SRX


Session table filter

  • 1.  Session table filter

    Posted 04-23-2019 17:18

    Hi,

    The SRX 5600 has been configured with an any <--> any rule. Now I want to filter all transit traffic (firewall, NAT, VPN) and apply rules with a specific source IP, destination IP, service/application and action. (Some sessions will be created only once a week or month; these need to be considered.)

    Kindly suggest the best way to achieve the task.

     

    Thank you..


    #SRX


  • 2.  RE: Session table filter
    Best Answer

     
    Posted 04-23-2019 17:33

    I think you are saying you currently have an any/any allow rule that you want to transition to a specific rule base.

     

    In these cases you first need to make sure logging is enabled for your current rule.

     

    You review the logs to see some specific rules you can add.

    You add these rules and move them before the any/any rule.

     

    You return and repeat the log review on the any/any rule.

    Add more rules before this rule.

     

    And continue to repeat the process until nothing logs anymore on the any/any rule.

    You will need to do this over a long enough period to catch periodic traffic.

     

    Finally you change the action on the any/any rule to deny instead of allow.

    Change the log to session init instead of close.

     

    Now when you see logs here it will be blocked traffic and you can proactively allow if you feel it is legitimate.

    Or just wait for requests to open more traffic.

     



  • 3.  RE: Session table filter

    Posted 04-23-2019 17:39

    Thank you SPulka for your prompt response.

     

    Can I export/open the log file in MS Excel so I can apply source and destination IP filters and configure the firewall rules accordingly?

     

    Thank you...

     



  • 4.  RE: Session table filter

     
    Posted 04-23-2019 17:43

    The logs are text files on the device. So you could scp them off and do a text import into Excel.

     

    If you have syslog you can send them there and use the native reporting tools as well.
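The log review step in the best answer and the "open it in Excel" question above can be scripted. The following is an added example, not code from this thread or from Juniper: it parses RT_FLOW_SESSION_CLOSE records in Junos structured-syslog format, keeps only sessions that matched the catch-all policy, groups them into flows (zone pair, source, destination, protocol, port, service) with a session count and first/last-seen timestamps for a spreadsheet, and emits candidate `set` commands that are inserted ahead of the catch-all. The sample log lines are constructed, and the catch-all policy name `any-any`, the global address-book and custom-application naming, and the `cand-N` policy names are this example's assumptions, not anything from the original post.

```python
import re

# Constructed sample records (not real SRX output) in the Junos structured-syslog
# format: syslog header, RT_FLOW_SESSION_* event name, key="value" pairs inside
# [junos@... ]. The enterprise OID and full field set vary by Junos release; the
# parser only uses fields it looks up by name. The first line is a commit event
# (skipped); the last session hit a specific policy, not the catch-all (excluded).
SAMPLE_LOG = """\
<13>1 2019-04-23T17:30:00.000Z srx5600 mgd 1234 UI_COMMIT [junos@2636.1.1.1.2.129 username="admin" commit-message=""]
<14>1 2019-04-23T17:33:10.123Z srx5600 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.1.1.10" source-port="51234" destination-address="192.0.2.20" destination-port="443" service-name="junos-https" protocol-id="6" policy-name="any-any" source-zone-name="trust" destination-zone-name="untrust" session-id-32="1001" elapsed-time="5"]
<14>1 2019-04-23T17:35:42.001Z srx5600 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.1.1.10" source-port="51300" destination-address="192.0.2.20" destination-port="443" service-name="junos-https" protocol-id="6" policy-name="any-any" source-zone-name="trust" destination-zone-name="untrust" session-id-32="1002" elapsed-time="7"]
<14>1 2019-04-23T17:40:00.500Z srx5600 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="idle Timeout" source-address="10.2.2.7" source-port="41000" destination-address="198.51.100.9" destination-port="8443" service-name="None" protocol-id="6" policy-name="any-any" source-zone-name="trust" destination-zone-name="dmz" session-id-32="1003" elapsed-time="60"]
<14>1 2019-04-23T17:41:13.000Z srx5600 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.3.3.3" source-port="40001" destination-address="192.0.2.20" destination-port="22" service-name="junos-ssh" protocol-id="6" policy-name="mgmt-ssh" source-zone-name="trust" destination-zone-name="untrust" session-id-32="1004" elapsed-time="120"]
"""

KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})?")
EVENT_RE = re.compile(r"RT_FLOW_SESSION_[A-Z]+")
PROTO_NAME = {"6": "tcp", "17": "udp"}
CSV_HEADER = "from_zone,to_zone,src,dst,proto,dport,service,sessions,first_seen,last_seen"


def parse_rt_flow(text):
    """Yield one dict per RT_FLOW_SESSION_* record; every other line is skipped."""
    for line in text.splitlines():
        event = EVENT_RE.search(line)
        start = line.find("[junos@")
        if not event or start < 0:
            continue
        rec = dict(KV_RE.findall(line[start:]))
        rec["event"] = event.group(0)
        ts = TS_RE.search(line)
        rec["timestamp"] = ts.group(0) if ts else ""
        yield rec


def summarize(records, catchall="any-any"):
    """Group sessions that matched the catch-all policy into flows. Each flow keeps
    a count plus first/last seen, so a job that runs once a month is still listed
    with its dates instead of being lost to a hit-count threshold."""
    flows = {}
    for r in records:
        if r.get("policy-name") != catchall:
            continue
        key = (r["source-zone-name"], r["destination-zone-name"],
               r["source-address"], r["destination-address"],
               r["protocol-id"], r["destination-port"], r.get("service-name", "None"))
        f = flows.setdefault(key, {"count": 0, "first": r["timestamp"], "last": r["timestamp"]})
        f["count"] += 1
        f["first"] = min(f["first"], r["timestamp"])
        f["last"] = max(f["last"], r["timestamp"])
    return flows


def _by_volume(flows):
    return sorted(flows.items(), key=lambda kv: (-kv[1]["count"], kv[0]))


def to_csv(flows):
    """CSV text for a spreadsheet, busiest flow first."""
    rows = [CSV_HEADER]
    for key, f in _by_volume(flows):
        rows.append(",".join(list(key) + [str(f["count"]), f["first"], f["last"]]))
    return "\n".join(rows)


def to_junos_set(flows, catchall="any-any"):
    """One candidate permit policy per flow, inserted ahead of the catch-all. Hosts
    become /32 global address-book entries; a service the SRX reported as a
    predefined junos-* application is matched by name, anything else gets a custom
    application from protocol and port. Object names are this script's convention."""
    cmds, defined = [], set()
    for i, (key, _) in enumerate(_by_volume(flows), 1):
        fz, tz, src, dst, proto, dport, svc = key
        pol = f"set security policies from-zone {fz} to-zone {tz} policy cand-{i}"
        src_obj, dst_obj = "h-" + src.replace(".", "_"), "h-" + dst.replace(".", "_")
        if svc.startswith("junos-"):
            app = svc
        elif proto in PROTO_NAME:
            app = f"{PROTO_NAME[proto]}-{dport}"
            defined.add(f"set applications application {app} protocol {PROTO_NAME[proto]} destination-port {dport}")
        else:
            app = f"proto-{proto}"
            defined.add(f"set applications application {app} protocol {proto}")
        defined.add(f"set security address-book global address {src_obj} {src}/32")
        defined.add(f"set security address-book global address {dst_obj} {dst}/32")
        cmds += [f"{pol} match source-address {src_obj}",
                 f"{pol} match destination-address {dst_obj}",
                 f"{pol} match application {app}",
                 f"{pol} then permit",
                 f"{pol} then log session-close",
                 f"insert security policies from-zone {fz} to-zone {tz} policy cand-{i} before policy {catchall}"]
    return sorted(defined) + cmds


if __name__ == "__main__":
    flows = summarize(parse_rt_flow(SAMPLE_LOG))
    print(to_csv(flows))
    print("\n".join(to_junos_set(flows)))
```

Point it at the collected traffic log instead of SAMPLE_LOG and repeat the run over a long enough window to catch the weekly and monthly sessions; the first_seen/last_seen columns are what tell you a one-hit flow is a scheduled job rather than noise. On the SRX5000 series traffic logs are normally streamed to a syslog collector (security log mode stream) rather than written to a local file, so the input will usually be the collector's file. The generated commands are candidates to review and merge (one host-pair rule per flow is rarely the final shape), not something to commit blindly. The last step in the best answer is not generated: once the catch-all stops logging, on the zone pair in question run delete security policies from-zone trust to-zone untrust policy any-any then permit, then set ... then deny and set ... then log session-init, so every remaining hit is a blocked flow you can decide on.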