Intrusion Prevention

  • 1.  How to size EPS for JSA Logging Solution

    Posted 08-03-2021 08:40
    I see JSA Solution is sized by EPS and Flows per minute. 
    Can someone help me understand how best to come up with an accurate EPS figure for a JSA Solution? Can some Junos commands on the SRX be useful to get this information?


    Below are the definitions I find on the Juniper website.

    Events, measured in EPS (events per second), are actual logs (syslog, events) sent from Log Source devices like routers, switches, Windows, Unix hosts, firewalls and intrusion detection and prevention (IDP) systems.

    Flows, measured in FPM (flows per minute), are traffic sessions monitored by STRM between network devices like routers and switches which are running special protocols like J-flow, S-flow, and so on.

    ------------------------------
    WILLYS WENDOH
    ------------------------------


  • 2.  RE: How to size EPS for JSA Logging Solution

    Posted 08-06-2021 08:53
    If you have an existing logging server, you can usually see how many events you've logged in the past 7 days.  With that number, you can get an estimate of the average events per second (7 days divided by 24 hours per day divided by 60 minutes per hour divided by 60 seconds per minute).

    Flows are similar to events per second, but less.  One traffic flow, for example a TCP session, will create at least 2 events.  If you're doing application tracking, then you'll log an application start event, and a follow-on application update event every 5 mins by default.  So it really depends on your application behaviors, whether they are short- or long-lived sessions.  

    It's not easy, but I'd suggest starting with your EPS, and then start low on your FPM, and work your way up.  Your account team can usually provide 60-day licenses to get you an idea of the targeted EPS and FPM.

    Good luck.

    ------------------------------
    Chris Hale
    ------------------------------
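
An added example, not part of the thread and not Juniper code: the 7-day averaging described in the reply above, plus a per-second profile of a log sample. It goes beyond the reply by also reporting the peak one-second rate, since bursts can sit well above the average. The sample lines, the leading ISO 8601 timestamp format, and the function names are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample lines (simplified; not real SRX log output).
SAMPLE_LINES = (
    ["2021-08-03T08:40:00 srx1 RT_FLOW_SESSION_CREATE",
     "2021-08-03T08:40:00 srx1 RT_FLOW_SESSION_CLOSE",
     "2021-08-03T08:40:01 srx1 RT_FLOW_SESSION_CREATE"]
    + ["2021-08-03T08:40:02 srx1 RT_FLOW_SESSION_CREATE"] * 5  # burst
    + ["line without a timestamp",
       "2021-08-03T08:40:04 srx1 RT_FLOW_SESSION_CLOSE",
       "2021-08-03T08:40:04 srx1 RT_FLOW_SESSION_CLOSE"]
)


def weekly_average_eps(total_events, days=7):
    """Average EPS from an event count collected over `days` days."""
    return total_events / (days * 24 * 60 * 60)


def eps_profile(lines):
    """Return (total_events, average_eps, peak_eps) for log lines that
    start with an ISO 8601 timestamp (assumed format)."""
    per_second = Counter()
    for line in lines:
        stamp = line.split(" ", 1)[0]
        try:
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # skip lines that do not start with a timestamp
        per_second[ts.replace(microsecond=0)] += 1
    if not per_second:
        return 0, 0.0, 0
    total = sum(per_second.values())
    # Inclusive window: first to last second that carried an event.
    window = (max(per_second) - min(per_second)).total_seconds() + 1
    return total, total / window, max(per_second.values())


if __name__ == "__main__":
    total, avg, peak = eps_profile(SAMPLE_LINES)
    print(f"sample: {total} events, average {avg:.1f} EPS, peak {peak} EPS")
    print(f"60,480,000 events in 7 days = {weekly_average_eps(60_480_000):.0f} EPS")
```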