SRX

Hi,

Anyone know how to view the traffic detail for what the SRX210 is actually blocking or dropping?

I configured a security flow to show all dropped packets and the resulting log is fairly useless.

Jun  5 21:06:54 21:06:54.361668:CID-0:RT:  packet dropped, packet dropped: for self but not interested.

Jun  5 21:06:54 21:06:54.650423:CID-0:RT:  packet dropped, packet dropped: for self but not interested.

Jun  5 21:06:57 21:06:56.970087:CID-0:RT:  packet dropped, packet dropped: for self but not interested.

Jun  5 21:06:58 21:06:58.652903:CID-0:RT:  packet dropped, packet dropped: for self but not interested.

Jun  5 21:07:02 21:07:02.655462:CID-0:RT:  packet dropped, packet dropped: for self but not interested.

Jun  5 21:07:06 21:07:06.657940:CID-0:RT:  packet dropped, packet dropped: for self but not interested.

Jun  5 21:07:10 21:07:10.655461:CID-0:RT:  packet dropped, packet dropped: for self but not interested.

Jun  5 21:07:14 21:07:14.650471:CID-0:RT:  packet dropped, packet dropped: for self but not interested.

Jun  5 21:07:17 21:07:16.829009:CID-0:RT:  packet dropped, packet dropped: for self but not interested.

Jun  5 21:07:18 21:07:18.657955:CID-0:RT:  packet dropped, packet dropped: for self but not interested.

Jun  5 21:07:22 21:07:22.657991:CID-0:RT:  packet dropped, packet dropped: for self but not interested.

Is there a way to see source ip and protocol on the SRX210?

I realize I can do this with a sniffer or from the edge router in most cases, but some of our sites will be very small with just a ISP provider managed ethernet handoff.

Thanks.

If you mean traffic destined for IP addresses on the SRX, then you'll need to use firewal-filters.

If you mean traffic transiting the SRX, then you'll need to write security-policies with "deny log session-init" as the action.

Hope this helps

In my opinion, best way is (which i use as well) ...

1. Define a default denying security policy at the bottom (i.e. low precedence in policy list), e.g.

    set security policy from-zone untrust to-zone trust policy untrust-trusty-denyall match source-address any

    set security policy from-zone untrust to-zone trust policy untrust-trusty-denyall match destination-address any

    set security policy from-zone untrust to-zone trust policy untrust-trusty-denyall match application any

    set security policy from-zone untrust to-zone trust policy untrust-trusty-denyall match then deny

    set security policy from-zone untrust to-zone trust policy untrust-trusty-denyall match then log session-init

2. Log all denied traffic due to this security policy

    set system syslog file Denied-Traffic any any

    set system syslog file Denied-Traffic match RT_FLOW_SESSION_DENY

3. View log using "run show log Denied-Traffic"

regards

Slightly modified config is what I applied:

    set security policies from-zone untrust to-zone trust policy untrust-trust-denyall match source-address any

    set security policies from-zone untrust to-zone trust policy untrust-trust-denyall match destination-address any

    set security policies from-zone untrust to-zone trust policy untrust-trust-denyall match application any

    set security policies from-zone untrust to-zone trust policy untrust-trust-denyall then deny

    set security policies from-zone untrust to-zone trust policy untrust-trust-denyall then log session-init

    set system syslog file Denied-Traffic any any

    set system syslog file Denied-Traffic match RT_FLOW_SESSION_DENY

perefect !!!