[j-nsp] SRX Remote log denied traffic

Mike Devlin juniper at meeksnet.ca
Thu Feb 21 20:39:04 EST 2013


So fingers crossed that this is an easy one for you guys,

Device is an SRX210BE running 11.4R5.5 code.

I've added the syslog host to the config:

meeks at MeeksNet-SRX210> show configuration system syslog
archive size 100k files 3;
user * {
    any emergency;
}
host 192.168.1.12 {
    any any;
}
file messages {
    any critical;
    authorization info;
}
file interactive-commands {
    interactive-commands error;
}
file security {
    security any;
}
file default-log-messages {
    any any;
    match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|(vc add)|(vc delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license add)|(license delete)|(package -X update)|(package -X delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD";
    structured-data;
}

and implemented the default-deny template I found here:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS


meeks at MeeksNet-SRX210> show configuration groups
default-deny-template {
    security {
        policies {
            from-zone untrust to-zone trust {
                policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                        log {
                            session-init;
                        }
                    }
                }
            }
        }
    }
}

meeks at MeeksNet-SRX210> show configuration apply-groups
## Last commit: 2013-02-21 16:05:36 EST by meeks
apply-groups default-deny-template;

However, when I log on to the syslog host and tail the syslog file, I do
not see denies being logged remotely.

If I apply the session-init and session-close options to permitted traffic,
it does get logged remotely.

Alternatively, creating a new policy has the same result, regardless of
whether I use reject or deny:

meeks at MeeksNet-SRX210# show security policies from-zone untrust to-zone trust policy deny-all
match {
    source-address any;
    destination-address any;
    application any;
}
then {
    deny;
    log {
        session-init;
    }
}

My google-fu is failing, so I hope you guys can help.

Looking forward to hearing back from you,

Mike
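One way to confirm on the receiving side whether RT_FLOW deny events are arriving at all (as opposed to being drowned out by the permit logs being tailed), as an added example that is not part of the original post or of any Juniper tool. It parses both the RFC 5424 structured-data layout the SRX emits when `structured-data` is set and the older unstructured `RT_FLOW_SESSION_DENY: session denied ...` layout, then counts events by type and by policy name. The sample lines are constructed, and the SD-ID `junos@2636.1.1.1.2.36` and the field names (`source-address`, `policy-name`, ...) are assumed approximations of the Junos format, not values taken from the thread.

```python
import re
import sys
from collections import Counter

# Constructed sample syslog lines (not from the thread). The first three use the
# RFC 5424 structured-data layout; the SD-ID and field names are assumptions
# approximating what Junos sends. The last line uses the older unstructured
# RT_FLOW layout, also an assumed approximation.
SAMPLE_SYSLOG = """\
<14>1 2013-02-21T20:30:01.000-05:00 MeeksNet-SRX210 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="192.168.1.50" source-port="51000" destination-address="203.0.113.10" destination-port="443" service-name="junos-https" protocol-id="6" policy-name="trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust"]
<14>1 2013-02-21T20:30:05.000-05:00 MeeksNet-SRX210 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="TCP FIN" source-address="192.168.1.50" source-port="51000" destination-address="203.0.113.10" destination-port="443" service-name="junos-https" protocol-id="6" policy-name="trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust"]
<14>1 2013-02-21T20:31:00.000-05:00 MeeksNet-SRX210 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="198.51.100.7" source-port="40000" destination-address="192.168.1.12" destination-port="22" service-name="junos-ssh" protocol-id="6" policy-name="default-deny" source-zone-name="untrust" destination-zone-name="trust"]
Feb 21 20:31:02 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.9/40100->192.168.1.12/23 junos-telnet 6(0) default-deny untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
"""

# The three RT_FLOW session event types a policy "log" statement can produce.
EVENT_RE = re.compile(r"(RT_FLOW_SESSION_(?:CREATE|CLOSE|DENY))")
# Structured-data element: [junos@<enterprise-oid> key="value" key="value" ...]
SD_RE = re.compile(r"\[junos@[\d.]+ (?P<body>[^\]]*)\]")
KV_RE = re.compile(r'(\S+?)="([^"]*)"')
# Unstructured deny line: session denied SRC/SPORT->DST/DPORT SERVICE PROTO(x) POLICY SZONE DZONE ...
LEGACY_DENY_RE = re.compile(
    r"session denied (?P<src>\S+)/(?P<sport>\d+)->(?P<dst>\S+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\(\d+\) (?P<policy>\S+) (?P<szone>\S+) (?P<dzone>\S+)"
)


def parse_line(line):
    """Return a dict of fields for an RT_FLOW session line, or None if it is not one."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    rec = {"event": m.group(1)}
    sd = SD_RE.search(line)
    if sd:
        # Structured-data form: every field is a key="value" pair.
        rec.update(dict(KV_RE.findall(sd.group("body"))))
        return rec
    lg = LEGACY_DENY_RE.search(line)
    if lg:
        # Unstructured deny form: map the positional fields onto the same keys.
        rec.update({
            "source-address": lg["src"], "source-port": lg["sport"],
            "destination-address": lg["dst"], "destination-port": lg["dport"],
            "service-name": lg["service"], "protocol-id": lg["proto"],
            "policy-name": lg["policy"],
            "source-zone-name": lg["szone"], "destination-zone-name": lg["dzone"],
        })
    return rec  # event type known even if the field layout was not recognised


def summarize(lines):
    """Count RT_FLOW events by type and by (policy-name, event type)."""
    by_event, by_policy = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_event[rec["event"]] += 1
        by_policy[(rec.get("policy-name", "?"), rec["event"])] += 1
    return by_event, by_policy


def deny_logging_observed(lines):
    """True if at least one RT_FLOW_SESSION_DENY reached the syslog host."""
    by_event, _ = summarize(lines)
    return by_event["RT_FLOW_SESSION_DENY"] > 0


def main(argv):
    # Usage: python rtflow_check.py /var/log/syslog   (no argument -> sample lines)
    if len(argv) > 1:
        with open(argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_SYSLOG.splitlines()
    by_event, by_policy = summarize(lines)
    for event, n in sorted(by_event.items()):
        print(f"{event:<24} {n}")
    for (policy, event), n in sorted(by_policy.items()):
        print(f"  policy {policy:<20} {event:<24} {n}")
    print("deny events seen:", deny_logging_observed(lines))


if __name__ == "__main__":
    main(sys.argv)
```

Run against the real syslog file on 192.168.1.12 instead of the sample; a zero count for `RT_FLOW_SESSION_DENY` alongside non-zero CREATE/CLOSE counts confirms the symptom described above is on the sending side rather than a tailing or filtering mistake on the collector. The unstructured regex only covers the deny layout, so permit lines in that format are counted by event type but not by policy.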

