[j-nsp] Logging default deny traffic on SSG-550?

Barny Sanchez barnys at juniper.net
Fri Mar 12 15:22:49 EST 2010

The easiest is to configure a global policy with a default action of deny and enable logging on it. With that, any traffic from any zone to any zone that reaches the default deny policy gets denied (as usual) and logged.  
Conversely, you can do an any-any-any policy for every pair of zones, action deny, and enable logging. Depending on how many zones you have, you will end up configuring a whole bunch of these policies, so the first solution offered is more effective.

If you go with the first approach please be careful with the intra-zone traffic if you have any, as this will be dropped. So you would need to configure explicit intra-zone policies where needed.


Barny Sanchez | Consulting Engineer - Security Solutions | Juniper Networks  |  Direct: +1.774.318.9140 | barnys at juniper.net
(Message sent via my mobile device, sorry for any typos and shortness of my response)
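An added illustration of the first approach (not from the thread or from Juniper documentation): a global deny-and-log policy plus an explicit intra-zone permit and off-box syslog, in ScreenOS CLI syntax as recalled from memory; policy IDs, the "Trust" zone and the 192.0.2.10 collector address are assumptions.

```screenos
## Global deny-and-log policy (ScreenOS CLI syntax from memory; IDs are assumed).
## Traffic between any pair of zones that matches no explicit policy falls
## through to this one, is denied, and is written to the traffic log.
set policy global id 1000 from "Global" to "Global" "Any" "Any" "ANY" deny log

## Explicit intra-zone policy for a zone whose hosts must reach each other,
## so the global deny does not silently drop that traffic ("Trust" is assumed).
set policy id 1001 from "Trust" to "Trust" "Any" "Any" "ANY" permit

## Send the traffic log to a syslog collector so deny entries outlive the
## on-box log buffer. 192.0.2.10 is a documentation address, not a real host.
set syslog config "192.0.2.10"
set syslog config "192.0.2.10" log traffic
set syslog enable

## Check that the global policy is installed and that deny entries appear.
get policy global
get log traffic
save
```

A global any-any deny with logging records every unmatched flow, so expect the log volume to jump on a busy box; size the syslog collector accordingly.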

----- Original Message -----
From: juniper-nsp-bounces at puck.nether.net <juniper-nsp-bounces at puck.nether.net>
To: 'juniper-nsp at puck.nether.net' <juniper-nsp at puck.nether.net>
Sent: Fri Mar 12 12:13:17 2010
Subject: [j-nsp] Logging default deny traffic on SSG-550?

We've got a pair of Juniper SSG-550's in HA mode running Screen OS 6.1.0r4.0. 
For the life of me I can't figure out how to enable logging for denied/blocked 
traffic for the implicit default-deny rule.  I've followed the instructions 
found in the Screen OS Cookbook with no results.

Anyone have any pointers?

