SRX

Upon uploading a configuration to an SRX320 running 15.1X49-D190.2 I received the following error:

Enabling on-box reporting on the built-in eUSB storage may reduce the life of the storage

On 15.1X49-D170.4, I received no such error.

The error relates to the 'report' bit of this config:

security {
        log {
	    mode stream;
	    report;
	}
}

Can anyone comment on this please? Should I be removing the report line? I don't actually stream off logs, so should I just remove the whole log section?

EMTSU,

Some of the SRX3XX devices have encountered disk access failures due overuse and this is why Juniper recommend the following software releases that include an important eUSB driver:

https://kb.juniper.net/InfoCenter/index?page=content&id=TSB17581

Devices at greater risk are those in environments that use increased disk operations including On-Box Logging, consistent trace-options, security logging to on-device files including session-logging. I looks like the message you reported has been integrated in newer Junos versions to raise awareness of this situation.

If you are not using that feature it will be advisable to delete that part of the configuration, it comes by default after 15.1X49-D100 onwards. Alternatively you can send logs to external syslog servers.

"The on-box reporting feature is enabled by default when you load the factory-default configurations on the SRX Series device with Junos OS Release 15.1X49-D100 or later."

Ref: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-on-box-reporting-understanding.html

Hope this helps!

Thank Ipaniagua. Your reply is most helpful, thank you. 

The error I received actually prevented commit, so it would seem Juniper have taken a hard line on preventing the use of on-box reporting with newer firmware, which sends a clear, if worrying, message to users i.e. they are clearly concerned about the quality of the component used in earlier hardware revisions of the SRX300 series of devices.

EMTSU,

Im glad the info was helpful, please mark the post as Resolved if you consider so. Regarding the logging, I will always suggest to to log any data to external servers rather than on-box.

Ipaniagua, one other thing!

I also have the following config. concerning logging on my devices:-

    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;         
        }
        file interactive-commands {
            interactive-commands any;
        }
        file kmd-logs {
            daemon info;
            match KMD;
        }
        file security {
            any any;
            match RT_FLOW_SESSION;
        }
    }

Will this generate files on-box too? Should I be concerned about any of the config. above relating to disk overuse?

I dont think you have to be concerned about them, they wont log as much data as on-box reporting.

The only ones I will suggest to log outside of the SRX will be the "RT_FLOW_SESSION" related logs, but only if you consider that the logging rate is quite high. First check with the following command if any data is getting logged:

> show log security

For data to be logged on that file two conditions have to be present.

1. "mode event" has to be configured under [edit security log] hierarchy

2. "log session-init" or "log session-close" has to be configured on your security-policies

Thank you for your reassurance and clarifications.

Your information relating to RT_FLOW_SESSION was very helpful, thank you. What would you consider to be a high logging rate?