The easiest is to configure a global policy with a default action of deny and 
enable logging on it. That way, any traffic from any zone to any zone that 
reaches the default deny policy gets denied (as usual) and logged.  
Alternatively, you can do an any/any/any policy for every pair of zones, action deny, 
and enable logging. Depending on how many zones you have, you will end up 
configuring a whole bunch of these policies, so the first solution offered is 
more effective.

If you go with the first approach, please be careful with the intra-zone traffic, 
if you have any, as this will be dropped. You would need to configure 
explicit intra-zone policies where needed.

Thanks,



Barny Sanchez | Consulting Engineer - Security Solutions | Juniper Networks  |  
Direct: +1.774.318.9140 | bar...@juniper.net
(Message sent via my mobile device, sorry for any typos and shortness of my 
response)

----- Original Message -----
From: juniper-nsp-boun...@puck.nether.net <juniper-nsp-boun...@puck.nether.net>
To: 'juniper-nsp@puck.nether.net' <juniper-nsp@puck.nether.net>
Sent: Fri Mar 12 12:13:17 2010
Subject: [j-nsp] Logging default deny traffic on SSG-550?

We've got a pair of Juniper SSG-550s in HA mode running ScreenOS 6.1.0r4.0. 
For the life of me I can't figure out how to enable logging for denied/blocked 
traffic for the implicit default-deny rule.  I've followed the instructions 
found in the ScreenOS Cookbook with no results.

Anyone have any pointers?

Thanks.

--Mike
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
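A check one would want after enabling logging on the catch-all deny policy, as recommended in the reply above: confirm that the denies actually show up in syslog, and spot intra-zone traffic being dropped by it (the caveat in the reply). This is an added example, not code from the thread or from Juniper. The log line layout is modelled on ScreenOS traffic log messages (system-notification-00257); the sample lines are constructed, and the use of policy id 5 as the global deny policy's id is an assumption.

```python
"""Summarise denied sessions from ScreenOS-style traffic log lines.

Added example, not from the original thread.  Field names follow the
ScreenOS traffic log format as I know it; treat them as an assumption and
adjust FIELD_RE / TRAFFIC_MARKER if your syslog output differs.
"""
import re
from collections import Counter

# Constructed sample lines (not captured from a real SSG-550).
# policy_id=5 is assumed to be the logged global "deny any" policy.
SAMPLE_LOG = """\
Mar 12 12:13:17 ssg550 ssg550: NetScreen device_id=ssg550 [Root]system-notification-00257(traffic): start_time="2010-03-12 12:13:10" duration=0 policy_id=1 service=https proto=6 src zone=Untrust dst zone=DMZ action=Permit sent=512 rcvd=2048 src=198.51.100.7 dst=192.0.2.10 src_port=51022 dst_port=443 session_id=4001
Mar 12 12:13:18 ssg550 ssg550: NetScreen device_id=ssg550 [Root]system-notification-00257(traffic): start_time="2010-03-12 12:13:18" duration=0 policy_id=5 service=tcp/port:445 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=198.51.100.7 dst=10.0.0.5 src_port=51023 dst_port=445 session_id=0
Mar 12 12:13:19 ssg550 ssg550: NetScreen device_id=ssg550 [Root]system-notification-00257(traffic): start_time="2010-03-12 12:13:19" duration=0 policy_id=5 service=tcp/port:445 proto=6 src zone=Trust dst zone=Trust action=Deny sent=0 rcvd=0 src=10.0.0.9 dst=10.0.0.5 src_port=40001 dst_port=445 session_id=0
Mar 12 12:13:20 ssg550 ssg550: NetScreen device_id=ssg550 [Root]system-notification-00257(traffic): start_time="2010-03-12 12:13:20" duration=0 policy_id=5 service=tcp/port:3389 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=203.0.113.44 dst=10.0.0.5 src_port=6000 dst_port=3389 session_id=0
Mar 12 12:13:21 ssg550 ssg550: some unrelated message that is not a traffic log
"""

TRAFFIC_MARKER = "system-notification-00257(traffic): "
# key=value pairs; "src zone" / "dst zone" keys contain a space, values may be quoted.
FIELD_RE = re.compile(r'(src zone|dst zone|\w+)=("[^"]*"|\S+)')


def parse_traffic_log(line):
    """Return the key/value fields of one traffic log line, or None if it is not one."""
    idx = line.find(TRAFFIC_MARKER)
    if idx < 0:
        return None
    body = line[idx + len(TRAFFIC_MARKER):]
    fields = {}
    for key, value in FIELD_RE.findall(body):
        fields[key.replace(" ", "_")] = value.strip('"')
    return fields


def summarize_denies(lines):
    """Count Deny events per zone pair and per policy id; list intra-zone drops.

    Intra-zone drops (src zone == dst zone) are the ones the reply warns about:
    they need an explicit intra-zone policy if that traffic is wanted.
    """
    by_zone_pair = Counter()
    by_policy = Counter()
    intra_zone = []
    for line in lines:
        f = parse_traffic_log(line)
        if not f or f.get("action") != "Deny":
            continue
        pair = (f.get("src_zone"), f.get("dst_zone"))
        by_zone_pair[pair] += 1
        by_policy[f.get("policy_id")] += 1
        if pair[0] == pair[1]:
            intra_zone.append((f.get("src"), f.get("dst"), f.get("service")))
    return {"by_zone_pair": by_zone_pair, "by_policy": by_policy, "intra_zone": intra_zone}


if __name__ == "__main__":
    summary = summarize_denies(SAMPLE_LOG.splitlines())
    for (src_zone, dst_zone), n in summary["by_zone_pair"].items():
        print(f"{src_zone} -> {dst_zone}: {n} denied")
    for pid, n in summary["by_policy"].items():
        print(f"policy_id={pid}: {n} denied")
    for src, dst, svc in summary["intra_zone"]:
        print(f"intra-zone drop: {src} -> {dst} ({svc}); needs an explicit policy?")
```

Feed it the syslog file the SSG-550 sends to; a run that shows no Deny events under the global policy's id while you know traffic is being dropped means the logging option is not taking effect, which is the symptom in the original question.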
