Hi Salamander,
This is a 3 step process to configure and verify:
1) You need to configure the log file under system syslog hierarchy and match it for 'RT_FLOW_SESSION':
user@host# set system syslog file traffic-log any any
user@host# set system syslog file traffic-log match "RT_FLOW_SESSION"
2) To be able to log the traffic denied, you need to update the necessary security policy to log 'session-init'. To be able to log the traffic permitted, you need to update the necessary security policy to log 'session-init' and 'session-close', or just 'session-close'.
To log traffic that is blocked:
user@host# set security policies from-zone trust to-zone untrust policy deny then log session-init
To log traffic that is permitted:
user@host# set security policies from-zone trust to-zone untrust policy allow then log session-init
user@host# set security policies from-zone trust to-zone untrust policy allow then log session-close
or
user@host# set security policies from-zone trust to-zone untrust policy allow then log session-close
3) Then you need to run the traffic of interest that would hit these policies configured with logging so that you can then verify the log file.
Note: You can try to name the syslog file with a unique name (other than traffic-log) to rule out any file corruption issues if this same filename was used in the past to capture some other logs.
If you still have issues, please share the syslog and security policies configuration if possible so that we can review and share our thoughts/recommendations.
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Regards,
HS
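As an added example (not part of HS's reply and not Juniper code), here is a small Python check for step 3: it reads lines from the traffic-log file, keeps only the RT_FLOW_SESSION_DENY / _CREATE / _CLOSE events that the syslog match filter above lets through, and reports whether both denied and permitted sessions are actually being logged. The sample log lines are constructed and only approximate the real Junos message layout; the parser relies only on the event name and the first src/port->dst/port pair, so it does not depend on the exact ordering of the remaining fields.

```python
import re
from collections import Counter

# Constructed sample lines in the general shape of Junos RT_FLOW_SESSION messages.
# Field layout after the address pair is approximate and assumed for illustration.
# The last line is an unrelated message, to show that non-flow lines are ignored.
SAMPLE_LOG = """\
Jan 10 12:00:01 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.5/51234->203.0.113.10/23 junos-telnet 6(0) deny trust untrust ge-0/0/0.0
Jan 10 12:00:02 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.5/51240->203.0.113.10/443 junos-https 10.1.1.5/51240->203.0.113.10/443 None None 6 allow trust untrust 1201 ge-0/0/0.0
Jan 10 12:00:09 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.5/51240->203.0.113.10/443 junos-https 10.1.1.5/51240->203.0.113.10/443 None None 6 allow trust untrust 1201 12(980) 10(2200) 7 ge-0/0/0.0
Jan 10 12:00:10 srx sshd[123]: Accepted password for admin from 10.1.1.9 port 4000
"""

# Key only on the event name and the first "src/port->dst/port" pair; the token
# that follows the pair is taken as the service name (e.g. junos-https).
FLOW_RE = re.compile(
    r"RT_FLOW_SESSION_(?P<event>DENY|CREATE|CLOSE):.*?"
    r"(?P<src>[0-9a-fA-F.:]+)/(?P<sport>\d+)->(?P<dst>[0-9a-fA-F.:]+)/(?P<dport>\d+)"
    r"(?:\s+(?P<service>\S+))?"
)


def parse_rt_flow(line):
    """Return a dict for an RT_FLOW_SESSION line, or None for any other line."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return {
        "event": m.group("event"),
        "src": m.group("src"),
        "src_port": int(m.group("sport")),
        "dst": m.group("dst"),
        "dst_port": int(m.group("dport")),
        "service": m.group("service"),
    }


def parse_log(text):
    """Parse every line of a log file, dropping lines that are not flow events."""
    return [r for r in (parse_rt_flow(line) for line in text.splitlines()) if r]


def verify_logging(records):
    """Check that the policies configured in step 2 are producing logs.

    deny_logged   -> the deny policy's 'log session-init' is working
    permit_logged -> the allow policy's session-init and/or session-close is working
    """
    events = Counter(r["event"] for r in records)
    return {
        "deny_logged": events["DENY"] > 0,
        "permit_logged": events["CREATE"] > 0 or events["CLOSE"] > 0,
        "counts": dict(events),
    }


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; swap in the real file with:
    #   records = parse_log(open("/var/log/traffic-log").read())
    records = parse_log(SAMPLE_LOG)
    for r in records:
        print(f"{r['event']:<6} {r['src']}:{r['src_port']} -> "
              f"{r['dst']}:{r['dst_port']} ({r['service']})")
    result = verify_logging(records)
    print(result)
    if not result["deny_logged"]:
        print("No RT_FLOW_SESSION_DENY seen: check 'then log session-init' on the deny policy")
    if not result["permit_logged"]:
        print("No CREATE/CLOSE seen: check 'then log session-init/session-close' on the allow policy")
```

If the script reports no DENY or no CREATE/CLOSE events after you have sent the traffic of interest, the missing event tells you which policy (deny or allow) still lacks the log statement, or whether the syslog match filter is not letting those messages into the file.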