My office network connects as below. I see a lot of intermediate network spikes to the internet. I suspect one of the servers is doing this. Is there a way I can pull this traffic from the SRX firewall and find out which server is doing this?
Servers==Core Switch==SRXFirewall==MX Router==Internet
show security flow session
will give you the active sessions if you can get on during the event. These include data on the packet flow for the sessions.
You can also restrict this using source-prefix if you want to narrow in on suspected targets.
Apart from the on-box "show security flow session" that Steve mentioned, you might use NetFlow for this.
Setting up a simple NetFlow analyzer is not a very difficult task. The setup consists of SRX configuration making it send statistical data to the tool (analyzer) running on one of your hosts (it might even be your Windows workstation). The SRX setup is quite simple. There are some free NetFlow analyzers out there you can use. (I use Solarwinds).
Regards,
Pawel Mazurkiewicz
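An added example, not part of the original thread: a Python script that totals the per-session byte counters in saved "show security flow session" output by initiating host, so the server behind most of the traffic stands out. The sample output is constructed, and its field layout and the name top_talkers are assumptions; adjust the pattern to what your Junos release prints.

```python
import re
from collections import defaultdict

# Constructed sample of "show security flow session" output. The field
# layout is an assumption and differs between Junos releases.
SAMPLE = """\
Session ID: 1001, Policy name: trust-to-untrust/4, Timeout: 1790, Valid
  In: 10.10.1.21/51514 --> 203.0.113.50/443;tcp, If: ge-0/0/1.0, Pkts: 91200, Bytes: 5472000
  Out: 203.0.113.50/443 --> 198.51.100.2/23001;tcp, If: ge-0/0/0.0, Pkts: 180400, Bytes: 262000000
Session ID: 1002, Policy name: trust-to-untrust/4, Timeout: 52, Valid
  In: 10.10.1.35/40112 --> 198.51.100.77/53;udp, If: ge-0/0/1.0, Pkts: 2, Bytes: 120
  Out: 198.51.100.77/53 --> 198.51.100.2/18044;udp, If: ge-0/0/0.0, Pkts: 2, Bytes: 260
Session ID: 1003, Policy name: trust-to-untrust/4, Timeout: 1799, Valid
  In: 10.10.1.21/51620 --> 203.0.113.51/443;tcp, If: ge-0/0/1.0, Pkts: 16000, Bytes: 1000000
  Out: 203.0.113.51/443 --> 198.51.100.2/23002;tcp, If: ge-0/0/0.0, Pkts: 33000, Bytes: 48000000
Total sessions: 3
"""

# One "In:" or "Out:" wing line: source, destination, protocol, byte counter.
WING = re.compile(
    r"^\s*(In|Out):\s+(\S+?)/\d+\s+-->\s+(\S+?)/\d+;(\S+?),.*?Bytes:\s*(\d+)")

def top_talkers(text):
    """Return [(initiator_ip, bytes_sent, bytes_received)], largest total first."""
    totals = defaultdict(lambda: [0, 0])
    initiator = None
    for line in text.splitlines():
        if line.startswith("Session ID:"):
            initiator = None          # new session: forget the previous In wing
            continue
        m = WING.match(line)
        if not m:
            continue
        direction, src, _dst, _proto, nbytes = m.groups()
        if direction == "In":         # In wing source = host that opened the session
            initiator = src
            totals[src][0] += int(nbytes)
        elif initiator is not None:   # Out wing = reply traffic for that host
            totals[initiator][1] += int(nbytes)
    return sorted(((ip, s, r) for ip, (s, r) in totals.items()),
                  key=lambda t: t[1] + t[2], reverse=True)

if __name__ == "__main__":
    for ip, sent, received in top_talkers(SAMPLE):
        print(f"{ip:15} sent={sent:>12} received={received:>12}")
```

The byte counters are cumulative over each session's lifetime, so comparing two captures taken a short time apart shows which host is driving a spike.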