[j-nsp] SRX Remote log denied traffic
Andrew Jones
andrew at commitconfirmed.com
Tue Feb 26 00:03:30 EST 2013
There could be a few reasons you're not seeing logs:

- With the groups configuration, you still need to have a policy configured
in the configuration before the group applies (even if it is just a blank
"set security policies from-zone a to-zone b"). You can confirm this with a
"| display inheritance" or simply a "show security policies from-zone a
to-zone b".
- A better way to do this in JunOS 11.2 onwards is with a Global policy, now
that it is supported, rather than using groups.
- If the traffic you are testing is direct to the firewall, it won't be
logged because it never hits a policy. It only works for transit traffic.
- On this note as well, if it is dropped for a non-policy reason (no
TCP SYN, no route, etc.) it won't show up in this file either.

Hope this helps.
On Fri, Feb 22, 2013 at 12:39 PM, Mike Devlin <juniper at meeksnet.ca> wrote:
> So fingers crossed that this is an easy one for you guys,
>
> Device is an SRX210BE running 11.4R5.5 code.
>
> I've added the syslog host to the config:
>
> meeks at MeeksNet-SRX210> show configuration system syslog
> archive size 100k files 3;
> user * {
>     any emergency;
> }
> host 192.168.1.12 {
>     any any;
> }
> file messages {
>     any critical;
>     authorization info;
> }
> file interactive-commands {
>     interactive-commands error;
> }
> file security {
>     security any;
> }
> file default-log-messages {
>     any any;
>     match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|(vc add)|(vc delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license add)|(license delete)|(package -X update)|(package -X delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD";
>     structured-data;
> }
>
> and implemented the default deny template I found here:
>
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS
>
> meeks at MeeksNet-SRX210> show configuration groups
> default-deny-template {
>     security {
>         policies {
>             from-zone untrust to-zone trust {
>                 policy default-deny {
>                     match {
>                         source-address any;
>                         destination-address any;
>                         application any;
>                     }
>                     then {
>                         deny;
>                         log {
>                             session-init;
>                         }
>                     }
>                 }
>             }
>         }
>     }
> }
>
> meeks at MeeksNet-SRX210> show configuration apply-groups
> ## Last commit: 2013-02-21 16:05:36 EST by meeks
> apply-groups default-deny-template;
>
> However, when I log on to the syslog host and tail the syslog file, I do
> not see denies being logged remotely.
>
> If I apply the session-init and session-close options to permitted traffic,
> it does get logged remotely.
>
> Alternatively, creating a new policy has the same result, regardless of
> whether I use reject or deny:
>
> meeks at MeeksNet-SRX210# show security policies from-zone untrust to-zone trust policy deny-all
> match {
>     source-address any;
>     destination-address any;
>     application any;
> }
> then {
>     deny;
>     log {
>         session-init;
>     }
> }
>
> My google-foo is failing, so I hope you guys can help.
>
> Looking forward to hearing back from you,
>
> Mike
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
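Once the deny policy is actually in effect (per the points above), the syslog host at 192.168.1.12 should start receiving structured-data deny messages; here is an added example, not from this thread or from Juniper, of a small Python parser that picks RT_FLOW_SESSION_DENY messages out of an RFC 5424 structured-data feed and summarises them by policy and source, which is the quickest way to confirm on the receiving side that the deny policy is logging. The field names follow the Junos RT_FLOW_SESSION_DENY/CREATE structured-data messages as I recall them and the sample lines are constructed, so treat both as assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not captured from the SRX210 in the thread) in the
# RFC 5424 "structured-data" layout Junos emits. Field names are assumed from the
# RT_FLOW_SESSION_DENY / RT_FLOW_SESSION_CREATE messages, not taken from the thread.
SAMPLE_LOG = """\
<14>1 2013-02-22T12:01:03.115-05:00 MeeksNet-SRX210 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="203.0.113.7" source-port="40112" destination-address="192.168.1.12" destination-port="22" service-name="junos-ssh" protocol-id="6" policy-name="default-deny" source-zone-name="untrust" destination-zone-name="trust" reason="policy deny"] session denied 203.0.113.7/40112->192.168.1.12/22 junos-ssh 6(0) default-deny untrust trust
<14>1 2013-02-22T12:01:05.201-05:00 MeeksNet-SRX210 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="192.168.1.50" source-port="51000" destination-address="198.51.100.10" destination-port="443" service-name="junos-https" protocol-id="6" policy-name="trust-out" source-zone-name="trust" destination-zone-name="untrust"] session created 192.168.1.50/51000->198.51.100.10/443 junos-https 6 trust-out trust untrust
<14>1 2013-02-22T12:01:09.004-05:00 MeeksNet-SRX210 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="203.0.113.7" source-port="40113" destination-address="192.168.1.12" destination-port="3389" service-name="None" protocol-id="6" policy-name="default-deny" source-zone-name="untrust" destination-zone-name="trust" reason="policy deny"] session denied 203.0.113.7/40113->192.168.1.12/3389 None 6(0) default-deny untrust trust
"""

# One SD-ELEMENT looks like [sd-id key="value" key="value" ...]; Junos emits one per message.
SD_ELEMENT = re.compile(r'\[(?P<sdid>[^\s\]]+)\s(?P<params>[^\]]*)\]')
SD_PARAM = re.compile(r'(?P<key>[\w-]+)="(?P<value>[^"]*)"')


def parse_structured(line):
    """Return (MSGID, params) for an RFC 5424 structured-data line, or None.

    Header layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG].
    """
    parts = line.split(' ', 6)
    if len(parts) < 7:
        return None
    sd = SD_ELEMENT.search(parts[6])
    if sd is None:
        return None
    params = dict(SD_PARAM.findall(sd.group('params')))
    params['hostname'] = parts[2]
    return parts[5], params


def denied_sessions(log_text, deny_msgid='RT_FLOW_SESSION_DENY'):
    """Return the params of every session-deny message; permitted sessions are skipped."""
    denies = []
    for line in log_text.splitlines():
        parsed = parse_structured(line)
        if parsed is not None and parsed[0] == deny_msgid:
            denies.append(parsed[1])
    return denies


def deny_summary(log_text):
    """Count denies per (policy-name, source-address) to show which policy is logging."""
    return Counter((p.get('policy-name'), p.get('source-address'))
                   for p in denied_sessions(log_text))


if __name__ == '__main__':
    for (policy, src), n in deny_summary(SAMPLE_LOG).most_common():
        print(f'{n:4d} denies by policy {policy!r} from {src}')
```

Point it at the remote host's syslog file instead of SAMPLE_LOG; an empty summary while permitted sessions do show up points back at the policy not being in effect rather than at the syslog transport.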