
SRX Traffic Log

  • 1.  SRX Traffic Log

    Posted 02-13-2018 13:45

    Hello Experts,

    I have done the below config to enable logs in a SRX Firewall.

    file traffic-log {
        any any;
        match RT_FLOW_SESSION;
    }
    file accepted-traffic {
        any any;
        match RT_FLOW_SESSION_CREATE;
    }
    file blocked-traffic {
        any any;
        match RT_FLOW_SESSION_DENY;
    }

    But for some reason the logs are not showing in any of the files. This FW is actively passing traffic between two zones. Any help to identify the problem will be appreciated.


    user@FW> show log accepted-traffic 
    
    user@FW> show log blocked-traffic 
    
    user@FW> show log traffic-log 
    Feb  6 13:03:46  FW mgd[71518]: UI_CFG_AUDIT_SET: User 'user' set: [system syslog file accepted-traffic match] <unconfigured> -> "RT_FLOW_SESSION_CREATE"
    Feb  6 13:03:46  FW mgd[71518]: UI_CMDLINE_READ_LINE: User 'user', command 'set file accepted-traffic match RT_FLOW_SESSION_CREATE '
    Feb  6 13:04:19  FW mgd[71518]: UI_CFG_AUDIT_SET: User 'user' set: [system syslog file blocked-traffic match] <unconfigured> -> "RT_FLOW_SESSION_DENY"
    Feb  6 13:04:19  FW mgd[71518]: UI_CMDLINE_READ_LINE: User 'user', command 'set file blocked-traffic match RT_FLOW_SESSION_DENY '
    
    user@FW> 


  • 2.  RE: SRX Traffic Log

    Posted 02-13-2018 15:44

    You will also need to configure specific security policies for logging, using either 'then log session-init' or 'then log session-close' (or both) in the policy action.  A quick example can be found in https://kb.juniper.net/InfoCenter/index?page=content&id=KB16509 - step 2 would be the part you need.

    Be careful when configuring policy logging.  Depending on the number of policies you are logging, and the amount of traffic you have, you can easily overwhelm the firewall CPU.

    Hope this helps.


    Louis



  • 3.  RE: SRX Traffic Log

    Posted 02-13-2018 15:53

    Thanks Louis!

    How to log traffic that has been blocked by the implicit deny rule?



  • 4.  RE: SRX Traffic Log

    Posted 02-13-2018 18:12

    You can't technically log against the implicit deny, but you can use apply-groups to do the same thing.  One KB that shows it is https://kb.juniper.net/InfoCenter/index?page=content&id=KB21317.

    You could also configure a deny-and-log policy for each of the zone pairs you want to log, but that can be cumbersome.  Plus if you later configure other policies for that zone pair, you'll have to move the deny-and-log policy to make sure policies are checked in the proper order.  The advantage of the group policy is that the inherited policy is always inserted after any manually configured policies, but before the implicit deny.



  • 5.  RE: SRX Traffic Log

    Posted 02-15-2018 15:10

    To test this I have added this extra LOG_DROP policy config at the end, but the logging is still not working.

    user@FW> show configuration security policies from-zone untrust to-zone trust policy LOG_DROP 
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        deny;
        log {
            session-init;
        }
    }
    
    user@FW> show configuration system syslog
    archive size 100k files 3;
    user * {
        any emergency;
    }
    host 10.10.10.10 {
        any notice;
    }
    file messages {
        any notice;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
    file accepted-traffic {
        any any;
        match RT_FLOW_SESSION_CREATE;
    }
    file blocked-traffic {
        any any;
        match RT_FLOW_SESSION_DENY;
    }
    
    user@FW> 
    

    The logs are still empty even though there is denied traffic at the FW.


    user@FW> show log blocked-traffic
    
    user@FW> 

    Any help would be appreciated.



  • 6.  RE: SRX Traffic Log

    Posted 02-15-2018 15:55

    To confirm, there are hits against your LOG_DROP policy in 'show security policies hit-count'?  Do you see the log messages on your syslog server?  (The facility might need to be changed to 'any info' or 'any any'.)

    What model of SRX are you working with?



  • 7.  RE: SRX Traffic Log

    Posted 02-15-2018 16:04

    Yes, there are hits against that policy.

    user@FW> show security policies hit-count | match LOG 
    Logical system: root-logical-system
     8       untrust          trust             LOG_DROP       39           
    
    The log count is increasing as well.
    
    user@FW> show security policies hit-count | match LOG    
    Logical system: root-logical-system
     8       untrust          trust             LOG_DROP       42           
    
    user@FW> 
    
    -------------------------------------
    
    user@FW> show version 
    Hostname: xxxxx
    Model: srx345-dual-ac
    Junos: 15.1X49-D110.4
    JUNOS Software Release [15.1X49-D110.4]

    The syslog server gets logs from the device, but it's not traffic-related logs.



  • 8.  RE: SRX Traffic Log

    Posted 02-15-2018 16:39

    Interesting, seems like maybe things changed with the SRX300 series and/or 15.1 software.  See if you get anything from the commands 'show security log', 'show security log file', and 'show log bin_messages'.  If nothing shows in those, you may need to configure 'set security log mode event' and 'set security log format binary'.  Another possibility would be to configure log streaming to your syslog server, but the security logs won't be kept on-box in that case.

    The security device section of the system log configuration guide at https://www.juniper.net/documentation/en_US/junos/topics/concept/security-system-log-message-overview.html should help.  I've been referring to the sections discussing security logs and on-box logging.




  • 9.  RE: SRX Traffic Log

    Posted 02-16-2018 03:14

    I believe on some of the newer versions no security logging occurs until it is turned on under this hierarchy, similar to the high-end SRX models.


    security > logs




  • 10.  RE: SRX Traffic Log

    Posted 02-16-2018 09:08

    I have added this config, but still no luck.

    user@FW> show configuration security log     
    cache;
    mode stream;
    report;
    
    user@FW> 

    I am surprised to learn that just turning on logging on the box is this much of a hassle in Juniper.



  • 11.  RE: SRX Traffic Log
    Best Answer

    Posted 02-16-2018 09:31

    Try 'set security log mode event' for on-box logging.  Stream logs must be sent to an external destination, and can only be sent through a revenue port and not the management port.



  • 12.  RE: SRX Traffic Log

    Posted 02-16-2018 09:44

    Awesome! That did the trick. Thanks Louis!!!


    user@FW> show log blocked-traffic 
    Feb 16 09:38:36  FW RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.10.10.12/44694->10.10.22.50/2233 0x0 None 6(0) LOG_DROP untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
    Feb 16 09:38:39  FW last message repeated 2 times
    
    
    user@FW> 
    
    user@FW> show log accepted-traffic 
    Feb 16 09:41:07  FW RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.10.10.12/47570->10.10.22.50/22 0x0 junos-ssh 10.10.79.12/47570->10.10.200.50/22 0x0 N/A N/A static rule 17 6 SH untrust trust 137665 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
    
    user@FW>
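Once on-box logging works, the next job is usually getting the RT_FLOW lines into something structured for a SIEM or a quick triage script. The parser below is an added example written for this thread, not code from the original posts or from Juniper; it takes the two log lines shown above (plus the "last message repeated" line the syslog daemon emits) and splits them into named fields. The field names follow the Junos RT_FLOW_SESSION_CREATE/DENY message layout as I read it from these samples (connection-tag, service, NAT tuple, NAT rule type/name, protocol, policy, zones, session id, user(roles), interface, application, nested application, encrypted, reason); treat that mapping as an assumption and check it against the syslog message reference for your release.

```python
import re
from typing import Optional

# Syslog prefix as the SRX writes it to a local file: "Feb 16 09:38:36  FW RT_FLOW: "
HEADER = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) +(?P<host>\S+) RT_FLOW: "

# Assumed field order for RT_FLOW_SESSION_DENY (verify against your release's message reference).
DENY_RE = re.compile(
    HEADER
    + r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<conn_tag>\S+) (?P<service>\S+) (?P<proto>\d+)\((?P<icmp_type>\d+)\) "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) "
    r"(?P<app>\S+) (?P<nested_app>\S+) (?P<user>[^(\s]+)\((?P<roles>[^)]*)\) "
    r"(?P<iface>\S+) (?P<encrypted>\S+) (?P<reason>.+)$"
)

# Assumed field order for RT_FLOW_SESSION_CREATE. The NAT rule-type fields can contain a
# space ("static rule", "source rule") or be "N/A", so a naive str.split() mis-aligns columns.
CREATE_RE = re.compile(
    HEADER
    + r"RT_FLOW_SESSION_CREATE: session created "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<conn_tag>\S+) (?P<service>\S+) "
    r"(?P<nat_src>[\d.]+)/(?P<nat_sport>\d+)->(?P<nat_dst>[\d.]+)/(?P<nat_dport>\d+) "
    r"(?P<nat_conn_tag>\S+) "
    r"(?P<src_nat_rule_type>N/A|\S+ rule) (?P<src_nat_rule_name>\S+) "
    r"(?P<dst_nat_rule_type>N/A|\S+ rule) (?P<dst_nat_rule_name>\S+) "
    r"(?P<proto>\d+) (?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) "
    r"(?P<session_id>\d+) (?P<user>[^(\s]+)\((?P<roles>[^)]*)\) "
    r"(?P<iface>\S+) (?P<app>\S+) (?P<nested_app>\S+) (?P<encrypted>\S+)$"
)


def parse_rt_flow(line: str) -> Optional[dict]:
    """Return named fields for a RT_FLOW_SESSION_CREATE/DENY line, or None for anything else."""
    for event, rx in (("create", CREATE_RE), ("deny", DENY_RE)):
        m = rx.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["event"] = event
            for key in ("sport", "dport", "proto"):
                rec[key] = int(rec[key])
            return rec
    return None


def summarize(lines) -> dict:
    """Count events per (event, policy, from_zone, to_zone). Lines that do not parse,
    such as the syslog 'last message repeated N times' line, are skipped, so the
    counts are a lower bound when the daemon has collapsed repeats."""
    counts: dict = {}
    for line in lines:
        rec = parse_rt_flow(line)
        if rec is None:
            continue
        key = (rec["event"], rec["policy"], rec["from_zone"], rec["to_zone"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Sample input: the lines shown in the last post of the thread, embedded here so the
# example runs offline.
SAMPLE_LINES = [
    "Feb 16 09:38:36  FW RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.10.10.12/44694->10.10.22.50/2233 "
    "0x0 None 6(0) LOG_DROP untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny",
    "Feb 16 09:38:39  FW last message repeated 2 times",
    "Feb 16 09:41:07  FW RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.10.10.12/47570->10.10.22.50/22 "
    "0x0 junos-ssh 10.10.79.12/47570->10.10.200.50/22 0x0 N/A N/A static rule 17 6 SH untrust trust "
    "137665 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_rt_flow(line))
    print(summarize(SAMPLE_LINES))
```

Two practical points the sample data illustrates: the "last message repeated 2 times" line means the on-box file undercounts identical denies, so use the hit-count output from the thread (or stream mode to a collector) when you need exact volumes; and a CREATE line carries the post-NAT tuple as well as the original one, so correlate on `session_id` rather than on addresses when you later match it to its RT_FLOW_SESSION_CLOSE.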