SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Firewall Filter Packet Capture Problem

    Posted 12-28-2009 11:30

    I have an SRX240 running Junos 9.6R2.11. I'm not sure if I'm missing something or just plain stupid.

    I have a firewall filter configured like so:

    bdfleming@site# show firewall filter lan_inbound
    <<<snip>>>
    term leaked_private_traffic {
        from {
            source-address {
                10.0.0.0/8;
                192.168.0.0/16;
                172.16.0.0/12;
            }
        }
        then {
            count "Leaked Private Traffic (Dropped)";
            discard;
        }
    }
    <<<snip>>>

    I see traffic matching this term at the rate of ~2 packets per second (roughly). I'd like to capture some of these packets to help the users find their misbehaving device, but I'm having problems getting the term to sample correctly.

    If I add a "sample" action to the term, my sample file does not get built and the device does not capture the traffic before discarding it. If I change the action from "discard" to "accept", I see packets match and arrive in my sample file. The obvious side effect is allowing traffic through the filter that I'd rather drop in typical operation.

    So my question is: Can you sample discarded packets using a firewall filter that is applied ingress? If so, would anyone care to share a working configuration?

    Much appreciated for any comments, suggestions, or insights.



  • 2.  RE: Firewall Filter Packet Capture Problem
    Best Answer

    Posted 12-29-2009 20:16

    Sample has a default action of accept. Refer to this link on firewall filter configuration in JUNOS.

    http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/policy-configuring-actions-in-firewall-filter-terms.html

    -Richard



  • 3.  RE: Firewall Filter Packet Capture Problem

    Posted 01-05-2010 08:42

    Thanks for the reply and link, Richard.

    If anyone from Juniper is watching, it would be nice to sample discarded packets as well in some cases. I understand that the flow of traffic through the box might make that impossible, just offering up a feature suggestion.



  • 4.  RE: Firewall Filter Packet Capture Problem

    Posted 01-06-2010 04:58

    Hello Brad,

    Sampling of discarded packets is possible with the "next term" filter action. Your filter should look like:

    /* count, sample and next term are all non-terminating, so the packet is */
    /* counted and sampled here and then handed to the next term for the drop */
    term leaked_private_traffic_sample {
        from {
            source-address {
                10.0.0.0/8;
                192.168.0.0/16;
                172.16.0.0/12;
            }
        }
        then {
            count "Leaked Private Traffic (Dropped in next term)";
            sample;
            next term;
        }
    }
    /* same match, terminating action: the discard happens after sampling */
    term leaked_private_traffic_drop {
        from {
            source-address {
                10.0.0.0/8;
                192.168.0.0/16;
                172.16.0.0/12;
            }
        }
        then {
            discard;
        }
    }

    I tested it and it works for me on 10.R1. Please post your results here if possible.

    Rgds

    Alex
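A fuller version of the two-term approach above, added here as a constructed example rather than configuration from either poster or from Juniper: the sample-then-drop filter together with the forwarding-options sampling stanza that the sample action needs before anything is written to a file. The file name, the rate of 1 and the trailing allow_everything_else term are assumptions, and the forwarding-options syntax is the Junos 9/10-era form, so check it against the release in use.

```junos
firewall {
    filter lan_inbound {
        term leaked_private_traffic_sample {
            from {
                source-address {
                    10.0.0.0/8;
                    172.16.0.0/12;
                    192.168.0.0/16;
                }
            }
            then {
                count "Leaked Private Traffic (Dropped in next term)";
                /* both are non-terminating: copy the packet, then fall through */
                sample;
                next term;
            }
        }
        term leaked_private_traffic_drop {
            from {
                source-address {
                    10.0.0.0/8;
                    172.16.0.0/12;
                    192.168.0.0/16;
                }
            }
            /* the drop happens here, after the sampled copy has been taken */
            then discard;
        }
        /* assumed term: a filter's implicit final action is discard, so other traffic needs an explicit accept */
        term allow_everything_else {
            then accept;
        }
    }
}
/* "sample" only flags packets; this stanza is what writes the copies to a file */
forwarding-options {
    sampling {
        input {
            rate 1;
        }
        family inet {
            output {
                file {
                    filename leaked-private.txt;
                }
            }
        }
    }
}
```

Apply the filter with "filter input lan_inbound" under family inet on the ingress interface unit; the sampled packets then land in /var/tmp/leaked-private.txt on the Routing Engine.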