[j-nsp] Logging default deny traffic on SSG-550?

Hans Kristian Eiken hans.kristian.eiken at gmail.com
Thu Mar 18 14:14:36 EDT 2010


2010/3/12 TCIS List Acct <listacct at tulsaconnect.com>

> We've got a pair of Juniper SSG-550's in HA mode running Screen OS
> 6.1.0r4.0. For the life of me I can't figure out how to enable logging for
> denied/blocked traffic for the implicit default-deny rule.  I've followed
> the instructions found in the Screen OS Cookbook with no results.
>
> Anyone have any pointers?
>

You can find this in the ScreenOS CLI guide, at least in ScreenOS 6.2. The
command is "set flow log-dropped-packet". The output can be shown using "get
log flow-deny", but a test shows me that it also ends up in the traffic log
as policy id 32000 (ns-5gt).

Be aware of the possible impact on the CPU of logging all denied sessions.

--
Hans Kristian Eiken

