Security

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



  • 1.  what is the "pre-id-default-policy-logical-system-00"?

    Posted 06-15-2021 20:41
    from a vSRX I'm collecting some logs, below is an example (I change some information for privacy reasons):

    Jun 15 16:15:00 vSRX-Node1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.88.232.15/55490->34.102.128.190/443 0x0 junos-https 10.88.232.15/55490->34.102.128.190/443 0x0 N/A N/A N/A N/A 6 pre-id-default-policy-logical-system-00 SL-PRIVATE SL-PUBLIC 1084591 N/A(N/A) reth2.1635 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A

    Jun 15 16:15:00 vSRX-Node1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.88.233.11/65351->34.102.128.190/443 0x0 junos-https 10.88.233.11/65351->34.102.128.190/443 0x0 N/A N/A N/A N/A 6 pre-id-default-policy-logical-system-00 SL-PRIVATE SL-PUBLIC 622611 N/A(N/A) reth2.1636 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A


    for each flow I need to check the policy name, but in my case, all the flows have the same policy name "pre-id-default-policy-logical-system-00". what kind of policy is it? I need to see the real name, not a fake one. in my virtual LAB I always saw the real name, but in the real situation is different.

    I think it is because of these two configuration lines:

    set security policies pre-id-default-policy then log session-init
    set security policies pre-id-default-policy then log session-close

    what are they for exactly? I found this page, from the official documentation, but if I have to be honest, I did't understand:
    https://www.juniper.net/documentation/us/en/software/junos/flow-packet-processing/topics/topic-map/security-flow-unified-policies.html

    but at least I understand this:

    CAUTION:Configuring session-init logging for the pre-id-default-policy can generate a large amount of logs. Each session that enters the SRX that initially matches the pre-id-default-policy will generate an event. We recommend only using this option for troubleshooting purposes.

    so what about if I delete these two configuration lines? is it not better? will it allow me to see the real security policy name in the log messages?


  • 2.  RE: what is the "pre-id-default-policy-logical-system-00"?

    Posted 06-16-2021 09:22
    Hello,

    Those logs are indeed from this line of configuration:
    set security policies pre-id-default-policy then log session-init
    
    We generally don't suggest enabling this particular piece of configuration unless you're troubleshooting issues with session setup.

    We do recommend you keep the 'session-close' piece of configuration (which is present by default in current releases) as it will notify you if flows are being closed prior to being identified by JDPI. This can sometimes be indicative of evasive behaviour and should be investigated.
    set security policies pre-id-default-policy then log session-close​


    In case you're not aware, all flows that match unified-policies are assigned to the pre-id-default-policy (after basic 5-tuple matching) while JDPI inspects the flow and classifies the layer-7 application. This will generally take a few packets at minimum to have the first classification event, so it's normal to see flows sitting in pre-id-default-policy that have only passed a few packets through the SRX.

    If you have any other questions, let me know and I'd be happy to help.

    Take care, 



    ------------------------------
    Craig Dods
    ------------------------------