Contributor
Brad_Fleming
Posts: 12
Registered: ‎04-08-2009
Accepted Solution

Firewall Filter Packet Capture Problem

I have an SRX240 running Junos 9.6R2.11. I'm not sure if I'm missing something or just plain stupid.

I have a firewall filter configured like so:

bdfleming@site# show firewall filter lan_inbound
<<<snip>>>
term leaked_private_traffic {
    from {
        source-address {
            10.0.0.0/8;
            192.168.0.0/16;
            172.16.0.0/12;
        }
    }
    then {
        count "Leaked Private Traffic (Dropped)";
        discard;
    }
}
<<<snip>>>

I see traffic matching this term at the rate of ~2 packets per second (roughly). I'd like to capture some of these packets to help the users find their misbehaving device, but I'm having problems getting the term to sample correctly.

If I add a "sample" action to the term, my sample file does not get built and the device does not capture the traffic before discarding it. If I change the action from "discard" to "accept", I see packets match and arrive in my sample file. The obvious side effect is allowing traffic through the filter that I'd rather drop in typical operation.

So my question is: Can you sample discarded packets using a firewall filter that is applied ingress? If so, would anyone care to share a working configuration?

Much appreciated for any comments, suggestions, or insights.

Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007

Re: Firewall Filter Packet Capture Problem

Sample has default action of accept. Refer to this link to firewall filter configuration in JUNOS.

http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-...

-Richard

Contributor
Brad_Fleming
Posts: 12
Registered: ‎04-08-2009

Re: Firewall Filter Packet Capture Problem

Thanks for the reply and link, Richard.

If anyone from Juniper is watching, it would be nice to sample discarded packets as well in some cases. I understand that the flow of traffic through the box might make that impossible, just offering up a feature suggestion.

Distinguished Expert
aarseniev
Posts: 1,622
Registered: ‎08-21-2009

Re: Firewall Filter Packet Capture Problem

Hello Brad,

Sampling of discarded pkts is possible with "next term" filter action. Your filter should look like:

term leaked_private_traffic_sample {
    from {
        source-address {
            10.0.0.0/8;
            192.168.0.0/16;
            172.16.0.0/12;
        }
    }
    then {
        count "Leaked Private Traffic (Dropped in next term)";
        /* sample here, before the packet reaches the discard term */
        sample;
        next term;
    }
}
term leaked_private_traffic_drop {
    from {
        source-address {
            10.0.0.0/8;
            192.168.0.0/16;
            172.16.0.0/12;
        }
    }
    then {
        discard;
    }
}

I tested it and it works for me on 10.R1. Please post your results here if possible.

Rgds

Alex

___________________________________
Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
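Added example, not part of the thread or of any Juniper code: a small Python model of how a Junos-style firewall filter walks its terms, used to compare the single-term attempt (sample and discard together) with the two-term "next term" pattern Alex posted. The rule that a term whose terminating action is discard never produces a sample is an assumption modelled on the behaviour Brad reports, not something read from Junos source; the prefixes and source addresses are constructed for the demonstration, and the trailing "allow_rest" term stands in for the snipped remainder of the real filter.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed RFC 1918 source prefixes, the same ones used in the thread's filter.
PRIVATE = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]


@dataclass
class Term:
    """One filter term: 'from source-address' prefixes plus its 'then' actions."""
    name: str
    sources: List[ipaddress.IPv4Network]      # empty list = match any source
    count: Optional[str] = None               # counter name, if the term counts
    sample: bool = False                      # 'sample' action present
    action: str = "accept"                    # "accept", "discard" or "next term"


@dataclass
class Verdict:
    action: str                               # final fate of the packet
    counters: Counter                         # counters that were incremented
    sampled: List[str]                        # names of terms that sampled it


def evaluate(terms: List[Term], src_ip: str) -> Verdict:
    """Walk the term chain top-down the way a Junos filter does: the first
    matching term decides, unless its action is 'next term', in which case
    evaluation continues with the following term. Packets that match no term
    hit the filter's implicit discard."""
    src = ipaddress.ip_address(src_ip)
    counters: Counter = Counter()
    sampled: List[str] = []
    for term in terms:
        if term.sources and not any(src in net for net in term.sources):
            continue
        if term.count:
            counters[term.count] += 1
        # Assumption, modelled on what the thread reports: a sample is only
        # produced when the sampling term lets the packet continue (accept or
        # next term). A term that discards never hands the packet to capture.
        if term.sample and term.action != "discard":
            sampled.append(term.name)
        if term.action == "next term":
            continue
        return Verdict(term.action, counters, sampled)
    return Verdict("discard", counters, sampled)   # implicit final discard


# The original attempt: sample and discard in one term. Counts and drops, never samples.
SINGLE_TERM = [
    Term("leaked_private_traffic", PRIVATE,
         count="Leaked Private Traffic (Dropped)", sample=True, action="discard"),
    Term("allow_rest", [], action="accept"),
]

# The working pattern: sample in one term, hand off with 'next term', discard in the next.
TWO_TERM = [
    Term("leaked_private_traffic_sample", PRIVATE,
         count="Leaked Private Traffic (Dropped in next term)", sample=True, action="next term"),
    Term("leaked_private_traffic_drop", PRIVATE, action="discard"),
    Term("allow_rest", [], action="accept"),
]


def compare(src_ip: str) -> dict:
    """Run one packet through both filters and return the two verdicts."""
    return {"single": evaluate(SINGLE_TERM, src_ip), "two_term": evaluate(TWO_TERM, src_ip)}


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.5.9", "8.8.8.8"):   # constructed sample sources
        for label, v in compare(ip).items():
            print(f"{ip:<12} {label:<9} {v.action:<8} sampled={v.sampled} counters={dict(v.counters)}")
```

Both filters drop the leaked private source and leave public sources alone; the difference is that only the two-term chain records a sample, which is exactly what the capture file needs to contain before the discard happens.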