[j-nsp] Logging default deny traffic on SSG-550?

Hans Kristian Eiken hans.kristian.eiken at gmail.com
Thu Mar 18 14:14:36 EDT 2010

2010/3/12 TCIS List Acct <listacct at tulsaconnect.com>

> We've got a pair of Juniper SSG-550's in HA mode running Screen OS
> 6.1.0r4.0. For the life of me I can't figure out how to enable logging for
> denied/blocked traffic for the implicit default-deny rule.  I've followed
> the instructions found in the Screen OS Cookbook with no results.
> Anyone have any pointers?

You can find this in the ScreenOS cli guide, at least in ScreenOS 6.2. The
command is "set flow log-dropped-packet". The output can be show using "get
log flow-deny", but a test shows me that it also ends up in the traffic log
as policy id 32000 (ns-5gt).

Be aware of the possible impact on the cpu on logging all denied sessions.

Hans Kristian Eiken

More information about the juniper-nsp mailing list