Re: [j-nsp] SRX Remote log denied traffic
that got it working it seems :) Thanks guys!!!

On Tue, Feb 26, 2013 at 12:06 AM, Gordon Smith gor...@gswsystems.com wrote:
On Mon, 25 Feb 2013 16:10:49 -0500, Mike Devlin wrote:
On Sat, Feb 23, 2013 at 2:35 AM, Farrukh Haroon farrukhhar...@gmail.com wrote:
On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin juni...@meeksnet.ca wrote:

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX Remote log denied traffic
actually, I retract that statement. I saw a deny come through, and it was logged, but under testing and further review, it seems that the only thing this is logging is UDP to port 44082. Any telnet testing to random ports does not generate logs, neither does using internet sites to test port connectivity.

And now I'm reading from Andrew and this really doesn't make any sense at all.

- If the traffic you are testing is direct to the firewall, it won't be logged because it never hits a policy. It only works for transit traffic

What you are saying is that, from untrust to trust, I open up 5 ports, and have some destination NAT in place, and everything is fine. Now I want to log the remaining 65530 TCP ports, to see if I'm being hit on any port for any reason, and because I don't have a policy, and I don't have a destination NAT, that this traffic is destined for the firewall, and can not be logged?

Please tell me I'm misunderstanding this statement

On Tue, Feb 26, 2013 at 9:15 AM, Mike Devlin juni...@meeksnet.ca wrote:
On Tue, Feb 26, 2013 at 12:06 AM, Gordon Smith gor...@gswsystems.com wrote:
Re: [j-nsp] SRX Remote log denied traffic
It looks like since the connection is being denied there is never a session initialized or closed to be logged?

Would you be able to get the logging you need by doing it on an input filter on the interface(s)? It seems like it's having to examine the traffic twice, but maybe it's more efficient in the internals?

On Mon, Feb 25, 2013 at 04:10:49PM -0500, Mike Devlin wrote:

nope, that didn't work either :(

    meeks@MeeksNet-SRX210# run show log TEST-DENY

    [edit]
    meeks@MeeksNet-SRX210# show system syslog file TEST-DENY
    any any;
    match RT_FLOW;

    [edit]

On Sat, Feb 23, 2013 at 2:35 AM, Farrukh Haroon farrukhhar...@gmail.com wrote:
On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin juni...@meeksnet.ca wrote:

--
Hans K. Fiedler
h...@hermes.louisville.edu
502-852-7427
Re: [j-nsp] SRX Remote log denied traffic
There could be a few reasons you're not seeing logs:

- With the groups configuration, you still need to have a policy configured in the configuration before the group applies (even if it is just a blank "set security policies from-zone a to-zone b"). You can confirm this with a "| display inheritance" or simply a "show security policies from-zone a to-zone b".
- A better way to do this in JunOS 11.2 onwards is with a Global policy, now that it is supported, rather than using groups.
- If the traffic you are testing is direct to the firewall, it won't be logged because it never hits a policy. It only works for transit traffic.
- On this note as well, if it is dropped for a non-policy reason (no TCP SYN, no route, etc.) it won't show up in this file either.

Hope this helps

On Fri, Feb 22, 2013 at 12:39 PM, Mike Devlin juni...@meeksnet.ca wrote:
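Added example, not from the thread or from Juniper: a small Python checker for the RT_FLOW structured-data lines as they land on the syslog host. It counts RT_FLOW_SESSION_DENY against CREATE/CLOSE and reports the policy and protocol/port behind each deny, which separates the "permits arrive, denies never do" symptom described above from a collector-side problem; the log lines are constructed samples with abridged field lists, not captures from the devices in the thread.

```python
"""Check RT_FLOW structured-data syslog from an SRX for denied sessions.

Constructed sample lines (not captured from the thread's devices); the
field lists are abridged, since the parser only needs the key="value"
pairs it actually uses.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
<14>1 2013-02-26T14:01:07.123Z MeeksNet-SRX210 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.2.36.1 source-address="203.0.113.7" source-port="51422" destination-address="192.0.2.10" destination-port="23" service-name="junos-telnet" protocol-id="6" policy-name="default-deny" source-zone-name="untrust" destination-zone-name="trust" reason="policy deny"] session denied
<14>1 2013-02-26T14:01:09.001Z MeeksNet-SRX210 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.2.36.1 source-address="192.168.1.20" source-port="40001" destination-address="198.51.100.5" destination-port="443" service-name="junos-https" protocol-id="6" policy-name="allow-out" source-zone-name="trust" destination-zone-name="untrust"] session created
<14>1 2013-02-26T14:01:12.480Z MeeksNet-SRX210 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.2.36.1 source-address="203.0.113.9" source-port="4444" destination-address="192.0.2.10" destination-port="44082" service-name="None" protocol-id="17" policy-name="default-deny" source-zone-name="untrust" destination-zone-name="trust" reason="policy deny"] session denied
<14>1 2013-02-26T14:01:30.007Z MeeksNet-SRX210 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.2.36.1 reason="TCP FIN" source-address="192.168.1.20" source-port="40001" destination-address="198.51.100.5" destination-port="443" service-name="junos-https" protocol-id="6" policy-name="allow-out"] session closed
<13>1 2013-02-26T14:02:00.000Z MeeksNet-SRX210 mgd - UI_COMMIT [junos@2636.1.1.2.36.1 username="meeks"] commit complete
"""

# Event name plus the key="value" block that structured-data logging emits.
SD_RE = re.compile(r"(?P<event>RT_FLOW_SESSION_[A-Z]+) \[junos@[\d.]+ (?P<fields>[^\]]*)\]")
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_rt_flow(line):
    """Return (event, fields) for an RT_FLOW_SESSION_* line, else None."""
    m = SD_RE.search(line)
    if m is None:
        return None
    return m.group("event"), dict(KV_RE.findall(m.group("fields")))


def summarize(lines):
    """Count events; for denies, also count the policy and protocol/port hit."""
    events = Counter()
    by_policy = Counter()
    by_dport = Counter()
    for line in lines:
        parsed = parse_rt_flow(line)
        if parsed is None:
            continue  # not a flow event (commit messages and the like)
        event, f = parsed
        events[event] += 1
        if event == "RT_FLOW_SESSION_DENY":
            by_policy[f.get("policy-name", "?")] += 1
            by_dport[f"{f.get('protocol-id', '?')}/{f.get('destination-port', '?')}"] += 1
    return {"events": events, "denies_by_policy": by_policy, "denies_by_dport": by_dport}


def permits_logged_but_no_denies(summary):
    """The thread's symptom: CREATE/CLOSE reach the collector, DENY never does."""
    ev = summary["events"]
    permits = ev["RT_FLOW_SESSION_CREATE"] + ev["RT_FLOW_SESSION_CLOSE"]
    return permits > 0 and ev["RT_FLOW_SESSION_DENY"] == 0


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(dict(s["events"]))
    print("denies by policy:", dict(s["denies_by_policy"]))
    print("denies by proto/port:", dict(s["denies_by_dport"]))
    print("permits logged but no denies:", permits_logged_but_no_denies(s))
```

Run it against the collector's file with `summarize(open(path))` instead of the sample; a deny-all policy that is being hit shows up under its policy-name, so a zero count there with permits present points back at the policy or group inheritance on the SRX rather than at the syslog path.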
Re: [j-nsp] SRX Remote log denied traffic
This (remote syslog) works for me on SRX550s running 12.1R1.9.

This will apply a default deny log to the end of your security policies, so you don't need to reorder policies after adding a new one.

I have had issues logging locally where the box will stop logging after a while. Not a big issue, since it all gets piped off to a syslog server, but still annoying.

Syntax for that was:

    file traffic-log {
        any any;
        match RT_FLOW_SESSION;
        structured-data;
    }

    groups {
        global-policy {
            security {
                policies {
                    from-zone * to-zone * {
                        policy default-logdrop {
                            match {
                                source-address any;
                                destination-address any;
                                application any;
                            }
                            then {
                                deny;
                                log {
                                    session-init;
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    system {
        syslog {
            host x.x.x.x {
                any any;
            }
        }
    }

    security {
        apply-groups global-policy;
    }

On Mon, 25 Feb 2013 16:10:49 -0500, Mike Devlin wrote:
On Sat, Feb 23, 2013 at 2:35 AM, Farrukh Haroon farrukhhar...@gmail.com wrote:
On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin juni...@meeksnet.ca wrote:
Re: [j-nsp] SRX Remote log denied traffic
Hello Mike

Was wondering if you can get the deny logs while doing local logging?

    set system syslog file TEST-DENY any any
    set system syslog file TEST-DENY match RT_FLOW

Regards
Farrukh

On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin juni...@meeksnet.ca wrote:
[j-nsp] SRX Remote log denied traffic
So fingers crossed that this is an easy one for you guys,

Device is an SRX210BE running 11.4R5.5 code.

I've added the syslog host to the config:

    meeks@MeeksNet-SRX210> show configuration system syslog
    archive size 100k files 3;
    user * {
        any emergency;
    }
    host 192.168.1.12 {
        any any;
    }
    file messages {
        any critical;
        authorization info;
    }
    file interactive-commands {
        interactive-commands error;
    }
    file security {
        security any;
    }
    file default-log-messages {
        any any;
        match (requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|(vc add)|(vc delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license add)|(license delete)|(package -X update)|(package -X delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD;
        structured-data;
    }

and implemented the default deny template I found here:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS

    meeks@MeeksNet-SRX210> show configuration groups
    default-deny-template {
        security {
            policies {
                from-zone untrust to-zone trust {
                    policy default-deny {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            deny;
                            log {
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }

    meeks@MeeksNet-SRX210> show configuration apply-groups
    ## Last commit: 2013-02-21 16:05:36 EST by meeks
    apply-groups default-deny-template;

However, when I log on to the syslog host and tail the syslog file, I do not see denies being logged remotely. If I apply the session-init and session-close options to permitted traffic, it does get logged remotely.

Alternatively, creating a new policy has the same result, regardless of whether I use reject or deny:

    meeks@MeeksNet-SRX210# show security policies from-zone untrust to-zone trust policy deny-all
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        deny;
        log {
            session-init;
        }
    }

My google-foo is failing, so I hope you guys can help.

Looking forward to hearing back from you,

Mike