Juniper Secure Analytics Upgrading JSA to 7.3

Juniper Secure Analytics Upgrading JSA to 7.3.0

Release

7.3.0

Modified: 2017-12-11

Copyright © 2017, Juniper Networks, Inc.

Juniper Networks, Inc.1133 InnovationWaySunnyvale, California 94089USA408-745-2000www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates inthe United States and other countries. All other trademarks may be property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,transfer, or otherwise revise this publication without notice.

Juniper Secure Analytics Upgrading JSA to 7.3.07.3.0Copyright © 2017 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through theyear 2038. However, the NTP application is known to have some difficulty in the year 2036.

ENDUSER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networkssoftware. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted athttp://www.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of thatEULA.

Copyright © 2017, Juniper Networks, Inc.ii

http://www.juniper.net/support/eula/

Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Chapter 1 What's NewWhen You Upgrade to JSA 7.3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . 13

What's New When You Upgrade to JSA 7.3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Shared License Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

RHEL V7.3 Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Chapter 2 Preparing for the Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Preparing for the Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Software Version Requirements for Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Memory and Disk Space Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

JSA Memory Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Other Memory Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Disk Space Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Supported Web Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Backing Up Third-party Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Upgrade Sequence in Distributed Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Upgrading High-availability Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Precautions for Upgrading Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Chapter 3 Upgrading JSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Administrator Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Staging Files and Pretesting your Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Installing the JSA 7.3.0 ISO on the Console Appliance . . . . . . . . . . . . . . . . . . . . . . 24

Installing the JSA 7.3.0 ISO on all other Managed Hosts . . . . . . . . . . . . . . . . . . . . 25

Installation Wrap-up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Clearing theWeb Browser Cache After Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . 27

iiiCopyright © 2017, Juniper Networks, Inc.

Copyright © 2017, Juniper Networks, Inc.iv


List of Tables

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Chapter 2 Preparing for the Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Table 3: Minimum and Optional Memory Requirements for JSA Appliances . . . . . 16

Table 4: Supported Web Browsers for JSA Products . . . . . . . . . . . . . . . . . . . . . . . . 17

vCopyright © 2017, Juniper Networks, Inc.

Copyright © 2017, Juniper Networks, Inc.vi


About the Documentation

• Documentation and Release Notes on page vii

• Documentation Conventions on page vii

• Documentation Feedback on page ix

• Requesting Technical Support on page x

Documentation and Release Notes

To obtain the most current version of all Juniper Networks®technical documentation,

see the product documentation page on the Juniper Networks website at

http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the

documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject

matter experts. These books go beyond the technical documentation to explore the

nuances of network architecture, deployment, and administration. The current list can

be viewed at http://www.juniper.net/books.

Documentation Conventions

Table 1 on page viii defines notice icons used in this guide.

viiCopyright © 2017, Juniper Networks, Inc.

http://www.juniper.net/techpubs/

http://www.juniper.net/books

Table 1: Notice Icons

DescriptionMeaningIcon

Indicates important features or instructions.Informational note

Indicates a situation that might result in loss of data or hardware damage.Caution

Alerts you to the risk of personal injury or death.Warning

Alerts you to the risk of personal injury from a laser.Laser warning

Indicates helpful information.Tip

Alerts you to a recommended use or implementation.Best practice

Table 2 on page viii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

ExamplesDescriptionConvention

To enter configuration mode, type theconfigure command:

user@host> configure

Represents text that you type.Bold text like this

user@host> show chassis alarms

No alarms currently active

Represents output that appears on theterminal screen.

Fixed-width text like this

• A policy term is a named structurethat defines match conditions andactions.

• Junos OS CLI User Guide

• RFC 1997,BGPCommunities Attribute

• Introduces or emphasizes importantnew terms.

• Identifies guide names.

• Identifies RFC and Internet draft titles.

Italic text like this

Configure themachine’s domain name:

[edit]root@# set system domain-namedomain-name

Represents variables (options for whichyou substitute a value) in commands orconfiguration statements.

Italic text like this

Copyright © 2017, Juniper Networks, Inc.viii


Table 2: Text and Syntax Conventions (continued)

ExamplesDescriptionConvention

• To configure a stub area, include thestub statement at the [edit protocolsospf area area-id] hierarchy level.

• Theconsoleport is labeledCONSOLE.

Represents names of configurationstatements, commands, files, anddirectories; configurationhierarchy levels;or labels on routing platformcomponents.

Text like this

stub <default-metricmetric>;Encloses optional keywords or variables.< > (angle brackets)

broadcast | multicast

(string1 | string2 | string3)

Indicates a choice between themutuallyexclusive keywords or variables on eitherside of the symbol. The set of choices isoften enclosed in parentheses for clarity.

| (pipe symbol)

rsvp { # Required for dynamicMPLS onlyIndicates a comment specified on thesame lineas theconfiguration statementto which it applies.

# (pound sign)

community namemembers [community-ids ]

Encloses a variable for which you cansubstitute one or more values.

[ ] (square brackets)

[edit]routing-options {static {route default {nexthop address;retain;

}}

}

Identifies a level in the configurationhierarchy.

Indention and braces ( { } )

Identifies a leaf statement at aconfiguration hierarchy level.

; (semicolon)

GUI Conventions

• In the Logical Interfaces box, selectAll Interfaces.

• To cancel the configuration, clickCancel.

Representsgraphicaluser interface(GUI)items you click or select.

Bold text like this

In the configuration editor hierarchy,select Protocols>Ospf.

Separates levels in a hierarchy of menuselections.

> (bold right angle bracket)

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can

improve the documentation. You can provide feedback by using either of the following

methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site

athttp://www.juniper.net/techpubs/index.html, simply click the stars to rate thecontent,

and use the pop-up form to provide us with information about your experience.

Alternately, you can use the online feedback form at

http://www.juniper.net/techpubs/feedback/.

ixCopyright © 2017, Juniper Networks, Inc.


http://www.juniper.net/techpubs/index.html

http://www.juniper.net/techpubs/feedback/

• E-mail—Sendyourcommentsto [email protected]. Includethedocument

or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the JuniperNetworksTechnicalAssistance

Center (JTAC). If you are a customer with an active J-Care or Partner Support Service

support contract, or are covered under warranty, and need post-sales technical support,

you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies,

review the JTAC User Guide located at

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,

7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online

self-service portal called the Customer Support Center (CSC) that provides youwith the

following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: https://prsearch.juniper.net/

• Find product documentation: http://www.juniper.net/documentation/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications:

http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

Toverify serviceentitlementbyproduct serial number, useourSerialNumberEntitlement

(SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/

Opening a Casewith JTAC

You can open a case with JTAC on theWeb or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

Copyright © 2017, Juniper Networks, Inc.x


mailto:[email protected]?subject=

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf

http://www.juniper.net/support/warranty/

http://www.juniper.net/customers/support/

https://prsearch.juniper.net/

http://www.juniper.net/documentation/

http://kb.juniper.net/

http://www.juniper.net/customers/csc/software/

http://kb.juniper.net/InfoCenter/

http://www.juniper.net/company/communities/

http://www.juniper.net/cm/

https://entitlementsearch.juniper.net/entitlementsearch/

http://www.juniper.net/cm/

For international or direct-dial options in countries without toll-free numbers, see

http://www.juniper.net/support/requesting-support.html.

xiCopyright © 2017, Juniper Networks, Inc.


http://www.juniper.net/support/requesting-support.html

Copyright © 2017, Juniper Networks, Inc.xii


CHAPTER 1

What's NewWhen You Upgrade to JSA7.3.0

• What's NewWhen You Upgrade to JSA 7.3.0 on page 13

What's NewWhen You Upgrade to JSA 7.3.0

JSA 7.3.0 introduces a shared license pool for managing EPS and FPM, and now uses

Red Hat Enterprise Linux (RHEL) V7.3.

NOTE: There is a change in the representation of releases for JSA releaseslater than JSA 2014.8. Starting with JSA 7.3.0, JSA releases are representedas 7.x.x releases. There is no change in the representation of JSA Releases2014.1 through 2014.8.

NOTE: You are recommended to apply JSA 7.3.0 patch 6 interim fix 01, if youare on JSA 7.3.0 patch 6. See JSA 7.3.0 patch 6 Interim Fix 01 patch releasenotes for details.

Shared License Pool

You can adapt to workload changes by distributing events per second (EPS) and flows

per minute (FPM) to any host in your deployment, regardless of which appliance the

license is allocated to.

Forexample, youhavea JSA2014.8distributeddeployment thathas twoeventprocessors,

onewith 7,500 EPS and the other with 15,000 EPS.When you upgrade to JSA 7.3.0, each

processor maintains the pre-upgrade EPS allocations, but the combined 22,500 EPS

becomepart of the shared license pool.When the data volumes for the event processors

change, or when you add amanaged host, you can redistribute the EPS capacity.

For more information about managing the shared license pool, see the License

Management chapter in the Juniper Secure Analytics Administration Guide.

13Copyright © 2017, Juniper Networks, Inc.

RHEL V7.3 Benefits

RHELV7.3makes JSAmoresecure.RHELV7.3alsosupportsLogicalVolumeManagement

(LVM), which provides flexible and advanced disk partitioning. With LVM, you can create

partitions, resize them, and aggregate clusters of storage together.

For example, youhavea JSAAll-In-One virtual appliance. Youneedmore local disk space

so that you can store events for a longer time. You can add another disk to extend the

/store partition.

RelatedDocumentation

• Preparing for the Upgrade on page 15

• Software Version Requirements for Upgrades on page 15

• Memory and Disk Space Requirements on page 16

Copyright © 2017, Juniper Networks, Inc.14


CHAPTER 2

Preparing for the Upgrade

• Preparing for the Upgrade on page 15

• Software Version Requirements for Upgrades on page 15


• SupportedWeb Browsers on page 17

• Backing Up Third-party Data on page 17

• Upgrade Sequence in Distributed Deployments on page 18

• Upgrading High-availability Deployments on page 18

• Precautions for Upgrading Appliances on page 19

Preparing for the Upgrade

To successfully upgrade an JSA system, verify your upgrade path, especially when you

upgrade from older versions that require intermediate steps. Youmust also review the

software, hardware, and high availability (HA) requirements.

NOTE: When you upgrade to JSA 2014.6 or later, the SSH keys on everymanaged host are replaced. If you are connecting to or from a JSAmanagedhost and you are using key-based authentication, do not remove or alter theSSH keys. Removing or altering the keysmight disrupt communicationbetween the JSA Console and themanaged hosts, and result in lost data.


Software Version Requirements for Upgrades on page 15•



Software Version Requirements for Upgrades

To ensure that JSA upgrades without errors, ensure that you use only the supported

versions of JSA software:

• Ensure that JSA 2014.8.r2 and later is installed.


• Check the software version in the software by clicking Help >About.

NOTE: Software versions for all JSAappliances in a deploymentmust be thesame version and build. Deployments that use different JSA versions ofsoftware are not supported.

NOTE: For amanagedWinCollect deployment, youmust useWinCollectV7.2.5or later. If youareonanearlier versionofWinCollect, youmustupgradetoWinCollect V7.2.5 before you can apply the JSA 7.3.0 upgrade.


Memory and Disk Space Requirements on page 16•



Memory and Disk Space Requirements

Before you upgrade, ensure that JSAmeets theminimumor suggestedmemory and disk

space requirements.

JSAMemory Requirements

The following table describes the minimum and suggestedmemory requirements for

JSA appliances. Theminimummemory requirement defines the amount ofmemory that

is required by the software features. The suggestedmemory requirements include the

amount of memory that is required by the current software features and extra memory

for possible future capabilities. Appliances that have less than the suggested appliance

memory might experience performance issues during periods of excessive event and

flow traffic.

Table 3: Minimum andOptional Memory Requirements for JSA Appliances

Suggestedmemoryrequirement

MinimummemoryrequirementAppliance

2 GB2 GBFlow Collector Virtual without JSA Vulnerability Scanner

6 GB6 GBFlow Collector Virtual with JSA Vulnerability Scanner

48 GB12 GBJSA Event Collector/ Processor Virtual

48 GB12 GBJSA Flow Processor Virtual

48 GB24 GBJSA SIEM Virtual



Other Memory Requirements

If the following conditions are met, extra memory requirements might be required:

• If you plan to enable payload indexing, your system requires a minimum of 24 GB of

memory. However, 48 GB of memory is suggested.

Disk Space Requirements

Before you upgrade to JSA 7.3.0, ensure that the total size of the primary disk is at least

130 gigabytes (GB).

The upgrade pretest determines whether a partition includes enough free space to

complete an upgrade. Before you can upgrade, youmust free up sufficient disk space on

the partition that is defined in the pretest error message.


SupportedWeb Browsers on page 17•



SupportedWeb Browsers

For the features in JSAproducts towork properly, youmust use a supportedwebbrowser.

The following table lists the supported versions of web browsers.

Table 4: SupportedWeb Browsers for JSA Products

Supported versionsWeb browser

45.2 Extended Support ReleaseMozilla Firefox

11.064-bit Microsoft Internet Explorer with Microsoft Edgemode enabled.


Backing Up Third-party Data on page 17•



Backing Up Third-party Data

Before you upgrade, ensure that you back up all third-party data on the system.

All third-party data on the system is removed during the OS upgrade portion of the JSA

upgrade. Only data stored in the /store partition will be preserved. We recommend that

you back up any such data before performing the upgrade such as:


Chapter 2: Preparing for the Upgrade

• Any third-party user accounts and data

• Any files, scripts, or data in /root


Upgrade Sequence in Distributed Deployments on page 18•



Upgrade Sequence in Distributed Deployments

When you upgrade JSA systems, youmust complete the upgrade process on your JSA

Console first. Youmust be able to access the user interface on your desktop system

before you upgrade your secondary JSA Console andmanaged hosts.

Upgrade your JSA systems in the following order:

1. Console

2. The following JSA systems can be upgraded concurrently:

• Event Processors/ Collectors

• Flow Processors


Upgrading High-availability Deployments on page 18•



Upgrading High-availability Deployments

Before you upgrade the JSA in a high-availability (HA) deployment, the primary host

mustbe theactive system inyourdeployment. Theprimaryhostmustbeupgradedbefore

youmanually upgrade the secondary host.

Before youupgrade the secondaryhost, copy the following file fromtheupgradedprimary

HA host to the secondary HA host to ensure that the management interfaces match

between the two hosts after the upgrade finishes:

scp /opt/qradar/conf/capabilities/map_localhost_interfaces.txt.bak

root@<secondary_ip>:/opt/qradar/ha/map_localhost_interfaces.txt

If the HA cluster is disconnected, or youwant to add a new secondary HA host, youmust

reinstall JSA on the secondary HA. Formore information about reinstalling software, see

the Juniper Secure Analytics Installation Guide for your system. After you reinstall the

secondary HA host, log in to the user interface to reconnect or to create a newHA cluster.



Before you upgrade a disconnected HA cluster, copy the following file from the primary

to the secondary HA host to ensure that the management interfaces match between

the two hosts after the upgrade finishes:

scp /opt/qradar/conf/capabilities/map_localhost_interfaces.txt.bak

root@<secondary_ip>:/opt/qradar/ha/map_localhost_interfaces.txt

NOTE: Disk replication and failover are disabled until the primary andsecondaryhosts synchronizeand theneedsupgradeor failed status is cleared

from the secondary host.

After you upgrade the secondary host, youmight need to restore the configuration of the

secondary host. Formore informationabout restoringa failedhost, see theAdministration

Guide for your product.


Precautions for Upgrading Appliances on page 19•



Precautions for Upgrading Appliances

Follow certain precautions before upgrading JSA appliances.

Ensure that you take the following precautions:

• Back up your data, and confirm that backups are complete before you begin the

upgrade.

For more information about backup and recovery, see the Juniper Secure Analytics

Administration Guide for your product.

• Ensure that youeither havea JSAConsole connected to your hardwareor havea remote

connection to themanagementport (oftencalledanoutofbandmanagement setup).

This is important because, if you encounter a problemwhile you are reinstalling JSA,

you will need to access the server through one of these connections.

• Upgrade all managed hosts before you deploy changes.

• Close all open JSA sessions to avoid excess errors in your log file.

• Confirm that your appliancemeets the minimum requirements for JSA. For more

information about system requirements, see “Memory and Disk Space Requirements”

on page 16.

• Disconnect high availability (HA) hosts before the upgrade if the entire /store directory

is mounted on offboard storage. For more information about disconnecting an HA

cluster, see the High Availability Guide.

• Ensure that theorderofmountpoints in the /etc/fstab filematchesonboth theprimary

and secondary HA host:


Chapter 2: Preparing for the Upgrade

• /store

• /store/tmp

• /store/transient

• Any subdirectory of /store if the partition is mounted on offboard storage

Restart the system after any updates to the /etc/fstab file.

• If theentire /storedirectory ismountedonoffboardstorage, run the followingcommand

to prepare the system for the upgrade:

/media/cdrom/post/prepare_offboard_storage_upgrade.sh

• If you are not prompted to remount your offboard storage solution during the upgrade,

remount the storage when the upgrade finishes.

For additional upgrade steps for iSCSI l offboard storage solutions, and for information

about remounting offboard storage, see the Configuring Offboard Storage Guide.

• For more information about managing licenses, see the Juniper Secure Analytics

Administration Guide.







CHAPTER 3

Upgrading JSA

• Administrator Notes on page 21

• Staging Files and Pretesting your Deployment on page 22

• Installing the JSA 7.3.0 ISO on the Console Appliance on page 24

• Installing the JSA 7.3.0 ISO on all other Managed Hosts on page 25

• InstallationWrap-up on page 26

• Clearing theWeb Browser Cache After Upgrades on page 27

Administrator Notes

1. This update includes a change to how login authentication works for fallback LDAP,

Radius, or Active Directory on administrator accounts. If the external authentication

server is unavailable, not all administrators will be able to fall back to their local

administrator passwords without a configuration change. This change was

implemented in JSA 7.3.0 to raise awareness for this change.

2. TLS v1.0 and TLSv1.1 is disabled in this release and connections to the user interface

for legacy browsers might be rejected.

3. WinCollect agents at version 7.2.2-2 or older use TLSv1.0 and TLS v1.1 connections to

upgrade agents, which is disabled in JSA 7.3.0. Administrators with managed

WinCollect agents must upgrade toWinCollect 7.2.5 before installing JSA 7.3.0 Patch

6. WinCollect 7.2.5 is a pre-requisite for JSA 7.3.0. Stand-aloneWinCollect agents are

not impacted by this requirement.

4. Customized routes or static routes configuredmanually in JSA are not preserved after

the upgrade to JSA 7.3.0 completes.

5. Any iptables rules configured by the administrator should be reviewed and noted for

clean up post installation. The interface names have changed in JSA 7.3.0 due to the

Red Hat Enterprise 7 operating system updates and administrators who reference

interfaces will need to update iptables rules manually.

6. Youmust be on JSA 2014.8.r2 or later to upgrade to JSA 7.3.0.

7. The upgrade from JSA 7.3.0 will use a .ISO file. In the past, support has stated that

ISOs are for new appliance installs only, but JSA 7.3.0 is going to be an exception to

this rule because of the Red Hat kernel update requirements.


8. Each HA appliancemust be updated individually using the ISO file. The SFS file is

capable of allowing the primary appliance to update the secondary, but the ISO file

does not support this functionality. If you run the ISO setup on an HA primary, you

should wait for the update to complete, then run the setup on the HA secondary.

9. There is no patch "All" option as JSA 7.3.0 uses an ISO file to upgrade. The ISOmust

bemounted to the appliance and run locally on each host.

10. The 7.3.0 upgrade will take longer than expected due to the kernel changes to Red

Hat 7 Enterprise. Early upgrade customers are reporting 2 to 2.5 hours to upgrade the

Console appliance. Administrators should be aware of this longer time frame to plan

their maintenance windows.

11. Utilitiesor customscripts thatpowerusersmighthavecreated for their JSAdeployment

should be copied off of the system. During the 7.3.0 update a warning is displayed

that only data in /store is going to be preserved. After the appliance reboots, any

scripts, 3rd party accounts, or utilities in /tmp, or /, or /root will be deleted. This does

not impact ISO filesmounted initially using /root as the this clean up only occurs later

in the installation procedure.

Upgrades to JSA 7.3.0 Patch 6?Current JSA Version

NoJSA 2014.6 (any patch level) or earlier

NoJSA 2014.7 (any patch level)

NoJSA 2014.8

Yes, the latest ISO can upgrade beyond the initial 7.3.0 release versionsand there is no need to install multiple files. Use these release notes tocomplete this process.

JSA 2014.8.r2 or later


Staging Files and Pretesting your Deployment on page 22•

• Installing the JSA 7.3.0 ISO on the Console Appliance on page 24


Staging Files and Pretesting your Deployment

It is important that administrators pretest their deployment to ensure that they will not

experience unexpected issues when updating to JSA 7.3.0. A pretest is a common

precaution that should be taken by all administrators before they install an update to

locate potential issues. The pretest does not restart services and can be completed

without scheduled downtime. The pretest typically takes between 3 to 5minutes to

complete on each appliance. If for some reason your SSH session is disconnected, you

can reconnect to the remote host using screen.



The pretest should be completed on all hosts by the administrator before you attempt

to upgrade to JSA 7.3.0.

1. Download the JSA 7.3.0 ISO (3.8 GB) from the Juniper Support website.

2. Using SSH, log in to your Console as the root user.

3. Type the following command: screen

4. Tomake the directory for the update, type: /opt/qradar/support/all_servers.sh -k“mkdir -p /media/cdrom || umount /media/cdrom"

5. To verify you have enough space (4GB) in /tmp for the ISO on all appliances, type:

/opt/qradar/support/all_servers.sh -k df -h /root /var/log | tee diskchecks.txt

• Best directory option: /root

It is available on all appliance types, is the best option to host the ISO file.

• 2nd best directory option: /var/log

This directory is available on all appliances, but there might not be the required

space available.

• DONOTUSE: /tmp, /store/tmp, or /store/transient for your ISO upgrade. These

directories are partitioned as part of the upgrade and administrators cannot use

them as storage locations or mount points for the ISO file.

If the disk check command fails, retype the quotation marks from your terminal,

then re-run the command. This command returns the details to both the command

windowand toa file on theConsole nameddiskchecks.txt. Review this file to ensure

that all appliances have at minimum 4GB of space available in a directory to copy

the ISO before attempting to move the file to amanaged host. If required, free up

disk space on any host that fails to have less that 4GB available.

Reminder:Utilitiesor customscripts thatadministratorshavecreated for JSAshould

be copied off of the system. During the 7.3.0 update awarning is displayed that only

data in /store will be preserved. Therefore, scripts, 3rd party utilities in /tmp, or /,

or /root will be deleted during the upgrade.

6. If there is not 4GB of space in /root or /var/log, the administratormustmake directory

space for the ISO file.

7. UsingWinSCP or SCP, copy the ISO to the /root or /var/log directory on the JSA

Console with 4GB of disk space for the ISO file.

8. To copy the files to all appliances, type: /opt/qradar/support/all_servers.sh -k -p/root/JSA7.3.0.iso -r /root


Chapter 3: Upgrading JSA

https://www.juniper.net/customers/support/

9. Tomount the ISO on all appliances, type the following command:

/opt/qradar/support/all_servers.sh -C -k “mount -o loop /root/JSA7.3.0.iso/media/cdrom"

10. To pretest the Console appliance, type: /media/cdrom/setup -t

The pretest output will be written to the command window. Review this output after

the pretest completes.

11. Using SSH, open an SSH session to the other appliances in your deployment. JSA

Support recommends that all administrators run the pretest on each host to identify

issues before the update begins.

12. To pretest the managed host, type: /media/cdrom/setup -t

Result

If an appliance in your deployment fails the pretest, the administrators can take the

recommended action from the pretest utility. The issue must be resolved before the

update to 7.3.0 begins to prevent downtime for specific appliances. If there aremessages

you do not understand or want to discuss further, you can open an SR with Juniper

Customer Support.


Installing the JSA 7.3.0 ISO on the Console Appliance on page 24•



Installing the JSA 7.3.0 ISO on the Console Appliance

These instructions guide administrators through the process of upgrading an existing

JSA install at 2014.8.r2 patch or later to JSA software version 7.3.0. The update on the

Console must be completed first, before you attempt to update any managed hosts to

JSA 7.3.0.

Youmust complete: “Staging Files and Pretesting your Deployment” on page 22 before

you begin the installation steps listed below.

1. Using SSH, log in to the Console as the root user.

2. To run the ISO installer on the Console, type the following command:

/media/cdrom/setup

NOTE: Upgrading from JSA 2014.8.r2 patch or later to JSA 7.3.0 shouldtake approximately 2 hours on a Console appliance.



3. Wait for the Console primary update to complete.

4. For HA appliances. If you have an HA Secondary, you can now update the secondary

appliance.

5. Open an SSH session to the HA Console secondary.

6. Type the followingcommand toupdate the secondaryConsole: /media/cdrom/setup

7. Wait for the HA Console secondary to complete the update.

Result

A summary of the ISO installation advises you of any issues. If there are no issues,

administrators can now SSH tomanaged hosts and start the installer on each host to

run the setup in parallel.


Installing the JSA 7.3.0 ISO on all other Managed Hosts on page 25•



Installing the JSA 7.3.0 ISO on all other Managed Hosts

After the Console and Console HA secondary are updated to JSA 7.3.0, then the rest of

the deployment can updated. There is no order required for updating specific appliance

types after the Console is updated. Administrators can update Event Processors, Event

Collectors, flow processors in any order. Youmust open an SSH session to each host to

run the setup command. The all_servers.sh utility is not supported for parallel ISO

installations. Administrators can start the ISOupdate in parallel onmultiple hosts, if they

are not HA pairs.

Administrators with appliances that are HA pairs must upgrade the primary appliance

first, then the secondary managed host.

Youmust complete: “Staging Files and Pretesting your Deployment” on page 22 before

you begin the installation steps listed below.

1. Using SSH, log in to the Console as the root user.

2. Open an SSH session to eachmanaged host and type the following command:

/media/cdrom/setup

NOTE: Upgrades formanagedhosts should take approximately 1.5 hours.



3. Wait for the managed host update to complete.

4. For HA appliances. If you have an HA Secondary, you can now update the secondary

appliance.

5. Open an SSH session to the manage host HA secondary.

6. Type the following command to update the secondary: /media/cdrom/setup

7. Wait for the HA Console secondary to complete the update.

Result

A summary of the ISO installation advises you of any issues. If there are no issues,

administrators can now run the ISO setup on the Console HA secondary appliance, if you

have an HA pair. If you do not have a Console in HA, you can then start SSH sessions to

each host and run the setup in parallel.





InstallationWrap-up

1. After all hosts are updated, administrators can send an email to their team to inform

them that they will need to clear their browser cache before logging in to the JSA.

2. To unmount the /media/cdrom directory on all hosts, type:

/opt/qradar/support/all_servers.sh -C -k “umount /media/cdrom"

3. Administrators can delete the ISO from all appliances.

4. Administrators who useWinCollect agents version 7.2.6 or latest must reinstall the

SFS file on the JSA Console. This is due to issues were the ISO replaces the SFS on

the Console withWinCollect 7.2.5. Once the system is upgrade to 7.3.x, the same

version ofWinCollect must be reinstalled on the JSA console using the appropriate

7.3 SFS for WinCollect. To install the latest WinCollect SFS on the Console, see the

WinCollect release notes.

5. Review any static routes or customized routing. As mentioned in the administrator

notes, all routes were removed and will need to be reconfigured after the upgrade

completes.



6. Any iptable rules configured should be reviewedas the interface nameshave changed

in JSA 7.3.0 due to the Red Hat Enterprise 7 operating system updates. Any iptables

rules that use Red Hat 6 interface naming conventions will need to be updated.

7. Performanautomatic update to ensure that your configuration files contain the latest

network security information. For more information, see the Juniper Secure Analytics

Administration Guide.





Clearing theWeb Browser Cache After Upgrades

After you upgrade, clear the web browser cache before you log in to JSA.

1. To clear your web browser cache, ensure that you have only one instance of your web

browser open, and then clear the cache.

2. Log in to JSA by typing the IP address of the JSA system into a web browser:

https://IP Address

The default user name is admin.







Documents

Juniper Secure Analytics Upgrading JSA to 7.3