Security


SRX global default-deny-log policy generates RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_DENY messages

    Posted 12-19-2024 11:49

    We recently upgraded an SRX380 from 22.4R3-S3.3 to 23.4R2-S3.9. 

    Prior to the upgrade, traffic that hit our global default-deny-log policy generated one RT_FLOW_SESSION_DENY message per connection attempt.

    After the upgrade to 23.4, we noticed an increase in syslog messages from the firewall to our syslog server.  We are now seeing two messages per denied connection attempt - an RT_FLOW_SESSION_CREATE message and an RT_FLOW_SESSION_DENY message.  We are not interested in the CREATE messages and are currently blocking this message by adding a filter to drop the RT_FLOW_SESSION_CREATE message before it is sent to syslog.

    Upon further investigation, any security policy that is configured to deny and log is now generating two messages, so it's not limited to the global default-deny-log policy in 23.4 code.

    We are only interested in the DENY message, not the CREATE message.  Is there another way to accomplish this without having to filter the messages?  This seems to be a bug in the 23.4 code.

    Here's a config snippet -

    set security policies global policy default-deny-log match source-address any
    set security policies global policy default-deny-log match destination-address any
    set security policies global policy default-deny-log match application any
    set security policies global policy default-deny-log then deny
    set security policies global policy default-deny-log then log session-init
    set system syslog host 10.0.0.1 match "!(RT_FLOW_SESSION_CREATE.*default-deny-log)"



    ------------------------------
    JOHN VINER
    ------------------------------
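An added example in Python, not taken from the post or from Juniper: it parses constructed RT_FLOW lines, counts messages per policy to confirm the CREATE/DENY doubling described above, reproduces the poster's syslog match expression, and shows a collector-side alternative that drops a CREATE only when a DENY for the same session and policy exists, so it covers every deny-and-log policy rather than only the global one. The sample lines, the host name and the policy names block-ssh and allow-web are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not a capture from a real SRX). Field order follows the
# general shape of RT_FLOW messages; each denied attempt is a CREATE/DENY pair, as the post
# describes on 23.4. Policy names other than default-deny-log are invented for the example.
SAMPLE_LOG = """\
Dec 19 11:40:01 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.0.2.10/51234->198.51.100.5/443 0x0 junos-https 6 default-deny-log trust untrust
Dec 19 11:40:01 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.0.2.10/51234->198.51.100.5/443 0x0 junos-https 6(0) default-deny-log trust untrust
Dec 19 11:40:02 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.0.2.11/40000->198.51.100.9/22 0x0 junos-ssh 6 block-ssh trust untrust
Dec 19 11:40:02 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.0.2.11/40000->198.51.100.9/22 0x0 junos-ssh 6(0) block-ssh trust untrust
Dec 19 11:40:03 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.0.2.12/50000->198.51.100.7/80 0x0 junos-http 6 allow-web trust untrust
Dec 19 11:40:09 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.0.2.12/50000->198.51.100.7/80 0x0 junos-http 6 allow-web trust untrust
"""
LINES = SAMPLE_LOG.splitlines()

# Tag, session 5-tuple and policy name; DENY lines carry a reason code as "6(0)".
MSG_RE = re.compile(
    r"(?P<tag>RT_FLOW_SESSION_(?:CREATE|DENY|CLOSE)): .*?"
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\S+ (?P<app>\S+) (?P<proto>\d+)(?:\(\d+\))? (?P<policy>\S+)"
)
# The poster's device-side match expression, !(RT_FLOW_SESSION_CREATE.*default-deny-log).
DEVICE_FILTER_RE = re.compile(r"RT_FLOW_SESSION_CREATE.*default-deny-log")

def parse(line):
    """Return tag, 5-tuple and policy of one RT_FLOW line as a dict, or None."""
    m = MSG_RE.search(line)
    return m.groupdict() if m else None

def messages_per_policy(lines):
    """Count (policy, tag): a deny-and-log policy with both CREATE and DENY counts
    is the doubled-message behaviour reported in the post."""
    return Counter((r["policy"], r["tag"]) for r in map(parse, lines) if r)

def device_filter_keeps(line):
    """True if the SRX syslog match expression from the post would forward this line."""
    return DEVICE_FILTER_RE.search(line) is None

def drop_create_for_denied(lines):
    """Collector-side alternative covering every deny-and-log policy, not only the global
    one: drop a CREATE only when a DENY exists for the same session and policy, so
    CREATE lines for permitted sessions are kept."""
    records = [(line, parse(line)) for line in lines]
    def key(r): return (r["src"], r["sport"], r["dst"], r["dport"], r["policy"])
    denied = {key(r) for _, r in records if r and r["tag"] == "RT_FLOW_SESSION_DENY"}
    return [line for line, r in records
            if not (r and r["tag"] == "RT_FLOW_SESSION_CREATE" and key(r) in denied)]
```

Note that the device-side expression forwards the CREATE line for block-ssh unchanged, which is the gap the poster observed for deny-and-log policies other than the global one.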