I have an SRX240 running Junos 9.6R2.11. I'm not sure if I'm missing something or just plain stupid.
I have a firewall filter configured like so:
bdfleming@site# show firewall filter lan_inbound
<<<snip>>>
term leaked_private_traffic {
    from {
        source-address {
            10.0.0.0/8;
            192.168.0.0/16;
            172.16.0.0/12;
        }
    }
    then {
        count "Leaked Private Traffic (Dropped)";
        discard;
    }
}
<<<snip>>>
I see traffic matching this term at a rate of ~2 packets per second (roughly). I'd like to capture some of these packets to help the users find their misbehaving device, but I'm having problems getting the term to sample correctly.
If I add a "sample" action to the term, my sample file does not get built and the device does not capture the traffic before discarding it. If I change the action from "discard" to "accept", I see packets match and arrive in my sample file. The obvious side effect is allowing traffic through the filter that I'd rather drop in typical operation.
So my question is: Can you sample discarded packets using a firewall filter that is applied ingress? If so, would anyone care to share a working configuration?
Much appreciated for any comments, suggestions, or insights.
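One way to record the headers of the dropped packets without switching the term to accept, added here as an illustration and not part of the original post: the Junos firewall filter "log" action is nonterminating, so it can sit in the same term as "discard" and the packet is still dropped. The filter and term names, prefixes, and counter name are taken from the post; the rest of the filter is elided as in the original, and whether "sample" also fires on discarded packets on this platform is left open.

```junos
firewall {
    filter lan_inbound {
        /* other terms elided, as in the original post */
        term leaked_private_traffic {
            from {
                source-address {
                    10.0.0.0/8;
                    192.168.0.0/16;
                    172.16.0.0/12;
                }
            }
            then {
                count "Leaked Private Traffic (Dropped)";
                /* nonterminating: packet header is written to the PFE log buffer */
                log;
                /* terminating: the packet is still dropped */
                discard;
            }
        }
    }
}
```

After committing, "show firewall log" lists the logged headers (time, filter name, action, interface, protocol, source and destination addresses), which is usually enough to identify the host behind the leaked RFC 1918 traffic. The log buffer is small and wraps, so read it soon after the packets arrive; if a persistent record is needed, the "syslog" action combines with "discard" in the same way and sends each matched header to the system log instead.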