
Security Threat Response Manager

STRM Administration Guide

Release 2010.0

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
408-745-2000
www.juniper.net

Published: 2011-10-10

Copyright Notice
Copyright 2011 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

  Reorient or relocate the receiving antenna.
  Increase the separation between the equipment and receiver.
  Consult the dealer or an experienced radio/TV technician for help.
  Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

STRM Administration Guide, Release 2010.0
Copyright 2011, Juniper Networks, Inc. All rights reserved. Printed in USA.

Revision History
October 2011  R1  STRM Administration Guide

The information in this document is current as of the date listed in the revision history.

CONTENTS

ABOUT THIS GUIDE
  Audience
  Conventions
  Technical Documentation
  Contacting Customer Support

1 OVERVIEW
  About the Interface
  Using the Admin Interface
  Deploying Changes
  Updating User Details
  Resetting SIM
  About High Availability
  Monitoring STRM Systems with SNMP

2 MANAGING USERS
  Managing Roles
  Viewing Roles
  Creating a Role
  Editing a Role
  Deleting a Role
  Managing User Accounts
  Creating a User Account
  Editing a User Account
  Disabling a User Account
  Authenticating Users
  Configuring your SSL Certificate

3 MANAGING THE SYSTEM
  Managing Your License Keys
  Updating your License Key
  Exporting Your License Key Information
  Restarting a System
  Shutting Down a System
  Configuring Access Settings
  Configuring Firewall Access
  Updating Your Host Set-up
  Configuring Interface Roles
  Changing Passwords
  Updating System Time

4 MANAGING HIGH AVAILABILITY
  Before You Begin
  HA Deployment Overview
  HA Clustering
  Data Storage Strategies
  Failovers
  Adding an HA Cluster
  Editing an HA Cluster
  Removing an HA Host
  Setting an HA Host Offline
  Setting an HA Host Online
  Restoring a Failed Host

5 SETTING UP STRM
  Creating Your Network Hierarchy
  Considerations
  Defining Your Network Hierarchy
  Scheduling Automatic Updates
  Scheduling Automatic Updates
  Updating Your Files On-Demand
  Configuring System Settings
  Using Event and Flow Retention Buckets
  Configuring Event Retention Buckets
  Configuring Flow Retention Buckets
  Managing Retention Buckets
  Configuring System Notifications
  Configuring the Console Settings

6 MANAGING AUTHORIZED SERVICES
  Viewing Authorized Services
  Adding an Authorized Service
  Revoking Authorized Services
  Configuring the Customer Support Service
  Dismissing an Offense
  Closing an Offense
  Adding Notes to an Offense

7 MANAGING BACKUP AND RECOVERY
  Managing Backup Archives
  Viewing Backup Archives
  Importing an Archive
  Deleting a Backup Archive
  Backing Up Your Information
  Scheduling Your Backup
  Initiating a Backup
  Restoring Your Configuration Information
  Restoring on a System with the Same IP Address
  Restoring to a System with a Different IP Address

8 USING THE DEPLOYMENT EDITOR
  About the Deployment Editor
  Accessing the Deployment Editor
  Using the Editor
  Building Your Deployment
  Before you Begin
  Configuring Deployment Editor Preferences
  Building Your Event View
  Adding Components
  Connecting Components
  Forwarding Normalized Events and Flows
  Renaming Components
  Managing Your System View
  Setting Up Managed Hosts
  Using NAT with STRM
  Configuring a Managed Host
  Assigning a Component to a Host
  Configuring Host Context
  Configuring an Accumulator
  Configuring STRM Components
  Configuring a QFlow Collector
  Configuring an Event Collector
  Configuring an Event Processor
  Configuring the Magistrate
  Configuring an Off-site Source
  Configuring an Off-site Target

9 MANAGING FLOW SOURCES
  About Flow Sources
  NetFlow
  sFlow
  J-Flow
  Packeteer
  Flowlog File
  Napatech Interface
  Managing Flow Sources
  Adding a Flow Source
  Editing a Flow Source
  Enabling/Disabling a Flow Source
  Deleting a Flow Source
  Managing Flow Source Aliases
  Adding a Flow Source Alias
  Editing a Flow Source Alias
  Deleting a Flow Source Alias

10 CONFIGURING REMOTE NETWORKS AND SERVICES
  Managing Remote Networks
  Default Remote Network Groups
  Adding a Remote Networks Object
  Editing a Remote Networks Object
  Managing Remote Services
  Default Remote Service Groups
  Adding a Remote Services Object
  Editing a Remote Services Object
  Using Best Practices

11 CONFIGURING RULES
  Viewing Rules
  Creating a Custom Rule
  Creating an Anomaly Detection Rule
  Managing Rules
  Enabling/Disabling Rules
  Editing a Rule
  Copying a Rule
  Deleting a Rule
  Grouping Rules
  Viewing Groups
  Creating a Group
  Editing a Group
  Copying an Item to Another Group(s)
  Deleting an Item from a Group
  Assigning an Item to a Group
  Editing Building Blocks

12 DISCOVERING SERVERS

13 FORWARDING SYSLOG DATA
  Adding a Syslog Destination
  Editing a Syslog Destination
  Delete a Syslog Destination

A JUNIPER NETWORKS MIB

B ENTERPRISE TEMPLATE
  Default Rules
  Default Building Blocks

C RULE TESTS
  Event Rule Tests
    Host Profile Tests
    IP/Port Tests
    Event Property Tests
    Common Property Tests
    Log Source Tests
    Function - Sequence Tests
    Function - Counter Tests
    Function - Simple Tests
    Date/Time Tests
    Network Property Tests
    Function - Negative Tests
  Flow Rule Tests
    Host Profile Tests
    IP/Port Tests
    Flow Property Tests
    Common Property Tests
    Function - Sequence Tests
    Function - Counters Tests
    Function - Simple Tests
    Date/Time Tests
    Network Property Tests
    Function - Negative Tests
  Common Rule Tests
    Host Profile Tests
    IP/Port Tests
    Common Property Tests
    Functions - Sequence Tests
    Function - Counter Tests
    Function - Simple Tests
    Date/Time Tests
    Network Property Tests
    Functions Negative Tests
  Offense Rule Tests
    IP/Port Tests
    Function Tests
    Date/Time Tests
    Log Source Tests
    Offense Property Tests
  Anomaly Detection Rule Tests
    Anomaly Rule Tests
    Behavioral Rule Tests
    Threshold Rule Tests

D VIEWING AUDIT LOGS
  Logged Actions
  Viewing the Log File

E EVENT CATEGORIES
  High-Level Event Categories
    Recon
    DoS
    Authentication
    Access
    Exploit
    Malware
    Suspicious Activity
    System
    Policy
    CRE
    Potential Exploit
    SIM Audit
    VIS Host Discovery
    Application
    Audit
    Risk

F CONFIGURING FLOW FORWARDING FROM PRE-2010.0 OFF-SITE FLOW SOURCES
  Configuring Flow Forwarding from pre-2010.0 Off-site Flow Sources
  Adding a STRM 2010.0 Off-Site Target to a Pre-2010.0 Off-Site Flow Source
  Creating a Pre-2010.0 Off-Site Flow Source
  Reconfiguring Flow Forwarding from an Upgraded Off-site Flow Sources
  Removing the Pre-2010.0 Off-Site Flow Source
  Reconnecting the Off-site Target
  Adding the Off-site Source

INDEX

ABOUT THIS GUIDE

The STRM Administration Guide provides you with information for managing STRM functionality requiring administrative access.

Audience

This guide is intended for the system administrator responsible for setting up STRM in your network. This guide assumes that you have STRM administrative access and a knowledge of your corporate network and networking technologies.

Documentation Conventions

Table 1 lists conventions that are used throughout this guide.

Table 1 Icons

Type              Description
Information note  Information that describes important features or instructions.
Caution           Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning           Information that alerts you to potential personal injury.

Technical Documentation

You can access technical documentation, technical notes, and release notes directly from the Juniper customer support website at https://www.juniper.net/support/. Once you access the Juniper customer support website, locate the product and software release for which you require documentation. Your comments are important to us. Please send your e-mail comments about this guide or any of the Juniper Networks documentation to: [email protected]. Include the following information with your comments:

  Document title
  Page number


Requesting Technical Support

To help resolve any issues that you may encounter when installing or maintaining STRM, you can contact Customer Support as follows:

  Open a support case using the Case Management link at http://www.juniper.net/support
  Call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere).

1 OVERVIEW

This chapter provides an overview of STRM administrative functionality, including:

  About the Interface
  Using the Admin Interface
  Deploying Changes
  Resetting SIM
  Updating User Details
  About High Availability
  Monitoring STRM Systems with SNMP

About the Interface

You must have administrative privileges to access administrative functions. To access administrative functions, click the Admin tab in the STRM user interface. The Admin interface provides access to the following functions:

  Manage users. See Chapter 2 - Managing Users.
  Manage your network settings. See Chapter 3 - Managing the System.
  Manage high availability. See Chapter 4 - Managing High Availability.
  Manage STRM settings. See Chapter 5 - Setting Up STRM.
  Manage authorized services. See Chapter 6 - Managing Authorized Services.
  Back up and recover your data. See Chapter 7 - Managing Backup and Recovery.
  Manage your deployment views. See Chapter 8 - Using the Deployment Editor.
  Manage flow sources. See Chapter 9 - Managing Flow Sources.
  Configure remote networks and remote services. See Chapter 10 - Configuring Remote Networks and Services.
  Configure rules. See Chapter 11 - Configuring Rules.
  Discover servers. See Chapter 12 - Discovering Servers.
  Configure syslog forwarding. See Chapter 13 - Forwarding Syslog Data.
  Manage vulnerability scanners. For more information, see the Managing Vulnerability Assessment Guide.
  Configure plug-ins. For more information, see the associated documentation.
  Configure the STRM Risk Manager. For more information, see the STRM Risk Manager Users Guide.
  Manage log sources. For more information, see the Log Sources Users Guide.

All configuration updates using the Admin interface are saved to a staging area. Once all changes are complete, you can deploy the configuration changes or all configuration settings to the remainder of your deployment. For more information, see Deploying Changes.

Using the Admin Interface

The Admin interface provides several tab and menu options that allow you to configure STRM, including:

  System Configuration - Provides access to administrative functionality, such as user management, automatic updates, license key, network hierarchy, system notifications, authorized services, backup and recovery, and Console configuration.
  Data Sources - Provides access to vulnerability scanners, log source management, custom event and flow properties, event and flow retention buckets, and flow sources.
  Remote Networks and Services Configuration - Provides access to STRM remote networks and services.
  Plugins - Provides access to plug-in components, such as the plug-in for the STRM Risk Manager. This option only appears if there are plug-ins installed on your Console.

The Admin interface also includes several menu options, including:

Table 2-1 Admin Interface Menu Options

Menu Option        Sub-Menu                   Description
Deployment Editor                             Opens the deployment editor interface. For more information, see Chapter 8 - Using the Deployment Editor.
Deploy Changes                                Deploys any configuration changes from the current session to your deployment.
Advanced           Clean SIM Model            Resets the SIM module. See Resetting SIM.
Advanced           Deploy Full Configuration  Deploys all changes.


Deploying Changes

Once you update your configuration settings using the Admin interface, the changes are saved to the staging area. You can deploy them manually using the Deploy Changes button; otherwise, when you exit the Admin interface, a window prompts you to deploy the changes before you exit. All deployed changes are then applied throughout your deployment. Using the Admin interface menu, you can deploy changes as follows:

  Advanced > Deploy Full Configuration - Deploys all configuration settings to your deployment.
  Deploy Changes - Deploys any configuration changes from the current session to your deployment.

Updating User Details

You can access your administrative user details through the main STRM interface. To access your user information, click Preferences. The User Details window is displayed. You can update your administrative user details, if required.

Note: For information on the pop-up notifications, see the STRM Users Guide.

Resetting SIM

Using the Admin interface, you can reset the SIM module, which allows you to remove all offense, source IP address, and destination IP address information from the database and the disk. This option is useful after tuning your deployment, to avoid receiving any additional false positive information.

To reset the SIM module:

Step 1 Click the Admin tab.
Step 2 From the Advanced menu, select Clean SIM Model.
The Reset SIM Data Module window is displayed.


Step 3 Read the information in the window.
Step 4 Select one of the following options:
  Soft Clean - Closes all offenses in the database. If you select the Soft Clean option, you can also select the Deactivate all offenses check box.
  Hard Clean - Purges all current and historical SIM data including offenses, source IP addresses, and destination IP addresses.
Step 5 If you want to continue, select the Are you sure you want to reset the data model? check box.
Step 6 Click Proceed.
A message is displayed, indicating that the SIM reset process has started. This process may take several minutes, depending on the amount of data in your system.
Step 7 Click Close.
Step 8 Once the SIM reset process is complete, reset your browser.

Note: If you attempt to navigate to other areas of the user interface during the SIM reset process, an error message is displayed.

About High Availability

The High Availability (HA) feature ensures availability of STRM data in the event of a hardware or network failure. Each HA cluster consists of a primary host and a standby secondary host. The secondary host maintains the same data as the primary host by either replicating the data on the primary host or accessing a shared external storage. At regular intervals, every 10 seconds by default, the secondary host sends a heartbeat ping to the primary host to detect hardware or network failure. If the secondary host detects a failure, the secondary host automatically assumes all responsibilities of the primary host.


Note: HA is not supported in an IPv6 environment. For more information on managing HA clusters, see Chapter 4 - Managing High Availability.

Monitoring STRM Systems with SNMP

STRM supports the monitoring of STRM appliances through SNMP polling. STRM uses the Net-SNMP agent, which supports a variety of system resource monitoring MIBs that can be polled by network management solutions for the monitoring and alerting of system resources. For more information on Net-SNMP, refer to the Net-SNMP documentation.

Enabling SNMP support in 2009.1 and 2009.2: SNMP support was disabled in STRM versions prior to 2009.1 because of a security vulnerability. Solution: The security vulnerability that prevented STRM from using the SNMP agent for system monitoring has been overcome. If you are running STRM 2009.1 or 2009.2 with the latest patch, you can use the following instructions to re-enable support for SNMP. This functionality will be available by default in the 2010.1 release of STRM.

Step 1 Download the SNMP Agent RPM from: http://download.juniper.net/software/strm/snmp_agent-20080205-6.2.0.530_ctrh.i386.rpm
Step 2 Connect to the STRM Console via ssh or a console connection as the root user.
Step 3 Open the global configuration file and change LINUX_AGENT_ENABLED to yes:

    vi /store/configservices/staging/globalconfig/nva.conf

Step 4 In the STRM Admin tab, click Deploy Changes.
Step 5 Transfer the SNMP agent RPM to the Console using scp, then install it:

    rpm -Uvh snmp_agent-20080205-6.2.0.530_ctrh.i386.rpm

Step 6 Edit the root crontab with the command crontab -e and add the following at the bottom of the file. The cron entry must stay on a single line; it restarts the agent whenever its lock file exists but the service is no longer reported as running:

    # check snmp agent for death every minute
    * * * * * if [ -f /var/lock/subsys/snmp_agent ] ; then { if [ `service snmp_agent status 2>&1 | grep -c 'is running'` -eq 0 ] ; then { rm -f /var/lock/subsys/snmp_agent ; service snmp_agent start > /dev/null 2>&1 ; } fi ; } fi

Step 7 Start the snmp_agent service with the command:

    service snmp_agent start
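The two hand-edited parts of this procedure (the nva.conf change and the crontab watchdog entry) are easy to get wrong or to duplicate when the steps are repeated on several Consoles. The following script is an added example, not part of the Juniper guide: it applies both edits idempotently to files whose paths are passed as arguments, so it can be run against exported copies and checked before anything is loaded back. The function names and the use of copies are this example's assumptions; the configuration key, file path and cron line are the guide's.

```shell
#!/bin/sh
# Added example, not part of the Juniper STRM guide: makes the two hand-edited
# steps of the SNMP enablement procedure (the nva.conf change and the crontab
# watchdog) repeatable. Paths are parameters so the functions can be run
# against copies; on a Console the real files are
# /store/configservices/staging/globalconfig/nva.conf and root's crontab.

# Set LINUX_AGENT_ENABLED=yes in the given nva.conf file: replace an existing
# value, or append the key if it is absent. Running it twice changes nothing.
enable_linux_agent() {
    conf="$1"
    if grep -q '^LINUX_AGENT_ENABLED=' "$conf"; then
        sed 's/^LINUX_AGENT_ENABLED=.*/LINUX_AGENT_ENABLED=yes/' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'LINUX_AGENT_ENABLED=yes\n' >> "$conf"
    fi
}

# The watchdog entry from the guide. cron requires it on one line; the
# escaped backticks keep the command substitution literal in this string.
WATCHDOG="* * * * * if [ -f /var/lock/subsys/snmp_agent ] ; then { if [ \`service snmp_agent status 2>&1 | grep -c 'is running'\` -eq 0 ] ; then { rm -f /var/lock/subsys/snmp_agent ; service snmp_agent start > /dev/null 2>&1 ; } fi ; } fi"

# Append the watchdog to a crontab file unless it is already present, so
# re-running the procedure does not stack duplicate entries.
install_watchdog() {
    crontab_file="$1"
    if grep -q 'service snmp_agent start' "$crontab_file" 2>/dev/null; then
        return 0
    fi
    {
        printf '# check snmp agent for death every minute\n'
        printf '%s\n' "$WATCHDOG"
    } >> "$crontab_file"
}

# Check the end state: the agent flag is set and exactly one watchdog exists.
# Returns 0 when both hold, 1 otherwise.
verify_snmp_setup() {
    grep -qx 'LINUX_AGENT_ENABLED=yes' "$1" || return 1
    [ "$(grep -c 'service snmp_agent start' "$2" 2>/dev/null)" -eq 1 ] || return 1
    return 0
}

# Stand-alone use: sh enable_snmp.sh <nva.conf> <crontab-file>
# On the Console, export root's crontab first (crontab -l > /tmp/root.cron),
# run against that copy, then load it back (crontab /tmp/root.cron) and
# deploy the nva.conf change from the Admin tab as the guide describes.
if [ "$#" -eq 2 ]; then
    enable_linux_agent "$1"
    install_watchdog "$2"
    verify_snmp_setup "$1" "$2" && echo "SNMP agent configuration staged"
fi
```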

2 MANAGING USERS

You can manage user accounts for all users that require access to STRM. Each user is associated with a role, which determines the privileges the user has to access functionality and information within STRM. You can add and remove user accounts, and restrict or allow access to certain areas of the network. This chapter provides information on managing STRM users, including:

  Managing Roles
  Managing User Accounts
  Authenticating Users

Managing Roles

You must create a role before you can create user accounts. By default, STRM provides a default administrative role, which provides access to all areas of STRM. A user that is assigned administrative privileges (including the default administrative role) cannot edit their own account. Another administrative user must make any account changes. This section includes information on managing user roles, including:

  Viewing Roles
  Creating a Role
  Editing a Role
  Deleting a Role

Viewing Roles

To view roles:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel is displayed.
Step 3 In the User Management section, click the User Roles icon.
The Manage Roles window is displayed.


The Manage Roles window provides the following information:

Table 3-1 Manage Roles Parameters

Role - Specifies the defined user role.
Log Sources - Specifies the log sources you want this role to access. Note: Log sources are external event log sources such as security equipment (for example, firewalls and IDSs) and network equipment (for example, switches and routers). This allows you to restrict or grant access for users assigned to the role to view logs, events, and offense data received from assigned security and network log sources or log source groups. For non-administrative users, this column displays a link that allows an administrative user to edit the permissions for the role. For more information on editing a user role, see Editing a Role. To view the list of log sources that have been assigned to this role, move your mouse over the text in the Log Sources column. The list of log sources is displayed below the Manage Roles table.
Associated Users - Specifies the users associated with this role.
Action - Allows you to edit or delete the user role.

Creating a Role

To create a role:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel is displayed.
Step 3 Click the User Roles icon.
The Manage Roles window is displayed.
Step 4 Click Create Role.
The Manage Role Permissions window is displayed.


Step 5 Enter values for the parameters. You must select at least one permission to proceed to the next step.

Table 3-2 Create Roles Parameters

Role Name - Type a unique name for the role. The name can be up to 15 characters in length and must only contain integers and letters.


Admin - Select this check box if you want to grant this user administrative access to the STRM interface. Once you select the Admin check box, all administrative access check boxes are selected by default. Within the Admin role, you can grant individual access to the following:
  Administrator Manager - Select this check box if you want to allow users the ability to create and edit other administrative user accounts. If you select this check box, the System Administrator check box is automatically selected.
  System Administrator - Select this check box if you want to allow users access to all areas of STRM. Users with this access are not able to edit other administrator accounts.
  Remote Networks and Services Configuration - Select this check box if you want to allow users the ability to configure remote networks and services in the Admin interface.
Offenses - Select this check box if you want to grant this user access to all Offenses interface functionality. Within the Offenses role, you can grant individual access to the following:
  Customized Rule Creation - Select this check box if you want to allow users to create custom rules.
  Assign Offenses to Users - Select this check box if you want to allow users to assign offenses to other users.
  For more information on the Offenses interface, see the STRM Users Guide.
Log Activity - Select this check box if you want this user to have access to all Log Activity interface functionality. Within the Log Activity role, you can also grant users individual access to the following:
  Manage Time Series - Select this check box if you want to allow users the ability to configure and view time series data charts.
  Customized Rule Creation - Select this check box if you want to allow users to create rules using the Log Activity interface.
  User Defined Event Properties - Select this check box if you want to allow users the ability to create custom event properties. For more information on custom event properties, see the STRM Users Guide.
  For more information on the Log Activity interface, see the STRM Users Guide.


Assets - Select this check box if you want to grant this user access to all Assets interface functionality. Within the Assets role, you can grant individual access to the following:
  Remove Vulnerabilities - Select this check box if you want to allow users to remove vulnerabilities from assets.
  Server Discovery - Select this check box if you want to allow users to discover servers.
  View VA Data - Select this check box if you want to allow users access to vulnerability assessment data. For more information on vulnerability assessment, see the Managing Vulnerability Assessment guide.
  Perform VA Scans - Select this check box if you want to allow users to perform vulnerability assessment scans. For more information on vulnerability assessment, see the Managing Vulnerability Assessment guide.
Network Activity - Select this check box if you want to grant this user access to all Network Activity interface functionality. Within the Network Activity role, you can grant individual access to the following:
  View Flow Content - Select this check box if you want to allow users access to flow data. For more information on viewing flows, see the STRM Users Guide.
  Manage Time Series - Select this check box if you want to allow users to configure and view time series data charts.
  Customized Rule Creation - Select this check box if you want to allow users to create rules using the Log Activity interface.
  User Defined Flow Properties - Select this check box if you want to allow users the ability to create custom flow properties. For more information on custom flow properties, see the STRM Users Guide.
  For more information, see the STRM Users Guide.
Reports - Select this check box if you want to grant this user access to all Reports interface functionality. Within the Reports role, you can grant users individual access to the following:
  Maintain Templates - Select this check box if you want to allow users to maintain reporting templates.
  Distribute Reports via Email - Select this check box if you want to allow users to distribute reports through e-mail.
  For more information, see the STRM Users Guide.
IP Right Click Menu Extensions - Select this check box if you want to grant this user access to options added to the right-click menu.


Risks - This option is only available if the STRM Risk Manager is activated. Select this check box if you want to grant users access to STRM Risk Manager functionality. For more information, see the STRM Risk Manager Users Guide.

Step 6 Click Next.
Step 7 Choose one of the following options:
  a If you selected a role that includes Log Activity permissions, go to Step 8.
  b If you selected a role that does not include Log Activity permissions, go to Step 10.
The Add Log Sources to User Role window is displayed.
Step 8 Select the log sources you want to add to the user role:
  a From the Log Source Group drop-down list box, select a log source group.
  b From the Log Source list, locate and select the log source(s) you want the users assigned to this role to have access to.
  Hint: You can add an entire log source group by clicking the icon in the Log Source Group section. You can also select multiple log sources by holding the CTRL key while you select each log source you want to add.
  c Click the icon.
The selected log source(s) move to the Selected Log Source Objects field.
Step 9 Click Next.
A confirmation message is displayed.


Step 10 Click Return.
Step 11 Close the Manage Roles window.
The Admin interface is displayed.
Step 12 From the Admin interface toolbar, click Deploy Changes.

Editing a Role

To edit a role:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel is displayed.
Step 3 In the User Management section, click the User Roles icon.
The Manage Roles window is displayed.
Step 4 For the role you want to edit, click the edit icon.
The Manage Role Permissions window is displayed.
Step 5 Update the permissions (see Table 3-2), as necessary.
Step 6 Click Next.
Step 7 Choose one of the following options:
  a If you are editing a role that includes Events permissions, go to Step 8.
  b If you are editing a role that does not include Events permissions, go to Step 11.
The Add Log Sources to User Role window is displayed.
Step 8 Update log source permissions, as desired:
  a To remove a log source permission, select the log source(s) in the Selected Log Source Objects panel that you want to remove. Click Remove Selected Log Sources.


  b To add a log source permission, select an object you want to add from the left panel.
Step 9 Repeat for all log sources you want to edit for this role.
Step 10 Click Next.
Step 11 Click Return.
Step 12 Close the Manage Roles window.
The Admin interface is displayed.
Step 13 From the Admin interface menu, click Deploy Changes.

Deleting a Role

To delete a role:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel is displayed.
Step 3 In the User Management section, click the User Roles icon.
The Manage Roles window is displayed.
Step 4 For the role you want to delete, click the delete icon.
A confirmation window is displayed.
Step 5 Click OK.
Step 6 Close the Manage Roles window.
The Admin interface is displayed.
Step 7 From the Admin interface menu, click Deploy Changes.

Managing User Accounts

You can create a STRM user account, which allows a user to access selected network components using the STRM interface. You can also create multiple accounts for your system that include administrative privileges. Only the main administrative account can create accounts that have administrative privileges. This section provides information on managing user accounts, including:

  Creating a User Account
  Editing a User Account
  Disabling a User Account

Creating a User Account

To create an account for a STRM user:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel is displayed.


Step 3 Click the Users icon.

The Manage Users window is displayed.Step 4 In the Manage Users area, click Add.

The User Details window is displayed.

Step 5 Enter values for the following parameters:

Table 3-3 User Details Parameters

Parameter Username Password

Description Type a unique username for the new user. The username must not include spaces or special characters. Type a password for the user to gain access. The password must be at least five characters in length. Type the users e-mail address. From the drop-down list box, select the role you want to assign to this user. For information on roles, see Managing Roles. If you select Admin, this process is complete.

Confirm Password Type the password again for confirmation. Email Address Role

Step 6 Click Next.
Step 7 Choose one of the following options:
a If you selected Admin as the user role, go to Step 10.
b If you selected a non-administrative user role, go to Step 8. The Selected Network Objects window is displayed.
Step 8 From the menu tree, select the network objects you want this user to be able to monitor. The selected network objects appear in the Selected Network Objects panel.
Step 9 Click Finish.
Step 10 Close the Manage Users window. The Admin interface is displayed.

Editing a User Account

To edit a user account:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel is displayed.
Step 3 Click the Users icon. The Manage Users window is displayed.
Step 4 In the Manage Users section, click the name of the user account you want to edit. The User Details window is displayed.
Step 5 Update values (see Table 3-3), as necessary.
Step 6 Click Next. If you are editing a non-administrative user account, the Selected Network Objects window is displayed. If you are editing an administrative user account, go to Step 10.
Step 7 From the menu tree, select the network objects you want this user to access. The selected network objects appear in the Selected Network Objects panel.
Step 8 For each network object you want to remove access to, select the object in the Selected Network Objects panel and click Remove.
Step 9 Click Finish.
Step 10 Close the Manage Users window. The Admin interface is displayed.

Disabling a User Account

To disable a user account:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel is displayed.
Step 3 Click the Users icon. The Manage Users window is displayed.
Step 4 In the Manage Users area, click the user account you want to disable. The User Details window is displayed.
Step 5 In the Role drop-down list box, select Disabled.
Step 6 Click Next.
Step 7 Close the Manage Users window. The Admin interface is displayed.

This user no longer has access to the STRM interface. If this user attempts to log in to STRM, the following message appears: This account has been disabled. After you delete a user, items such as saved searches, reports, and assigned offenses remain associated with the deleted user, so check for offenses still assigned to that account when you remove an analyst.

Authenticating Users

You can configure authentication to validate STRM users and passwords. STRM supports the following user authentication types:

System Authentication - Users are authenticated locally by STRM. This is the default authentication type.
RADIUS Authentication - Users are authenticated by a Remote Authentication Dial-in User Service (RADIUS) server. When a user attempts to log in, STRM encrypts the password only and forwards the username and password to the RADIUS server for authentication. In standard RADIUS this "encryption" is the RFC 2865 User-Password hiding (MD5 of the shared secret and request authenticator, XORed with the password); the username and the rest of the request are sent in the clear, so keep the RADIUS exchange on a trusted management network and use a long, random shared secret.
TACACS Authentication - Users are authenticated by a Terminal Access Controller Access Control System (TACACS) server. When a user attempts to log in, STRM encrypts the username and password, and forwards this information to the TACACS server for authentication.
Active Directory - Users are authenticated by a Lightweight Directory Access Protocol (LDAP) server using Kerberos.
LDAP - Users are authenticated by a native LDAP server.
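The following is an added example, not code from this guide or from STRM: it implements the RFC 2865 User-Password hiding that any RADIUS client (STRM included, when it "encrypts the password only") applies before sending an Access-Request, and then shows what that protection is worth. The shared secret, password and fixed authenticator are constructed test values; nothing here reflects how STRM stores or generates them.

```python
"""RFC 2865 User-Password hiding, as used by any RADIUS client (illustrative code,
not STRM's own implementation). Secrets and authenticators below are constructed."""
import hashlib
import secrets
from typing import Iterable, Optional


def new_request_authenticator() -> bytes:
    """A fresh, unpredictable 16-byte Request Authenticator for each Access-Request."""
    return secrets.token_bytes(16)


def hide_radius_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a User-Password attribute (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 bytes. Each 16-byte block is
    XORed with MD5(shared_secret + previous_cipher_block); for the first block
    the "previous cipher block" is the Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_radius_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Undo the hiding. Anyone who knows the shared secret and captures the
    request (the authenticator travels in it) recovers the password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")


def first_block_xor(hidden_a: bytes, hidden_b: bytes) -> bytes:
    """Two requests hidden under the same secret and the same authenticator share
    their first keystream block, so XORing the hidden values cancels the keystream
    and leaves plaintext XOR plaintext. This is a keystream obfuscation, not
    authenticated encryption: authenticators must never repeat."""
    return bytes(a ^ b for a, b in zip(hidden_a[:16], hidden_b[:16]))


def guess_shared_secret(hidden: bytes, authenticator: bytes,
                        candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on one captured Access-Request: a candidate secret
    is accepted when the revealed password is non-empty printable ASCII with valid
    NUL padding. A guessable shared secret therefore gives no protection at all."""
    for cand in candidates:
        pw = reveal_radius_password(hidden, cand, authenticator)
        if pw and all(0x20 <= b < 0x7F for b in pw):
            return cand
    return None
```

The practical reading of this block for the table below: the RADIUS Shared Secret is the only thing standing between a packet capture and the user's password, so treat it like a key (long, random, unique per client) rather than like a password, and do not run RADIUS across untrusted segments.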

If you want to configure RADIUS, TACACS, Active Directory, or LDAP as the authentication type, you must:

Configure the authentication server before you configure authentication in STRM. Make sure the server has the appropriate user accounts and privilege levels to communicate with STRM. See your server documentation for more information.
Make sure the time of the authentication server is synchronized with the time of the STRM server. For more information on setting STRM time, see Chapter 5 - Setting Up STRM.
Make sure all users have appropriate user accounts and roles in STRM to allow authentication with the third-party servers.

Once authentication is configured and a user enters an invalid username and password combination, a message appears indicating the login was invalid. If the user attempts to access the system multiple times using invalid information, the user must wait the configured amount of time before attempting to access the system again. For more information on configuring Console settings for authentication, see Chapter 5 - Setting Up STRM - Configuring the Console Settings.

An administrative user can access STRM through a third-party authentication module or by using the local STRM Admin password. The STRM Admin password still functions after you have set up and activated a third-party authentication module; however, you cannot change the STRM Admin password while the authentication module is active. If you want to change the STRM Admin password, you need to temporarily disable the third-party authentication module, reset the password, and then reconfigure the third-party authentication module. Because the local Admin password remains valid, it bypasses any lockout, expiry or second-factor policy that the external server enforces: keep it long and random, treat it as a break-glass credential, and review any login that uses it.

To configure authentication:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.

The System Configuration panel is displayed.
Step 3 Click the Authentication icon. The Authentication window is displayed.
Step 4 From the Authentication Module drop-down list box, select the authentication type you want to configure.
Step 5 Configure the selected authentication type:
a If you selected System Authentication, go to Step 6.

b If you selected RADIUS Authentication, enter values for the following parameters:

Table 3-4 RADIUS Parameters

RADIUS Server - Type the hostname or IP address of the RADIUS server.
RADIUS Port - Type the port of the RADIUS server.
Authentication Type - From the drop-down list box, select the type of authentication you want to perform. The options are:
  CHAP (Challenge Handshake Authentication Protocol) - Challenge-response authentication originally defined for Point-to-Point Protocol (PPP) links.
  MSCHAP (Microsoft Challenge Handshake Authentication Protocol) - Authenticates remote Windows workstations.
  ARAP (Apple Remote Access Protocol) - Establishes authentication for AppleTalk network traffic.
  PAP (Password Authentication Protocol) - Sends the password as clear text between the user and the server.
Shared Secret - Type the shared secret that STRM uses to encrypt RADIUS passwords for transmission to the RADIUS server. Use a long, random value: with a weak shared secret, anyone who captures a request can recover the password offline.

c If you selected TACACS Authentication, enter values for the following parameters:

Table 3-5 TACACS Parameters

TACACS Server - Type the hostname or IP address of the TACACS server.
TACACS Port - Type the port of the TACACS server.
Authentication Type - From the drop-down list box, select the type of authentication you want to perform. The options are:
  ASCII
  PAP (Password Authentication Protocol) - Sends the password as clear text between the user and the server.
  CHAP (Challenge Handshake Authentication Protocol) - Challenge-response authentication originally defined for PPP links.
  MSCHAP (Microsoft Challenge Handshake Authentication Protocol) - Authenticates remote Windows workstations.
  MSCHAP2 (Microsoft Challenge Handshake Authentication Protocol version 2) - Authenticates remote Windows workstations using mutual authentication.
  EAPMD5 (Extensible Authentication Protocol using MD5) - Challenge-response authentication that answers the server's challenge with an MD5 hash of the password and challenge.
Shared Secret - Type the shared secret that STRM uses to encrypt TACACS passwords for transmission to the TACACS server.

d If you selected Active Directory, enter values for the following parameters:

Table 3-6 Active Directory Parameters

Server URL - Type the URL used to connect to the LDAP server, for example ldap://<host>:<port>.
LDAP Context - Type the LDAP context you want to use, for example, DC=Q1LABS,DC=INC.
LDAP Domain - Type the domain you want to use, for example, q1labs.inc.

e If you selected LDAP, enter values for the following parameters:

Table 3-7 LDAP Parameters

Server URL - Type the URL used to connect to the LDAP server, for example ldap://<host>:<port>. You can use a space-separated list to specify multiple LDAP servers.
SSL Connection - From the drop-down list box, select True if you want to use Secure Sockets Layer (SSL) encryption when connecting to the LDAP server. The default is True. Before enabling the SSL connection to your LDAP server, you must copy the SSL certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates/ directory on your STRM system. For more information on how to configure the SSL certificate, see Configuring your SSL Certificate.
TLS Authentication - From the drop-down list box, select True if you want to start Transport Layer Security (TLS) encryption when connecting to the LDAP server. The default is True.
Search Entire Base - From the drop-down list box, select one of the following options:
  True - Searches the specified base Distinguished Name (DN) and all entries beneath it (subtree scope).
  False - Searches only the immediate contents of the Base DN (one-level scope). Subordinate containers are not searched.
  The default is True.
LDAP User Field - Type the user field identifier you want to search on, for example, uid. You can use a comma-separated list to search for multiple user identifiers.
Base DN - Type the base DN for performing searches, for example, DC=Q1LABS,DC=INC.

Note: If you set both SSL Connection and TLS Authentication to False, the LDAP bind carries each user's password across the network in clear text. Leave at least one of them enabled, and keep only the certificate you have verified out of band in the trusted_certificates directory, so that a server presenting a different certificate is not trusted.

Step 6 Click Save.

Your authentication is now configured.
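To make the LDAP parameters in Table 3-7 concrete, the following added example (not code from this guide or from STRM) shows how a directory client turns them into a user lookup: the LDAP User Field list becomes an OR-ed equality filter, Search Entire Base selects subtree or one-level scope, and the login name is escaped per RFC 4515 so that a name such as `*)(uid=*` cannot rewrite the filter. The hostnames, the `bind_is_protected` rule and the `describe_lookup` shape are assumptions of the example, not STRM behaviour.

```python
"""How the Table 3-7 parameters drive an LDAP user lookup (illustrative code, not
STRM's own). Server names are constructed; the escaping follows RFC 4515."""
from dataclasses import dataclass
from typing import Dict, Tuple

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe use inside an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class LdapAuthConfig:
    server_urls: Tuple[str, ...]   # "Server URL": space-separated list
    base_dn: str                   # "Base DN"
    user_fields: Tuple[str, ...]   # "LDAP User Field": comma-separated list
    search_entire_base: bool = True
    ssl_connection: bool = True
    tls_authentication: bool = True


def parse_config(server_url: str, base_dn: str, user_field: str,
                 search_entire_base: bool = True, ssl_connection: bool = True,
                 tls_authentication: bool = True) -> LdapAuthConfig:
    """Parse the form fields exactly as the table describes them."""
    urls = tuple(u for u in server_url.split() if u)
    fields = tuple(f.strip() for f in user_field.split(",") if f.strip())
    if not urls or not fields or not base_dn:
        raise ValueError("Server URL, Base DN and LDAP User Field are all required")
    return LdapAuthConfig(urls, base_dn, fields, search_entire_base,
                          ssl_connection, tls_authentication)


def build_user_filter(cfg: LdapAuthConfig, username: str) -> str:
    """One equality term per user field, OR-ed together when there are several."""
    value = escape_filter_value(username)
    terms = [f"({field}={value})" for field in cfg.user_fields]
    return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"


def search_scope(cfg: LdapAuthConfig) -> str:
    """Search Entire Base = True is a subtree search; False searches one level."""
    return "subtree" if cfg.search_entire_base else "onelevel"


def bind_is_protected(cfg: LdapAuthConfig) -> bool:
    """False means a simple bind would carry the user's password in clear text
    (assumption: either ldaps or StartTLS is enough to protect the bind)."""
    return cfg.ssl_connection or cfg.tls_authentication


def describe_lookup(cfg: LdapAuthConfig, username: str) -> Dict[str, object]:
    """The search a client performs before binding as the entry it finds."""
    return {
        "servers": cfg.server_urls,
        "base": cfg.base_dn,
        "scope": search_scope(cfg),
        "filter": build_user_filter(cfg, username),
        "protected_bind": bind_is_protected(cfg),
    }
```

Run `describe_lookup(parse_config(...), name)` with the values you intend to enter in the form to see the exact filter and scope they produce; if `protected_bind` comes back False, fix the SSL Connection or TLS Authentication setting before saving.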

Configuring your SSL Certificate

If you use LDAP for user authentication and you want to enable SSL, you must configure your SSL certificate. To configure your SSL certificate for connection to your LDAP server:

Step 1 Log in to STRM as root.
Step 2 Type the following command to create the /opt/qradar/conf/trusted_certificates/ directory:
mkdir -p /opt/qradar/conf/trusted_certificates
Step 3 Copy the SSL certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates/ directory on your STRM system. Obtain the certificate from the directory administrator and compare its fingerprint with the one the LDAP server presents before you trust it; a certificate copied from an untrusted path is exactly what an attacker on that path would want you to install.
Step 4 Verify that the certificate file name extension is .cert, which indicates that the certificate is trusted. STRM only loads .cert files.
Step 5 Change the permissions of the directory by typing the following commands:
chmod 755 /opt/qradar/conf/trusted_certificates
chmod 644 /opt/qradar/conf/trusted_certificates/*.cert
Step 6 Type the following command to restart the Tomcat service:
service tomcat restart
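The procedure above leaves two checks to the operator: that the file really is a single PEM certificate, and that its name ends in .cert so that STRM actually loads it. The following added example (not part of this guide or of STRM) performs Steps 2 to 5 with those checks and reports what the directory contains afterwards. The only value taken from the page is the directory path; the fingerprint helper, the audit rules and the constructed PEM in `selfcheck()` are assumptions of the example, and the Tomcat restart in Step 6 is intentionally left to the operator.

```python
"""Install an LDAP server certificate the way Steps 2 to 5 describe, with the
checks the procedure leaves to the operator (illustrative code, not part of STRM)."""
import base64
import hashlib
import os
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

TRUSTED_DIR = Path("/opt/qradar/conf/trusted_certificates")   # path named in the guide

# One PEM certificate block: header, base64 body lines, footer.
_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n((?:[A-Za-z0-9+/=]+\r?\n)+)-----END CERTIFICATE-----"
)


def pem_bodies(data: bytes) -> List[bytes]:
    """DER bytes of every PEM certificate in data (empty if the file is not PEM)."""
    return [base64.b64decode(re.sub(rb"\s", b"", m)) for m in _PEM_BLOCK.findall(data)]


def sha256_fingerprint(der: bytes) -> str:
    """Fingerprint to compare, out of band, with the one the LDAP server shows."""
    return hashlib.sha256(der).hexdigest()


def install_trusted_cert(src: Path, dest_dir: Path = TRUSTED_DIR,
                         name: Optional[str] = None) -> Path:
    """Copy src into dest_dir as <name>.cert with the permissions from Step 5."""
    src = Path(src)
    bodies = pem_bodies(src.read_bytes())
    if len(bodies) != 1:
        raise ValueError(f"{src}: expected exactly one PEM certificate, found {len(bodies)}")
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)          # mkdir -p
    target = dest_dir / f"{name or src.stem}.cert"       # STRM loads only *.cert
    shutil.copyfile(src, target)
    os.chmod(dest_dir, 0o755)                            # chmod 755 <dir>
    os.chmod(target, 0o644)                              # chmod 644 *.cert
    return target


def audit_trusted_dir(dest_dir: Path = TRUSTED_DIR) -> Dict[str, List[str]]:
    """Files that satisfy the procedure (.cert suffix, mode 644, one PEM cert)
    versus files that do not and will therefore not be used."""
    loaded, ignored = [], []
    for f in sorted(Path(dest_dir).iterdir()):
        ok = (f.suffix == ".cert" and (f.stat().st_mode & 0o777) == 0o644
              and len(pem_bodies(f.read_bytes())) == 1)
        (loaded if ok else ignored).append(f.name)
    return {"loaded": loaded, "ignored": ignored}


def selfcheck() -> Dict[str, object]:
    """Run the installer against a constructed PEM file in a temporary directory."""
    fake_der = b"not a real certificate, constructed for this example only"
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(fake_der)
           + b"-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        (tmp / "ldap-ca.pem").write_bytes(pem)
        (tmp / "not-a-cert.txt").write_bytes(b"garbage")
        dest = tmp / "trusted_certificates"
        target = install_trusted_cert(tmp / "ldap-ca.pem", dest)
        shutil.copyfile(tmp / "ldap-ca.pem", dest / "forgotten.pem")  # wrong suffix
        try:
            install_trusted_cert(tmp / "not-a-cert.txt", dest)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "target_name": target.name,
            "file_mode": target.stat().st_mode & 0o777,
            "dir_mode": dest.stat().st_mode & 0o777,
            "fingerprint": sha256_fingerprint(pem_bodies(target.read_bytes())[0]),
            "audit": audit_trusted_dir(dest),
            "rejected_non_pem": rejected,
        }
```

On a real system, call `install_trusted_cert("/tmp/ldap-ca.pem")` as root, compare the returned fingerprint with the value the directory administrator gives you, then run `audit_trusted_dir()` to confirm nothing is left in the directory under the wrong name before restarting Tomcat.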

3 MANAGING THE SYSTEM

This chapter provides information for managing your system, including:

Managing Your License Keys
Restarting a System
Shutting Down a System
Configuring Access Settings

Managing Your License Keys

For your STRM Console, a default license key provides you access to the interface for 5 weeks. You must manage your license key using the System and License Management window, which you can access using the Admin interface. This window provides the status of the license key for each system (host) in your deployment. Statuses include:

Valid - The license key is valid.
Expired - The license key has expired. To update your license key, see Updating your License Key.
Override Console License - This host is using the Console license key. You can use the Console key or apply a license key for this system. If you want to use the Console license for any system in your deployment, click Revert to Console in the Manage License window.

A license key allows a certain number of log sources to be configured in your system. If you exceed the limit of configured log sources, as established by the license key, an error message is displayed in the interface. If additional log sources are auto-discovered, they are automatically disabled. Review the log source list whenever that error appears, so that newly discovered sources do not remain disabled and unmonitored. To extend the number of log sources allowed, contact your sales representative. This section provides information on managing your license keys, including:

Updating your License Key
Exporting Your License Key Information

Updating your License Key

For your STRM Console, a default license key provides you with access to the interface for 5 weeks. Choose one of the following options for assistance with your license key:

For a new or updated license key, contact your local sales representative.
For all other technical issues, contact Juniper Networks Customer Support.

If you log in to STRM and your Console license key has expired, you are automatically directed to the System and License Management window. You must update the license key before you can continue. If one of your non-Console systems includes an expired license key, a message appears when you log in indicating a system requires a new license key. You must navigate to the System and License Management window to update that license key.

To update your license key:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel is displayed.
Step 3 Click the System and License Management icon. The System and License Management window is displayed, providing a list of all hosts in your deployment.
Step 4 Select the host for which you want to view the license key.
Step 5 From the Actions menu, select Manage License. The Current License Details window is displayed, providing the current license key limits. If you want to obtain additional licensing capabilities, please contact your sales representative.

Step 6 Click Browse beside the New License Key File field and select the license key.
Step 7 Click Open. The Current License Details window is displayed.
Step 8 Click Save.
Step 9 In the System and License Management window, click Deploy License Key. The license key information is updated in your deployment.

Note: If you want to revert back to the previous license key, click Revert to Deployed. If you want to revert to the license key used by the STRM Console system, click Revert to Console.

Exporting Your License Key Information

To export your license key information for all systems in your deployment:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel is displayed.
Step 3 Click the System and License Management icon. The System and License Management window is displayed, providing a list of all hosts in your deployment.
Step 4 Select the system that includes the license you want to export.
Step 5 From the Actions menu, select Export Licenses. The export window is displayed.
Step 6 Select one of the following options:
Open with - Opens the license key data using the selected application.
Save File - Allows you to save the file to your desktop.
Step 7 Click OK.

Restarting a System

To restart a STRM system:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel is displayed.
Step 3 Click the System and License Management icon. The System and License Management window is displayed.
Step 4 Select the system you want to restart.
Step 5 From the Actions menu, select Restart System.

Note: Data collection stops while the system is shutting down and restarting.

Shutting Down a System

To shut down a STRM system:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel is displayed.
Step 3 Click the System and License Management icon. The System and License Management window is displayed.
Step 4 Select the system you want to shut down.
Step 5 From the Actions menu, select Shutdown.

Note: Data collection stops while the system is shutting down.

Configuring Access Settings

The System and License Management window provides access to the web-based system administration interface, which allows you to configure firewall rules, interface roles, passwords, and system time. This section includes:

Firewall access. See Configuring Firewall Access.
Updating your host set-up. See Updating Your Host Set-up.
Configuring the interface roles for a host. See Configuring Interface Roles.
Changing the password of a host. See Changing Passwords.
Updating the system time. See Updating System Time.

Configuring Firewall Access

You can configure local firewall access to enable communications between devices and STRM. Also, you can define access to the web-based system administration interface. To enable STRM managed hosts to access specific devices or interfaces:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel is displayed.
Step 3 Click the System and License Management icon. The System and License Management window is displayed.
Step 4 Select the host for which you want to configure firewall access settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:
Username: root
Password:
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > Local Firewall. The Local Firewall window is displayed.
Step 8 In the Device Access box, you must include any STRM systems you want to have access to this managed host. Only the listed managed hosts have access. For example, if you only enter one IP address, only that one IP address is granted access to the managed host. All other managed hosts are blocked. To configure access:
a In the IP Address field, type the IP address of the managed host you want to have access.
b From the Protocol drop-down list box, select the protocol for which you want to enable access on the specified IP address and port. Options include:
UDP - Allows UDP traffic.
TCP - Allows TCP traffic.
Any - Allows any traffic.
c In the Port field, type the port on which you want to enable communications.
Note: If you change the External Flow Source Monitoring Port parameter in the QFlow configuration, you must also update your firewall access configuration. For more information about QFlow configuration, see Chapter 8 - Using the Deployment Editor.
d Click Allow.
Step 9 In the System Administration Web Control box, type the IP address(es) of the managed host(s) that you want to allow access to the web-based system administration interface in the IP Address field, then click Allow. Only the IP addresses listed have access to the interface. If you leave the field blank, all IP addresses have access; that is the least restrictive setting, so list only the administrative workstations and STRM hosts that need the interface.
Note: Make sure you include the IP address of the client desktop you want to use to access the interface. Failing to do so may affect connectivity.
Step 10 Click Apply Access Controls.
Step 11 Wait for the interface to refresh before continuing.

Updating Your Host Set-up

You can use the web-based system administration interface to configure the mail server you want STRM to use and the global password for STRM configuration. To configure your host set-up:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel is displayed.
Step 3 Click the System and License Management icon. The System and License Management window is displayed.
Step 4 Select the host for which you want to update your host setup settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:
Username: root
Password:
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > STRM Setup. The STRM Setup window is displayed.
Step 8 In the Mail Server field, type the address of the mail server you want STRM to use. STRM uses this mail server to distribute alerts and event messages. To use the mail server provided with STRM, type localhost.
Step 9 In the Enter the global configuration password field, type the password you want to use to access the host. Type the password again for confirmation.
Note: The global configuration password does not accept special characters. The global configuration password must be the same throughout your deployment. If you edit this password, you must also edit the global configuration password on all systems in your deployment.
Step 10 Click Apply Configuration.

Configuring Interface Roles

You can assign specific roles to the network interfaces on each managed host. To assign roles:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel is displayed.
Step 3 Click the System and License Management icon. The System and License Management window is displayed.
Step 4 Select the host for which you want to configure interface role settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:
Username: root
Password:
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > Network Interfaces. The Network Interfaces window is displayed, including a list of each interface on your managed host.
Note: For assistance with determining the appropriate role for each interface, contact Juniper Networks Customer Support.
Step 8 For each interface listed, select the role you want to assign to the interface from the Role drop-down list box.
Step 9 Click Save Configuration.
Step 10 Wait for the interface to refresh before continuing.

Changing Passwords

Every host ships with the same default root credentials for the web-based system administration interface, so change them on each managed host as part of initial setup. To change the root password:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel is displayed.
Step 3 Click the System and License Management icon. The System and License Management window is displayed.
Step 4 Select the host whose root password you want to change.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:
Username: root
Password:
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > Root Password. The Root Passwords window is displayed.
Step 8 Update the passwords:
Note: Make sure you record the entered values. The root password does not accept the following special characters: apostrophe ('), dollar sign ($), exclamation mark (!).
New Root Password - Type the root password necessary to access the web-based system administration interface.
Confirm New Root Password - Type the password again for confirmation.
Step 9 Click Update Password.

Updating System Time

You are able to change the time for the following options:

System time
Hardware time
Time Zone
Time Server

Note: All system time changes must be made within the System Time window. You can only change the system time information on the host operating the Console. The change is then distributed to all managed hosts in your deployment.

You can configure time for your system using one of the following methods:

Configuring Your Time Server Using RDATE
Manually Configuring Time Settings For Your System

Configuring Your Time Server Using RDATE

The rdate exchange carries no authentication or integrity protection, so point it only at a time server on a trusted network. Keep in mind that Kerberos and the other external authentication modules described under Authenticating Users require the STRM clock to agree with the authentication server's clock. To update the time settings using RDATE:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel is displayed.
Step 3 Click the System and License Management icon. The System and License Management window is displayed.
Step 4 Select the host for which you want to configure system time settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:
Username: root
Password:
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > System Time. The System Time window is displayed.
Step 8 Configure the time zone:
a Click Change time zone. The Time Zone window is displayed.
b From the Change timezone to drop-down list box, select the time zone in which this managed host is located.
c Click Save.
Step 9 Configure the time server:
a Click Time server sync. The Time Server window is displayed.
b Configure the following parameters:

Table 4-1 Time Server Parameters

Timeserver hostnames or addresses - Type the time server hostname or IP address.
Set hardware time too - Select the check box if you want to set the hardware time.
Synchronize on schedule? - Select one of the following options:
  No - Select this option if you do not want to synchronize the time on a schedule. Go to c.
  Yes - Select this option if you want to synchronize the time on a schedule.
Simple Schedule - Select this option if you want the time update to occur at a regular interval. Once you select this option, select a simple schedule from the drop-down list box.
Times and dates are selected below - Select this option to choose the times at which you want the time update to occur. Once you select this option, select the times and dates in the list boxes.

c Click Sync and Apply.

Manually Configuring Time Settings For Your System

To update the time settings for your system:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration. The System Configuration panel is displayed.
Step 3 Click the System and License Management icon. The System and License Management window is displayed.
Step 4 Select the host for which you want to configure system time settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:
Username: root
Password:
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > System Time. The System Time window is displayed.
Caution: The time settings window is divided into two sections. You must save each setting before continuing. For example, when you configure system time, you must click Apply within the System Time section before continuing.
Step 8 Click Set time.
Step 9 Set the system time:
a Choose one of the following options:
In the System Time panel, using the drop-down list boxes, select the current date and time you want to assign to the managed host.
Click Set system time to hardware time.
b Click Apply. The Hardware Time window is displayed.
Step 10 Set the hardware time:
a Choose one of the following options:
In the Hardware Time panel, using the drop-down list boxes, select the current date and time you want to assign to the managed host.
Click Set hardware time to system time.
b Click Save.
Step 11 Configure the time zone:
a Click Change time zone. The Time Zone window is displayed.
b From the Change Timezone To drop-down list box, select the time zone in which this managed host is located.
c Click Save.

4 MANAGING HIGH AVAILABILITY

The High Availability (HA) feature ensures STRM data remains available in the event of a hardware or network failure. To achieve HA, STRM pairs a primary appliance with a secondary HA appliance to create an HA cluster. The HA cluster uses several monitoring functions, such as a heartbeat ping between the primary and secondary appliances, and network connectivity monitoring to other appliances in the STRM deployment. The secondary host maintains the same data as the primary host by one of two methods: data synchronization between the primary and secondary appliances or shared external storage. If the secondary host detects a failure, the secondary host automatically assumes all responsibilities of the primary host. Scenarios that cause failover include:

Network failure, as detected by network connectivity testing
Management interface failure on the primary host
Complete Redundant Array of Independent Disks (RAID) failure on the primary host
Power supply failure
Operating system malfunction that delays or stops the heartbeat ping

Note: Heartbeat messages do not monitor specific STRM processes. A failed or hung STRM process on an otherwise responsive primary host therefore does not trigger failover; monitor those processes separately.

Note: You can manually force a failover from a primary host to a secondary host. This is useful for planned maintenance on the primary host. For more information on manually forcing a failover, see Setting an HA Host Offline.

This chapter provides information for configuring and managing HA, including:

Before You Begin
HA Deployment Overview
Adding an HA Cluster
Editing an HA Cluster
Setting an HA Host Offline
Setting an HA Host Online
Restoring a Failed Host

Before You Begin

Before adding an HA cluster, confirm the following:

Note: For more information on HA concepts, such as HA clustering and data storage strategies, see HA Deployment Overview.

If you plan to enable disk replication (see Disk Synchronization), the connection between the primary host and secondary host must have a minimum bandwidth of 1 gigabit per second (Gbps).
Virtual LAN (VLAN) routing, which divides a physical network into multiple subnets, is not recommended.
The secondary host is located on the same subnet as the primary host.
The new primary host IP address is set up on the same subnet.
The management interface only supports one Cluster Virtual IP address. Multihoming is not supported.
The secondary host you want to add must have a valid HA activation key.
The secondary host must use the same management interface as the primary host. For example, if the primary host uses ETH0 as the management interface, the secondary host must also use ETH0.
The secondary host you want to add must not already be a component in another HA cluster.
The primary and secondary host must have the same STRM software version and patch level installed.
If you plan to share storage (see Shared Storage), the secondary host must be configured with the same external iSCSI devices (if any) as the primary host. For more information on configuring iSCSI, see the Configuring iSCSI technical note.
The /store partition on the secondary host must be equal to or larger than the /store partition on the primary host. For example, do not pair a primary host with a 3 TB disk with a secondary host with a 2 TB disk.
The appliances must be the same model and type, and have the same disk configuration.
We recommend that you back up your configuration information and data on all hosts you intend to configure for HA. For more information on backing up your configuration information and data, see Chapter 7 - Managing Backup and Recovery.

Note: Disk replication is not enabled by default on QFlow Collectors and is not required for successful failover.
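The checklist above is easy to get wrong under time pressure, so here is an added example (not code from this guide or from STRM) that encodes it as a pre-flight check for a proposed pair and also shows the address reassignment the overview describes: the primary's current address becomes the Cluster Virtual IP and the primary moves to a new address on the same subnet. The `HaHost` attributes, the /24 prefix, the hostnames, model name and activation key are assumptions of the example; the addresses 10.100.1.1, 10.100.1.2 and 10.100.1.3 are the ones the chapter's own figure uses.

```python
"""Pre-flight check for an HA pair against the Before You Begin conditions
(illustrative code, not part of STRM). Sample hosts are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class HaHost:
    hostname: str
    mgmt_ip: str            # current IP address on the management interface
    prefix_len: int         # management subnet prefix length (assumed /24 below)
    mgmt_interface: str     # e.g. "eth0"
    software_version: str
    patch_level: str
    store_bytes: int        # size of the /store partition
    model: str
    ha_activation_key: str = ""
    in_other_cluster: bool = False


def ha_preflight(primary: HaHost, secondary: HaHost, new_primary_ip: str,
                 link_gbps: float, disk_replication: bool = True) -> List[str]:
    """Return every violated precondition; an empty list means the pair qualifies."""
    problems = []
    subnet = ipaddress.ip_network(f"{primary.mgmt_ip}/{primary.prefix_len}", strict=False)
    if ipaddress.ip_address(secondary.mgmt_ip) not in subnet:
        problems.append("secondary host is not on the primary host's subnet")
    if ipaddress.ip_address(new_primary_ip) not in subnet:
        problems.append("new primary IP address is not on the cluster subnet")
    if new_primary_ip in (primary.mgmt_ip, secondary.mgmt_ip):
        problems.append("new primary IP address collides with the Cluster Virtual IP or the secondary host")
    if primary.mgmt_interface != secondary.mgmt_interface:
        problems.append("management interfaces differ")
    if (primary.software_version, primary.patch_level) != (secondary.software_version, secondary.patch_level):
        problems.append("software version or patch level differs")
    if secondary.store_bytes < primary.store_bytes:
        problems.append("secondary /store partition is smaller than the primary's")
    if primary.model != secondary.model:
        problems.append("appliance models differ")
    if not secondary.ha_activation_key:
        problems.append("secondary host has no HA activation key")
    if secondary.in_other_cluster:
        problems.append("secondary host already belongs to another HA cluster")
    if disk_replication and link_gbps < 1:
        problems.append("disk replication needs at least 1 Gbps between the hosts")
    return problems


def cluster_addresses(primary: HaHost, secondary: HaHost, new_primary_ip: str) -> Dict[str, str]:
    """The primary's current address becomes the Cluster Virtual IP; the primary
    itself moves to new_primary_ip, so other hosts keep sending to the old address."""
    return {"cluster_vip": primary.mgmt_ip, "primary": new_primary_ip, "secondary": secondary.mgmt_ip}


TB = 1000 ** 4

# Constructed sample pair using the chapter's example addresses.
PRIMARY = HaHost("strm-console-a", "10.100.1.1", 24, "eth0", "2010.0", "p1", 3 * TB, "STRM5000", "")
SECONDARY = HaHost("strm-console-b", "10.100.1.2", 24, "eth0", "2010.0", "p1", 3 * TB, "STRM5000", "HA-KEY-EXAMPLE")
```

Run `ha_preflight(PRIMARY, SECONDARY, "10.100.1.3", link_gbps=10)` before you start Adding an HA Cluster; every string it returns is a condition from the list above that still needs fixing, and `cluster_addresses` tells you which address other hosts will keep talking to after the change.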

STRM Administration Guide

HA Deployment Overview

41

HA Deployment Overview

This overview provides information on the key HA deployment concepts, including: HA Clustering Data Storage Strategies Failovers

HA Clustering

An HA cluster consists of the following:

Primary host - The primary host is the host for which you want to configure HA. You can configure HA for any system (Console or non-Console) in your deployment. When you configure HA, the IP address of the primary host automatically becomes the Cluster Virtual IP address; therefore, you must configure a new IP address for the primary host. Secondary host - The secondary host is the standby for the primary host. If the primary host fails, the secondary host automatically assumes all responsibilities of the primary host. Cluster Virtual IP address - When you configure HA, the current IP address of the primary host automatically becomes the Cluster Virtual IP address and you must assign a new IP address to the primary host. In the event that the primary host fails, the Cluster Virtual IP address is assumed by the secondary host. STRM uses the primary hosts IP address as the Cluster Virtual IP address to allow other hosts in your deployment to continue communicating with the HA cluster without requiring you to reconfigure the hosts to send data to a new IP address.

In the following figure, for example, the current IP address of the primary host is 10.100.1.1 and the IP address of the secondary host is 10.100.1.2.

When configured as an HA cluster, the current primary host IP address (10.100.1.1) automatically becomes the Cluster Virtual IP address. A new IP address must be assigned to the primary host. In this example, the assigned IP address for the primary host is 10.100.1.3.


Note: You can view the IP addresses for the HA cluster by pointing your mouse over the Host Name field in the System and License Management window.

Data Storage Strategies

STRM provides the following data storage strategies in an HA deployment:
- Disk Synchronization
- Shared Storage

Disk Synchronization

The hosts in an HA cluster must have access to the same data on the /store partition. When you install your secondary host and apply an HA license key, a /store partition is automatically installed and configured on the host. Once an HA cluster is configured with the Disable Disk Replication option cleared (the default) and the /store partition is not mounted externally, data in the active host's /store partition is automatically replicated to the standby host's /store partition using a disk synchronization system.

When you initially add an HA cluster, the first disk synchronization can take an extended period of time to complete, depending on the size of your /store partition and your disk synchronization speed. For example, the initial disk synchronization can take up to 24 hours or more, depending on your deployment. We require that the connection between the primary host and secondary host have a minimum bandwidth of 1 gigabit per second (Gbps). The secondary host only assumes the Standby status after the initial disk synchronization is complete.

When the primary host fails over and the secondary host becomes the Active host, the secondary host continues to read and write data on the /store partition. When the primary host is restored, the two /store partitions are no longer synchronized. Therefore, before the primary host can resume the Active state, disk replication automatically occurs. When disk replication is complete, the primary host is set to the Offline state and you must manually set the primary host to the Online state. The post-failover disk synchronization takes considerably less time than the initial disk synchronization, unless the disk on the primary host was replaced or reformatted when the host was manually repaired.

Shared Storage

If the primary host has the /store partition mounted on an external storage device, the secondary host must also have the /store partition mounted on the same external storage device.

Caution: You must configure the external storage on the secondary host before configuring the HA cluster. For more information on configuring external storage, see the Configuring iSCSI technical note.

If the primary and secondary host access the shared storage at the same time, data corruption can occur. Before a failover occurs, the secondary host determines if the primary host is still accessing the shared storage. If the secondary host detects that the primary host is still reading and writing to the shared storage, failover cannot occur and the secondary host is automatically set to the Offline state.

Caution: If your primary and secondary hosts are geographically isolated, failover may still occur while the primary host is reading or writing to the shared storage.

Failovers

When the primary host fails over, the secondary host performs the following actions in sequence:
1 Mounts any external shared storage devices, if required.
2 Creates a network alias for the management interface. For example, the network alias for eth0 is eth0:0.
3 Assigns the Cluster Virtual IP address to the network alias.
4 Starts all STRM services.
5 Connects to the Console and downloads configuration files.

This section provides information on general failover scenarios, including:
- Primary Network Failure
- Primary Disk Failure
- Secondary Network or Disk Failure

Primary Network Failure

The primary host automatically pings all other managed hosts to test its network connection. If the primary host loses network connectivity to a managed host and the connection to the secondary host is still intact, the primary host requests that the secondary host verify that it has full connectivity to the other managed hosts in the deployment. The secondary host performs a network connectivity test against all hosts specified in the Advanced Settings of the HA wizard (Table 5-2). If the test succeeds, the primary host performs a controlled shutdown and fails over to the secondary host. This prevents the primary host from failing over to a secondary host that is also experiencing network connectivity problems.

Primary Disk Failure

An HA cluster configured with disk replication monitors the disks on which the /store partition is mounted. If the RAID array completely fails and all disks are unavailable, the primary host shuts down and fails over to the secondary host.

Secondary Network or Disk Failure

If the primary host detects that the secondary host has failed, the primary host generates an event to notify you that the secondary host is no longer providing HA protection.
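As an added illustration of the failover decisions described above (constructed example code, not part of the STRM guide or product), the following Python model applies the Table 5-2 heartbeat defaults, the secondary host's peer connectivity test, the shared-storage guard, and the ordered failover actions; the host addresses, peer list and heartbeat timings are assumptions.

```python
"""Toy model of the STRM HA failover decisions (added example, not code
from the STRM guide). Host addresses, the peer list and the heartbeat
timestamps are constructed; 10 s / 30 s are the Table 5-2 defaults."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HaSettings:
    heartbeat_interval: int = 10      # seconds between heartbeat pings
    heartbeat_timeout: int = 30       # seconds without reply before failover
    peer_ips: tuple = ()              # Network Connectivity Test peer list


def primary_requests_failover(primary_reach, secondary_reachable,
                              settings, secondary_reach):
    """Primary Network Failure: True if the primary should perform a
    controlled shutdown and fail over.

    primary_reach   : {managed host IP: ping succeeded} as seen by the primary
    secondary_reach : {peer IP: ping succeeded} as seen by the secondary
    """
    if all(primary_reach.values()):
        return False                  # primary still sees every managed host
    if not secondary_reachable:
        return False                  # cannot ask the secondary to verify
    # Fail over only if the secondary reaches every configured peer;
    # otherwise the secondary may share the same network problem.
    return all(secondary_reach.get(ip, False) for ip in settings.peer_ips)


def secondary_state(settings, heartbeat_replies, now,
                    shared_storage, primary_still_writing=False):
    """Heartbeat-driven takeover decision on the secondary.

    heartbeat_replies : times (s) at which the primary answered a heartbeat
    Returns 'standby' (primary alive), 'active' (take over) or 'offline'
    (shared storage still in use by the primary, so failover is refused).
    """
    last = max(heartbeat_replies, default=None)
    if last is not None and now - last < settings.heartbeat_timeout:
        return "standby"              # primary is alive, keep waiting
    if shared_storage and primary_still_writing:
        return "offline"              # both hosts writing would corrupt data
    return "active"


def failover_actions(iface, cluster_vip, shared_storage):
    """The ordered steps the secondary performs once it fails over."""
    steps = []
    if shared_storage:
        steps.append("mount external shared storage")
    alias = f"{iface}:0"
    steps.append(f"create network alias {alias}")
    steps.append(f"assign Cluster Virtual IP {cluster_vip} to {alias}")
    steps.append("start all STRM services")
    steps.append("connect to the Console and download configuration files")
    return steps


if __name__ == "__main__":
    # Constructed scenario: cluster VIP 10.100.1.1 and two other managed
    # hosts configured as the secondary's connectivity-test peers.
    s = HaSettings(peer_ips=("10.100.1.10", "10.100.1.11"))
    seen_by_primary = {"10.100.1.10": False, "10.100.1.11": True}
    seen_by_secondary = {"10.100.1.10": True, "10.100.1.11": True}
    print("primary fails over:", primary_requests_failover(
        seen_by_primary, True, s, seen_by_secondary))
    print("secondary state:", secondary_state(s, [0, 10, 20], now=55,
                                              shared_storage=False))
    for step in failover_actions("eth0", "10.100.1.1", shared_storage=True):
        print(" -", step)
```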

Adding an HA Cluster

The System and License Management window allows you to manage your HA clusters. To add an HA cluster:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel is displayed.
Step 3 Click the System and License Management icon.
The System and License Management window is displayed.
Step 4 Select the host for which you want to configure HA.
Step 5 From the Actions menu, select Add HA Host.

Note: If the primary host is a Console, a warning message is displayed to indicate that the user interface restarts after you add the HA host. Click OK to proceed.

The HA Wizard is displayed.


Note: If you do not want to view the Welcome to the High Availability window again, select the Skip this page when running the High Availability wizard check box.

Step 6 Read the introductory text. Click Next.
The Select the High Availability Wizard Options window appears, automatically displaying the Cluster Virtual IP address, which is the IP address of the primary host (Host IP).

Step 7 To configure the HA host information, configure the following parameters:


Table 5-1 HA Host Information Parameters

Primary Host IP Address - Type a new primary host IP address. The new primary host IP address is assigned to the primary host, replacing the previous IP address. The current IP address of the primary host becomes the Cluster Virtual IP address. If the primary host fails and the secondary host becomes active, the Cluster Virtual IP address is assigned to the secondary host.
Note: The new primary host IP address must be on the same subnet as the Host IP.

Secondary Host IP Address - Type the IP address of the secondary host you want to add. The secondary host must be in the same subnet as the primary host.

Enter the root password of the host - Type the root password for the secondary host. The password must not include special characters.

Confirm the root password of the host - Type the root password for the secondary host again for confirmation.

Step 8 Optional. To configure advanced parameters:
a Click the arrow beside Show Advanced Options.
The advanced option parameters are displayed.
b Configure the following parameters:


Table 5-2 Advanced Options Parameters

Heartbeat Intervals (seconds) - Type the time, in seconds, you want to elapse between heartbeat messages. The default is 10 seconds. At the specified interval, the secondary host sends a heartbeat ping to the primary host to detect hardware and network failure. For more information on failover scenarios, see HA Deployment Overview.

Heartbeat Timeout (seconds) - Type the time, in seconds, you want to elapse before the primary host is considered unavailable if no heartbeat is detected. The default is 30 seconds. If the secondary host detects a failure, the secondary host automatically assumes all responsibilities of the primary host. For more information on failover scenarios, see HA Deployment Overview.

Network Connectivity Test: List peer IP addresses (comma delimited) - Type the IP address(es) of the host(s) you want the secondary host to ping, as a means to test its own network connection. The default is all other managed hosts in your deployment. For more information on network connectivity testing, see Primary Network Failure.

Disk Synchronization Rate (MB/s) - Type or select the disk synchronization rate. The default is 100 MB/s.
Note: When you initially add an HA cluster, the first disk synchronization can take an extended period of time to complete, depending on the size of your /store partition and your disk synchronization speed. For example, the initial disk synchronization can take up to 24 hours or more. The secondary host only assumes the Standby status after the initial disk synchronization is complete.
Note: We require that the connection between the primary host and secondary host have a minimum bandwidth of 1 gigabit per second (Gbps).

Disable Disk Replication - Select this option if you want to disable disk replication.
Note: This option is only visible for non-Console hosts.

c Click Next.
The HA Wizard connects to the primary and secondary host to perform the following validations:


- Verifies that the secondary host has a valid HA activation key.
- Verifies that the secondary host is not already added to another HA cluster.
- Verifies that the software versions on the primary and secondary hosts are the same.
- Verifies that the primary and secondary hosts support the same Device Support Module (DSM), scanner, and protocol RPMs.
- Verifies if the primary host has an externally mounted storage system. If it does, the HA wizard then verifies that the secondary host also has an externally mounted storage system.

If any of these validations fail, the HA wizard displays an error message and then closes. If they all succeed, the Confirm the High Availability Wizard Options window is displayed.

Caution: If the primary host is configured with external storage, you must configure the secondary host with the same external storage before continuing.

Step 9 Review the information. Click Finish.

Note: If Disk Synchronization is enabled, it can take 24 hours or more for the data to initially synchronize.
Note: If required, click Back to return to the Confirm the High Availability Wizard Options window to edit the information.

The System and License Management window displays the HA cluster you added. Use the Arrow icon to display or hide the secondary host.


The System and License Management window provides the status of your HA clusters, including:

Table 5-3 HA Status Descriptions

Active - Specifies that the host is acting as the active system with all services running. Either the primary or secondary host can display the Active status. If the secondary host is displaying the Active status, failover has occurred.

Standby - Specifies that the host is acting as the standby system. This status only displays for a secondary host. The standby system has no services running. If disk replication is enabled, the standby system is replicating data from the primary host. If the primary host fails, the standby system automatically assumes the active role.

Failed - Specifies that the host is in a failed state. Both the primary and the secondary host can display the Failed status:
- If the primary host displays the Failed status, the secondary host takes over the services and should now display the Active status.
- If the secondary host displays the Failed status, the primary host remains active, but is not protected by HA.
A system in the failed state must be manually repaired (or replaced), and then restored. See Restoring a Failed Host.
Note: Depending on the type of failure that caused the failover, you may not be able to access a failed system from the Console.

Synchronizing - Specifies that the host is synchronizing data on its local disk to match the currently active system.
Note: This status only appears if disk replication is enabled.

Online - Specifies that the host is online.


Table 5-3 HA Status Descriptions (continued)

Offline - Specifies that the host is offline. All processes are stopped and the host is not monitoring the heartbeat from the active system. Both the primary and the secondary host can display the Offline status. While in the Offline state, disk replication continues if it is enabled.

Restoring - Once you select High Availability > Restore System to restore a failed host (see Restoring a Failed Host), this status specifies that the system is in the process of restoring.

Needs License - Specifies that a license key is required for the HA cluster. See Chapter 3 - Managing the System, Updating your License Key. In the Needs License state, no processes are running.

Setting Offline - Specifies that the host is in the process of changing state from online to offline.

Setting Online - Specifies that the host is in the process of changing state from offline to online.

Needs Upgrade - Specifies that the host requires a software upgrade, because the primary host has been upgraded to a newer software version. If the secondary host displays the Needs Upgrade status, the primary host remains active, but is not protected by HA. Heartbeat monitoring and disk replication, if enabled, continue to function.
Note: Only a secondary host can display a Needs Upgrade status.

Upgrading - Specifies that the host is in the process of upgrading software. If the secondary host displays the Upgrading status, the primary host remains active, but is not protected by HA. Heartbeat monitoring and disk replication, if enabled, continue to function.
Note: Only a secondary host can display an Upgrading status.

Editing an HA Cluster

Using the Edit HA Host feature, you can edit the advanced options for your HA cluster. To edit an HA cluster:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel is displayed.


Step 3 Click the System and License Management icon.
The System and License Management window is displayed.
Step 4 Select the row for the HA cluster you want to edit.
Step 5 From the High Availability menu, select Edit HA Host.
The HA Wizard is displayed.
Step 6 Edit the parameters in the advanced options section. See Table 5-2.
Step 7 Click Next.

The Confirm the High Availability Wizard Options window is displayed.


Step 8 Review the information. Click Finish.

The secondary host restarts and your HA cluster continues functioning.

Removing an HA Host

You can remove an HA host from a cluster. You cannot remove a host from an HA cluster when the primary HA host is in the Failed, Offline, or Synchronizing state. To remove an HA host:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel is displayed.
Step 3 Click the System and License Management icon.
The System and License Management window is displayed.
Step 4 Select the HA host you want to remove.
Step 5 From the High Availability menu, select Remove HA Host.
A confirmation message is displayed, indicating that removing an HA host reboots the user interface.
Step 6 Click OK.

Once you remove an HA host, the host restarts and becomes available to be added to another cluster.


Setting an HA Host Offline

You can set either the primary or secondary host to Offline from the Active or Standby state. If you set the active system to Offline, the standby system becomes the active system, thereby forcing a failover. If you set the standby system to Offline, the standby system no longer monitors the heartbeat of the active system, but continues to synchronize data from the active system. To set an HA host offline:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel is displayed.
Step 3 Click the System and License Management icon.
The System and License Management window is displayed.
Step 4 Select the HA host you want to set offline.
Step 5 From the High Availability menu, select Set System Offline.
The status for the host changes to Offline.

Setting an HA Host Online

When you set the secondary host to Online, the secondary host becomes the standby system. If you set the primary host to Online while the secondary system is currently the active system, the primary host becomes the active system and the secondary host automatically becomes the standby system. To set an HA host online:

Step 1 Click the Admin tab.
Step 2 In the navigation menu, click System Configuration.
The System Configuration panel is displayed.
Step 3 Click the System and License Management icon.
The System and License Management window is displayed.
Step 4 Select the offline HA host you want to set online.
Step 5 From the High Availability menu, select Set System Online.
The status for the host changes to Online.

Restoring a Failed Host

If a host displays a status of Failed, a hardware or network failure occurred for that host. Before you can restore the host using the user interface, you must manually repair the host. For more information, see your network administrator. To restore a failed system:

Step 1 Recover the failed host.


Note: Recovering a failed host involves re-installing STRM. For more information on recovering a failed host, see the STRM Installation Guide. If you are recovering a primary host and your HA cluster uses shared storage, you must manually configure iSCSI. For more information on configuring iSCSI, see the Configuring iSCSI technical note.

Step 2 Click the Admin tab.
Step 3 In the navigation menu, click System Configuration.
The System Configuration panel is displayed.
Step 4 Click the System and License Management icon.
The System and License Management window is displayed.
Step 5 Select the failed HA host you want to restore.
Step 6 From the High Availability menu, select Restore System.
The system restores the HA configuration on the failed host. The status of the host changes through the following sequence:
a Restoring
b Synchronizing (if disk synchronization is enabled)
c Standby (secondary host) or Offline (primary host)

If the restored host is the primary system, you must manually set the primary system to the Online state. See Setting an HA Host Online.


5

SETTING UP STRM

This chapter provides information on setting up STRM, including:
- Creating Your Network Hierarchy
- Scheduling Automatic Updates
- Configuring System Settings
- Using Event and Flow Retention Buckets
- Configuring System Notifications
- Configuring the Console Settings

Creating Your Network Hierarchy

STRM uses the network hierarchy to understand your network traffic and provide you with the ability to view network activity for your entire deployment. When you develop your network hierarchy, you should consider the most effective method for viewing network activity. The network you configure in STRM does not have to resemble the physical deployment of your network. STRM supports any network hierarchy that can be defined by a range of IP addresses. You can create your network based on many different variables, including geographical or business units.

Considerations

Consider the following when defining your network hierarchy:

- Group together systems and user groups that have similar behavior. This provides you with a clear view of your network.
- Create multiple top-level groups if your deployment is processing more than 600,000 flows.
- Organize your systems/networks by role or similar traffic patterns. For example, mail servers, departmental users, labs, or development groups. This allows you to differentiate network behavior and enforce network management security policies.
- Do not group together servers that have unique behavior with other servers on your network. For example, placing a unique server alone provides the server greater visibility in STRM, allowing you to enact specific policies.


- Within a group, place servers with high volumes of traffic, such as mail servers, at the top of the group. This provides you a clear visual representation when a discrepancy occurs. We recommend that you extend this practice to all groups.
- Combine multiple Classless Inter-Domain Routing (CIDR) ranges or subnets into a single network/group to conserve disk space. For example:

Group  Description       IP Address
1      Marketing         10.10.5.0/24
2      Sales             10.10.8.0/21
3      Database Cluster  10.10.1.3/32, 10.10.1.4/32, 10.10.1.5/32

Note: We recommend that you do not configure a network group with more than 15 objects. This may cause you difficulty in viewing detailed information for each group.

- You may also want to define an all-encompassing group so that when you define new networks, the appropriate policies and behavioral monitors are applied. For example:

Group      Subgroup
Cleveland  Cleveland misc
Cleveland  Cleveland Sales
Cleveland  Cleveland Marketing
I
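The following Python example (added here; not code from the STRM guide or product) builds a network hierarchy from the Marketing / Sales / Database Cluster table above, classifies flow endpoints against it by longest-prefix match, checks the 15-object recommendation, and collapses adjacent CIDRs as the guide advises; the sample flow addresses are constructed.

```python
"""Network hierarchy lookup modelled on the STRM guide's example table
(added example, not STRM code). Group names and CIDRs are from the guide's
table; the flow endpoint addresses below are constructed."""
import ipaddress
from collections import Counter

MAX_OBJECTS_PER_GROUP = 15            # the guide's recommended limit

# Group -> list of CIDR objects, from the Marketing/Sales/Database table.
HIERARCHY = {
    "Marketing": ["10.10.5.0/24"],
    "Sales": ["10.10.8.0/21"],
    "Database Cluster": ["10.10.1.3/32", "10.10.1.4/32", "10.10.1.5/32"],
}


def check_group_sizes(groups):
    """Return the names of groups that exceed the 15-object recommendation."""
    return [name for name, cidrs in groups.items()
            if len(cidrs) > MAX_OBJECTS_PER_GROUP]


def build_hierarchy(groups):
    """Flatten groups into (name, network) pairs, most specific prefix first,
    so a /32 placed inside a wider group still wins the lookup.
    strict=True rejects CIDRs with host bits set (e.g. 10.10.8.1/21)."""
    pairs = [(name, ipaddress.ip_network(c, strict=True))
             for name, cidrs in groups.items() for c in cidrs]
    pairs.sort(key=lambda p: p[1].prefixlen, reverse=True)
    return pairs


def classify(pairs, ip, default="Other"):
    """Longest-prefix match of one address against the hierarchy."""
    addr = ipaddress.ip_address(ip)
    for name, net in pairs:
        if addr in net:
            return name
    return default


def tally(pairs, flow_ips):
    """Count how many of the given flow endpoints land in each group."""
    return Counter(classify(pairs, ip) for ip in flow_ips)


def collapse_group(cidrs):
    """Merge adjacent objects into the fewest CIDRs (the guide's advice to
    combine CIDRs into a single network/group to conserve disk space)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    pairs = build_hierarchy(HIERARCHY)
    # Constructed flow endpoints: two Sales, one Marketing, one DB, one unknown.
    flows = ["10.10.9.77", "10.10.15.3", "10.10.5.200", "10.10.1.4", "192.0.2.9"]
    print(tally(pairs, flows))
    print(collapse_group(HIERARCHY["Database Cluster"]))  # ['10.10.1.3/32', '10.10.1.4/31']
    print(check_group_sizes(HIERARCHY))                    # []
```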