[j-nsp] SRX policy logging
Stefan Fouant
sfouant at shortestpathfirst.net
Wed May 18 15:39:59 EDT 2011
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Scott T. Cameron
> Sent: Wednesday, May 18, 2011 3:20 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] SRX policy logging
>
> Does anyone have a trick for logging all policies? I'm not
> particularly
> fond of going and tagging each policy with "log".
You can do it with apply-groups:
set groups global-logging security policies from-zone <*> to-zone <*> policy
<*> then log session-init
set security policies apply-groups global-logging
> Worse, is there a way to flag the default-policy with a log statement?
> I
> have deny-all and no options that follow, would be nice to catch them
> all
> with a log as well.
Again, you can do this with an apply-group:
set groups default-log security policies from-zone <*> to-zone <*> policy
log-all-else match source-address any
set groups default-log security policies from-zone <*> to-zone <*> policy
log-all-else match destination-address any
set groups default-log security policies from-zone <*> to-zone <*> policy
log-all-else match application any
set groups default-log security policies from-zone <*> to-zone <*> policy
log-all-else then deny
set groups default-log security policies from-zone <*> to-zone <*> policy
log-all-else then log session-init
set security policies apply-groups default-log
HTHs.
Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB4C956EC
More information about the juniper-nsp
mailing list