Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[JSA] Understanding the impact of Deploy Full Configuration on events, flows, and offenses

0

0

Article ID: KB34452 KB Last Updated: 04 Jun 2019Version: 1.0
Summary:

This article explains the impact of ‚Äčinitiating a Deploy Full Configuration on Juniper JSA systems.

Symptoms:

There are occasions when the console will request that you deploy full configuration.

Solution:

7.3.0 and earlier versions

In JSA 7.3.0 and earlier versions, after initiating a Deploy Full Configuration action in JSA, the system stops logging events and flows. It also stops firing offenses. This is because the Deploy Full Configuration action involves restarting the ECS service on all systems.

The ECS is made up of two processes: ecs-ec and ecs-ep

  • The ecs-ec process is responsible for event and flow collection. This includes event parsing, traffic analysis, coalescing, and event forwarding. The ecs-ec process can exist on Consoles, Event Processors, Flow Processors, Event Collectors, and Flow Collectors.

  • The ecs-ep process is responsible for the Custom Rules Engine (CRE), event and flow streaming, and storage. The ecs-ep process can exist on Consoles, Event Processors, and Flow Processors, but does not exist on Flow Collectors. The Magistrate is also part of the ecs-ep process and exists on the Console only. The Magistrate is responsible for offense rules, offense management, and offense storage.

While these processes are restarting, you will not be able to log events or flows, forward events, real-time stream, or search. Consideration must be taken anytime a Deploy Full Configuration is initiated, as ECS service restarts cause an impact to JSA functions.
 

7.3.1 and later versions

As of JSA 7.3.1, event and flow collection is handled by the ecs-ec-ingress service, which is not restarted as part of a Deploy Full Configuration action. Ecs-ec-ingress stores data in a buffer, so event and flow collection continue during the Full Deploy action. Full processing of the events and flows in buffer occurs after the ecs-ec and ecs-ep services restart.
 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search