
Junos Security by James Quinn, Timothy Eberhard, Patricio Giecco, Brad Woodberg, Rob Cameron


Policy Logging

We briefly covered policy logging from a configuration standpoint earlier in this chapter. Here we’ll discuss the details of policy logging and how to configure and view the logs.

Note

For legacy NetScreen readers, policy logging is very different on the SRX. The logging system is more of a local syslog server than the traditional traffic log found on NetScreen devices, and nearly everything that could be done with the ScreenOS traffic logs can be done on the SRX’s logfiles.

To log on the SRX you must configure the following two items:

  • Policy logging must be enabled on the policy via the session-init and session-close configuration items.

  • A filter and traffic logfile must be created on the SRX.

First, to enable policy logging, configure log session-close session-init on the specific policy on which logging is desired. The session-close flag tells the SRX to log whenever it tears down a session’s connection (a session could close for many reasons, including a timeout, a FIN packet, or an RST packet). The session-init flag tells the SRX to log traffic for that policy when a session is built.

Here’s an example of a policy with logging enabled (that was actually configured earlier in the chapter). This example policy logs both the creation and the teardown of these connections and works on policies that permit traffic as well as policies that deny traffic:

[edit]
juniper@SRX5800# set security policies from-zone trust to-zone web-dmz
policy webdmz_mgt then log session-close session-init

The next item we need to configure is a location for the traffic logs to go to. You can name the traffic logfile whatever you want, although it’s always best to give the log a descriptive name, such as traffic-log or policy-log, just so other users know where to look for the logs.

Here the traffic logfile is called traffic-log. The second line of the config tells the SRX to write to that file only the messages matching RT_FLOW_SESSION, a string that appears in the policy log messages:

[edit]
juniper@SRX5800# set system syslog file traffic-log any any
juniper@SRX5800# set system syslog file traffic-log match "RT_FLOW_SESSION"

Now, to view the traffic logs, use the show log <filename> command to display the entire traffic log:

juniper@SRX5800> show log traffic-log
Jan  7 12:07:24  SRX5800 RT_FLOW: RT_FLOW_SESSION_CREATE: session created
10.1.1.100/53910->172.31.100.60/22 junos-ssh
10.1.1.100/53910->172.31.100.60/22 None None 6 webdmz_mgt trust web-dmz 59
Jan  7 12:07:25  SRX5800 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP RST:
10.1.1.100/53908->172.31.100.60/22 junos-ssh 10.1.1.100/53908->172.31.100.60/22
None None 6 webdmz_mgt trust web-dmz 57 1(64) 1(40) 3

Here is a detailed breakdown of the different types of messages, followed by an example (borrowed from the SRX documentation):

Session creation

<source-address>/<source-port>-><destination-address>/<destination-port>,<protocol-id>: <policy-name>

RT_FLOW_SESSION_CREATE: session created 10.1.1.100/53908->172.31.100.60/22 junos-ssh 10.1.1.100/53908->172.31.100.60/22 None None 6 webdmz_mgt trust web-dmz 57

Session close

session closed <reason>: <source-address>/<source-port>-><destination-address>/<destination-port>,<protocol-id>:<policy-name> <inbound-packets>(<inbound-bytes>) <outbound-packets>(<outbound-bytes>) <elapsed-time>

RT_FLOW_SESSION_CLOSE: session closed TCP RST: 10.1.1.100/53907->172.31.100.60/22 junos-ssh 10.1.1.100/53907->172.31.100.60/22 None None 6 webdmz_mgt trust web-dmz 56 1(64) 1(40) 2

Session deny

session denied <source-address>/<source-port>-><destination-address>/<destination-port>,<protocol-id>(<icmp-type>):<policy-name>

RT_FLOW_SESSION_DENY: session denied 10.1.1.100/2->10.2.0.254/25931 icmp 1(8) web_deny trust web-dmz

There are no built-in filters, as there were on the NetScreen platform. Instead, the SRX has some very powerful methods for filtering the displayed data that are built into the Junos operating system. Although a deep dive into all of the different filter options is outside the scope of this chapter, let’s cover a few ways to filter through the traffic log. Just remember, this is only a small sample of what’s possible.

The simplest way to filter the traffic log (or any syslog file, for that matter) is to use the | match <data> command, which filters the output to only that which matches the data that was input:

juniper@SRX5800> show log traffic-log | match 3389
Jan  7 12:06:38  SRX5800 RT_FLOW: RT_FLOW_SESSION_CREATE: session created
10.1.1.100/53904->172.31.100.60/3389 None 10.1.1.100/53904->172.31.100.60/
3389 None None 6 webdmz_mgt trust web-dmz 49

In this example, the match condition was 3389 (in this case, a port for Windows Remote Desktop). The match command is very powerful, and even allows for regular-expression-type searches, such as this match filter matching on the string 3389 OR 22:

juniper@SRX5800> show log traffic-log | match "3389|22"
Jan  7 12:06:38  SRX5800 RT_FLOW: RT_FLOW_SESSION_CREATE: session created
10.1.1.100/53904->172.31.100.60/3389 None 10.1.1.100/53904->172.31.100.60/
3389 None None 6 webdmz_mgt trust web-dmz 49
Jan  7 12:07:22  SRX5800 RT_FLOW: RT_FLOW_SESSION_CREATE: session created
10.1.1.100/53907->172.31.100.60/22 junos-ssh 10.1.1.100/53907->172.31.100.60/22
None None 6 webdmz_mgt trust web-dmz 56
Jan  7 12:07:23  SRX5800 RT_FLOW: RT_FLOW_SESSION_CREATE: session created
10.1.1.100/53908->172.31.100.60/22 junos-ssh 10.1.1.100/53908->172.31.100.60/22
None None 6 webdmz_mgt trust web-dmz 57

Additional methods for viewing the traffic log include a command similar to the Unix tail. For example, the last command displays the last N lines of output. Here, the last filter is used to display only the last two lines of the traffic log:

juniper@SRX5800> show log traffic-log | last 2
Jan  7 12:07:25  SRX5800 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP RST:
10.1.1.100/53909->172.31.100.60/22 junos-ssh 10.1.1.100/53909->172.31.100.60/22
None None 6 webdmz_mgt trust web-dmz 58 1(64) 1(40) 2
Jan  7 12:07:25  SRX5800 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP RST:
10.1.1.100/53910->172.31.100.60/22 junos-ssh 10.1.1.100/53910->172.31.100.60/22
None None 6 webdmz_mgt trust web-dmz 59 1(64) 1(40) 1

Keep in mind that you can use multiple pipe filters together to form powerful commands. For example, if your goal is to determine how many times a certain IP, or segment, showed up in the traffic log, you could use a combination of match and count:

juniper@SRX5800> show log traffic-log | match 172.31.100.60 | count
Count: 13 lines

In the preceding output, 172.31.100.60 shows up 13 times in the traffic log.

You also can see what the firewall has dropped. Assuming that logging has been enabled on the deny policy, a simple filter on deny shows dropped traffic:

juniper@SRX5800> show log traffic-log | match DENY
Jan  7 12:07:05  SRX5800 RT_FLOW: RT_FLOW_SESSION_DENY: session denied
10.1.1.100/53906->172.31.100.60/21 junos-ftp 6(0) web_deny trust web-dmz
Jan  7 12:07:06  SRX5800 RT_FLOW: RT_FLOW_SESSION_DENY: session denied
10.1.1.100/53906->172.31.100.60/21 junos-ftp 6(0) web_deny trust web-dmz
Jan  7 12:07:11  SRX5800 RT_FLOW: RT_FLOW_SESSION_DENY: session denied
10.1.1.100/0->10.2.0.254/25931 icmp 1(8) web_deny trust web-dmz
Jan  7 12:07:12  SRX5800 RT_FLOW: RT_FLOW_SESSION_DENY: session denied
10.1.1.100/1->10.2.0.254/25931 icmp 1(8) web_deny trust web-dmz
Jan  7 12:07:13  SRX5800 RT_FLOW: RT_FLOW_SESSION_DENY: session denied
10.1.1.100/2->10.2.0.254/25931 icmp 1(8) web_deny trust web-dmz
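To work with these messages once they have been exported off the SRX, here is an added Python example (not from the book or from Juniper) that parses the three RT_FLOW_SESSION formats broken down earlier and reproduces the match/count and DENY filters shown above over constructed sample records; the regex field names are my own assumptions, and the sample lines are constructed in the page's format.

```python
import re

# Constructed sample records in the RT_FLOW_SESSION formats shown on this
# page (the book wraps each message across lines; here each is one line).
SAMPLE_LOG = """\
Jan  7 12:06:38  SRX5800 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.100/53904->172.31.100.60/3389 None 10.1.1.100/53904->172.31.100.60/3389 None None 6 webdmz_mgt trust web-dmz 49
Jan  7 12:07:05  SRX5800 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.100/53906->172.31.100.60/21 junos-ftp 6(0) web_deny trust web-dmz
Jan  7 12:07:11  SRX5800 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.100/0->10.2.0.254/25931 icmp 1(8) web_deny trust web-dmz
Jan  7 12:07:24  SRX5800 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.100/53910->172.31.100.60/22 junos-ssh 10.1.1.100/53910->172.31.100.60/22 None None 6 webdmz_mgt trust web-dmz 59
Jan  7 12:07:25  SRX5800 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP RST: 10.1.1.100/53910->172.31.100.60/22 junos-ssh 10.1.1.100/53910->172.31.100.60/22 None None 6 webdmz_mgt trust web-dmz 59 1(64) 1(40) 3
"""

# Field names below are this example's own choice, not Juniper's.
HDR = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(?P<host>\S+) RT_FLOW: "
FLOW = r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
NAT = r" (?P<svc>\S+) \S+->\S+ \S+ \S+ (?P<proto>\d+) "  # service, NAT'd flow, NAT rules, protocol
TAIL = r"(?P<policy>\S+) (?P<szone>\S+) (?P<dzone>\S+)"
PATTERNS = {
    "create": re.compile(HDR + r"RT_FLOW_SESSION_CREATE: session created " + FLOW
                         + NAT + TAIL + r" (?P<sid>\d+)$"),
    "close": re.compile(HDR + r"RT_FLOW_SESSION_CLOSE: session closed (?P<reason>.+?): "
                        + FLOW + NAT + TAIL + r" (?P<sid>\d+) (?P<in_pkts>\d+)\((?P<in_bytes>\d+)\)"
                        + r" (?P<out_pkts>\d+)\((?P<out_bytes>\d+)\) (?P<elapsed>\d+)$"),
    "deny": re.compile(HDR + r"RT_FLOW_SESSION_DENY: session denied " + FLOW
                       + r" (?P<svc>\S+) (?P<proto>\d+)\((?P<icmp_type>\d+)\) " + TAIL + r"$"),
}

def parse_line(line):
    """Return a dict of fields plus an 'event' key, or None for non-policy lines."""
    for event, pat in PATTERNS.items():
        m = pat.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["event"] = event
            return rec
    return None

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def count_address(records, ip):
    """Like '| match <ip> | count', but on parsed fields, so the dots in the
    address are not treated as regex wildcards the way '| match' treats them."""
    return sum(1 for r in records if ip in (r["src"], r["dst"]))

def denied(records):
    """Like '| match DENY': only the sessions a logging deny policy dropped."""
    return [r for r in records if r["event"] == "deny"]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(count_address(recs, "172.31.100.60"), "records for 172.31.100.60")
    for r in denied(recs):
        print("denied", r["src"], "->", r["dst"], "port", r["dport"], "by", r["policy"])
```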

It is also possible to log the policy denies to their own logfile—for example, if you wish to keep a separate copy of dropped traffic. You can do this by creating a new logfile and adjusting the match condition:

[edit]
juniper@SRX5800# set system syslog file traffic-deny any any
[edit]
juniper@SRX5800# set system syslog file traffic-deny match "RT_FLOW_SESSION_DENY"

A helpful trick to make it easier to troubleshoot traffic when a lot of data is going to the traffic logfile is to filter with more specific matching conditions. For example, if we were troubleshooting connectivity to 172.31.100.60, or wanted to log that specific traffic to a different logfile for later evaluation, we could filter only that traffic to a different file. Here, 172.31.100.60 is filtered to a new logfile called troubleshooting_traffic:

[edit]
juniper@SRX5800# set system syslog file troubleshooting_traffic any any
[edit]
juniper@SRX5800# set system syslog file troubleshooting_traffic match "172.31.100.60"

Now, it’s possible to view the traffic log for just 172.31.100.60:

juniper@SRX5800> show log troubleshooting_traffic
Jan 7 12:24:42 SRX5800 clear-log[1377]: logfile cleared
Jan  7 12:24:46  SRX5800 RT_FLOW: RT_FLOW_SESSION_CREATE: session created
10.1.1.100/53989->172.31.100.60/22 junos-ssh 10.1.1.100/53989->172.31.100.60/22
None None 6 webdmz_mgt trust web-dmz 91
Jan  7 12:24:47  SRX5800 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP RST:
10.1.1.100/53989->172.31.100.60/22 junos-ssh 10.1.1.100/53989->172.31.100.60/22
None None 6 webdmz_mgt trust web-dmz 91 1(64) 1(40) 2

Once you get the hang of it, you’ll see that there are many ways to filter out and count the data in logfiles using various commands. We’ve just scratched the surface here. Use the CLI question mark (?) to display all the different command possibilities:

juniper@SRX5800> show log troubleshooting_traffic | ?
Possible completions:
  count                Count occurrences
  display              Show additional kinds of information
  except               Show only text that does not match a pattern
  find                 Search for first occurrence of pattern
  hold                 Hold text without exiting the --More-- prompt
  last                 Display end of output only
  match                Show only text that matches a pattern
  no-more              Don't paginate output
  request              Make system-level requests
  resolve              Resolve IP addresses
  save                 Save output text to file
  trim                 Trim specified number of columns from start of line

Oops, I almost forgot to mention another very useful feature, the monitor command. Use the monitor command so that the SRX displays the output of the traffic log in real time to the console. It’s very useful when troubleshooting or evaluating traffic.

juniper@SRX5800> monitor start traffic-log

Then, as data is written to the traffic logfile, it’s displayed to the console. Use the monitor stop command to turn off the monitoring:

juniper@SRX5800>
*** traffic-log ***
Jan  7 12:07:13  SRX5800 RT_FLOW: RT_FLOW_SESSION_DENY: session denied
10.1.1.100/2->10.2.0.254/25931 icmp 1(8) web_deny trust web-dmz

Note

On the high-end lines such as the SRX5800, only a limited amount of logging is available to the local logs. There simply isn’t enough disk space or processing to log the high rate of sessions that the high-end SRX devices are capable of handling. Logging to the local disk should be limited on these platforms to only critical policies.
