[j-nsp] More detailed log is needed on both SRX1400 & ISG2000

Eugeniu Patrascu eugen at imacandi.net
Tue Jan 8 11:45:23 EST 2013


On Wed, Dec 19, 2012 at 12:33 PM, ahmad barakat
<barakat-ahmad at hotmail.com> wrote:
>
> Dears,
>
> Actually, we enabled logging on our firewalls (2 SRX1400 and 2 ISG2000) in stream mode, and they send the logs to a syslog server.
>
> We are facing a problem with the detailed report, because the log shows only the session initiation, but we need to know what happens after the session is initiated.
> For example, if a person opens google.com, then goes to Gmail and sends an email, only the first destination IP for google.com appears and nothing else for this user's actions.


On SRX you can log "session-end" and see how much traffic that connection had.
If the browser somehow reuses the same connection on the same IP for
some other traffic, then the firewall will consider it also the same
connection and not log anything else.

Run a tcpdump for a single user that does one or two actions and sort
it out in Wireshark and then compare it with whatever the logs are
saying.
And of course, put tracefiles on the SRX as well to see what it thinks
about the flows.

Eugeniu
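
An added configuration example, not part of the original message: on an SRX the policy log options are `session-init` and `session-close`, and the close record is the one that carries the per-session packet and byte counts. Zone names, the policy name, the stream name, the trace file and filter names, and all addresses below are placeholders.

```junos
# Placeholders: zones trust/untrust, policy allow-web, stream to-collector,
# collector 192.0.2.10, test user 192.0.2.50.

# Before: only session creation is logged, so a reused connection yields one line
set security policies from-zone trust to-zone untrust policy allow-web then log session-init

# After: also log teardown; the close record reports packets and bytes per direction
set security policies from-zone trust to-zone untrust policy allow-web then log session-init session-close

# Stream-mode export of the flow logs to the syslog server
set security log mode stream
set security log stream to-collector format sd-syslog
set security log stream to-collector host 192.0.2.10

# Flow trace limited to one test user, to compare against the tcpdump capture
set security flow traceoptions file flow-trace
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter one-user source-prefix 192.0.2.50/32
```

Remove the flow traceoptions once the comparison is done, since flow tracing adds load on the device.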

