[j-nsp] SRX Remote log denied traffic

Mike Devlin juniper at meeksnet.ca
Tue Feb 26 09:15:54 EST 2013


That got it working, it seems :)

Thanks guys!!!


On Tue, Feb 26, 2013 at 12:06 AM, Gordon Smith <gordon at gswsystems.com> wrote:

> This (remote syslog) works for me on SRX550s running 12.1R1.9
> This will apply a default deny & log to the end of your security policies,
> so you don't need to reorder policies after adding a new one.
>
> I have had issues logging locally where the box will stop logging after a
> while. Not a big issue, since it all gets piped off to a syslog server, but
> still annoying.
> Syntax for that was:
>         file traffic-log {
>             any any;
>             match RT_FLOW_SESSION;
>             structured-data;
>         }
>
>
>
> groups {
>     global-policy {
>         security {
>             policies {
>                 from-zone <*> to-zone <*> {
>                     policy default-logdrop {
>                         match {
>                             source-address any;
>                             destination-address any;
>                             application any;
>                         }
>                         then {
>                             deny;
>                             log {
>                                 session-init;
>                             }
>                         }
>                     }
>                 }
>             }
>         }
>     }
> }
> system {
>     syslog {
>         host x.x.x.x {
>             any any;
>         }
>     }
> }
> security {
>     apply-groups global-policy;
> }
>
>
>
> On Mon, 25 Feb 2013 16:10:49 -0500, Mike Devlin wrote:
>
>> Nope, that didn't work either :(
>>
>> meeks at MeeksNet-SRX210# run show log TEST-DENY
>>
>> [edit]
>>
>> meeks at MeeksNet-SRX210# show system syslog file TEST-DENY
>> any any;
>> match RT_FLOW;
>>
>> [edit]
>>
>> On Sat, Feb 23, 2013 at 2:35 AM, Farrukh Haroon <farrukhharoon at gmail.com> wrote:
>>
>>> Hello Mike
>>>
>>> Was wondering if you can get the deny logs while doing local logging?
>>>
>>> set system syslog file TEST-DENY any any
>>> set system syslog file TEST-DENY match RT_FLOW
>>>
>>> Regards
>>> Farrukh
>>>
>>>
>>> On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin <juniper at meeksnet.ca>
>>> wrote:
>>>
>>>> So fingers crossed that this is an easy one for you guys,
>>>>
>>>> Device is an SRX210BE running 11.4R5.5 code.
>>>>
>>>> I've added the syslog host to the config
>>>>
>>>> meeks at MeeksNet-SRX210> show configuration system syslog
>>>> archive size 100k files 3;
>>>> user * {
>>>>     any emergency;
>>>> }
>>>> host 192.168.1.12 {
>>>>     any any;
>>>> }
>>>> file messages {
>>>>     any critical;
>>>>     authorization info;
>>>> }
>>>> file interactive-commands {
>>>>     interactive-commands error;
>>>> }
>>>> file security {
>>>>     security any;
>>>> }
>>>> file default-log-messages {
>>>>     any any;
>>>>     match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|(vc add)|(vc delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license add)|(license delete)|(package -X update)|(package -X delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD";
>>>>     structured-data;
>>>> }
>>>>
>>>>
>>>>
>>>> and implemented the default-deny template I found here:
>>>>
>>>>
>>>> http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS
>>>>
>>>>
>>>> meeks at MeeksNet-SRX210> show configuration groups
>>>> default-deny-template {
>>>>     security {
>>>>         policies {
>>>>             from-zone untrust to-zone trust {
>>>>                 policy default-deny {
>>>>                     match {
>>>>                         source-address any;
>>>>                         destination-address any;
>>>>                         application any;
>>>>                     }
>>>>                     then {
>>>>                         deny;
>>>>                         log {
>>>>                             session-init;
>>>>                         }
>>>>                     }
>>>>                 }
>>>>             }
>>>>         }
>>>>     }
>>>> }
>>>>
>>>> meeks at MeeksNet-SRX210> show configuration apply-groups
>>>> ## Last commit: 2013-02-21 16:05:36 EST by meeks
>>>> apply-groups default-deny-template;
>>>>
>>>> However, when I log on to the syslog host and tail the syslog file, I do
>>>> not see denies being logged remotely.
>>>>
>>>> If I apply the session-init and session-close options to permitted
>>>> traffic, it does get logged remotely.
>>>>
>>>> Alternatively,
>>>>
>>>> Creating a new policy has the same result, regardless of whether I use
>>>> reject or deny:
>>>>
>>>> meeks at MeeksNet-SRX210# show security policies from-zone untrust to-zone
>>>> trust policy deny-all
>>>> match {
>>>>     source-address any;
>>>>     destination-address any;
>>>>     application any;
>>>> }
>>>> then {
>>>>     deny;
>>>>     log {
>>>>         session-init;
>>>>     }
>>>> }
>>>>
>>>> My google-fu is failing, so I hope you guys can help.
>>>>
>>>> Looking forward to hearing back from you,
>>>>
>>>> Mike
>>>> _______________________________________________
>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>
>>>>
>>>
>>
>
>
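To confirm what actually arrives at the syslog host once a deny-and-log policy and `structured-data` are in place, here is an added example (not from this thread, and not Juniper code): a small Python parser for RT_FLOW structured-data lines that counts RT_FLOW_SESSION_DENY events by policy, zone pair and destination port, and lists the most-denied source addresses. The sample lines are constructed to resemble the SRX format; the exact field names inside the `[junos@2636... ]` element vary by Junos release, so treat them as assumptions to check against your own feed.

```python
"""Count RT_FLOW_SESSION_DENY events in SRX structured-data syslog.

Added example, not code from the thread or from Juniper. The sample lines are
constructed to resemble what an SRX sends when a policy has `log session-init`
and the syslog file/host uses `structured-data`; the field names inside the
[junos@...] element are an assumption to verify against a real device.
"""
import re
from collections import Counter

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
)
# One structured-data element: [sd-id key="value" key="value" ...]
# (values containing an escaped ']' are not handled; flow logs do not use them)
SD_ELEMENT_RE = re.compile(r'\[(?P<sdid>[^\s\]]+)(?P<params>[^\]]*)\]')
SD_PARAM_RE = re.compile(r'(?P<key>[\w.-]+)="(?P<val>[^"]*)"')


def parse_rt_flow(line):
    """Return header fields plus SD params for an RT_FLOW line, else None."""
    m = HEADER_RE.match(line)
    if not m or m.group('app') != 'RT_FLOW':
        return None  # BSD-style lines and other daemons are ignored
    rec = {'host': m.group('host'), 'msgid': m.group('msgid')}
    sd = SD_ELEMENT_RE.search(line, m.end())
    if sd:
        rec['sd_id'] = sd.group('sdid')
        rec.update((p.group('key'), p.group('val'))
                   for p in SD_PARAM_RE.finditer(sd.group('params')))
    return rec


def summarise_denies(lines):
    """Counter keyed by (policy, from-zone, to-zone, dst-port) for DENY events."""
    counts = Counter()
    for line in lines:
        rec = parse_rt_flow(line)
        if rec and rec['msgid'] == 'RT_FLOW_SESSION_DENY':
            counts[(rec.get('policy-name'), rec.get('source-zone-name'),
                    rec.get('destination-zone-name'),
                    rec.get('destination-port'))] += 1
    return counts


def top_denied_sources(lines, n=5):
    """Most frequently denied source addresses (handy for spotting scanners)."""
    c = Counter(rec['source-address'] for rec in map(parse_rt_flow, lines)
                if rec and rec['msgid'] == 'RT_FLOW_SESSION_DENY'
                and 'source-address' in rec)
    return c.most_common(n)


# Constructed sample input. The SD-ID and field list mimic SRX output (assumed).
_SD = 'junos@2636.1.1.1.2.36'


def _deny(src, sport, dst, dport, svc, policy):
    return (f'<14>1 2013-02-26T09:15:54.123-05:00 MeeksNet-SRX210 RT_FLOW - '
            f'RT_FLOW_SESSION_DENY [{_SD} source-address="{src}" source-port="{sport}" '
            f'destination-address="{dst}" destination-port="{dport}" service-name="{svc}" '
            f'protocol-id="6" icmp-type="0" policy-name="{policy}" '
            f'source-zone-name="untrust" destination-zone-name="trust" '
            f'application="UNKNOWN" nested-application="UNKNOWN" username="N/A" '
            f'roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="UNKNOWN" '
            f'reason="policy deny"] session denied {src}/{sport}->{dst}/{dport} {svc}')


SAMPLE_LINES = [
    _deny('203.0.113.7', '51234', '192.168.1.12', '22', 'junos-ssh', 'default-deny'),
    _deny('203.0.113.7', '51235', '192.168.1.12', '3389', 'None', 'default-deny'),
    _deny('198.51.100.9', '40000', '192.168.1.12', '22', 'junos-ssh', 'default-deny'),
    # A permitted session logged with session-init on a permit policy:
    f'<14>1 2013-02-26T09:15:55.001-05:00 MeeksNet-SRX210 RT_FLOW - '
    f'RT_FLOW_SESSION_CREATE [{_SD} source-address="192.168.1.12" source-port="44100" '
    f'destination-address="198.51.100.1" destination-port="443" '
    f'service-name="junos-https" policy-name="trust-to-untrust" '
    f'source-zone-name="trust" destination-zone-name="untrust"] '
    f'session created 192.168.1.12/44100->198.51.100.1/443',
    # Not RT_FLOW at all (BSD-format line from another daemon); must be ignored:
    'Feb 26 09:16:01 MeeksNet-SRX210 sshd[1234]: Accepted password for meeks from 192.168.1.5',
]

if __name__ == '__main__':
    for key, n in summarise_denies(SAMPLE_LINES).most_common():
        print(n, *key)
    print('top sources:', top_denied_sources(SAMPLE_LINES))
```

Feed it the lines from the syslog host (for example the output of `tail` on the file the SRX logs into). If `summarise_denies` stays empty while RT_FLOW_SESSION_CREATE lines for permitted traffic do show up, the deny policy is not emitting session-init logs at all, which separates a policy-side problem from a syslog-transport one.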

