Re: [j-nsp] SRX Remote log denied traffic

2013-02-26 Thread Mike Devlin
that got it working it seems :)

Thanks guys!!!


On Tue, Feb 26, 2013 at 12:06 AM, Gordon Smith gor...@gswsystems.com wrote:


Re: [j-nsp] SRX Remote log denied traffic

2013-02-26 Thread Mike Devlin
Actually, I retract that statement.

I saw a deny come through, and it was logged, but under testing and further
review, it seems that the only thing this is logging is UDP to port 44082.
Any telnet testing to random ports does not generate logs, and neither does
using internet sites to test port connectivity.


And now I'm reading from Andrew, and this really doesn't make any sense at all.

- If the traffic you are testing is direct to the firewall, it won't be
logged because it never hits a policy. It only works for transit traffic

What you are saying is that, from untrust to trust, I open up 5 ports and
have some destination NAT in place, and everything is fine. Now I want to
log the remaining 65530 TCP ports, to see if I'm being hit on any port for
any reason, and because I don't have a policy and I don't have a destination
NAT, this traffic is destined for the firewall and cannot be logged?

Please tell me I'm misunderstanding this statement.


On Tue, Feb 26, 2013 at 9:15 AM, Mike Devlin juni...@meeksnet.ca wrote:


Re: [j-nsp] SRX Remote log denied traffic

2013-02-25 Thread Hans Fiedler
It looks like, since the connection is being denied, there is
never a session initialized or closed to be logged?

Would you be able to get the logging you need by doing it on an
input filter on the interface(s)?  It seems like it's having to
examine the traffic twice, but maybe it's more efficient in the
internals?

On Mon, Feb 25, 2013 at 04:10:49PM -0500, Mike Devlin wrote:

-- 
Hans K. Fiedler
h...@hermes.louisville.edu
502-852-7427
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] SRX Remote log denied traffic

2013-02-25 Thread Andrew Jones
There could be a few reasons you're not seeing logs:

- With the groups configuration, you still need to have a policy configured in the configuration before the group applies (even if it is just a blank set security policies from-zone a to-zone b). You can confirm this with a | display inheritance or simply a show security policies from-zone a to-zone b.
- A better way to do this in JunOS 11.2 onwards is with a Global policy, now that it is supported, rather than using groups.
- If the traffic you are testing is direct to the firewall, it won't be logged because it never hits a policy. It only works for transit traffic.
- On this note as well, if it is dropped for a non-policy reason (no TCP SYN, no route, etc.) it won't show up in this file either.

Hope this helps

On Fri, Feb 22, 2013 at 12:39 PM, Mike Devlin juni...@meeksnet.ca wrote:



Re: [j-nsp] SRX Remote log denied traffic

2013-02-25 Thread Gordon Smith

This (remote syslog) works for me on SRX550's running 12.1R1.9.
This will apply a default deny & log to the end of your security policies, so you don't need to reorder policies after adding a new one.

I have had issues logging locally where the box will stop logging after a while. Not a big issue, since it all gets piped off to a syslog server, but still annoying.

Syntax for that was:
file traffic-log {
    any any;
    match RT_FLOW_SESSION;
    structured-data;
}

groups {
    global-policy {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy default-logdrop {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            deny;
                            log {
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }
}
system {
    syslog {
        host x.x.x.x {
            any any;
        }
    }
}
security {
    apply-groups global-policy;
}



On Mon, 25 Feb 2013 16:10:49 -0500, Mike Devlin wrote:

Nope, that didn't work either :(

meeks@MeeksNet-SRX210# run show log TEST-DENY

[edit]

meeks@MeeksNet-SRX210# show system syslog file TEST-DENY
any any;
match RT_FLOW;

[edit]


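The structured-data RT_FLOW messages that Gordon's traffic-log file (match RT_FLOW_SESSION; structured-data) and remote syslog host emit are what would answer Mike's question of which closed ports are being hit. As an added example, not code from the thread or from Juniper, the Python below parses such messages and counts RT_FLOW_SESSION_DENY events per destination port and source; the log lines are constructed samples modelled on the format, and the field names (source-address, destination-port, protocol-id, source-zone-name, reason) are assumed from Junos's RT_FLOW structured-data keys.

```python
import re
from collections import Counter

# An RT_FLOW event as the syslog host receives it when "structured-data" is set:
#   <pri>1 <timestamp> <host> RT_FLOW - <EVENT> [junos@<enterprise-oid> key="value" key="value" ...]
EVENT_RE = re.compile(
    r'^<\d+>1 (?P<ts>\S+) (?P<host>\S+) RT_FLOW - (?P<event>RT_FLOW_SESSION_\w+) '
    r'\[junos@[\d.]+ (?P<sd>.*)\]\s*$'
)
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_event(line):
    """Return the structured-data fields plus event/host/ts, or None for non-RT_FLOW lines."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("sd")))
    fields.update(event=m.group("event"), host=m.group("host"), ts=m.group("ts"))
    return fields


def summarise_denies(lines, src_zone=None, dst_zone=None):
    """Count RT_FLOW_SESSION_DENY events per (protocol, destination-port), with the source
    addresses behind each. Permits (SESSION_CREATE/CLOSE), other zone pairs and non-RT_FLOW
    lines are skipped, so the result is the 'what is hitting my closed ports' view."""
    counts, sources = Counter(), {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event"] != "RT_FLOW_SESSION_DENY":
            continue
        if (src_zone and ev.get("source-zone-name") != src_zone) or (
                dst_zone and ev.get("destination-zone-name") != dst_zone):
            continue
        proto_id = ev.get("protocol-id", "?")
        key = (PROTO.get(proto_id, proto_id), ev.get("destination-port", "?"))
        counts[key] += 1
        sources.setdefault(key, set()).add(ev.get("source-address"))
    return counts, sources


def _deny(ts, src, sport, dst, dport, proto, svc, szone, dzone, policy="default-logdrop"):
    # Builds a constructed sample line modelled on the RT_FLOW_SESSION_DENY format (not a real capture).
    return (f'<14>1 {ts} MeeksNet-SRX210 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.2.36.1 '
            f'source-address="{src}" source-port="{sport}" destination-address="{dst}" '
            f'destination-port="{dport}" service-name="{svc}" protocol-id="{proto}" icmp-type="0" '
            f'policy-name="{policy}" source-zone-name="{szone}" destination-zone-name="{dzone}" '
            f'application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" '
            f'packet-incoming-interface="ge-0/0/0.0" encrypted="UNKNOWN" reason="policy deny"]')


# Constructed sample feed: two telnet probes and one UDP probe denied untrust->trust, one permitted
# HTTPS session, one deny in the other direction, and an unrelated management (mgd) message.
SAMPLE_LOG = [
    _deny("2013-02-26T09:15:01-05:00", "203.0.113.7", "51515", "192.168.1.20", "23", "6",
          "junos-telnet", "untrust", "trust"),
    _deny("2013-02-26T09:15:03-05:00", "198.51.100.9", "40022", "192.168.1.20", "23", "6",
          "junos-telnet", "untrust", "trust"),
    _deny("2013-02-26T09:16:10-05:00", "203.0.113.7", "60000", "192.168.1.20", "44082", "17",
          "None", "untrust", "trust"),
    '<14>1 2013-02-26T09:16:12-05:00 MeeksNet-SRX210 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.2.36.1 source-address="203.0.113.50" source-port="33000" '
    'destination-address="192.168.1.20" destination-port="443" service-name="junos-https" '
    'protocol-id="6" policy-name="allow-web" source-zone-name="untrust" destination-zone-name="trust"]',
    _deny("2013-02-26T09:17:00-05:00", "192.168.1.55", "50001", "198.51.100.25", "25", "6",
          "junos-smtp", "trust", "untrust", policy="block-smtp-out"),
    '<13>1 2013-02-26T09:17:30-05:00 MeeksNet-SRX210 mgd - UI_COMMIT [junos@2636.1.1.2.36.1 '
    'username="meeks" command="commit"]',
]

if __name__ == "__main__":
    counts, sources = summarise_denies(SAMPLE_LOG, src_zone="untrust", dst_zone="trust")
    for (proto, port), n in counts.most_common():
        print(f"{proto}/{port}: {n} denied, from {sorted(sources[(proto, port)])}")
```

Pointing summarise_denies at the collector's log lines gives the same per-port view on live traffic; as Andrew notes, traffic destined to the SRX itself or dropped before policy lookup never produces an RT_FLOW_SESSION_DENY and so will not appear here.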

Re: [j-nsp] SRX Remote log denied traffic

2013-02-22 Thread Farrukh Haroon
Hello Mike

Was wondering if you can get the deny logs while doing local logging?

set system syslog file TEST-DENY any any
set system syslog file TEST-DENY match RT_FLOW

Regards
Farrukh


On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin juni...@meeksnet.ca wrote:



[j-nsp] SRX Remote log denied traffic

2013-02-21 Thread Mike Devlin
So fingers crossed that this is an easy one for you guys,

Device is an SRX210BE running 11.4R5.5 code.

I've added the syslog host to the config:

meeks@MeeksNet-SRX210> show configuration system syslog
archive size 100k files 3;
user * {
    any emergency;
}
host 192.168.1.12 {
    any any;
}
file messages {
    any critical;
    authorization info;
}
file interactive-commands {
    interactive-commands error;
}
file security {
    security any;
}
file default-log-messages {
    any any;
    match (requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|(vc add)|(vc delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license add)|(license delete)|(package -X update)|(package -X delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD;
    structured-data;
}



and implemented the default deny template I found here:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS


meeks@MeeksNet-SRX210> show configuration groups
default-deny-template {
    security {
        policies {
            from-zone untrust to-zone trust {
                policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                        log {
                            session-init;
                        }
                    }
                }
            }
        }
    }
}

meeks@MeeksNet-SRX210> show configuration apply-groups
## Last commit: 2013-02-21 16:05:36 EST by meeks
apply-groups default-deny-template;

However, when I log on to the syslog host and tail the syslog file, I do
not see denies being logged remotely.

If I apply the session-init and session-close options to permitted traffic,
it does get logged remotely.

Alternatively, creating a new policy has the same result, regardless of
whether I use reject or deny:

meeks@MeeksNet-SRX210# show security policies from-zone untrust to-zone trust policy deny-all
match {
    source-address any;
    destination-address any;
    application any;
}
then {
    deny;
    log {
        session-init;
    }
}

My google-fu is failing, so I hope you guys can help.

Looking forward to hearing back from you,

Mike