SRX


Traffic log contains excessive entries for static nat rules


    Posted 12-11-2024 21:27

    SRX340

    I have only a couple of traffic policies configured to log, using "log session-init" or "log session-close".

    I have traffic-log configured as:

    set system syslog file traffic-log user info
    set system syslog file traffic-log match RT_FLOW_SESSION
    set security log mode event

    Traffic for those policies does get logged.

    However, I also get a huge amount of additional entries all coming from static nat rule entries (that aren't configured to log).

    Example entry (sanitized) that I wouldn't expect to be there:

    Dec 11 20:38:41  <device_hostname> RT_FLOW: RT_FLOW_SESSION_CREATE: session created <source_IP>/25504-><NAT_IP>/34568 0x0 None 0.0.0.0/0-><Internal_host_IP>/34568 0x0 N/A N/A static rule <NAT_rule_name> 6 default-policy-logical-system-00 <source_zone_name> <destination_zone_name> 68719709565 N/A(N/A) <interface_name> UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A N/A N/A

    This is on an SRX340. 

    pre-id-default-policy is NOT set to log (I have some SRX320 devices for which that is enabled by default, but the SRX340 is not configured that way).

    What is curious is that this was not occurring on my primary SRX340. It only started after I swapped to a cold/spare device.

    The only difference I can identify is the Junos version. The cold/spare had been updated to 23.4R2-S2.1. The prior active SRX was on 21.4R3-S3.4.

    These are not an HA pair at the moment. I had them split so I could test some other new candidate configurations as well as test the 21.4 to 23.4 updates. So when I moved from one to the other it was literally a device swap. But at that point the configuration was set identically.

    I've read through the release notes for everything from 21.4R3 to 23.4R2, and I can't find anything that describes a difference in the default logging policy that would add "default-policy-logical-system-00" entries.



    ------------------------------
    BRYAN JONES
    ------------------------------
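Added example (not code from the post above or from Juniper): a small parser for event-mode RT_FLOW_SESSION_CREATE lines of the shape quoted in the post, used to count which policy and NAT rule each logged session came from and to list the entries whose policy is not one you configured with "log session-init" / "log session-close". The field order is taken from the posted entry; treating the source/destination NAT rule type as either "N/A" or a two-word token such as "source rule" or "static rule" (which a naive whitespace split would mis-align) is an assumption. The log lines, hostname, IP addresses, rule and policy names below are all constructed for the example; "allow-lan-out" stands in for the policies that are actually configured to log.

```python
import re
from collections import Counter

# Event-mode RT_FLOW_SESSION_CREATE layout as seen in the posted entry. Assumption:
# the NAT rule type fields are either "N/A" or a two-word token ("source rule",
# "destination rule", "static rule"), so they cannot be split on whitespace.
SESSION_CREATE_RE = re.compile(
    r"RT_FLOW_SESSION_CREATE: session created "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<conn_tag>\S+) (?P<service>\S+) "
    r"(?P<nat_src>[\d.]+)/(?P<nat_sport>\d+)->(?P<nat_dst>[\d.]+)/(?P<nat_dport>\d+) "
    r"(?P<nat_conn_tag>\S+) "
    r"(?P<src_nat_type>N/A|\w+ rule) (?P<src_nat_rule>\S+) "
    r"(?P<dst_nat_type>N/A|\w+ rule) (?P<dst_nat_rule>\S+) "
    r"(?P<proto>\d+) (?P<policy>\S+) (?P<src_zone>\S+) (?P<dst_zone>\S+) "
    r"(?P<session_id>\d+) "
)

# Constructed sample log: two static-NAT sessions matched by the default policy,
# one session from an explicit policy with source NAT, and one SESSION_CLOSE line
# (different layout, deliberately not parsed here). IPv4 only.
SAMPLE_LOG = [
    "Dec 11 20:38:41  srx340-spare RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "198.51.100.7/25504->203.0.113.10/34568 0x0 None 0.0.0.0/0->10.10.10.5/34568 0x0 "
    "N/A N/A static rule srv-static-nat 6 default-policy-logical-system-00 untrust trust "
    "68719709565 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A N/A N/A",
    "Dec 11 20:39:02  srx340-spare RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "10.10.20.15/51234->93.184.216.34/443 0x0 junos-https 203.0.113.10/27710->93.184.216.34/443 0x0 "
    "source rule lan-to-internet N/A N/A 6 allow-lan-out trust untrust "
    "68719709566 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A N/A N/A",
    "Dec 11 20:39:10  srx340-spare RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: "
    "10.10.20.15/51234->93.184.216.34/443 0x0 junos-https 203.0.113.10/27710->93.184.216.34/443 0x0 "
    "source rule lan-to-internet N/A N/A 6 allow-lan-out trust untrust 68719709566 12(1540) 10(2200) 8 "
    "UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A N/A N/A",
    "Dec 11 20:39:15  srx340-spare RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "198.51.100.9/4433->203.0.113.10/34568 0x0 None 0.0.0.0/0->10.10.10.5/34568 0x0 "
    "N/A N/A static rule srv-static-nat 6 default-policy-logical-system-00 untrust trust "
    "68719709567 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A N/A N/A",
]


def parse_session_create(line):
    """Return the named fields of a SESSION_CREATE line, or None for any other line."""
    m = SESSION_CREATE_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count SESSION_CREATE entries by (policy, destination NAT rule type, rule name)."""
    counts = Counter()
    for line in lines:
        fields = parse_session_create(line)
        if fields:
            counts[(fields["policy"], fields["dst_nat_type"], fields["dst_nat_rule"])] += 1
    return counts


def unexpected_entries(lines, logging_policies):
    """Return parsed entries whose policy is not in the set configured to log sessions."""
    return [
        fields
        for fields in map(parse_session_create, lines)
        if fields and fields["policy"] not in logging_policies
    ]


if __name__ == "__main__":
    for (policy, nat_type, nat_rule), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:6d}  policy={policy}  dst-nat={nat_type} {nat_rule}")
    for entry in unexpected_entries(SAMPLE_LOG, {"allow-lan-out"}):
        print("not configured to log:", entry["session_id"], entry["policy"], entry["dst_nat_rule"])
```

Run it against a real traffic-log file by replacing SAMPLE_LOG with the file's lines; the summary shows at a glance how much of the volume carries default-policy-logical-system-00 together with a static rule, and the unexpected_entries list is what to compare between the 21.4 and 23.4 devices with the same configuration loaded.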