Release Notes Patch 1

Juniper Secure Analytics
Release Notes Patch 1
Release 2014.1

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net

Published: 2014-03-18

Copyright Notice

Copyright 2014 Juniper Networks, Inc. All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

The following terms are trademarks or registered trademarks of other companies: Java(TM) and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Juniper Networks installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Consult the dealer or an experienced radio/TV technician for help.
- Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT, SUBJECT TO THE MODIFICATIONS SET FORTH BELOW ON THIS PAGE, ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

Release 2014.1
Copyright 2014, Juniper Networks, Inc. All rights reserved. Printed in USA.

Revision History
March 2014

The information in this document is current as of the date listed in the revision history.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at http://www.juniper.net/support/eula.html, as modified by the following text, which shall be treated under the EULA as an Entitlement Document taking precedence over any conflicting provisions of such EULA as regards such software: As regards software accompanying the JSA products (the "Program"), such software contains software licensed by Q1 Labs and is further accompanied by third-party software that is described in the applicable documentation or materials provided by Juniper Networks.

For the convenience of Licensee, the Program may be accompanied by a third party operating system. The operating system is not part of the Program, and is licensed directly by the operating system provider (e.g., Red Hat Inc., Novell Inc., etc.) to Licensee. Neither Juniper Networks nor Q1 Labs is a party to the license between Licensee and the third party operating system provider, and the Program includes the third party operating system AS IS, without representation or warranty, express or implied, including any implied warranty of merchantability, fitness for a particular purpose or non-infringement. For an installed Red Hat operating system, see the license file: /usr/share/doc/redhat-release-server-6server/eula. By downloading, installing or using such software, you agree to the terms and conditions of that EULA as so modified.


CONTENTS

1 JSA RELEASE NOTES
    Installing 2014.1.r1 Patch ............ 7
    Clearing the Cache .................... 9
    Resolved Issues ....................... 10

1 JSA RELEASE NOTES

The 2014.1.r1.734536 patch resolves several known issues in Juniper Secure Analytics (JSA).

    Installing 2014.1.r1 Patch
    Clearing the Cache
    Resolved Issues

Installing 2014.1.r1 Patch

If your deployment is installed with version 2013.2.r3 or later, you can install the 2014.1.r1.734536 patch.

Before you begin

Ensure that you take the following precautions:

- Back up your data before you begin any software upgrade. For more information about backup and recovery, see the Juniper Secure Analytics Administration Guide.
- To avoid access errors in your log file, close all open JSA WebUI sessions.
- The patch for JSA cannot install on a managed host that is at a different software version from the console. All appliances in the deployment must be at the same software revision to patch the entire deployment.
- Verify that all changes are deployed on your appliances. The patch cannot install on appliances that have changes that are not deployed.

About this task

Patches are cumulative software updates to fix known software issues in your JSA deployment. JSA patches are installed by using an SFS file. The patch can update any appliance attached to the JSA console that is at the same software version as the console.

Procedure

Step 1  Download the 2014.1.r1.734536 patch from the Juniper Customer Support website: www.juniper.net/support/products

Step 2  Using SSH, log in to your system as the root user.

Step 3  Copy the patch to the /tmp directory on the JSA console.

        Note: If space in the /tmp directory is limited, copy the patch to another location that has sufficient space.

Step 4  Unzip the file in the /tmp directory using the bunzip2 utility:

        bunzip2 2014.1.r1.734536.sfs.bz2

Step 5  To create the /media/updates directory, type the following command:

        mkdir -p /media/updates

Step 6  Change to the directory where you copied the patch file. For example:

        cd /tmp

Step 7  To mount the patch file to the /media/updates directory, type the following command:

        mount -o loop -t squashfs 2014.1.r1.734536.sfs /media/updates/

Step 8  To run the patch installer, type the following command:

        /media/updates/installer

        Note: If you have logged in through a serial-based console, run the following command to install the patch automatically:

        /media/updates/installer --no-screen

        Note: The first time that you run the patch, there might be a delay before the patch install menu is displayed.

Step 9  Using the patch installer, select all. The all option updates the software on all systems in your deployment. In HA deployments, primary HA appliances are patched and replicate the patch update to the secondary HA appliance.
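Two of the conditions stated above can be checked mechanically before Step 8 is reached: the deployment must already be at 2013.2.r3 or later, and the staging directory (/tmp, or another location per the note at Step 3) must have room for the patch. The script below is an added example and is not Juniper's own tooling. It assumes the installed version is supplied by the operator, because the release notes name no command for reading it; the file name, mount point and command sequence are those of Steps 4 to 8. After the checks pass it only prints the commands, so the operator still runs them deliberately.

```shell
#!/bin/sh
# Added example, not Juniper tooling: pre-flight checks for the JSA patch
# procedure. Assumptions: the installed version is passed as $1 (the release
# notes give no command for reading it); the staging directory defaults to /tmp.

PATCH_FILE="2014.1.r1.734536.sfs"   # Step 4 (after bunzip2)
MIN_VERSION="2013.2.r3"             # prerequisite under "Installing 2014.1.r1 Patch"
MOUNT_POINT="/media/updates"        # Steps 5 and 7

# Split a JSA version string "YYYY.N[.rM[.build]]" into "YYYY N M" (M defaults to 0).
jsa_version_parts() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=0
    case "$rest" in
        *.r*) patch=${rest##*.r}; patch=${patch%%.*} ;;
    esac
    printf '%s %s %s\n' "$major" "$minor" "$patch"
}

# True (exit 0) when installed version $1 is at or above minimum version $2.
jsa_version_ge() {
    set -- $(jsa_version_parts "$1") $(jsa_version_parts "$2")
    # $1 $2 $3 = installed major minor patch; $4 $5 $6 = minimum major minor patch
    if [ "$1" -ne "$4" ]; then
        [ "$1" -gt "$4" ]
    elif [ "$2" -ne "$5" ]; then
        [ "$2" -gt "$5" ]
    else
        [ "$3" -ge "$6" ]
    fi
}

# True when directory $1 has at least $2 kB free (the Step 3 note on /tmp space).
dir_has_free_kb() {
    avail=$(df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }')
    [ "${avail:-0}" -ge "$2" ]
}

# Emit the commands of Steps 4 to 8 for the given staging directory, one per line,
# so the operator can review them (or pipe them to sh) once the checks pass.
patch_commands() {
    printf 'cd %s\n' "$1"
    printf 'bunzip2 %s.bz2\n' "$PATCH_FILE"
    printf 'mkdir -p %s\n' "$MOUNT_POINT"
    printf 'mount -o loop -t squashfs %s %s/\n' "$PATCH_FILE" "$MOUNT_POINT"
    printf '%s/installer\n' "$MOUNT_POINT"
}

# Run the checks; on the first failure print the reason to stderr and return 1.
# $1 installed version, $2 staging directory (default /tmp), $3 required kB (default 0).
preflight() {
    installed=$1; dir=${2:-/tmp}; need_kb=${3:-0}
    case "$installed" in
        [0-9][0-9][0-9][0-9].[0-9]*) ;;
        *) echo "refusing: unrecognised version string '$installed'" >&2; return 1 ;;
    esac
    if ! jsa_version_ge "$installed" "$MIN_VERSION"; then
        echo "refusing: deployment is at $installed, patch requires $MIN_VERSION or later" >&2
        return 1
    fi
    if ! dir_has_free_kb "$dir" "$need_kb"; then
        echo "refusing: $dir has under ${need_kb} kB free; stage the patch elsewhere (Step 3 note)" >&2
        return 1
    fi
    patch_commands "$dir"
}

# Usage: sh preflight.sh <installed-version> [staging-dir] [required-kB]
if [ $# -gt 0 ]; then
    preflight "$@"
fi
```

The version comparison treats a release with no ".rN" suffix (2014.1) as patch level 0, which is why 2014.1 passes against 2013.2.r3 on the year field alone; the free-space threshold is a parameter because the notes give no figure for it.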

If you do not select the all option, you must copy the fix to each appliance in your deployment and install the patch. If you manually install the patch in your deployment, you must update your appliances in the following order:

1 Console
2 Event Processors
3 Event Collectors
4 Flow Processors
5 Flow Collectors

If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes.

Results

A summary of the patch installation advises you of any managed hosts that were not updated. If the patch fails to update a managed host, you can copy the patch to the host and run the installation locally.

What to do next

You are now ready to clear the Java cache and the browser cache.

Clearing the Cache

After you install the patch, you must clear your Java cache and your web browser cache before you log in to JSA.

Before you begin

Ensure that you have only one instance of your browser open. If you have multiple versions of your browser open, the cache might fail to clear.

Ensure that the Java Runtime Environment is installed on the desktop system that you use to view the user interface. You can download Java version 1.7 from the Java website: http://java.com/.

About this task

If you use the Microsoft Windows 7 operating system, the Java icon is typically located under the Programs pane.

Procedure

Step 1  Clear your Java cache:
        a  On your desktop, select Start > Control Panel.
        b  Double-click the Java icon.
        c  In the Temporary Internet Files pane, click View.
        d  On the Java Cache Viewer window, select all Deployment Editor entries.
        e  Click the Delete icon.

        f  Click Close.
        g  Click OK.

Step 2  Open your web browser.

Step 3  Clear the cache of your web browser. If you use the Mozilla Firefox web browser, you must clear the cache in both the Microsoft Internet Explorer and Mozilla Firefox web browsers.

Step 4  Log in to JSA.

Resolved Issues

The following issues are resolved in the patch for 2014.1.r1:

Default searches do not show up in quick searches or dashboards for new non-admin users

After you upgrade your system to 2013.2.r3, default quick searches may not be listed in the Quick Searches list box for administrative users that you create after the upgrade. The same issue exists for searches available in the dashboard for these new admin users.

Workaround: Load the search in the Edit Search screen and check:
    Include in my Quick Searches
    Include in my Dashboard
Then click 'Filter'.

The asset profiler might store IP addresses in the NetBIOS field

In 2014.1 there is a condition which may result in an IP address being stored in the NetBIOS field for an asset. This can result in incorrect IPs being shown in the Offenses tab or Event/Flow Details. In those pages the product looks up local IPs in the database and replaces the IP with the hostname or NetBIOS name. When an IP is in the NetBIOS field, this leads to confusion.

Workaround: None.

After an upgrade to 2014.1, the secondary HA host might transition to the active system when the primary reboots

After an upgrade to 2014.1, the system restarts to complete the upgrade. When the system restarts, the secondary HA system unexpectedly switches to the active system, thinking that the primary system is unavailable. When this issue occurs, the administrator might need to manually set the primary system online after the system restarts.

Workaround: To set an HA primary or secondary system in the online (active) state:

Step 1  Click the Admin tab.
Step 2  Click the System and License Management icon.
Step 3  Select the offline HA host that you want to set to Online.
Step 4  From the toolbar, select High Availability > Set System Online.

An application error can occur when a log source list is filtered by modification date or creation date

In the Log Sources window, the column headings for the list of log sources can be selected to sort the values in ascending or descending order. When the Modification Date column or Creation Date column is selected, an application error might occur.

Workaround: None.

Deploy changes fails to complete and continually prompts the administrator that there are undeployed changes

On the Admin tab, the deploy changes status message continually informs the administrator that a deploy changes is required. When the administrator attempts to complete a deploy changes, the process fails to complete. This issue might be due to a lock condition in the database where competing actions are waiting on each other to finish. Typically a restart of the web server from the Admin tab resolves this issue.

Workaround: Restart Tomcat on the console. To restart Tomcat from the user interface:

1 Log in to JSA.
2 Click the Admin tab.
3 Select Advanced > Restart Web Server.

A restart of the web server forces all users to log out of the console. The user interface is unavailable until the web server restarts; however, event collection is not affected.

Note: If the administrator notices this issue occurring often, the administrator can contact customer support for assistance.

Log sources that were modified after being bulk added in the user interface might display a duplicate key error

After an upgrade to 2014.1, a duplicate key violation error can occur when an administrator attempts to edit a log source that was added through the bulk add interface. When this issue occurs, the following error message might be displayed in /var/log/qradar.log:

[tomcat] [username@ip Address (1552) /console/do/sem/maintainbulksensordevice] <openjpa-2.2.1-r422266:1396819 fatal store error> org.apache.openjpa.persistence.entityexistsexception: ERROR: duplicate key value violates unique constraint "sensordevicebulkadd_pkey" Detail: Key (id)=(1) already exists. {prepstmnt -168569596 INSERT INTO SensorDeviceBulkAdd (id, bulk_group_name) VALUES (?,?)} [code=0, state=23505]

Workaround: None.

A report may fail to generate from raw data when the database query requires more than 20 minutes to complete

Reports that use raw data, instead of aggregated data, where the database query takes more than 20 minutes to complete might not complete as expected. When a report fails to generate during this condition, an error message that the connection has been closed is displayed in qradar.log. For example:

Nov 6 02:59:42 [IP address] [report_runner] [main] com.q1labs.reporting.reportservices: [ERROR] [NOT:0000003000][IP Address/- -] [-/- -]This connection has been closed. {SELECT is_raw FROM report_queue_status WHERE generate_start_time is not NULL AND generate_end_time is NULL AND err_text is NULL AND template_name =? ORDER BY id DESC} [code=0, state=08003]

Note: The error message above is a sample, but represents the type of error that is generated in qradar.log.

Workaround: Contact Juniper Customer Support for assistance.

JSA might stop processing events when a remote procedure call (RPC) error is generated with Too many open files

A file handle leak in JSA Remote Procedure Call (RPC) code can cause Java to reach the maximum number of allowed file handles on systems with large amounts of physical RAM. This issue affects the Event Correlation Server (ECS) before other console processes because ECS generates a large number of RPC requests. When this issue occurs, the following exception might be displayed in /var/log/qradar.log:

java.io.filenotfoundexception: /store/ec/jdbc/7 (Too many open files)

Workaround: A restart of ECS allows the event pipeline process to resume. However, the file handle limit will be reached again in time (hours to days, depending on several factors). To restart ECS:

1 Using SSH, log in to the Console as the root user.
2 To restart ECS, type the following command: service ecs restart
3 Wait for the service to restart and verify event collection on the Log Activity tab.

If this issue continues to occur, administrators can contact Juniper Customer Support for further assistance.

Closing an offense from the Offense Summary window might cause the user interface to display improperly and generate an error

On the Offenses tab, when a user double-clicks an offense, the system displays the Offense Summary. If a user attempts to close an offense from the Offense Summary window, the user interface refreshes and the content of the summary page does not display correctly.

Workaround: If the Offense Summary window displays incorrectly, the following procedure can be followed to close an offense until the error is resolved.

Step 1  Click the Offenses tab to return to the main offense view.
Step 2  Highlight the offense that you want to close.
Step 3  From the navigation menu, select Actions > Close.

After an upgrade to 2014.1.r1 Patch 1, the Ariel database did not start as expected

After an upgrade to 2014.1.r1 Patch 1, the Ariel database did not start as expected. When this issue occurs, the following error message is generated in /var/log/qradar.error:

[ecs] [MPCEventQueryProcessor [0]] com.q1labs.sem.magi.eventquery.mpceventqueryprocessor: [WARN] [NOT:0000004000][IP Address/- -] [-/- -]Error while getting ariel client, it will retry at Wed Dec 27 14:19:57 CET 2013
[ariel.ariel_proxy_server] [main] com.q1labs.ariel.cursorrepository: [ERROR] [NOT:0000003000][IP Address/- -] [-/- -]Can't de-serialize object from /store/ariel/persistent_data/ariel.ariel_proxy_server/cursor_repository.ser
[ariel.ariel_proxy_server] [main] java.lang.ClassNotFoundException: com.q1labs.core.types.event.userhasaccess

Workaround: None.

An application error might display when a rule uses the rule test "when the event matches this search filter"

On the Offenses tab, when a rule is created or edited, an application error might display if it contains the rule test "event matches this search filter". The application error can occur when the user clicks the term "this search filter" to select a custom property to filter. When this issue occurs, the following message is generated in /var/log/qradar.log:

Nov 29 16:05:11 150.2.45.86 [tomcat] [IP Address (4833) /console/do/rulewizard/customizeconditionparameter] org.apache.jasper.jasperexception: Unable to compile class for JSP: An error occurred at line: 96 in the jsp file: /sem/jsp/rulewizard/customizeparameter-arielfitler.jsp REFERENCE_TABLE_CONDITION_SEPARATOR cannot be resolved or is not a field

Workaround: None.

New vulnerability data may become unavailable due to an exception in the asset profiler

Rules or searches that contain parameters for New Vulnerability Discovered might not trigger the rule or return a search result as expected. If the administrator has scheduled scans that were completed, but searches or rules that look for new vulnerabilities discovered are not returning results, then an exception may have occurred. To determine if the Asset Profiler is the root cause of the issue, the administrator can review error messages in /var/log/qradar.log. The following error message might be displayed if there is an exception with the Asset Profiler:

Jan 5 10:08:57 IP Address [assetprofiler.assetprofiler] [AssetProfilePersister-BottomTier] com.q1labs.assetprofile.persistence.assetprofilepersistenceworkerthread: [ERROR] [NOT:0000003000][IP Address/- -] [-/- -]Root cause: ERROR: record "vulnrec" has no field "lastscannedfor" Where: SQL statement "UPDATE asset.vulninstance vuln SET vuln.osid = CASE WHEN ( vulnrec.fromlastseen > vulnrec.tolastseen) THEN vulnrec.fromosid ELSE vuln.osid END, vuln.firstseen = LEAST( vulnrec.fromfirstseen, vuln.firstseen ), vuln.lastseen = GREATEST( vulnrec.fromlastseen, vuln.lastseen ), vuln.lastscannedfor = GREATEST( vulnrec.lastscannedfor, vuln.lastscannedfor ) WHERE vuln.id = vulnrec.toid" PL/pgSQL function asset.movevulninstances(bigint,bigint) line 77 at SQL statement
Jan 5 10:08:57 IP Address [assetprofiler.assetprofiler] [AssetProfilePersister-BottomTier] com.q1labs.assetprofile.persistence.assetprofilepersistenceworkerthread: [ERROR] [NOT:0000003000][IP Address/- -] [-/- -]Asset Profile Persister is rolling back its current transaction due to the above exceptions.

The following message indicates that the persistence queue (which is responsible for updating the profile values for an asset) did not update with the new vulnerability: "Asset Profile Persister is rolling back its current transaction due to the above exceptions."

Workaround: None.

After an upgrade, EPS & FPS graphs might not display content from managed hosts with encryption enabled

On the Dashboard under System Monitoring, events per second (EPS) and flows per second (FPS) rates are displayed from the console and each managed host in the deployment. After an upgrade to 2014.1 or 2014.1.r1.734536 Patch 1, managed hosts with encryption enabled (tunneled connections) do not provide their EPS and FPS rate information to the Dashboard.

Workaround: None.
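Several of the resolved issues above are identified by a specific line in /var/log/qradar.log or /var/log/qradar.error, and the notes give a workaround for some of them. The following added shell script, which is not part of the release notes or Juniper's tooling, turns those quoted strings into a triage pass over a log: each line is matched against the signature substrings quoted above and the matching resolved issues are tallied, with the workaround the notes give for each. The sample log lines are constructed, abbreviated copies of the messages quoted in this document, with the same "[IP Address]" placeholders; the issue labels and the `service ecs restart` command come from the text above.

```shell
#!/bin/sh
# Added example, not Juniper tooling: map qradar.log lines to the resolved
# issues in the 2014.1.r1 Patch 1 release notes by their quoted signatures.

# Print the resolved issue that one log line matches, or "no match".
# Patterns are the literal substrings quoted in the release notes.
classify_qradar_line() {
    case "$1" in
        *'duplicate key value violates unique constraint "sensordevicebulkadd_pkey"'*)
            echo "bulk-added log source edit: duplicate key error (workaround: none)" ;;
        *'This connection has been closed.'*'report_queue_status'*)
            echo "raw-data report query over 20 minutes (workaround: contact Juniper Customer Support)" ;;
        *'(Too many open files)'*)
            echo "RPC file handle leak, ECS stalled (workaround: service ecs restart)" ;;
        *"Can't de-serialize object from"*'cursor_repository.ser'*)
            echo "Ariel database did not start after patch (workaround: none)" ;;
        *'REFERENCE_TABLE_CONDITION_SEPARATOR cannot be resolved'*)
            echo "rule test 'event matches this search filter' JSP error (workaround: none)" ;;
        *'record "vulnrec" has no field "lastscannedfor"'*)
            echo "asset profiler exception, new vulnerability data unavailable (workaround: none)" ;;
        *)
            echo "no match" ;;
    esac
}

# Read a log on stdin; print "count issue" for each issue seen, most frequent first.
# Lines that match no signature are dropped, so a clean log prints nothing.
triage_qradar_log() {
    while IFS= read -r line; do
        hit=$(classify_qradar_line "$line")
        [ "$hit" = "no match" ] || printf '%s\n' "$hit"
    done | sort | uniq -c | sort -rn
}

# Constructed sample input: abbreviated copies of the messages quoted in the
# release notes, two copies of the file-handle error, and one unrelated line.
sample_qradar_log() {
    cat <<'EOF'
Nov 6 02:59:42 [IP address] [report_runner] [main] com.q1labs.reporting.reportservices: [ERROR] This connection has been closed. {SELECT is_raw FROM report_queue_status WHERE generate_end_time is NULL} [code=0, state=08003]
[tomcat] [username@ip Address (1552) /console/do/sem/maintainbulksensordevice] org.apache.openjpa.persistence.entityexistsexception: ERROR: duplicate key value violates unique constraint "sensordevicebulkadd_pkey" Detail: Key (id)=(1) already exists.
java.io.filenotfoundexception: /store/ec/jdbc/7 (Too many open files)
java.io.filenotfoundexception: /store/ec/jdbc/8 (Too many open files)
[ariel.ariel_proxy_server] [main] com.q1labs.ariel.cursorrepository: [ERROR] [IP Address/- -] Can't de-serialize object from /store/ariel/persistent_data/ariel.ariel_proxy_server/cursor_repository.ser
Nov 29 16:05:11 [IP Address] [tomcat] org.apache.jasper.jasperexception: Unable to compile class for JSP: REFERENCE_TABLE_CONDITION_SEPARATOR cannot be resolved or is not a field
Jan 5 10:08:57 IP Address [assetprofiler.assetprofiler] [ERROR] Root cause: ERROR: record "vulnrec" has no field "lastscannedfor"
Jan 5 10:09:00 IP Address [tomcat] [INFO] Deploy completed successfully
EOF
}

# Usage with the constructed sample; replace with: triage_qradar_log < /var/log/qradar.log
sample_qradar_log | triage_qradar_log
```

The report-failure signature requires both "This connection has been closed." and "report_queue_status" on the same line, because a closed-connection message on its own is not specific to that issue; the other signatures are distinctive enough to match alone.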
