[j-nsp] SRX Remote log denied traffic

Hans Fiedler hans at hermes.louisville.edu
Mon Feb 25 23:18:40 EST 2013


It looks like since the connection is being denied there is
never a session initialized or closed to be logged?

Would you be able to get the logging you need by doing it on an
input filter in the interface(s)?  It seems like it's having to
examine the traffic twice, but maybe it's more efficient in the
internals?

On Mon, Feb 25, 2013 at 04:10:49PM -0500, Mike Devlin wrote:
> nope, that didn't work either :(
> 
> meeks at MeeksNet-SRX210# run show log TEST-DENY
> 
> [edit]
> 
> meeks at MeeksNet-SRX210# show system syslog file TEST-DENY
> any any;
> match RT_FLOW;
> 
> [edit]
> 
> On Sat, Feb 23, 2013 at 2:35 AM, Farrukh Haroon <farrukhharoon at gmail.com>wrote:
> 
> > Hello Mike
> >
> > Was wondering if you can get the deny logs  while doing local logging?
> >
> > set system syslog file TEST-DENY any any
> > set system syslog file TEST-DENY match RT_FLOW
> >
> > Regards
> > Farrukh
> >
> >
> > On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin <juniper at meeksnet.ca> wrote:
> >
> >> So fingers crossed that this is an easy one for you guys,
> >>
> >> Device is an SRX210BE running 11.4R5.5 code.
> >>
> >> I've added the syslog host to the config
> >>
> >> meeks at MeeksNet-SRX210> show configuration system syslog
> >> archive size 100k files 3;
> >> user * {
> >>     any emergency;
> >> }
> >> host 192.168.1.12 {
> >>     any any;
> >> }
> >> file messages {
> >>     any critical;
> >>     authorization info;
> >> }
> >> file interactive-commands {
> >>     interactive-commands error;
> >> }
> >> file security {
> >>     security any;
> >> }
> >> file default-log-messages {
> >>     any any;
> >>     match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|(vc add)|(vc delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license add)|(license delete)|(package -X update)|(package -X delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD";
> >>     structured-data;
> >> }
> >>
> >>
> >>
> >> and implemented the default deny template I found here:
> >>
> >> http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS
> >>
> >>
> >> meeks at MeeksNet-SRX210> show configuration groups
> >> default-deny-template {
> >>     security {
> >>         policies {
> >>             from-zone untrust to-zone trust {
> >>                 policy default-deny {
> >>                     match {
> >>                         source-address any;
> >>                         destination-address any;
> >>                         application any;
> >>                     }
> >>                     then {
> >>                         deny;
> >>                         log {
> >>                             session-init;
> >>                         }
> >>                     }
> >>                 }
> >>             }
> >>         }
> >>     }
> >> }
> >>
> >> meeks at MeeksNet-SRX210> show configuration apply-groups
> >> ## Last commit: 2013-02-21 16:05:36 EST by meeks
> >> apply-groups default-deny-template;
> >>
> >> however, when I log on to the syslog host and tail the syslog file I do
> >> not see denies being logged remotely.
> >>
> >> if I apply the session-init and session-close options to permitted
> >> traffic, it does get logged remotely.
> >>
> >> Alternatively,
> >>
> >> creating a new policy has the same result, regardless of whether I use reject or
> >> deny
> >>
> >> meeks at MeeksNet-SRX210# show security policies from-zone untrust to-zone trust policy deny-all
> >> match {
> >>     source-address any;
> >>     destination-address any;
> >>     application any;
> >> }
> >> then {
> >>     deny;
> >>     log {
> >>         session-init;
> >>     }
> >> }
> >>
> >> my google-foo is failing, so I hope you guys can help.
> >>
> >> Looking forward to hearing back from you,
> >>
> >> Mike
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>
> >
> >

-- 
Hans K. Fiedler
hans at hermes.louisville.edu
502-852-7427
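As an added example, not code from any message in this thread: a small Python parser for the RT_FLOW_SESSION_DENY lines that should be arriving on the syslog host 192.168.1.12 once the deny policy is logging, handling both the plain RT_FLOW text form and the structured-data form (`structured-data;` in the syslog file stanza above), plus a check for the exact symptom Mike describes, permitted sessions being logged while denies never show up. The sample log lines are constructed for the example; the field order follows the RT_FLOW_SESSION_DENY message layout as I understand it and is an assumption to verify against your own device's output.

```python
"""Parse Junos SRX RT_FLOW_SESSION_DENY syslog lines and summarise them.

Added example for the j-nsp thread; not Juniper's code. SAMPLE_LINES are
constructed, and the field layout of RT_FLOW_SESSION_DENY is assumed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Plain form (assumed layout):
#   RT_FLOW_SESSION_DENY: session denied SRC/SPORT->DST/DPORT SERVICE PROTO(ICMP) POLICY FROM-ZONE TO-ZONE ...
_PLAIN_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\(\d+\) (?P<policy>\S+) "
    r"(?P<from_zone>\S+) (?P<to_zone>\S+)"
)
# Structured-data form: key="value" pairs inside [junos@... ...]
_SD_RE = re.compile(r"RT_FLOW_SESSION_DENY \[junos@[\d.]+ (?P<kv>[^\]]*)\]")
_KV_RE = re.compile(r'(\S+?)="([^"]*)"')


@dataclass(frozen=True)
class DenyEvent:
    src: str
    sport: int
    dst: str
    dport: int
    service: str
    proto: int
    policy: str
    from_zone: str
    to_zone: str


def parse_deny(line: str) -> Optional[DenyEvent]:
    """Return a DenyEvent for an RT_FLOW_SESSION_DENY line, else None."""
    m = _PLAIN_RE.search(line)
    if m:
        d = m.groupdict()
        return DenyEvent(d["src"], int(d["sport"]), d["dst"], int(d["dport"]),
                         d["service"], int(d["proto"]), d["policy"],
                         d["from_zone"], d["to_zone"])
    m = _SD_RE.search(line)
    if m:
        kv = dict(_KV_RE.findall(m.group("kv")))
        try:
            return DenyEvent(kv["source-address"], int(kv["source-port"]),
                             kv["destination-address"], int(kv["destination-port"]),
                             kv["service-name"], int(kv["protocol-id"]),
                             kv["policy-name"], kv["source-zone-name"],
                             kv["destination-zone-name"])
        except (KeyError, ValueError):
            return None  # structured line missing a field we need
    return None


def summarise(lines: Iterable[str]) -> Tuple[List[DenyEvent], Counter, Counter]:
    """Parse all deny lines; count them per source address and per policy."""
    events = [e for e in map(parse_deny, lines) if e is not None]
    return events, Counter(e.src for e in events), Counter(e.policy for e in events)


def deny_logging_gap(lines: Iterable[str]) -> bool:
    """True when the collector sees permitted-session logs but no deny logs.

    This is the symptom from the thread: session-init/session-close on a
    permit policy reach the syslog host, the deny policy never does.
    """
    lines = list(lines)
    saw_permit = any("RT_FLOW_SESSION_CREATE" in l or "RT_FLOW_SESSION_CLOSE" in l
                     for l in lines)
    saw_deny = any(parse_deny(l) is not None for l in lines)
    return saw_permit and not saw_deny


# Constructed sample lines (RFC 5737 source addresses, hostname from the thread).
SAMPLE_LINES = [
    "Feb 25 22:01:03 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied "
    "203.0.113.7/51234->192.168.1.20/22 junos-ssh 6(0) default-deny untrust trust "
    "UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0",
    "Feb 25 22:01:04 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied "
    "203.0.113.7/51235->192.168.1.20/23 junos-telnet 6(0) default-deny untrust trust "
    "UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0",
    '<14>1 2013-02-25T22:01:05.000Z MeeksNet-SRX210 RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.39 source-address="198.51.100.9" source-port="40000" '
    'destination-address="192.168.1.20" destination-port="3389" '
    'service-name="junos-ms-rpc-tcp" protocol-id="6" icmp-type="0" '
    'policy-name="deny-all" source-zone-name="untrust" destination-zone-name="trust"]',
    "Feb 25 22:01:06 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "192.168.1.5/44000->192.0.2.10/443 junos-https 6(0) allow-out trust untrust",
    "Feb 25 22:01:07 MeeksNet-SRX210 mgd[1234]: UI_COMMIT: User 'meeks' requested 'commit' operation",
]

if __name__ == "__main__":
    events, by_src, by_policy = summarise(SAMPLE_LINES)
    print(f"{len(events)} deny events; per source {dict(by_src)}; per policy {dict(by_policy)}")
    print("deny logging gap:", deny_logging_gap(SAMPLE_LINES))
```

Run it against `tail -f` output on the syslog host: a non-empty deny count confirms the policy log is reaching the collector, while `deny_logging_gap` returning True reproduces Mike's situation and tells you the problem is on the device side, not the collector's filtering.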

