
monitor traffic on clustered srx 340

  • 1.  monitor traffic on clustered srx 340

    Posted 08-11-2018 08:25

    Hello,

    A possibly easy question, but I am not able to figure it out.

    I want to monitor traffic from the internet to a web server through a couple of **bleep** 340 set up in a cluster.

    I found:

    run monitor traffic interface ge-0/0/0 matching "host 10.130.38.94" no-resolve

    But I do not have a ge interface any more.

    So I tried:

    run monitor traffic interface reth1.0 matching "host 10.130.38.94" no-resolve

    But I only get ARP messages... ?

    I would be grateful if someone had the answer.. :O)

    Kind regards Gert

     



  • 2.  RE: monitor traffic on clustered srx 340

    Posted 08-11-2018 08:53

    The 'monitor traffic' command only shows traffic to or from the routing engine.  If you want to watch transit traffic, and can't perform a packet capture, then the simplest option is to create a very specific security policy to match and log your interesting traffic.



  • 3.  RE: monitor traffic on clustered srx 340

    Posted 08-11-2018 10:48

    OK, I did not think of that.

    But what if I want to monitor flows (connection/denied/allowed) from an IP?

    Do you have an example.. ? :O)

    Kind regards Gert

     



  • 4.  RE: monitor traffic on clustered srx 340
    Best Answer

    Posted 08-11-2018 13:48

    Hi, Gert

    A quick way to monitor the traffic passing through the SRX is to check the current sessions:

        > show security flow session destination-prefix [INTERNAL_SERVER_ADDRESS]

    Now I believe you are looking for logs like these (when the traffic is permitted/denied by your security policies):

    Jan 21 18:20:12  240-3 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.27.199.166/12288->172.27.201.39/1024 icmp 172.27.199.166/12288->172.27.201.39/1024 None None 1 p1 trust junos-host 8224 N/A(N/A) ge-0/0/0.0
    Jan 21 18:20:13 240-3 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 172.27.199.166/11520->172.27.201.39/1024 icmp 172.27.199.166/11520->172.27.201.39/1024 None None 1 p1 trust junos-host 8218 1(60) 1(60) 4 N/A(N/A) ge-0/0/0.0

    Here I provide a couple of articles with configuration examples to achieve that:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16509

    https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Traffic-Log/m-p/319310#M48675

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB26771 (this one is for traffic destined to the SRX but the config example works)

    I hope it helps.
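Once the SRX is exporting RT_FLOW session logs as in the answer above, the question from post 3 (which sessions involved a given IP, under which policy, how much data) can be answered from the syslog stream. The parser below is an added example, not code from the thread or from Juniper; its field layout is taken from the two RT_FLOW_SESSION_CREATE/CLOSE lines quoted in the answer, and the extra sample lines (hostname srx340-node0, policy allow-web, zones untrust/dmz, NAT rule dnat-web, the sshd line) are constructed for illustration. RT_FLOW_SESSION_DENY events use a different layout and are not parsed here.

```python
import re
from collections import defaultdict

# Field order as in the quoted RT_FLOW lines: src/port->dst/port service
# natsrc/port->natdst/port src-nat-rule dst-nat-rule proto policy src-zone
# dst-zone session-id [pkts(bytes) pkts(bytes) elapsed] user(roles) interface
def _addr(p):
    return rf"(?P<{p}_ip>[\d.]+)/(?P<{p}_port>\d+)"

FLOW_RE = re.compile(
    r"RT_FLOW_SESSION_(?P<event>CREATE|CLOSE): session (?:created|closed)"
    r"(?: (?P<reason>[^:]+):)? " + _addr("src") + "->" + _addr("dst")
    + r" (?P<service>\S+) " + _addr("nat_src") + "->" + _addr("nat_dst")
    + r" (?P<src_nat_rule>\S+) (?P<dst_nat_rule>\S+) (?P<proto>\d+) (?P<policy>\S+)"
    r" (?P<src_zone>\S+) (?P<dst_zone>\S+) (?P<session_id>\d+)"
    r"(?: (?P<c_pkts>\d+)\((?P<c_bytes>\d+)\) (?P<s_pkts>\d+)\((?P<s_bytes>\d+)\) (?P<elapsed>\d+))?"
    r" (?P<user>\S+) (?P<iface>\S+)\s*$"
)
INT_FIELDS = ("src_port", "dst_port", "nat_src_port", "nat_dst_port", "proto",
              "session_id", "c_pkts", "c_bytes", "s_pkts", "s_bytes", "elapsed")

# Two lines from the answer above plus constructed lines in the same layout.
SAMPLE_LINES = [
    "Jan 21 18:20:12  240-3 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.27.199.166/12288->172.27.201.39/1024 icmp 172.27.199.166/12288->172.27.201.39/1024 None None 1 p1 trust junos-host 8224 N/A(N/A) ge-0/0/0.0",
    "Jan 21 18:20:13 240-3 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 172.27.199.166/11520->172.27.201.39/1024 icmp 172.27.199.166/11520->172.27.201.39/1024 None None 1 p1 trust junos-host 8218 1(60) 1(60) 4 N/A(N/A) ge-0/0/0.0",
    "Aug 11 08:30:01 srx340-node0 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 203.0.113.10/51514->198.51.100.20/443 junos-https 203.0.113.10/51514->10.130.38.94/443 None dnat-web 6 allow-web untrust dmz 9001 N/A(N/A) reth0.0",
    "Aug 11 08:30:07 srx340-node0 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 203.0.113.10/51514->198.51.100.20/443 junos-https 203.0.113.10/51514->10.130.38.94/443 None dnat-web 6 allow-web untrust dmz 9001 12(1480) 10(8920) 6 N/A(N/A) reth0.0",
    "Aug 11 08:30:09 srx340-node0 sshd[2001]: Accepted publickey for gert from 10.130.38.5",
]

def parse_flow_line(line):
    """Return a dict of fields for a CREATE/CLOSE event, or None for any other line."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in INT_FIELDS:          # CREATE events have no counters: those stay None
        if rec[k] is not None:
            rec[k] = int(rec[k])
    return rec

def sessions_for_host(lines, host):
    """Events where host is client or server, before or after NAT (covers the DNAT'd web server)."""
    recs = (parse_flow_line(l) for l in lines)
    return [r for r in recs
            if r and host in (r["src_ip"], r["dst_ip"], r["nat_src_ip"], r["nat_dst_ip"])]

def bytes_by_policy(lines, host):
    """Closed-session count and total bytes (both directions) per permitting policy."""
    totals = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for r in sessions_for_host(lines, host):
        if r["event"] == "CLOSE":
            totals[r["policy"]]["sessions"] += 1
            totals[r["policy"]]["bytes"] += r["c_bytes"] + r["s_bytes"]
    return dict(totals)
```

Because the match also looks at the post-NAT addresses, a search for the internal server 10.130.38.94 finds sessions that the log records against its public destination-NAT address.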