A possibly easy question, but I am not able to figure it out.
I want to monitor traffic from the internet to a web server through a couple of **bleep** 340 set up in a cluster.
run monitor traffic interface ge-0/0/0 matching "host 10.130.38.94" no-resolve
But I do not have a ge interface any more.
So I tried:
run monitor traffic interface reth1.0 matching "host 10.130.38.94" no-resolve
But I only get ARP messages... ?
I would be grateful if someone had the answer.. :O)
Kind regards Gert
The 'monitor traffic' command only shows traffic to or from the routing engine. If you want to watch transit traffic, and can't perform a packet capture, then the simplest option is to create a very specific security policy to match and log your interesting traffic.
OK, I did not think of that.
But what if I want to monitor flow (connection/denied/allowed) from an IP?
Do you have an example.. ? :O)
A quick way to monitor the traffic passing through the SRX is to check the current sessions:
> show security flow session destination-prefix [INTERNAL_SERVER_ADDRESS]
Now I believe you are looking for logs like these ones (when the traffic is permitted/denied by your security-policies):
Jan 21 18:20:12 240-3 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.27.199.166/12288->172.27.201.39/1024 icmp 172.27.199.166/12288->172.27.201.39/1024 None None 1 p1 trust junos-host 8224 N/A(N/A) ge-0/0/0.0
Jan 21 18:20:13 240-3 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 172.27.199.166/11520->172.27.201.39/1024 icmp 172.27.199.166/11520->172.27.201.39/1024 None None 1 p1 trust junos-host 8218 1(60) 1(60) 4 N/A(N/A) ge-0/0/0.0
Here I provide a couple of articles with configuration examples to achieve that:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB26771 (this one is for traffic destined to the SRX but the config example works)
I hope it helps.
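
Added example, not part of the thread: once a policy logs sessions, the RT_FLOW lines can be filtered for one host and tallied by event type. The Python below parses only the leading fields visible in the two log lines quoted above; the RT_FLOW_SESSION_DENY line and the 192.0.2.x line are constructed samples, and the function names are hypothetical.

```python
import re
from collections import Counter

# Fields common to the RT_FLOW lines quoted in the thread:
# "<timestamp> <device> RT_FLOW: <EVENT>: <text> <src>/<port>-><dst>/<port> <service> ..."
RT_FLOW = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<device>\S+) RT_FLOW: "
    r"(?P<event>RT_FLOW_SESSION_(?:CREATE|CLOSE|DENY)): .*?"
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) (?P<service>\S+)"
)

SAMPLE = [
    # The two lines below are the ones quoted in the thread.
    "Jan 21 18:20:12 240-3 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.27.199.166/12288->172.27.201.39/1024 icmp 172.27.199.166/12288->172.27.201.39/1024 None None 1 p1 trust junos-host 8224 N/A(N/A) ge-0/0/0.0",
    "Jan 21 18:20:13 240-3 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 172.27.199.166/11520->172.27.201.39/1024 icmp 172.27.199.166/11520->172.27.201.39/1024 None None 1 p1 trust junos-host 8218 1(60) 1(60) 4 N/A(N/A) ge-0/0/0.0",
    # Constructed lines (trailing fields omitted) to show a deny and another host.
    "Jan 21 18:20:15 240-3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 172.27.199.166/40000->172.27.201.39/23 junos-telnet",
    "Jan 21 18:20:16 240-3 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.0.2.10/5000->192.0.2.20/443 junos-https",
    "Jan 21 18:20:17 240-3 mgd[1234]: unrelated syslog line",
]


def parse_flow_line(line):
    """Return the leading fields of an RT_FLOW session line, or None."""
    m = RT_FLOW.match(line.strip())
    return m.groupdict() if m else None


def flows_for_host(lines, host):
    """Yield parsed events where host is the source or the destination."""
    for line in lines:
        rec = parse_flow_line(line)
        if rec and host in (rec["src"], rec["dst"]):
            yield rec


def summarize(lines, host):
    """Count created / closed / denied sessions involving host."""
    return Counter(rec["event"] for rec in flows_for_host(lines, host))


if __name__ == "__main__":
    for rec in flows_for_host(SAMPLE, "172.27.199.166"):
        print(rec["ts"], rec["event"], f'{rec["src"]}:{rec["sport"]}',
              "->", f'{rec["dst"]}:{rec["dport"]}', rec["service"])
    print(dict(summarize(SAMPLE, "172.27.199.166")))
```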