SRX

Morning guys,

I am trying to initiate RDP session on a server that is behind the SRX. However, I don't see any logs associated with the RDP session when I issue the command "show log messages".

Is there any other command which would give the logs for RDP? I see a bunch of options when I hit a '?' after show log ? . 

Please let me know.

Thanking you.

Regards,

Pavan Katakam

It doesn't sound like syslog or your policies are configured to log traffic.

Some helpful links:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16509&actp=METADATA

https://forums.juniper.net/t5/SRX-Services-Gateway/How-to-view-logs-logged-by-Security-Policy-on-SRX/m-p/315510/highlight/true#M47742

Hello Pavan.

1) The logging on SRX platforms:

There are two types of logging:

• control plane (RE) -  what goes to CPU (routing protocols, interfaces, chassis) - handled by eventd process
                                     - configured under [edit system syslog]
• data plane (PFE)  -  what is processed by hardware data plane  (e.g. security sessions)
                                    - this can be handled in eventd mode (goes to RE)  or stream mode (text or binary format)
                                     - configured under [edit security log]

The behavior is different between branch and non-branch devices. Behavior can change with Junos versions.

Please see more information on link below:

https://www.juniper.net/documentation/en_US/junos/topics/concept/security-system-log-message-overview.html

Event mode logging (not intended for non-branch models)

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-system-send-all-log-message-eventd-setting.html

Stream mode logging

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-system-stream-security-log-revenue-port-setting.html 

Does your SRX have configured something under  [edit security log] stanza?

2) Security policy settings

Does policy matching the RDP traffic having log option enabled (then log session-init /  then log session-close)?  See example below

[edit]
SRX # show security policies from-zone trust to-zone untrust | display set
set security policies from-zone trust to-zone untrust policy RDP-POLICY match source-address RDP-CLIENTS
set security policies from-zone trust to-zone untrust policy RDP-POLICY match destination-address RDP-SERVERS
set security policies from-zone trust to-zone untrust policy RDP-POLICY match application RDP-APP
set security policies from-zone trust to-zone untrust policy RDP-POLICY then permit
set security policies from-zone trust to-zone untrust policy RDP-POLICY then log session-init
set security policies from-zone trust to-zone untrust policy RDP-POLICY then log session-close

You won't be able to see any log for sessions with "then log" session action missing.  Note for production device I would recommend to use session-close logging for permit policies and session-init for deny policies (if logging of denied traffic is required).

Let us know you configuration of logging and security policy (anonymize it).

Knowing the Junos version could help to assist further.

Thank you Smicker and Ludek :). I don't think I have configured logging for the RDP traffic. 

I will go through the links and then configure the logging. 

Regards,

Pavan Katakam