[j-nsp] SRX 5800 Cluster - Only primary firewall sends security logs

OBrien, Will ObrienH at missouri.edu
Wed Oct 9 11:22:49 EDT 2013


On the 5800 in stream mode (which is the way to go) you must configure a source address on each node, because the logs come from the control plane and NOT the routing engines.
So, the solution is to configure your security log under the groups stanza for both nodes.
Within each node, you configure the individual source address for each one.

Also, if you are making use of routing instances (I use a separate instance for my network management network), you may have to configure next-hop routes to the appropriate routing instance.
Since I use a particular host for lots of things including syslog, I ended up adding a secondary IP to that host for my next-hop route.


Will


On Oct 9, 2013, at 9:02 AM, Ahmed -Y wrote:

> Hello Guys,
> 
> I have two SRX 5800 firewalls in cluster active-active mode so both
> firewalls carry the session. I configured security logs sent to syslog
> server (precisely STRM), below is config.
> 
> security {
>     log {
>         mode stream;
>         format sd-syslog;
>         source-address <Master-Only IP>;
>         stream security-logs {
>             category all;
>             host {
>                 <STRM/SYSLog server IP>;
>                 port 514;
>             }
>         }
>     }
> }
> 
> I have recently noticed that only the primary firewall sends logs. If a session
> closes on the primary firewall, the log gives the reason for session closure like
> TCP FIN, RST, Timeout etc., but if the session closes on the secondary firewall,
> the reason in the log shows HA, so I can't see why the session was closed. Am I
> missing anything in the configuration? I will be thankful if you give your
> thoughts on it.
> 
> Regards
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
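Will's suggestion expressed as a configuration fragment (an added illustration, not config posted by anyone in the thread): the security log stanza is placed under a per-node group so each node sends stream-mode logs from its own source address. The addresses are placeholders, and the `apply-groups "${node}"` line is the usual way a chassis cluster makes each node apply only its own group.

```junos
groups {
    node0 {
        security {
            log {
                mode stream;
                format sd-syslog;
                /* assumed: an address owned by node0 and reachable from the collector */
                source-address 192.0.2.11;
                stream security-logs {
                    category all;
                    host {
                        /* assumed: the STRM / syslog collector */
                        192.0.2.100;
                        port 514;
                    }
                }
            }
        }
    }
    node1 {
        security {
            log {
                mode stream;
                format sd-syslog;
                /* assumed: an address owned by node1, distinct from node0's */
                source-address 192.0.2.12;
                stream security-logs {
                    category all;
                    host {
                        192.0.2.100;
                        port 514;
                    }
                }
            }
        }
    }
}
/* each node expands ${node} to its own name and applies only that group */
apply-groups "${node}";
```

With both nodes configured this way, a session that closes on the secondary node is logged by that node with its real close reason rather than appearing only as HA on the primary.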