[j-nsp] SRX Remote log denied traffic

Mike Devlin juniper at meeksnet.ca
Tue Feb 26 10:30:30 EST 2013


Actually, I retract that statement.

I saw a deny come through, and it was logged, but under testing and further
review, it seems that the only thing this is logging is UDP to port 44082.
Any telnet testing to random ports does not generate logs, nor does using
internet sites to test port connectivity.


And now I'm reading from Andrew and this really doesn't make any sense at all.

- If the traffic you are testing is direct to the firewall, it won't be
logged because it never hits a policy. It only works for transit traffic

What you are saying is that, from untrust to trust, I open up 5 ports, and
have some destination NAT in place, and everything is fine.  Now I want to
log the remaining 65530 TCP ports, to see if I'm being hit on any port for
any reason, and because I don't have a policy, and I don't have a destination
NAT, this traffic is destined for the firewall, and cannot be logged?

Please tell me I'm misunderstanding this statement.


On Tue, Feb 26, 2013 at 9:15 AM, Mike Devlin <juniper at meeksnet.ca> wrote:

> that got it working it seems :)
>
> Thanks guys!!!
>
>
> On Tue, Feb 26, 2013 at 12:06 AM, Gordon Smith <gordon at gswsystems.com> wrote:
>
>> This (remote syslog) works for me on SRX550s running 12.1R1.9.
>> This will apply a default deny & log to the end of your security
>> policies, so you don't need to reorder policies after adding a new one.
>>
>> I have had issues logging locally where the box will stop logging after a
>> while. Not a big issue, since it all gets piped off to a syslog server, but
>> still annoying.
>> Syntax for that was:
>>         file traffic-log {
>>             any any;
>>             match RT_FLOW_SESSION;
>>             structured-data;
>>         }
>>
>>
>>
>> groups {
>>     global-policy {
>>         security {
>>             policies {
>>                 from-zone <*> to-zone <*> {
>>                     policy default-logdrop {
>>
>>                         match {
>>                             source-address any;
>>                             destination-address any;
>>                             application any;
>>                         }
>>                         then {
>>                             deny;
>>                             log {
>>                                 session-init;
>>                             }
>>                         }
>>                     }
>>                 }
>>             }
>>         }
>>     }
>> }
>> system {
>>         syslog {
>>                 host x.x.x.x {
>>                         any any;
>>                 }
>>         }
>> }
>> security {
>>         apply-groups global-policy;
>>
>> }
>>
>>
>>
>> On Mon, 25 Feb 2013 16:10:49 -0500, Mike Devlin wrote:
>>
>>> Nope, that didn't work either :(
>>>
>>> meeks at MeeksNet-SRX210# run show log TEST-DENY
>>>
>>> [edit]
>>>
>>> meeks at MeeksNet-SRX210# show system syslog file TEST-DENY
>>> any any;
>>> match RT_FLOW;
>>>
>>> [edit]
>>>
>>> On Sat, Feb 23, 2013 at 2:35 AM, Farrukh Haroon
>>> <farrukhharoon at gmail.com> wrote:
>>>
>>>> Hello Mike
>>>>
>>>> Was wondering if you can get the deny logs while doing local logging?
>>>>
>>>> set system syslog file TEST-DENY any any
>>>> set system syslog file TEST-DENY match RT_FLOW
>>>>
>>>> Regards
>>>> Farrukh
>>>>
>>>>
>>>> On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin <juniper at meeksnet.ca>
>>>> wrote:
>>>>
>>>>> So fingers crossed that this is an easy one for you guys,
>>>>>
>>>>> Device is an SRX210BE running 11.4R5.5 code.
>>>>>
>>>>> I've added the syslog host to the config:
>>>>>
>>>>> meeks at MeeksNet-SRX210> show configuration system syslog
>>>>> archive size 100k files 3;
>>>>> user * {
>>>>>     any emergency;
>>>>> }
>>>>> host 192.168.1.12 {
>>>>>     any any;
>>>>> }
>>>>> file messages {
>>>>>     any critical;
>>>>>     authorization info;
>>>>> }
>>>>> file interactive-commands {
>>>>>     interactive-commands error;
>>>>> }
>>>>> file security {
>>>>>     security any;
>>>>> }
>>>>> file default-log-messages {
>>>>>     any any;
>>>>>     match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|(vc add)|(vc delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license add)|(license delete)|(package -X update)|(package -X delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD";
>>>>>     structured-data;
>>>>> }
>>>>>
>>>>>
>>>>>
>>>>> and implemented the default deny template I found here:
>>>>>
>>>>> http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS
>>>>>
>>>>>
>>>>> meeks at MeeksNet-SRX210> show configuration groups
>>>>> default-deny-template {
>>>>>     security {
>>>>>         policies {
>>>>>             from-zone untrust to-zone trust {
>>>>>                 policy default-deny {
>>>>>                     match {
>>>>>                         source-address any;
>>>>>                         destination-address any;
>>>>>                         application any;
>>>>>                     }
>>>>>                     then {
>>>>>                         deny;
>>>>>                         log {
>>>>>                             session-init;
>>>>>                         }
>>>>>                     }
>>>>>                 }
>>>>>             }
>>>>>         }
>>>>>     }
>>>>> }
>>>>>
>>>>> meeks at MeeksNet-SRX210> show configuration apply-groups
>>>>> ## Last commit: 2013-02-21 16:05:36 EST by meeks
>>>>> apply-groups default-deny-template;
>>>>>
>>>>> However, when I log on to the syslog host and tail the syslog file, I do
>>>>> not see denies being logged remotely.
>>>>>
>>>>> If I apply the session-init and session-close options to permitted
>>>>> traffic, it does get logged remotely.
>>>>>
>>>>> Alternatively, creating a new policy has the same result, regardless of
>>>>> whether I use reject or deny:
>>>>>
>>>>> meeks at MeeksNet-SRX210# show security policies from-zone untrust to-zone trust policy deny-all
>>>>> match {
>>>>>     source-address any;
>>>>>     destination-address any;
>>>>>     application any;
>>>>> }
>>>>> then {
>>>>>     deny;
>>>>>     log {
>>>>>         session-init;
>>>>>     }
>>>>> }
>>>>>
>>>>> My google-foo is failing, so I hope you guys can help.
>>>>>
>>>>> Looking forward to hearing back from you,
>>>>>
>>>>> Mike
>>>>> _______________________________________________
>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>>
>>>>>
>>>>
>>>
>>
>>
>
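Mike's goal in this thread is to see which ports on the outside are being hit once the default deny-and-log policy is in place. What reaches the syslog host is a stream of RT_FLOW_SESSION_DENY messages (plus RT_FLOW_SESSION_CREATE/CLOSE for permitted traffic, since `match RT_FLOW_SESSION` catches them all), so the useful next step is to parse those lines and count denies by destination port and by source. The script below is an added example, not code from the thread or from Juniper. The two message layouts it parses (the RFC 5424 `structured-data` form with `key="value"` pairs in the `[junos@...]` element, and the older positional "session denied" form) are reconstructed from Junos 11.x/12.x output from memory; the sample log, the hostnames, the addresses, and the `junos@2636.1.1.1.2.36` SD-ID are all constructed, and field order in the legacy form varies by release, so check the regexes against a line from your own box before trusting the counts. The caveat Andrew raised applies to the output: only transit traffic that hits a deny policy with `log session-init` appears here, so probes against the SRX's own interface address on ports without a destination NAT are dropped as host-inbound traffic and never show up.

```python
"""Summarise SRX RT_FLOW_SESSION_DENY syslog lines by destination port and source.

Added example (not from the juniper-nsp thread). Message layouts are
reconstructed from Junos 11.x/12.x output and the sample lines are
constructed; verify the regexes against your own logs.
"""
import re
from collections import Counter

# Structured-data layout (host/file stanza configured with "structured-data"):
#   ... RT_FLOW - RT_FLOW_SESSION_DENY [junos@<sd-id> key="value" key="value" ...]
SD_RE = re.compile(r'RT_FLOW_SESSION_DENY \[junos@[\d.]+ (?P<kv>[^\]]*)\]')
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Legacy layout: positional fields after "session denied" (assumed order:
# src/sport->dst/dport service proto(icmp-type) policy src-zone dst-zone ...).
LEGACY_RE = re.compile(
    r'RT_FLOW_SESSION_DENY: session denied '
    r'(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'(?P<svc>\S+) (?P<proto>\d+)\(\d+\) (?P<policy>\S+) '
    r'(?P<szone>\S+) (?P<dzone>\S+)'
)

# Constructed sample: three structured-data denies from untrust, one legacy deny
# from untrust, one legacy session-create (not a deny) and one deny from trust.
SAMPLE_LOG = """\
<14>1 2013-02-26T10:30:30.123-05:00 MeeksNet-SRX210 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="203.0.113.7" source-port="51122" destination-address="192.168.1.20" destination-port="23" service-name="junos-telnet" protocol-id="6" icmp-type="0" policy-name="default-deny" source-zone-name="untrust" destination-zone-name="trust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0"]
<14>1 2013-02-26T10:30:30.456-05:00 MeeksNet-SRX210 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="203.0.113.7" source-port="51123" destination-address="192.168.1.20" destination-port="3389" service-name="None" protocol-id="6" icmp-type="0" policy-name="default-deny" source-zone-name="untrust" destination-zone-name="trust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0"]
<14>1 2013-02-26T10:30:30.789-05:00 MeeksNet-SRX210 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="198.51.100.9" source-port="60000" destination-address="192.168.1.20" destination-port="44082" service-name="None" protocol-id="17" icmp-type="0" policy-name="default-deny" source-zone-name="untrust" destination-zone-name="trust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0"]
Feb 26 10:30:31 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.9/40000->192.168.1.20/23 junos-telnet 6(0) default-deny untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
Feb 26 10:30:32 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.30/55000->203.0.113.7/80 junos-http None None 6 allow-out trust untrust 4711 N/A(N/A) ge-0/0/1.0
Feb 26 10:30:33 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.30/55555->203.0.113.99/445 junos-smb 6(0) default-logdrop trust untrust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0
"""


def parse_deny(line):
    """Return src/sport/dst/dport/proto/policy/szone/dzone for one
    RT_FLOW_SESSION_DENY line, or None for anything else (permits,
    session-close, other daemons, truncated messages)."""
    m = SD_RE.search(line)
    if m:
        kv = dict(KV_RE.findall(m.group('kv')))
        try:
            return {
                'src': kv['source-address'], 'sport': int(kv['source-port']),
                'dst': kv['destination-address'], 'dport': int(kv['destination-port']),
                'proto': int(kv['protocol-id']), 'policy': kv['policy-name'],
                'szone': kv['source-zone-name'], 'dzone': kv['destination-zone-name'],
            }
        except KeyError:            # message missing an expected key: skip it
            return None
    m = LEGACY_RE.search(line)
    if m:
        d = m.groupdict()
        return {
            'src': d['src'], 'sport': int(d['sport']),
            'dst': d['dst'], 'dport': int(d['dport']),
            'proto': int(d['proto']), 'policy': d['policy'],
            'szone': d['szone'], 'dzone': d['dzone'],
        }
    return None


def summarize_denies(lines, from_zone=None):
    """Count denied sessions per (protocol, destination port) and per source.

    from_zone restricts the count to one ingress zone, e.g. "untrust" for
    "what is the internet poking at". Only transit sessions that matched a
    deny policy with "log session-init" are ever logged, so traffic aimed at
    the SRX's own interface address (no destination NAT) does not appear.
    """
    by_port, by_src = Counter(), Counter()
    for line in lines:
        d = parse_deny(line)
        if d is None or (from_zone and d['szone'] != from_zone):
            continue
        by_port[(d['proto'], d['dport'])] += 1
        by_src[d['src']] += 1
    return by_port, by_src


if __name__ == "__main__":
    ports, sources = summarize_denies(SAMPLE_LOG.splitlines(), from_zone="untrust")
    for (proto, port), n in ports.most_common():
        print(f"proto {proto:>3} dport {port:>5}  denied {n}")
    for src, n in sources.most_common():
        print(f"{src:<16} denied {n}")
```

Feed it the remote syslog file instead of SAMPLE_LOG (`summarize_denies(open('/var/log/srx.log'))`) and sort `by_port.most_common()` to get the "which of the other 65530 ports are being hit" view Mike is after. If the only thing that ever shows up is a handful of ports, re-read Andrew's point: a probe to an outside address that is the SRX's own interface IP, on a port with no destination NAT, is dropped before any policy is consulted and produces no RT_FLOW line at all.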

