SRX


security policy traffic logs - seeking advice

  • 1.  security policy traffic logs - seeking advice

    Posted 07-08-2019 09:55

    Hi everyone,

    I have an SRX240H2 running Junos 12.3X48-D45.6

    I would like to enable traffic logs that basically allow me to see what connections are being allowed or blocked by my security policies. I've attempted to follow this guide https://kb.juniper.net/InfoCenter/index?page=content&id=KB16509&actp=METADATA

    as well as this: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-on-box-binary-security-log-files-configuring.html

    This hasn't given me the log data I'm looking for. At best it's only given me VPN tunnel connections being established as well as system logs, but NOT traffic being permitted or denied.

    I'm still unsure how to go about enabling this to get the data that I actually need, hope someone here can help point me in the right direction.

    thanks



  • 2.  RE: security policy traffic logs - seeking advice

    Posted 07-08-2019 10:01

    Please share your configuration related to logging (at least syslog and policy config) if possible.



  • 3.  RE: security policy traffic logs - seeking advice

    Posted 07-08-2019 14:06

    Hi Salamander,

    This is a 3-step process to configure and verify:

    1) You need to configure the log file under the system syslog hierarchy and match it for 'RT_FLOW_SESSION':

    user@host# set system syslog file traffic-log any any
    user@host# set system syslog file traffic-log match "RT_FLOW_SESSION"

    2) To be able to log the traffic denied, you need to update the necessary security policy to log 'session-init', and to be able to log traffic permitted, you need to update the necessary security policy to log 'session-init' and 'session-close', or just 'session-close'.

    To log traffic that is blocked:

    user@host# set security policies from-zone trust to-zone untrust policy deny then log session-init

    To log traffic that is permitted:

    user@host# set security policies from-zone trust to-zone untrust policy allow then log session-init
    user@host# set security policies from-zone trust to-zone untrust policy allow then log session-close

    or

    user@host# set security policies from-zone trust to-zone untrust policy allow then log session-close

    3) Then you need to run the traffic of interest that would hit these policies configured with logging, so that you can then verify the log file.

    Note: You can try to name the syslog file with a unique name (other than traffic-log) to rule out any file corruption issues if this same filename was used in the past to capture some other logs.

    If you still have issues, please share the syslog and security policies configuration if possible so that we can review and share our thoughts/recommendations.

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

    Regards,

    HS



  • 4.  RE: security policy traffic logs - seeking advice

    Posted 07-09-2019 08:22

    Yes sure, below is the configuration of syslog. As suggested by hsrinivasan I created a new file to collect the logs called "t-log" and attempted to collect logs for all facilities and at all severity levels. Although it is there, I have to confess I'm not entirely sure what RT_FLOW_SESSION actually represents and I couldn't find any documentation about it.

    root@T-MER-FW0# show system syslog
    archive size 100k files 3;
    user * {
        any emergency;
    }
    host 172.16.16.36 {
        any any;
    }
    file messages {
        any critical;
        authorization info;
    }
    file interactive-commands {
        interactive-commands error;
    }
    file security {
        security info;
    }
    file policy_session {
        user info;
        match RT_FLOW;
        archive size 1000k world-readable;
        structured-data;
    }
    file traffic-log {
        any any;
    }
    file t-log {
        any any;
        security any;
        match RT_FLOW_SESSION;
    }


    As for the policies, most of them do have session-init and session-close enabled on them. Below is an example policy where I would expect to see lots of traffic going out:

    root@T-MER-FW0# show security policies from-zone trust to-zone untrust policy TLCMD-Data
    match {
        source-address [ TLCMD-Data TLCMD-Peripherals ];
        destination-address any;
        application any;
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
    }

     



  • 5.  RE: security policy traffic logs - seeking advice
    Best Answer

    Posted 07-09-2019 09:10

    Hope the log mode is configured as event. Please share the output of the following commands:

    show configuration security log

    show security policies hit-count (two times)

    show log traffic-log | last 100



  • 6.  RE: security policy traffic logs - seeking advice

    Posted 07-10-2019 19:35

    Hi,

    In addition to the above could you also share what you are seeing in the log files?

    show log traffic-log | match RT_FLOW

    show log policy_session | last

    Regards,

    Vikas



  • 7.  RE: security policy traffic logs - seeking advice

    Posted 07-11-2019 09:38

    Thanks, Nellikka

    I think I've got it working now. The command "show configuration security log" gave me a clue as to what was wrong, as the file name and path were set to something random here. I just changed it to match the path/name of the logs I was setting up for syslog and issued the "show log <file name>" command, and I started getting more data.

    Now it's just a case of interpreting the syslog data.
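The three-step procedure in reply 3 ends with verifying the log file, and the last reply ends with interpreting the syslog data. Below is an added example (not from this thread or from Juniper) of a small Python parser that reads the plain-text RT_FLOW_SESSION_CREATE / _CLOSE / _DENY lines such a `file t-log ... match RT_FLOW_SESSION` file collects, and reports which policies are actually producing session-init and session-close records and which flows were denied. The sample lines are constructed; the field order they follow is my understanding of the plain RT_FLOW message layout and is an assumption, as are the hostname, addresses, session ids and the `deny-all` policy name (`TLCMD-Data` and `trust`/`untrust` are reused from reply 4).

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread) in the plain RT_FLOW format.
# Field order is an assumption based on the RT_FLOW_SESSION_* messages; the hostname,
# addresses, session ids and the "deny-all" policy are made up for illustration.
SAMPLE_LOG = """\
Jul  9 09:12:01 T-MER-FW0 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.0.2.10/51234->198.51.100.20/443 junos-https 192.0.2.10/51234->198.51.100.20/443 None None 6 TLCMD-Data trust untrust 4711 N/A(N/A) ge-0/0/0.0
Jul  9 09:12:05 T-MER-FW0 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.0.2.10/51234->198.51.100.20/443 junos-https 192.0.2.10/51234->198.51.100.20/443 None None 6 TLCMD-Data trust untrust 4711 12(1500) 10(9000) 4 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
Jul  9 09:13:10 T-MER-FW0 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.0.2.11/40000->198.51.100.30/23 junos-telnet 6(0) deny-all trust untrust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
Jul  9 09:13:12 T-MER-FW0 mgd[4100]: UI_CMDLINE_READ_LINE: User 'root', command 'show log t-log '
"""

# One regex for all three event types: the first 5-tuple, the service name, then the
# protocol number (DENY writes it as "6(0)"), policy name and the two zones.
# CREATE/CLOSE repeat the 5-tuple plus NAT fields before the protocol; the optional
# lazy group skips over them.
FLOW_RE = re.compile(
    r"RT_FLOW_SESSION_(?P<event>CREATE|CLOSE|DENY):.*?"
    r"(?P<src>\d+(?:\.\d+){3})/(?P<sport>\d+)->"
    r"(?P<dst>\d+(?:\.\d+){3})/(?P<dport>\d+)\s"
    r"(?P<service>\S+)\s"
    r"(?:.*?\s)?"
    r"(?P<proto>\d+)(?:\(\d+\))?\s"
    r"(?P<policy>\S+)\s(?P<from_zone>\S+)\s(?P<to_zone>\S+)"
)


def parse_flow_line(line):
    """Return a dict for an RT_FLOW_SESSION_* line, or None for any other syslog line."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "proto"):
        rec[key] = int(rec[key])
    return rec


def summarize(log_text):
    """Count records per (event, policy): shows which policies really log session-init/close."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_flow_line(line)
        if rec:
            counts[(rec["event"], rec["policy"])] += 1
    return counts


def denied_flows(log_text):
    """(src, dst, dport, policy) for every session the firewall denied."""
    out = []
    for line in log_text.splitlines():
        rec = parse_flow_line(line)
        if rec and rec["event"] == "DENY":
            out.append((rec["src"], rec["dst"], rec["dport"], rec["policy"]))
    return out


def policy_is_logging(log_text, policy):
    """True if any RT_FLOW_SESSION record in the file names this policy (step 3 check)."""
    return any(p == policy for (_event, p) in summarize(log_text))


if __name__ == "__main__":
    for (event, policy), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{event:6} {policy:12} {n}")
    print("denied:", denied_flows(SAMPLE_LOG))
```

Run it against `show log t-log` output saved to a file to confirm that the policies you expect (e.g. `TLCMD-Data`) appear with CREATE and CLOSE records and that denied flows name the deny policy. Note that the `policy_session` file in reply 4 is configured with `structured-data`, which writes key="value" pairs rather than the space-separated layout above; this parser targets the plain format, so point it at the `t-log` / `traffic-log` style files.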