[j-nsp] SRX Remote log denied traffic

Mike Devlin juniper at meeksnet.ca
Mon Feb 25 16:10:49 EST 2013


nope, that didn't work either :(

meeks at MeeksNet-SRX210# run show log TEST-DENY

[edit]

meeks at MeeksNet-SRX210# show system syslog file TEST-DENY
any any;
match RT_FLOW;

[edit]

On Sat, Feb 23, 2013 at 2:35 AM, Farrukh Haroon <farrukhharoon at gmail.com> wrote:

> Hello Mike
>
> Was wondering if you can get the deny logs while doing local logging?
>
> set system syslog file TEST-DENY any any
> set system syslog file TEST-DENY match RT_FLOW
>
> Regards
> Farrukh
>
>
> On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin <juniper at meeksnet.ca> wrote:
>
>> So fingers crossed that this is an easy one for you guys,
>>
>> Device is an SRX210BE running 11.4R5.5 code.
>>
>> I've added the syslog host to the config
>>
>> meeks at MeeksNet-SRX210> show configuration system syslog
>> archive size 100k files 3;
>> user * {
>>     any emergency;
>> }
>> host 192.168.1.12 {
>>     any any;
>> }
>> file messages {
>>     any critical;
>>     authorization info;
>> }
>> file interactive-commands {
>>     interactive-commands error;
>> }
>> file security {
>>     security any;
>> }
>> file default-log-messages {
>>     any any;
>>     match "(requested 'commit' operation)|(copying configuration to
>> juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU
>> removal)|(FRU insertion)|(link UP)|(vc add)|(vc
>> delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license
>> add)|(license delete)|(package -X update)|(package -X
>> delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD";
>>     structured-data;
>> }
>>
>>
>>
>> and implemented the default deny template I found here:
>>
>> http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS
>>
>>
>> meeks at MeeksNet-SRX210> show configuration groups
>> default-deny-template {
>>     security {
>>         policies {
>>             from-zone untrust to-zone trust {
>>                 policy default-deny {
>>                     match {
>>                         source-address any;
>>                         destination-address any;
>>                         application any;
>>                     }
>>                     then {
>>                         deny;
>>                         log {
>>                             session-init;
>>                         }
>>                     }
>>                 }
>>             }
>>         }
>>     }
>> }
>>
>> meeks at MeeksNet-SRX210> show configuration apply-groups
>> ## Last commit: 2013-02-21 16:05:36 EST by meeks
>> apply-groups default-deny-template;
>>
>> however, when I log on to the syslog host and tail the syslog file, I do
>> not see denies being logged remotely.
>>
>> if I apply the session-init and session-close options to permitted
>> traffic, it does get logged remotely.
>>
>> Alternatively,
>>
>> creating a new policy has the same result, regardless of whether I use
>> reject or deny
>>
>> meeks at MeeksNet-SRX210# show security policies from-zone untrust to-zone
>> trust policy deny-all
>> match {
>>     source-address any;
>>     destination-address any;
>>     application any;
>> }
>> then {
>>     deny;
>>     log {
>>         session-init;
>>     }
>> }
>>
>> my google-foo is failing, so I hope you guys can help.
>>
>> Looking forward to hearing back from you,
>>
>> Mike
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>
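A quick way to tell "syslog isn't reaching the host at all" apart from "RT_FLOW arrives but deny events are never emitted" is to scan the remote syslog file for RT_FLOW_SESSION_DENY messages and tally them by policy and source. The script below is an added example, not code from the thread or from Juniper; the sample log lines are constructed, and the field layout assumed for the event-mode RT_FLOW_SESSION_DENY message (src/port->dst/port, service, protocol(icmp-type), policy, from-zone, to-zone) may differ on other Junos releases, so adjust DENY_RE if your lines look different.

```python
"""Check a remote syslog file for SRX RT_FLOW deny events.

Added example, not from the thread. The RT_FLOW_SESSION_DENY text
layout below is an assumption; adjust DENY_RE for your Junos release.
"""
import re
from collections import Counter

# Constructed sample of what the remote syslog file might contain.
# Hostname is taken from the thread; the other addresses are
# documentation ranges, not real hosts.
SAMPLE_SYSLOG = """\
Feb 25 16:10:49 MeeksNet-SRX210 mgd[1502]: UI_COMMIT: User 'meeks' requested 'commit' operation
Feb 25 16:10:50 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.50/51000->198.51.100.10/443 junos-https 192.168.1.50/51000->198.51.100.10/443 None None 6 allow-out trust untrust 1234 N/A(N/A) ge-0/0/0.0
Feb 25 16:10:52 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.5/41234->192.168.1.12/22 junos-ssh 6(0) default-deny untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
Feb 25 16:10:53 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.5/41235->192.168.1.12/23 junos-telnet 6(0) default-deny untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
Feb 25 16:10:55 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.77/40011->192.168.1.40/80 junos-http 6(0) deny-all untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
"""

# Assumed event-mode layout of the deny message; trailing fields ignored.
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\(\d+\) "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+)"
)


def parse_denies(text):
    """Return one dict per RT_FLOW_SESSION_DENY line found in text."""
    denies = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "proto"):
                rec[key] = int(rec[key])
            denies.append(rec)
    return denies


def diagnose(text):
    """Separate 'nothing arrives' from 'permits arrive but denies do not'."""
    rt_flow = [l for l in text.splitlines() if "RT_FLOW" in l]
    if not rt_flow:
        return "no RT_FLOW messages at all: check syslog host/facility config"
    if not any("RT_FLOW_SESSION_DENY" in l for l in rt_flow):
        return "RT_FLOW arrives but no deny events: check log session-init on deny policies"
    return "deny events present"


def summarize(denies):
    """Tally denies by policy, by source and by destination port."""
    return {
        "by_policy": Counter(d["policy"] for d in denies),
        "by_source": Counter(d["src"] for d in denies),
        "by_dest_port": Counter((d["dst"], d["dport"]) for d in denies),
    }


if __name__ == "__main__":
    found = parse_denies(SAMPLE_SYSLOG)
    print(diagnose(SAMPLE_SYSLOG))
    for name, counter in summarize(found).items():
        print(name, counter.most_common(3))
```

Run it against a real file with `diagnose(open("/var/log/syslog").read())`; if the result is "RT_FLOW arrives but no deny events", the syslog path itself is fine and the problem is on the policy side, which is the distinction the thread is trying to make.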

