
  • 1.  SRX IDP Traffic Logging Format Explanation

    Posted 07-22-2019 23:46

    With a Juniper SRX Firewall with traffic event logging configured to output "RT_IDP|RT_FLOW_SESSION" to a file on the SRX, there are pieces of log information appended to the end of each log/event entry.

    For example, with the 2 log events below, the last 3 words in the first log event are "HTTP UNKNOWN UNKNOWN" and in the second log line the last 3 words are "UNKNOWN UNKNOWN UNKNOWN".

     

    Does anyone know what the last 3 words in SRX traffic log files refer to?

     RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.25.255.2/33355->10.10.5.5/80 0x0 junos-http 10.25.255.2/33355->192.168.2.5/80 0x0 N/A N/A destination rule ENT 6 ENT Internet ENT 9719 N/A(N/A) ge-0/0/0.0 HTTP UNKNOWN UNKNOWN
     RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.25.255.2/5432->10.18.5.5/80 0x0 junos-http 10.25.255.2/5432->192.168.2.5/80 0x0 N/A N/A destination rule ENT 6 ENT Internet ENT 10378 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN

    Thanks.


    #logging
    #SRX


  • 2.  RE: SRX IDP Traffic Logging Format Explanation
    Best Answer

    Posted 07-22-2019 23:55

    Hello,

     

    Those three fields are application, nested application and encryption respectively. Please see the description added in the log below:

     

    RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.25.255.2/5432->10.18.5.5/80 0x0 junos-http 10.25.255.2/5432->192.168.2.5/80 0x0 N/A N/A destination rule ENT 6 ENT Internet ENT 10378 N/A(N/A) ge-0/0/0.0 UNKNOWN(application) UNKNOWN(nested-application) UNKNOWN(encryption)

     

    Examples for each term:

    Application: HTTP

    Nested-Application: Facebook Messenger (protocols that work over the parent application)

    Encryption: whether the traffic is encrypted (e.g., HTTPS).

     

    Regards,

    Prakash
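The following is an added example, not code from the thread or from Juniper: a small parser that pulls the 5-tuple, the NAT tuple, the zones, the session ID and the three trailing fields (application, nested-application, encrypted) out of RT_FLOW_SESSION_CREATE lines in the layout shown in the two posted log lines, then flags sessions where a flow to a well-known port was logged with application UNKNOWN. The thread confirms only the meaning of the last three fields; the names used for the fields in between (connection tags, NAT rule type/name, protocol, policy, zones, username/roles, ingress interface) follow Juniper's published message definition and are an assumption of this example, as is the field order, which matches the posted lines but may differ on older Junos releases. The two sample lines are the ones from the question; the third is a constructed malformed line to show how non-matching input is handled.

```python
import re
from typing import Iterable, List, Optional

# Field layout of RT_FLOW_SESSION_CREATE as seen in the posted lines. Only the
# three trailing fields (application, nested_application, encrypted) are
# confirmed by the thread; the other field names are an assumption taken from
# Juniper's message definition. NAT rule types are printed as two words
# ("source rule", "destination rule") or as N/A, which is why they get their
# own alternation instead of a plain \S+.
SESSION_CREATE_RE = re.compile(
    r"RT_FLOW_SESSION_CREATE: session created "
    r"(?P<src>[0-9a-fA-F.:]+)/(?P<sport>\d+)->(?P<dst>[0-9a-fA-F.:]+)/(?P<dport>\d+) "
    r"(?P<conn_tag>\S+) (?P<service>\S+) "
    r"(?P<nat_src>[0-9a-fA-F.:]+)/(?P<nat_sport>\d+)->(?P<nat_dst>[0-9a-fA-F.:]+)/(?P<nat_dport>\d+) "
    r"(?P<nat_conn_tag>\S+) "
    r"(?P<src_nat_rule_type>N/A|\w+ rule) (?P<src_nat_rule_name>\S+) "
    r"(?P<dst_nat_rule_type>N/A|\w+ rule) (?P<dst_nat_rule_name>\S+) "
    r"(?P<proto>\d+) (?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) "
    r"(?P<session_id>\d+) (?P<user>[^()\s]+)\((?P<roles>[^)]*)\) (?P<ifname>\S+) "
    r"(?P<application>\S+) (?P<nested_application>\S+) (?P<encrypted>\S+)\s*$"
)

INT_FIELDS = ("sport", "dport", "nat_sport", "nat_dport", "proto", "session_id")


def parse_session_create(line: str) -> Optional[dict]:
    """Return a dict of named fields for one RT_FLOW_SESSION_CREATE line, or
    None if the line does not match the expected layout. search() rather than
    match() so a syslog header in front of 'RT_FLOW:' does not matter."""
    m = SESSION_CREATE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def unclassified_sessions(lines: Iterable[str],
                          ports: frozenset = frozenset({80, 443})) -> List[int]:
    """Session IDs of flows to a well-known port whose application field is
    UNKNOWN, i.e. AppID had not classified the flow when the session was
    created. Useful as a quick sanity check of the posted tail fields."""
    hits = []
    for line in lines:
        rec = parse_session_create(line)
        if rec and rec["dport"] in ports and rec["application"] == "UNKNOWN":
            hits.append(rec["session_id"])
    return hits


# First two lines are the ones posted in the question; the third is a
# constructed, deliberately truncated line that must not parse.
SAMPLE_LINES = [
    "RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.25.255.2/33355->10.10.5.5/80 0x0 junos-http "
    "10.25.255.2/33355->192.168.2.5/80 0x0 N/A N/A destination rule ENT 6 ENT Internet ENT 9719 "
    "N/A(N/A) ge-0/0/0.0 HTTP UNKNOWN UNKNOWN",
    "RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.25.255.2/5432->10.18.5.5/80 0x0 junos-http "
    "10.25.255.2/5432->192.168.2.5/80 0x0 N/A N/A destination rule ENT 6 ENT Internet ENT 10378 "
    "N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN",
    "RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.25.255.2/5432->10.18.5.5/80 0x0 junos-http",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_session_create(line)
        if rec is None:
            print("unparsed:", line[:60], "...")
            continue
        print(f"session {rec['session_id']}: {rec['src']}:{rec['sport']} -> "
              f"{rec['dst']}:{rec['dport']} ({rec['from_zone']}->{rec['to_zone']}) "
              f"app={rec['application']} nested={rec['nested_application']} "
              f"encrypted={rec['encrypted']}")
    print("UNKNOWN on well-known ports:", unclassified_sessions(SAMPLE_LINES))
```

One caveat worth keeping in mind when reading these values: RT_FLOW_SESSION_CREATE is emitted when the session is set up, before much of the payload has been seen, so UNKNOWN in the tail fields of a CREATE message is common; the SESSION_CLOSE message for the same session ID is the one to check for the final classification.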






  • 3.  RE: SRX IDP Traffic Logging Format Explanation

    Posted 07-23-2019 00:56

    Hello,

     

    Syslog Explorer is THE tool to find out. It is available for free on the Juniper public website:

    https://apps.juniper.net/syslog-explorer/

     

    And your message is explained at

    https://apps.juniper.net/syslog-explorer/#msg=RT_FLOW_SESSION_CREATE&sw=Junos%20OS&rel=19.2R1

     

    HTH

    Thx

    Alex