How to show blocked traffic? SRX210

  • 1.  How to show blocked traffic? SRX210

    Posted 06-05-2011 18:12

    Hi,

    Anyone know how to view the traffic detail for what the SRX210 is actually blocking or dropping?

    I configured a security flow to show all dropped packets and the resulting log is fairly useless.

    Jun  5 21:06:54 21:06:54.361668:CID-0:RT:  packet dropped, packet dropped: for self but not interested.
    Jun  5 21:06:54 21:06:54.650423:CID-0:RT:  packet dropped, packet dropped: for self but not interested.
    Jun  5 21:06:57 21:06:56.970087:CID-0:RT:  packet dropped, packet dropped: for self but not interested.
    Jun  5 21:06:58 21:06:58.652903:CID-0:RT:  packet dropped, packet dropped: for self but not interested.
    Jun  5 21:07:02 21:07:02.655462:CID-0:RT:  packet dropped, packet dropped: for self but not interested.
    Jun  5 21:07:06 21:07:06.657940:CID-0:RT:  packet dropped, packet dropped: for self but not interested.
    Jun  5 21:07:10 21:07:10.655461:CID-0:RT:  packet dropped, packet dropped: for self but not interested.
    Jun  5 21:07:14 21:07:14.650471:CID-0:RT:  packet dropped, packet dropped: for self but not interested.
    Jun  5 21:07:17 21:07:16.829009:CID-0:RT:  packet dropped, packet dropped: for self but not interested.
    Jun  5 21:07:18 21:07:18.657955:CID-0:RT:  packet dropped, packet dropped: for self but not interested.
    Jun  5 21:07:22 21:07:22.657991:CID-0:RT:  packet dropped, packet dropped: for self but not interested.

    Is there a way to see source IP and protocol on the SRX210?

    I realize I can do this with a sniffer or from the edge router in most cases, but some of our sites will be very small with just an ISP-managed Ethernet handoff.

    Thanks.


    #logging


  • 2.  RE: How to show blocked traffic? SRX210

     
    Posted 06-05-2011 21:24

    If you mean traffic destined for IP addresses on the SRX, then you'll need to use firewal-filters.

     

    If you mean traffic transiting the SRX, then you'll need to write security-policies with "deny log session-init" as the action.

     

    Hope this helps



  • 3.  RE: How to show blocked traffic? SRX210
    Best Answer

    Posted 06-06-2011 08:30

    In my opinion, the best way is (which I use as well) ...

    1. Define a default denying security policy at the bottom (i.e. low precedence in the policy list), e.g.

        set security policies from-zone untrust to-zone trust policy untrust-trusty-denyall match source-address any
        set security policies from-zone untrust to-zone trust policy untrust-trusty-denyall match destination-address any
        set security policies from-zone untrust to-zone trust policy untrust-trusty-denyall match application any
        set security policies from-zone untrust to-zone trust policy untrust-trusty-denyall then deny
        set security policies from-zone untrust to-zone trust policy untrust-trusty-denyall then log session-init

    2. Log all denied traffic due to this security policy

        set system syslog file Denied-Traffic any any
        set system syslog file Denied-Traffic match RT_FLOW_SESSION_DENY

    3. View log using "run show log Denied-Traffic"

    regards
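The Denied-Traffic file produced by the steps above still has to be read by eye; the following is an added example (not from this thread or from Juniper) that parses RT_FLOW_SESSION_DENY lines and tallies denied sessions by source IP, protocol and destination port, which is the detail the original question asked for. The sample lines are constructed in the general shape of that message (hostname srx210 and all addresses are made up, documentation ranges only); field order on a real box may differ by Junos release, so check the regex against your own log before trusting the counts.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the RT_FLOW_SESSION_DENY message shape
# (source/port->destination/port service proto(icmp-type) policy from-zone to-zone ...).
# Hostname and addresses are made up; the last line is a non-deny message that must be ignored.
SAMPLE_LOG = """\
Jun  6 08:31:02 srx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.5/51234->198.51.100.10/22 junos-ssh 6(0) untrust-trust-denyall untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
Jun  6 08:31:05 srx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.5/51235->198.51.100.10/23 junos-telnet 6(0) untrust-trust-denyall untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
Jun  6 08:31:09 srx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.0.2.77/0->198.51.100.10/0 icmp 1(8) untrust-trust-denyall untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
Jun  6 08:31:12 srx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.9/40000->198.51.100.10/161 junos-snmp 17(0) untrust-trust-denyall untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
Jun  6 08:31:15 srx210 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 198.51.100.20/5000->203.0.113.1/443 junos-https 6(0) allow-out trust untrust
"""

# IPv4 only; an IPv6 deny line (addr:with:colons/port) will simply be skipped by this pattern.
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\((?P<icmp>\d+)\) (?P<policy>\S+) "
    r"(?P<from_zone>\S+) (?P<to_zone>\S+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_deny(line):
    """Return the fields of one RT_FLOW_SESSION_DENY line, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "proto", "icmp"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec


def summarize(log_text):
    """Count denied sessions keyed by (source IP, protocol name, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_deny(line)
        if rec is not None:
            counts[(rec["src"], rec["proto_name"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    # On a real box feed the output of "show log Denied-Traffic" in place of SAMPLE_LOG.
    for (src, proto, dport), n in summarize(SAMPLE_LOG).most_common():
        print(f"{src:<16} {proto:<5} dport={dport:<6} denied={n}")
```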



  • 4.  RE: How to show blocked traffic? SRX210

    Posted 06-14-2011 19:44

    Slightly modified config is what I applied:

        set security policies from-zone untrust to-zone trust policy untrust-trust-denyall match source-address any
        set security policies from-zone untrust to-zone trust policy untrust-trust-denyall match destination-address any
        set security policies from-zone untrust to-zone trust policy untrust-trust-denyall match application any
        set security policies from-zone untrust to-zone trust policy untrust-trust-denyall then deny
        set security policies from-zone untrust to-zone trust policy untrust-trust-denyall then log session-init
        set system syslog file Denied-Traffic any any
        set system syslog file Denied-Traffic match RT_FLOW_SESSION_DENY



  • 5.  RE: How to show blocked traffic? SRX210

    Posted 01-25-2020 04:27

    perfect!!!