SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  i set syslog only on ge-0/0/6.3 but in logs i see FW: ge-0/0/1.3

    Posted 10-31-2014 12:04

    Hi,

     

    On an SRX 240H (11.4R7.5) I set packet capture to syslog from the output of ge-0/0/6.3, but in syslog it looks like packets from ge-0/0/1.3.

    Normally packets enter ge-0/0/1.3 and exit ge-0/0/6.3. I'm looking for proof that packets are leaving ge-0/0/6.3, because on the opposite site Palo Alto claims that I don't send anything.

     

     

    show interfaces ge-0/0/6.3
    description link-mpls;
    vlan-id 53;
    family inet {
        filter {
            output ge6_3;
        }
        address x/y;
    }
    

     

    show firewall filter ge6_3
    
    term log2 {
        from {
            source-address {
                10.10.2.192/32;
            }
            destination-address {
                10.196.0.50/32;
            }
        }
        then {
            syslog;
            accept;
        }
    }
    term default {
        then accept;
    }
    

     

    And in my syslog I see "FW: ge-0/0/1.3":

     

    PFE_FW_SYSLOG_IP: FW: ge-0/0/1.3   A  tcp 10.10.2.192 10.196.0.50  8403 63944 (4 packets)
    PFE_FW_SYSLOG_IP: FW: ge-0/0/1.3   A  tcp 10.10.2.192 10.196.0.50  PFE_FW_SYSLOG_IP: FW: ge-0/0/1.3   A  tcp 10.10.2.192 10.196.0.50  8403 63944 (4 packets)
    PFE_FW_SYSLOG_IP: FW: ge-0/0/1.3   A  tcp 10.10.2.192 10.196.0.50  8403 63944 (10 packets)
    

     



  • 2.  RE: i set syslog only on ge-0/0/6.3 but in logs i see FW: ge-0/0/1.3

    Posted 10-31-2014 12:16

    Hello,

     


    @Tedy wrote:

    Hi,

     

     

    PFE_FW_SYSLOG_IP: FW: ge-0/0/1.3   A  tcp 10.10.2.192 10.196.0.50  8403 63944 (4 packets)
    PFE_FW_SYSLOG_IP: FW: ge-0/0/1.3   A  tcp 10.10.2.192 10.196.0.50  PFE_FW_SYSLOG_IP: FW: ge-0/0/1.3   A  tcp 10.10.2.192 10.196.0.50  8403 63944 (4 packets)
    PFE_FW_SYSLOG_IP: FW: ge-0/0/1.3   A  tcp 10.10.2.192 10.196.0.50  8403 63944 (10 packets)
    

     


    FW syslog logs the INPUT interface. So what You are seeing in the syslogs are the packets entering ge-0/0/1.3 and exiting ge-0/0/6.3. Capital A means "packet is accepted" (by Your filter).

    http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/syslog-messages/index.html?jd0e42830.html#PFE_FW_SYSLOG_IP

    How can one tell they are really exiting? Because You have this filter assigned to ge-0/0/6.3 in the OUTPUT direction.

    There is a small chance that the packet can still be dropped because of queue full/RED drops and not recorded (CoS takes place after the output filter), but this would be a rare occurrence in an underloaded and correctly configured SRX.

    HTH

    Thanks
    Alex
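
As an added example (not part of the thread and not a Juniper tool): a small Python parser for the PFE_FW_SYSLOG_IP lines quoted above. It labels the interface field as the ingress interface, as the answer explains, and recovers the complete record from the run-together middle line. The function names and the `D`/`R` action letters are assumptions of this example; only `A` appears in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the three log lines from the post; the middle one is run together.
SAMPLE = """\
PFE_FW_SYSLOG_IP: FW: ge-0/0/1.3   A  tcp 10.10.2.192 10.196.0.50  8403 63944 (4 packets)
PFE_FW_SYSLOG_IP: FW: ge-0/0/1.3   A  tcp 10.10.2.192 10.196.0.50  PFE_FW_SYSLOG_IP: FW: ge-0/0/1.3   A  tcp 10.10.2.192 10.196.0.50  8403 63944 (4 packets)
PFE_FW_SYSLOG_IP: FW: ge-0/0/1.3   A  tcp 10.10.2.192 10.196.0.50  8403 63944 (10 packets)
"""

TAG = "PFE_FW_SYSLOG_IP: FW:"
# Fields: interface, action, protocol, source, destination, two ports, packet count.
RECORD = re.compile(
    r"\s*(?P<ingress>\S+)\s+(?P<action>[ADR])\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"\((?P<count>\d+) packets?\)\s*$"
)
# "A" is confirmed in the thread; "D" and "R" are assumed by this example.
ACTIONS = {"A": "accept", "D": "discard", "R": "reject"}

def parse(text):
    """Return (records, truncated): parsed records and a count of incomplete ones."""
    records, truncated = [], 0
    for line in text.splitlines():
        # Split on the tag so a record fused onto a truncated one is still recovered.
        for chunk in line.split(TAG)[1:]:
            m = RECORD.match(chunk)
            if not m:
                truncated += 1
                continue
            rec = m.groupdict()
            rec["action"] = ACTIONS[rec["action"]]
            rec["count"] = int(rec["count"])
            records.append(rec)
    return records, truncated

def accepted_by_flow(records):
    """Sum accepted packets per flow, keyed by the ingress interface and 5-tuple."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "accept":
            key = (r["ingress"], r["proto"], r["src"], r["sport"], r["dst"], r["dport"])
            totals[key] += r["count"]
    return dict(totals)

if __name__ == "__main__":
    recs, bad = parse(SAMPLE)
    for flow, pkts in accepted_by_flow(recs).items():
        print("ingress=%s %s %s:%s -> %s:%s accepted=%d" % (*flow, pkts))
    print("truncated records skipped:", bad)
```

The counts are what the output filter on ge-0/0/6.3 accepted; the interface column only says where those packets came in.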



  • 3.  RE: i set syslog only on ge-0/0/6.3 but in logs i see FW: ge-0/0/1.3
    Best Answer

    Posted 10-31-2014 19:50

    Hi Tedy,

     

    I would suggest the packet capture feature to capture the packets to confirm whether they are going out.

     

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB11709

     


    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 4.  RE: i set syslog only on ge-0/0/6.3 but in logs i see FW: ge-0/0/1.3

    Posted 11-03-2014 02:10

    I did a packet capture and I saw/see a valid session, but I thought that syslog from output on the egress interface would be farther along in the packet order of operations.

     

    Thanks for help