol
        list net interface all-properties
        list net trunk
        list net packet-filter
        list net vlan all-properties
        show net vlan
        list net vlan-group all all-properties
        show net vlan-group
        list ltm virtual
        list ltm nat
        list ltm snatpool
        list ltm snat
        list net route
        list ltm pool
        list net self
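The SNMP discovery rows of Tables 15 through 20 each describe a match rule: a substring of sysDescr for the Cisco adapters, a sysObjectID arc for F5 BIG-IP, and no discovery at all for Cisco NGIPS (the FortiOS table that follows also has none). The following added example, which is not JSA Risk Manager code, applies those rules to a small inventory. Every sysDescr string and sysObjectID in it is constructed for the example, and the rule order is the example's own choice.

```python
"""SNMP discovery rules for the adapters in Tables 15 to 21.

Added example; this is not JSA Risk Manager code. It applies the sysDescr
and sysObjectID match rules that the tables describe to decide which
adapter a discovered device belongs to. All sample sysDescr strings and
sysObjectID values below are constructed for the example.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# The F5 rule is the only one that looks at sysObjectID: the OID must
# contain the F5 BIG-IP arc 1.3.6.1.4.1.3375.2 as a whole arc, so that
# a hypothetical 1.3.6.1.4.1.3375.20 does not match.
_F5_ARC = re.compile(r"(?:^|\.)1\.3\.6\.1\.4\.1\.3375\.2(?:\.|$)")
# Nexus: "Cisco NX-OS" plus an optional qualification string ending in "Software".
_NXOS = re.compile(r"Cisco NX-OS(?:.*Software)?")


def _descr_contains(*needles: str) -> Callable[[str, str], bool]:
    """Rule factory: case-sensitive substring test on sysDescr, which is
    how the tables phrase the Cisco rules."""
    return lambda descr, _oid: any(n in descr for n in needles)


# (adapter name, rule). Order matters: the loosest token, "IOS", is tried
# last so that it cannot claim a device that another rule identifies.
RULES: List[Tuple[str, Callable[[str, str], bool]]] = [
    ("F5 BIG-IP", lambda _d, oid: _F5_ARC.search(oid) is not None),
    ("Cisco Nexus", lambda d, _o: _NXOS.search(d) is not None),
    ("Cisco Security Appliances",
     _descr_contains("PIX", "Adaptive Security Appliance", "Firewall Service Module")),
    ("Cisco CatOS", _descr_contains("CATOS", "Catalyst Operating System")),
    ("Cisco IOS", _descr_contains("IOS", "Cisco Internetwork Operating System")),
]


def select_adapter(sysdescr: str, sysobjectid: str = "") -> Optional[str]:
    """Return the adapter that SNMP discovery would pick, or None when no
    rule matches (Cisco NGIPS and Fortinet FortiOS have no SNMP discovery
    and must be added manually)."""
    for adapter, rule in RULES:
        if rule(sysdescr, sysobjectid):
            return adapter
    return None


# Constructed inventory: (sysDescr, sysObjectID) pairs made up for this example.
SAMPLES: Dict[str, Tuple[str, str]] = {
    "ios": ("Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE", ""),
    "msfc": ("Cisco Internetwork Operating System Software IOS (tm) MSFC2 Software, Version 12.1(13)E", ""),
    "catos": ("Cisco Systems WS-C6509 Cisco Catalyst Operating System Software, Version NmpSW: 6.4(8)", ""),
    "nexus": ("Cisco NX-OS(tm) n7000, Software (n7000-s2-dk9), Version 6.2(8)", ""),
    "asa": ("Cisco Adaptive Security Appliance Version 9.1(7)", ""),
    "bigip": ("Linux bigip1 3.10.0 SMP x86_64", "1.3.6.1.4.1.3375.2.1.3.4.43"),
    "not_f5": ("Linux host 3.10.0 SMP x86_64", "1.3.6.1.4.1.3375.20.1"),
    "fortigate": ("FortiGate-100D v5.2.4,build0688,150722", ""),
    "ngips": ("Linux firepower-sensor 3.10.0 SMP x86_64", ""),
}


def classify_inventory(samples: Dict[str, Tuple[str, str]]) -> Dict[str, Optional[str]]:
    """Run discovery over an inventory and report the adapter per device."""
    return {name: select_adapter(descr, oid) for name, (descr, oid) in samples.items()}


if __name__ == "__main__":
    for name, adapter in classify_inventory(SAMPLES).items():
        print(f"{name:10s} -> {adapter or 'no SNMP discovery; add manually'}")
```

The match is a plain substring test on a string that the device reports about itself, so discovery only selects which adapter, and therefore which credential set and command list, JSA will use against that address; it does not authenticate the device. Treat an unexpected adapter choice for a known address as something to investigate before credentials are sent.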

    RELATED DOCUMENTATION

    Fortinet FortiOS | 86

    Generic SNMP Adapter | 89

    HP Networking ProVision | 91

    Fortinet FortiOS

    The JSA Risk Manager adapter for Fortinet FortiOS supports Fortinet FortiGate appliances that run the Fortinet operating system (FortiOS).

    The following features are available with the Fortinet FortiOS adapter:

    • Static NAT

    • Static routing

    • Telnet and SSH connection protocols

    The Fortinet FortiOS adapter interacts with FortiOS over Telnet or SSH. The following list describes some limitations of JSA Risk Manager and the Fortinet FortiOS adapter:

    • Geography-based addresses and referenced policies are not supported by JSA Risk Manager.

    • Identity-based, VPN, and Internet Protocol Security policies are not supported by JSA Risk Manager.

    • Policies that use Unified Threat Management (UTM) profiles are not supported by the Fortinet FortiOS adapter. Only Layer 3 firewall policies are supported.

    • Policy Routes are not supported.

    • Virtual Domains with Virtual Links that have partial IP addresses or no IP addresses are not supported.

    The integration requirements for the Fortinet FortiOS adapter are described in the following table:

    Table 21: Integration Requirements for the Fortinet FortiOS Adapter

    Version
        4.0 MR3 to 5.2.4

    SNMP discovery
        No

    Required credential parameters
        Username
        Password
        To add credentials in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

    Supported connection protocols
        Use any one of the following supported connection protocols:
        Telnet
        SSH
        To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

    User access level requirements
        Read-write access for Fortinet firewalls that have VDOMs enabled.
        Read-only access for Fortinet firewalls that don't have VDOMs enabled.

    Commands that the adapter sends, continued on the following page:

    config system console

    set output standard

    NOTE: The config system console and set output standard commands require a user with read/write access to the system configuration. If you use a read-only user with pagination enabled when you back up a FortiGate device, the performance is impaired significantly.

    show system interface

    get hardware nic

    get system status

    get system performance status

    get router info routing-table static

    get test dnsproxy 6

    show firewall addrgrp

    show firewall address

    show full-configuration

    get firewall service predefined

    show firewall service custom

    show firewall service group

    show firewall policy