In that case, there's nothing that stands out to me. You could go back to the configuration that worked and change it little by little, and see at what point everything breaks.
Original Message:
Sent: 09-25-2024 12:24
From: JOHN WILLIAMSON
Subject: Filter created on SRX is not writing file
Nikolay,
I do have a filter name specified; I just changed the title for this thread.
set forwarding-options packet-capture file filename File_Name (this is a generic name for this thread)
set interfaces ge-0/0/15 unit 0 family inet filter input Filter_Name (also generic names for this thread)
set interfaces ge-0/0/15 unit 0 family inet filter output Filter_Name (also generic names for this thread)
On this SRX, the folders get forwarded, if that is the correct term, to the cf/.... folder. I expected it to go to the default location, and the SRX told me it was in the cf version.
------------------------------
JOHN WILLIAMSON
Original Message:
Sent: 09-25-2024 12:14
From: Nikolay Semov
Subject: Filter created on SRX is not writing file
Ref: https://www.juniper.net/documentation/us/en/software/junos/network-mgmt/topics/topic-map/analyze-network-traffic-by-using-packet-capture.html#id-example-enabling-packet-capture-on-a-device
Not sure in what way the behavior is affected when you don't have the file name explicitly specified, but you probably should include it:
set forwarding-options packet-capture file filename blablabla
Also, for consistency across different SRX models, you should look for stuff in /var/tmp/ rather than /cf/var/tmp. Yeah, it's just a symlink to /cf/var/tmp, but some models don't have /cf/var/tmp/, so if you get used to the /cf/ path, one day you'll be unpleasantly surprised.
------------------------------
Nikolay Semov
Original Message:
Sent: 09-23-2024 16:42
From: JOHN WILLIAMSON
Subject: Filter created on SRX is not writing file
( I posted this in Security before I found this community. Sorry for the cross posting. )
I checked out videos and docs on the Juniper support site and came up with these settings. ( Hiding the real IPs )
set firewall filter Rims_Filter term 1 from source-address xxx.xxx.xxx.xxx/32
set firewall filter Rims_Filter term 1 from destination-address yyy.yyy.yyy.yyy/32
set firewall filter Rims_Filter term 1 then sample
set firewall filter Rims_Filter term 1 then accept
set firewall filter Rims_Filter term 2 from source-address yyy.yyy.yyy.yyy/32
set firewall filter Rims_Filter term 2 from destination-address xxx.xxx.xxx.xxx/32
set firewall filter Rims_Filter term 2 then sample
set firewall filter Rims_Filter term 2 then accept
set firewall filter Rims_Filter term 3 then accept
As well as these lines in the config:
set interfaces ge-0/0/15 unit 0 family inet filter input Filter_Name
set interfaces ge-0/0/15 unit 0 family inet filter output Filter_Name
My issue is that the saved file is not being created in the /cf/var/tmp folder on the firewall. It was created the first time I tried this with a less elegant filter as shown below.
delete firewall filter Rims_Filter term 1 from source-address xxx.xxx.xxx.xxx/32
delete firewall filter Rims_Filter term 1 from destination-address yyy.yyy.yyy.yyy/32
set firewall filter Rims_Filter term 1 then sample
set firewall filter Rims_Filter term 2 then accept
set firewall filter Rims_Filter term 3 from source-address yyy.yyy.yyy.yyy/32
set firewall filter Rims_Filter term 3 from destination-address xxx.xxx.xxx.xxx/32
set firewall filter Rims_Filter term 3 then sample
set firewall filter Rims_Filter term 4 then accept
set interfaces ge-0/0/15 unit 0 family inet filter input Filter_Name (note: I only have the input line here)
Where have I made my mistake? I use the command set forwarding-options packet-capture disable to turn it off and set forwarding-options packet-capture enable to turn it back on.
------------------------------
JOHN WILLIAMSON
------------------------------
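As an added illustration (not from the thread or from Juniper), a small Python lint over set-style Junos lines that checks the points raised above before you start bisecting the config: the capture filename is set, packet-capture is not disabled, some term uses "then sample", the filter applied to the interface is the one actually defined, and it is applied in both directions. Run on the posted lines it flags the Rims_Filter/Filter_Name mismatch, which in the thread is only a placeholder artifact, but on a real device would be one reason a capture never writes; the regexes are written for the statement forms shown in this thread only.

```python
import re
from collections import defaultdict

# Constructed sample of the thread's set-style lines, placeholder names kept as posted.
SAMPLE_CONFIG = """
set forwarding-options packet-capture file filename File_Name
set firewall filter Rims_Filter term 1 from source-address xxx.xxx.xxx.xxx/32
set firewall filter Rims_Filter term 1 then sample
set firewall filter Rims_Filter term 1 then accept
set interfaces ge-0/0/15 unit 0 family inet filter input Filter_Name
set interfaces ge-0/0/15 unit 0 family inet filter output Filter_Name
"""
FILTER_RE = re.compile(r"^set firewall filter (\S+) term (\S+) (from|then) (\S+)")
IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet filter (input|output) (\S+)")
CAPTURE_RE = re.compile(r"^set forwarding-options packet-capture file filename (\S+)")


def lint_capture_config(config_text):
    """Return findings (strings) on why a 'then sample' capture may never write a file."""
    defined, sampling = set(), set()   # all filter names; those with a 'then sample' term
    applied = defaultdict(set)         # filter name -> {(interface, unit, direction)}
    capture_file, disabled = None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := FILTER_RE.match(line):
            defined.add(m.group(1))
            if m.group(3) == "then" and m.group(4) == "sample":
                sampling.add(m.group(1))
        elif m := IFACE_RE.match(line):
            applied[m.group(4)].add((m.group(1), m.group(2), m.group(3)))
        elif m := CAPTURE_RE.match(line):
            capture_file = m.group(1)
        elif line == "set forwarding-options packet-capture disable":
            disabled = True
    findings = []
    if capture_file is None:
        findings.append("no 'packet-capture file filename' configured")
    if disabled:
        findings.append("packet-capture is disabled")
    if not sampling:
        findings.append("no firewall filter term uses 'then sample'")
    for name in sorted(applied):
        if name not in defined:
            findings.append(f"interface references undefined filter {name}")
    for name in sorted(sampling):
        directions = {d for _, _, d in applied.get(name, ())}
        if not directions:
            findings.append(f"sampling filter {name} is not applied to any interface")
        elif directions != {"input", "output"}:
            findings.append(f"filter {name} applied only as {directions.pop()}; other direction not sampled")
    return findings
```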