Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  J2320 firewall Logging

    Posted 05-03-2013 14:21

    I'm having trouble getting my security policies to log anything.


    I have a J2320 running 10.4R11.4.


    Here is how my rules are set up:


    security {
        policies {
            from-zone untrust to-zone asa {
                policy inet_to_asa_hosts {
                    match {
                        source-address any;
                        destination-address ASA-Non-Juniper;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }


    I have found a lot of docs that discuss logging, I just can't find anything that is related to how our rules are set up.


    What I'm trying to do is log when a rule blocks traffic for troubleshooting.


    Thanks for any help.



  • 2.  RE: J2320 firewall Logging
    Best Answer

    Posted 05-03-2013 16:40

    KB10112 shows how to add logging to a policy.


    http://kb.juniper.net/InfoCenter/index?page=content&id=KB10112


    But your issue is that you really want the deny logs.  Adding logging to this policy will only show you what the policy processes, which is a "permit" action.  The policy only logs what hits the policy.


    The default deny does not log.


    So you need to create an explicit deny policy as the last rule for the zone and enable logging as noted in KB10112 on this final deny.  Then you will see the log entries for denied traffic.
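    The approach in the answer above, worked through as an added example configuration that is not from the thread or from KB10112. It reuses the zone names and policy name from the original post; the deny policy name deny_all_log, the log file name traffic-log, and the use of event-mode syslog through the routing engine are assumptions made here.

```junos
# Added example (not from the thread). Zone names and inet_to_asa_hosts come
# from the original post; deny_all_log and traffic-log are names chosen here.

# 1. Log the existing permit policy (what KB10112 describes).
set security policies from-zone untrust to-zone asa policy inet_to_asa_hosts then log session-init
set security policies from-zone untrust to-zone asa policy inet_to_asa_hosts then log session-close

# 2. Add an explicit deny-all policy that logs. Only session-init is useful here:
#    a denied session is never created, so session-close would produce nothing.
set security policies from-zone untrust to-zone asa policy deny_all_log match source-address any
set security policies from-zone untrust to-zone asa policy deny_all_log match destination-address any
set security policies from-zone untrust to-zone asa policy deny_all_log match application any
set security policies from-zone untrust to-zone asa policy deny_all_log then deny
set security policies from-zone untrust to-zone asa policy deny_all_log then log session-init

# 3. Policies are evaluated top-down, so the deny must be the last policy in the
#    zone pair. 'insert' places it explicitly; confirm with the show command below.
insert security policies from-zone untrust to-zone asa policy deny_all_log after policy inet_to_asa_hosts

# 4. Write RT_FLOW session events to a local log file (assumes event-mode
#    logging via the routing engine syslog, which is what a J-series uses).
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION
commit

# Checks, from operational mode:
#   show security policies from-zone untrust to-zone asa
#   show log traffic-log | match RT_FLOW_SESSION_DENY
```

    Denied traffic then appears as RT_FLOW_SESSION_DENY entries in traffic-log, while the permit policy produces RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE entries.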



  • 3.  RE: J2320 firewall Logging

    Posted 05-08-2013 13:21

    Aha! That makes perfect sense!


    Thank you very much for your help.