Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  STRM issues ???????? [ checked kb.juniper.net , still not resolved ]

    Posted 08-07-2011 12:16

    Hi Team:

    I've got a Juniper project in hand. ISG was a great experience, but I'm stuck with the STRM 500 appliance. It is licensed and the GUI is up and running; devices have been added from the admin section and log sources are defined successfully as well.

    But there are 2 problems.

    I am getting EVENTS but no OFFENCES, and NETWORK SURVEILLANCE is not drawing any graph.

    Attached are 3 reference screenshots.

    I have done a soft reset and a hard reset of the sim model too. Any other suggestions?

    [ I want to know how to add a sentry; I believe there is a default sentry already present for all rules and packages ] isn't it?

    Tell me... this is going to be a great experience and I want to prove it against MARS!

    Waiting for suggestions, advice and solutions.



  • 2.  RE: STRM issues ???????? [ checked kb.juniper.net , still not resolved ]
    Best Answer

    Posted 08-08-2011 06:37

    The Network Surveillance tab is for Flow information (JFLOW, NetFlow, sFlow, QFlow), and the ISG itself is not capable of generating any Flow data. The STRM itself can generate QFlow data from one of the spare interfaces (eth1), but you'll need to have that STRM interface connected to a SPAN/mirror port on a switch or similar. The STRM documentation talks more about this.

    Offenses are created when incoming logs/flows match a business rule. If you go into Offenses | Rules you can browse these rules and see which are enabled/disabled. It's possible that your ISG has not seen any events that would cause STRM to create an offense. If you just want to test that offenses can be created, then either adjust a rule or create some traffic on the ISG that should create an offense.

    One of the ways to do this is to:

    - create a SCREEN setting on the ISG with a really low value of "1" for the ICMP flood threshold

    - run several ICMP ping tests through that interface/zone and check the ISG event log for Screen events

    - check the STRM to make sure the same events are collected by STRM

    - the STRM should have turned these events into a new Offense of category ICMP DoS or similar.

    The sentries concept has been retired; the new method of defining sentries is within Offenses | Rules.

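The "events match a rule, rule raises an offense" step that the reply above describes, as an added Python example (not part of the original thread and not Juniper or STRM code). It parses constructed syslog lines written in the spirit of ISG/ScreenOS Screen alerts (the message ids, hostname and wording are illustrative, not real device output) and applies a hypothetical rule, "at least N ICMP flood events from one source inside a time window", to turn the matching events into an offense. The point it demonstrates is the one the reply makes: collected events on their own produce nothing; an offense only appears once an enabled rule matches them.

```python
"""Toy event-to-offense correlation in the style of an STRM rule.

Added example, not from the thread or from Juniper. It mirrors the test
the reply describes: an ISG SCREEN with an ICMP flood threshold of 1
emits a Screen event per ping burst, the SIEM collects those events, and
a rule that counts events per source inside a window raises an offense.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (illustrative only, not real ScreenOS output).
SAMPLE_LOGS = """\
2011-08-08 12:00:01 isg-fw: system-alert-00004: ICMP flood! From 10.1.1.50 to 10.2.2.10, proto 1 (zone Trust). Occurred 1 times.
2011-08-08 12:00:02 isg-fw: system-alert-00004: ICMP flood! From 10.1.1.50 to 10.2.2.10, proto 1 (zone Trust). Occurred 1 times.
2011-08-08 12:00:03 isg-fw: system-notification-00257: Admin user "netscreen" logged in via SSH from 10.1.1.5
2011-08-08 12:00:04 isg-fw: system-alert-00004: ICMP flood! From 10.1.1.50 to 10.2.2.10, proto 1 (zone Trust). Occurred 1 times.
2011-08-08 12:05:30 isg-fw: system-alert-00004: ICMP flood! From 10.1.1.77 to 10.2.2.10, proto 1 (zone Trust). Occurred 1 times.
"""

# Matches only the constructed "system-alert" Screen lines; everything else is ignored.
SCREEN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+: "
    r"(?P<msgid>system-alert-\d+): (?P<attack>[^!]+)! "
    r"From (?P<src>\d+\.\d+\.\d+\.\d+) to (?P<dst>\d+\.\d+\.\d+\.\d+)"
)


def parse_screen_events(text):
    """Return the Screen (DoS) events found in the syslog text as dicts.

    Lines that are not Screen alerts (logins, config changes, ...) are
    skipped: they are collected as events but never feed this rule.
    """
    events = []
    for line in text.splitlines():
        m = SCREEN_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "msgid": m["msgid"],
                "attack": m["attack"].strip(),
                "src": m["src"],
                "dst": m["dst"],
            })
    return events


def correlate_offenses(events, threshold=3, window=timedelta(minutes=1)):
    """Hypothetical rule: >= threshold 'ICMP flood' events from one source
    within `window` raise a single offense of category 'ICMP DoS'.

    The threshold and window are assumptions for this example, not STRM
    defaults. A source whose events never reach the threshold inside the
    window produces events but no offense.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["attack"] == "ICMP flood":
            by_src[ev["src"]].append(ev["ts"])

    offenses = []
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        # Sliding window over the sorted timestamps of this source.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenses.append({
                    "src": src,
                    "category": "ICMP DoS",
                    "count": end - start + 1,
                    "first": stamps[start],
                    "last": stamps[end],
                })
                break  # one offense per source; a SIEM would keep updating it instead
    return offenses


if __name__ == "__main__":
    evs = parse_screen_events(SAMPLE_LOGS)
    print(f"{len(evs)} Screen events collected")
    for off in correlate_offenses(evs):
        print(f"OFFENSE {off['category']} from {off['src']}: "
              f"{off['count']} events between {off['first']} and {off['last']}")
```

With the constructed input, 10.1.1.50 produces three flood events within a few seconds and becomes an offense, while 10.1.1.77 produces one event and stays an event only. Lowering `threshold` to 1 makes every source with a single flood event an offense, which is the effect of the reply's suggestion to set the ISG Screen threshold very low: the device reports more events, so an enabled rule has something to match. In STRM the real rule set lives under Offenses | Rules; this toy only shows why events without a matching enabled rule never become offenses.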


  • 3.  RE: STRM issues ???????? [ checked kb.juniper.net , still not resolved ]

    Posted 08-08-2011 12:00

    Well, to add to the reply, a couple of things to explain here (as per my knowledge and understanding...).

    STRM can deal with 2 main types of information sent to it, namely logs and flow records.

    I already have logs being sent to the device, which is good. However, there are no flows being sent. (That's right or not?)

    With the default installation, there are several rules and sentries already added and enabled on the system. If you do have any offenses created, then there has been no anomalous or undesired traffic sent to the device that would have triggered any offenses.

    What I see is that I can access the rules from 2 areas: under the Events heading tab and then Rules, or at the Offenses heading tab and then Rules.

    Also, note that sentries are applied to flow traffic being sent to the device, and flows will also populate the Network Surveillance window. If you are not sending flows to the device, then we will not see any activity under Network Surveillance and no sentries will be looked at either.
    (Is this true? How to fix it through syntax or commands? I have 1 ISG only connecting to STRM; all other units are Cisco ASA, Cisco IDS and Cisco LAN switches.)

    Advice please?



  • 4.  RE: STRM issues ???????? [ checked kb.juniper.net , still not resolved ]

    Posted 08-09-2011 10:52

    <However, there are no flows being sent. (That's right or not?)>

    That is probably right; the ISG itself cannot send flow information to STRM.

    <What I see is that I can access the rules from 2 areas: under the Events heading tab and then Rules, or at the Offenses heading tab and then Rules.>

    It sounds like you might be running STRM 2009 or STRM 2008. STRM 2010 is a major update to how flow data is handled; you really should update to this version first. Sentries do not exist in STRM 2010; they have been replaced by Rules.

    <If you are not sending flows to the device, then we will not see any activity under Network Surveillance and no sentries will be looked at either. (Is this true?)>

    That is true. Network Surveillance is only based on flow data; in STRM 2010 that is now called "Network Activity". In the older STRM, sentries were only based on flow data. In the new STRM, rules can be based on log data, flow data, or both.

    <I have 1 ISG only connecting to STRM; all other units are Cisco ASA, Cisco IDS and Cisco LAN switches.>

    You can add all of those devices. You might want to set up the Cisco switch to send flow data to STRM and your Cisco IDS/ASA to send log data. The document here covers how to do this for each device:

    http://www.juniper.net/techpubs/software/management/strm/2010_0/DSM_Book.pdf

    I wouldn't spend any more time on the older STRM though; the best thing is to upgrade first. The new version's technical documentation link is here:

    http://www.juniper.net/techpubs/en_US/strm2010.0/information-products/pathway-pages/strm-series/index.html



  • 5.  RE: STRM issues ???????? [ checked kb.juniper.net , still not resolved ]

    Posted 08-09-2011 23:10

    Well, I need answers to 2 of my important questions:

    1> What will happen to the license? I generated it from the authorization code that I received; will the same license still work?

    2> I tried to install 2010 before but it did not work on the STRM 500 (first generation box, not STRM 500 II), and I got the "dependencies missing" error. But now I have 2009.1 installed?

    What will be the upgrade path? Can you refer me to the right documentation, please.

    Thanks, waiting for response.

    <a juniper engineer>



  • 6.  RE: STRM issues ???????? [ checked kb.juniper.net , still not resolved ]

    Posted 08-10-2011 06:30

    The same license should work. In STRM 2008 there was an authorization code + license; in this version you only need to worry about the license. If there is any failure to load the license key, then you will revert to a 30-day evaluation license. This will give you time to regenerate a license key for your system if there are any problems.

    I responded to your other post, but if you want to retain your configuration and logs then you need to upgrade and patch your system to meet the prerequisites of the 2010.0 upgrade. I think this might just be 2009.2 with one of the latest patches (just install the latest to be safe).

    If you are happy with a clean installation, then you can probably go to 2010.0 directly using the "recovery.py" script (in the software downloads section it's called the "restore partition script"). As long as you are running 2009.1 or 2009.2 this will work, but if you are on 2008.x then you'll need to upgrade to 2009.1 first and then follow this script.



  • 7.  RE: STRM issues ???????? [ checked kb.juniper.net , still not resolved ]

    Posted 08-10-2011 07:42

    Actually I asked this upgrade path question because I had opened a JTAC case for it, and I had a problem with the clean installation using the recovery.py script on the SSH console to the appliance.

    So I'm just concerned about the upgrade from 2009.1 to 2010.0 (can I do it directly, or do I have to go first to 2009.2 and then to 2010.0 indirectly? Please confirm!).

    I have the 2010.0 ISO image with me, and I can mount it from my laptop and use the WinSCP program to drag and drop the file to the right folder on the STRM.

    Do let me know if there are any known hiccups involved.

    Thanks again.