SRX


SRX300- Can't see the RDP session in logs

  • 1.  SRX300- Can't see the RDP session in logs

    Posted 02-02-2019 07:00

    Morning guys,

     

    I am trying to initiate an RDP session to a server that is behind the SRX. However, I don't see any logs associated with the RDP session when I issue the command "show log messages".

    Is there any other command which would give the logs for RDP? I see a bunch of options when I hit '?' after "show log".

     

    Please let me know.

     

    Thanking you.

    Regards,

    Pavan Katakam



  • 2.  RE: SRX300- Can't see the RDP session in logs

     
    Posted 02-02-2019 07:47


  • 3.  RE: SRX300- Can't see the RDP session in logs
    Best Answer

    Posted 02-02-2019 08:07

    Hello Pavan.

     

    1) The logging on SRX platforms:

    There are two types of logging:

    • control plane (RE) - what goes to the CPU (routing protocols, interfaces, chassis)
        - handled by the eventd process
        - configured under [edit system syslog]
    • data plane (PFE) - what is processed by the hardware data plane (e.g. security sessions)
        - can be handled in event mode (goes to the RE) or stream mode (text or binary format)
        - configured under [edit security log]

    The behavior is different between branch and non-branch devices. Behavior can change with Junos versions.

     

    Please see more information on link below:

    https://www.juniper.net/documentation/en_US/junos/topics/concept/security-system-log-message-overview.html

     

    Event mode logging (not intended for non-branch models)

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-system-send-all-log-message-eventd-setting.html

     

    Stream mode logging

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-system-stream-security-log-revenue-port-setting.html 

     

    Does your SRX have anything configured under the [edit security log] stanza?

     

    2) Security policy settings

    Does the policy matching the RDP traffic have the log option enabled (then log session-init / then log session-close)? See the example below.

     

    [edit]
    SRX # show security policies from-zone trust to-zone untrust | display set
    set security policies from-zone trust to-zone untrust policy RDP-POLICY match source-address RDP-CLIENTS
    set security policies from-zone trust to-zone untrust policy RDP-POLICY match destination-address RDP-SERVERS
    set security policies from-zone trust to-zone untrust policy RDP-POLICY match application RDP-APP
    set security policies from-zone trust to-zone untrust policy RDP-POLICY then permit
    set security policies from-zone trust to-zone untrust policy RDP-POLICY then log session-init
    set security policies from-zone trust to-zone untrust policy RDP-POLICY then log session-close

     

    You won't be able to see any log for sessions whose policy is missing the "then log" session action. Note that for a production device I would recommend using session-close logging for permit policies and session-init logging for deny policies (if logging of denied traffic is required).


    Let us know your configuration of logging and security policy (anonymize it).

    Knowing the Junos version could help to assist further.
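    Putting the two points above together, here is an added configuration example (not from this thread's author) for a branch SRX such as the SRX300: event-mode data-plane logging, a dedicated syslog file for RT_FLOW session messages, and a permit policy that actually logs. The zone, address-book, application and policy names (trust, untrust, RDP-CLIENTS, RDP-SERVERS, RDP-APP, RDP-POLICY) are taken from the example in the answer; DENY-ALL and traffic-log are assumed names, and the "##" lines are comments for the reader.

```junos
## Added example, not the thread's own configuration. Assumed names: traffic-log, DENY-ALL.

## 1) Data-plane (PFE) session logs are handed to the RE (eventd) and land in syslog
set security log mode event

## 2) Keep RT_FLOW session messages in their own file instead of only in "messages"
set system syslog file traffic-log any any
set system syslog file traffic-log match "RT_FLOW_SESSION"

## 3) Custom application matching RDP (TCP port 3389)
set applications application RDP-APP protocol tcp
set applications application RDP-APP destination-port 3389

## 4) Permit policy with session-close logging: the close record carries the byte/packet counters
set security policies from-zone trust to-zone untrust policy RDP-POLICY match source-address RDP-CLIENTS
set security policies from-zone trust to-zone untrust policy RDP-POLICY match destination-address RDP-SERVERS
set security policies from-zone trust to-zone untrust policy RDP-POLICY match application RDP-APP
set security policies from-zone trust to-zone untrust policy RDP-POLICY then permit
set security policies from-zone trust to-zone untrust policy RDP-POLICY then log session-close

## 5) Explicit catch-all deny, ordered after RDP-POLICY, logged at session-init so blocked attempts are visible
set security policies from-zone trust to-zone untrust policy DENY-ALL match source-address any
set security policies from-zone trust to-zone untrust policy DENY-ALL match destination-address any
set security policies from-zone trust to-zone untrust policy DENY-ALL match application any
set security policies from-zone trust to-zone untrust policy DENY-ALL then deny
set security policies from-zone trust to-zone untrust policy DENY-ALL then log session-init
```

    After a commit, "show log traffic-log | match RDP-POLICY" should show an RT_FLOW_SESSION_CLOSE line for each finished RDP session; if the file stays empty, re-check that the traffic actually hits RDP-POLICY with "show security flow session destination-port 3389".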



  • 4.  RE: SRX300- Can't see the RDP session in logs

    Posted 02-02-2019 08:32

    Thank you Smicker and Ludek :). I don't think I have configured logging for the RDP traffic. 

    I will go through the links and then configure the logging. 

     

    Regards,

    Pavan Katakam