Visitor
dsulli99
Posts: 9
Registered: 10-17-2010
Accepted Solution

Question Regarding Logging

Hi everybody,

Please forgive me, I am new to Juniper, but I have kind of a lame question. I come from the Cisco world; Cisco ASA/PIX devices have a default deny policy (if there is an access-list applied to an interface). If I have normal informational-level logging enabled on a device, a log message is generated for pretty much every packet that matches this default deny. In the world of Juniper it appears a little bit different. The only way I've found to have my SRX log a dropped packet is by doing something like:

"set security policies from-zone ucpd-backend-switch-management to-zone ucpd-outside policy tacacs then log session-init"

So I guess I have two questions:

1) Are policies in Junos/SRX applied in a top-down order?

2) Is there a way to log all dropped packets? Do I have to explicitly create a policy to match all sources and all destinations for every zone, then enable logging for that specific policy?

I basically want to generate a log message like this for all dropped packets on all zones/interfaces:

Oct 17 05:02:51 10.4.224.20 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 128.135.2.178/1->128.135.100.81/21397 icmp 128.135.2.178/1->128.135.100.81/21397 None None 1 icmp_traffic ucpd-outside ucpd-ssl-vpn-outside 63172
Oct 17 05:02:55 10.4.224.20 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 128.135.2.178/1->128.135.100.81/21397 icmp 128.135.2.178/1->128.135.100.81/21397 None None 1 icmp_traffic ucpd-outside ucpd-ssl-vpn-outside 63172 1(76) 1(76) 0

Thank you,

Dan Sullivan

Visitor
dsulli99
Posts: 9
Registered: 10-17-2010

Re: Question Regarding Logging

I figured out the answer to #1 but I'm still looking for an answer to #2 :-)

Thanks,

Dan

Trusted Contributor
rfrederick
Posts: 213
Registered: 07-14-2008

Re: Question Regarding Logging

In order to log all denied traffic, you would put a rule at the end that was a "deny any any any" type of rule with logging enabled.

Ron
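
For the catch-all rule Ron describes, here is an added example (not from this thread) in the same "set" style as the command quoted in the question, written for one zone pair taken from the thread; the policy name deny-all-log is an assumed name. A deny policy with logging produces RT_FLOW_SESSION_DENY messages rather than the RT_FLOW_SESSION_CREATE/RT_FLOW_SESSION_CLOSE lines quoted above, so a syslog filter for dropped traffic should key on that message type.

```junos
set security policies from-zone ucpd-backend-switch-management to-zone ucpd-outside policy deny-all-log match source-address any
set security policies from-zone ucpd-backend-switch-management to-zone ucpd-outside policy deny-all-log match destination-address any
set security policies from-zone ucpd-backend-switch-management to-zone ucpd-outside policy deny-all-log match application any
set security policies from-zone ucpd-backend-switch-management to-zone ucpd-outside policy deny-all-log then deny
set security policies from-zone ucpd-backend-switch-management to-zone ucpd-outside policy deny-all-log then log session-init
```

A policy added this way is appended to the end of that zone pair's list, which is where a catch-all must sit since policies are evaluated top-down; confirm the order with "show security policies from-zone ucpd-backend-switch-management to-zone ucpd-outside" before committing, and repeat the block for every zone pair you want covered.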

Visitor
dsulli99
Posts: 9
Registered: 10-17-2010

Re: Question Regarding Logging

That's what I thought, thanks.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.