[j-nsp] SRX Remote log denied traffic

Gordon Smith gordon at gswsystems.com
Tue Feb 26 00:06:40 EST 2013


 This (remote syslog) works for me on SRX550s running 12.1R1.9.
 This will apply a default deny & log to the end of your security 
 policies, so you don't need to reorder policies after adding a new one.

 I have had issues logging locally where the box will stop logging after 
 a while. Not a big issue, since it all gets piped off to a syslog 
 server, but still annoying.
 Syntax for that was:
         file traffic-log {
             any any;
             match RT_FLOW_SESSION;
             structured-data;
         }



 groups {
     global-policy {
         security {
             policies {
                 from-zone <*> to-zone <*> {
                     policy default-logdrop {
                         match {
                             source-address any;
                             destination-address any;
                             application any;
                         }
                         then {
                             deny;
                             log {
                                 session-init;
                             }
                         }
                     }
                 }
             }
         }
     }
 }
 system {
     syslog {
         host x.x.x.x {
             any any;
         }
     }
 }
 security {
     apply-groups global-policy;
 }
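As an added example (not part of the thread), a small Python parser for the structured-data RT_FLOW_SESSION_DENY lines the remote syslog host should start receiving once a default deny-and-log policy like the one above is committed. The sample lines, hostname and addresses are constructed; the field names follow the usual Junos RT_FLOW structured-data keys, and 2636 is Juniper's enterprise number.

```python
import re
from collections import Counter

# Constructed sample of what the syslog collector receives from an SRX with
# "structured-data" enabled on the stream: RFC 5424 lines whose MSGID is
# RT_FLOW_SESSION_DENY / RT_FLOW_SESSION_CREATE and whose SD-element
# carries key="value" pairs.
SAMPLE_LOGS = """\
<14>1 2013-02-25T23:58:01.100Z srx550 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="203.0.113.7" source-port="51234" destination-address="192.0.2.10" destination-port="22" service-name="junos-ssh" protocol-id="6" icmp-type="0" policy-name="default-logdrop" source-zone-name="untrust" destination-zone-name="trust" reason="policy deny"]
<14>1 2013-02-25T23:58:02.200Z srx550 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="192.0.2.20" source-port="40000" destination-address="198.51.100.5" destination-port="443" service-name="junos-https" protocol-id="6" policy-name="allow-web" source-zone-name="trust" destination-zone-name="untrust"]
<14>1 2013-02-25T23:58:03.300Z srx550 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="203.0.113.7" source-port="51235" destination-address="192.0.2.10" destination-port="3389" service-name="None" protocol-id="6" icmp-type="0" policy-name="default-logdrop" source-zone-name="untrust" destination-zone-name="trust" reason="policy deny"]
"""

# <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD-ID param="value" ...]
HEADER = re.compile(
    r'^<\d+>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ (?P<msgid>\S+) '
    r'\[(?P<sdid>\S+) (?P<params>.*)\]\s*$')
KV = re.compile(r'(\S+?)="([^"]*)"')


def parse_rt_flow(line):
    """Return header fields plus SD params as a dict, or None if the line
    is not an RT_FLOW structured-data message."""
    m = HEADER.match(line)
    if not m or m.group("app") != "RT_FLOW":
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "msgid")}
    rec.update(dict(KV.findall(m.group("params"))))
    return rec


def summarize_denies(text):
    """Count RT_FLOW_SESSION_DENY events per (policy, source, dst port).

    Returns (total_denies, Counter) so the collector side can confirm that
    the deny policy really is producing remote logs, not just permits."""
    denies = Counter()
    total = 0
    for line in text.splitlines():
        rec = parse_rt_flow(line)
        if rec is None or rec["msgid"] != "RT_FLOW_SESSION_DENY":
            continue
        total += 1
        key = (rec["policy-name"], rec["source-address"], rec["destination-port"])
        denies[key] += 1
    return total, denies
```

Run it against the collector's live file instead of SAMPLE_LOGS; a result of zero denies while permits parse fine is the symptom Mike describes and points at the SRX side, not the collector.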



 On Mon, 25 Feb 2013 16:10:49 -0500, Mike Devlin wrote:
> nope, that didn't work either :(
>
> meeks at MeeksNet-SRX210# run show log TEST-DENY
>
> [edit]
>
> meeks at MeeksNet-SRX210# show system syslog file TEST-DENY
> any any;
> match RT_FLOW;
>
> [edit]
>
> On Sat, Feb 23, 2013 at 2:35 AM, Farrukh Haroon
> <farrukhharoon at gmail.com>wrote:
>
>> Hello Mike
>>
>> Was wondering if you can get the deny logs while doing local logging?
>>
>> set system syslog file TEST-DENY any any
>> set system syslog file TEST-DENY match RT_FLOW
>>
>> Regards
>> Farrukh
>>
>>
>> On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin <juniper at meeksnet.ca> 
>> wrote:
>>
>>> So fingers crossed that this is an easy one for you guys,
>>>
>>> Device is an SRX210BE running 11.4R5.5 code.
>>>
>>> I've added the syslog host to the config
>>>
>>> meeks at MeeksNet-SRX210> show configuration system syslog
>>> archive size 100k files 3;
>>> user * {
>>>     any emergency;
>>> }
>>> host 192.168.1.12 {
>>>     any any;
>>> }
>>> file messages {
>>>     any critical;
>>>     authorization info;
>>> }
>>> file interactive-commands {
>>>     interactive-commands error;
>>> }
>>> file security {
>>>     security any;
>>> }
>>> file default-log-messages {
>>>     any any;
>>>     match "(requested 'commit' operation)|(copying configuration to
>>> juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU
>>> removal)|(FRU insertion)|(link UP)|(vc add)|(vc
>>> delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license
>>> add)|(license delete)|(package -X update)|(package -X
>>> delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD";
>>>     structured-data;
>>> }
>>>
>>>
>>>
>>> and implemented the default deny template i found here:
>>>
>>> 
>>> http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS
>>>
>>>
>>> meeks at MeeksNet-SRX210> show configuration groups
>>> default-deny-template {
>>>     security {
>>>         policies {
>>>             from-zone untrust to-zone trust {
>>>                 policy default-deny {
>>>                     match {
>>>                         source-address any;
>>>                         destination-address any;
>>>                         application any;
>>>                     }
>>>                     then {
>>>                         deny;
>>>                         log {
>>>                             session-init;
>>>                         }
>>>                     }
>>>                 }
>>>             }
>>>         }
>>>     }
>>> }
>>>
>>> meeks at MeeksNet-SRX210> show configuration apply-groups
>>> ## Last commit: 2013-02-21 16:05:36 EST by meeks
>>> apply-groups default-deny-template;
>>>
>>> however, when I log on to the syslog host and tail the syslog file, I do
>>> not see denies being logged remotely.
>>>
>>> if I apply the session-init and session-close options to permitted
>>> traffic, it does get logged remotely.
>>>
>>> Alternatively,
>>>
>>> creating a new policy has the same result, regardless of whether I use
>>> reject or deny
>>>
>>> meeks at MeeksNet-SRX210# show security policies from-zone untrust 
>>> to-zone
>>> trust policy deny-all
>>> match {
>>>     source-address any;
>>>     destination-address any;
>>>     application any;
>>> }
>>> then {
>>>     deny;
>>>     log {
>>>         session-init;
>>>     }
>>> }
>>>
>>> my google-foo is failing, so I hope you guys can help.
>>>
>>> Looking forward to hearing back from you,
>>>
>>> Mike
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>
>>


