[j-nsp] SRX Remote log denied traffic
Farrukh Haroon
farrukhharoon at gmail.com
Sat Feb 23 02:35:30 EST 2013
Hello Mike
Was wondering if you can get the deny logs while doing local logging?
set system syslog file TEST-DENY any any
set system syslog file TEST-DENY match RT_FLOW
Regards
Farrukh
On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin <juniper at meeksnet.ca> wrote:
> So fingers crossed that this is an easy one for you guys,
>
> Device is an SRX210BE running 11.4R5.5 code.
>
> I've added the syslog host to the config
>
> meeks at MeeksNet-SRX210> show configuration system syslog
> archive size 100k files 3;
> user * {
>     any emergency;
> }
> host 192.168.1.12 {
>     any any;
> }
> file messages {
>     any critical;
>     authorization info;
> }
> file interactive-commands {
>     interactive-commands error;
> }
> file security {
>     security any;
> }
> file default-log-messages {
>     any any;
>     match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|(vc add)|(vc delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license add)|(license delete)|(package -X update)|(package -X delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD";
>     structured-data;
> }
>
> and implemented the default deny template I found here:
>
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS
>
>
> meeks at MeeksNet-SRX210> show configuration groups
> default-deny-template {
>     security {
>         policies {
>             from-zone untrust to-zone trust {
>                 policy default-deny {
>                     match {
>                         source-address any;
>                         destination-address any;
>                         application any;
>                     }
>                     then {
>                         deny;
>                         log {
>                             session-init;
>                         }
>                     }
>                 }
>             }
>         }
>     }
> }
>
> meeks at MeeksNet-SRX210> show configuration apply-groups
> ## Last commit: 2013-02-21 16:05:36 EST by meeks
> apply-groups default-deny-template;
>
> However, when I log on to the syslog host and tail the syslog file, I do
> not see denies being logged remotely.
>
> If I apply the session-init and session-close options to permitted traffic,
> it does get logged remotely.
>
> Alternatively,
>
> Creating a new policy has the same result, regardless of whether I use reject or
> deny:
>
> meeks at MeeksNet-SRX210# show security policies from-zone untrust to-zone trust policy deny-all
> match {
>     source-address any;
>     destination-address any;
>     application any;
> }
> then {
>     deny;
>     log {
>         session-init;
>     }
> }
>
> My google-foo is failing, so I hope you guys can help.
>
> Looking forward to hearing back from you,
>
> Mike
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
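A quick way to answer Farrukh's question on the syslog host side is to check whether any RT_FLOW_SESSION_DENY entries naming the deny policy actually arrive, and to compare that against the RT_FLOW_SESSION_CREATE entries Mike already sees for permitted traffic. The script below is an added example and is not part of the thread or of any Juniper tooling. The log lines are constructed, and the field order it parses (source/port->destination/port, service, protocol, policy name, from-zone, to-zone) is an assumption based on the unstructured RT_FLOW format of that era; verify it against the device's own output before relying on it.

```python
import re
from collections import Counter

# Constructed sample lines (not from the original thread). Field layout of the
# RT_FLOW_SESSION_DENY message is an assumption; check it against a real entry.
SAMPLE_LOG = """\
Feb 22 04:30:01 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.50/49152->203.0.113.10/443 junos-https 192.0.2.1/49152->203.0.113.10/443 None None 6 allow-out trust untrust 1234 N/A(N/A) ge-0/0/0.0
Feb 22 04:30:02 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.7/51234->192.0.2.1/22 junos-ssh 6(0) default-deny untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
Feb 22 04:30:03 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.9/40000->192.0.2.1/3389 junos-ms-rdp 6(0) default-deny untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
Feb 22 04:30:04 MeeksNet-SRX210 sshd[1234]: Accepted password for meeks from 192.168.1.12 port 55000 ssh2
Feb 22 04:30:05 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.7/51235->192.0.2.1/22 junos-ssh 6(0) default-deny untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
"""

# Matches the deny message body; named groups pull out the fields we report on.
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\(\d+\) (?P<policy>\S+) "
    r"(?P<from_zone>\S+) (?P<to_zone>\S+)"
)


def parse_deny_events(log_text):
    """Return one dict per RT_FLOW_SESSION_DENY line; every other line is skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("sport", "dport", "proto"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def summarize(events):
    """Counts by policy name, source address and destination port."""
    return {
        "by_policy": Counter(e["policy"] for e in events),
        "by_src": Counter(e["src"] for e in events),
        "by_dport": Counter(e["dport"] for e in events),
    }


def policy_is_logging(log_text, policy_name):
    """True if at least one deny entry on the host names the given policy."""
    return any(e["policy"] == policy_name for e in parse_deny_events(log_text))


def count_events(log_text):
    """Permit (session create) versus deny entries, to spot a one-sided feed."""
    lines = log_text.splitlines()
    return {
        "create": sum("RT_FLOW_SESSION_CREATE" in ln for ln in lines),
        "deny": sum("RT_FLOW_SESSION_DENY" in ln for ln in lines),
    }


if __name__ == "__main__":
    denies = parse_deny_events(SAMPLE_LOG)
    print("events:", count_events(SAMPLE_LOG))
    print("default-deny logging:", policy_is_logging(SAMPLE_LOG, "default-deny"))
    for name, counter in summarize(denies).items():
        print(name, dict(counter))
```

Run it against the real file instead of SAMPLE_LOG (for example `tail -n 5000 /var/log/syslog`) once the policy has been hit a few times; a "create" count with a zero "deny" count is the symptom Mike describes, while a non-zero "deny" count under the policy name shows the deny logs are reaching the host.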