SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How to log packets that do not match a security policy?

    Posted 06-21-2012 05:21

    Hi,

     

    can the SRX log traffic that does not match a security policy?

     

    Some more details:

    • I have a SRX with many Zones, eg. Zone-A to Zone-L.
    • I allow only traffic between some zones.
      For this I have security policies like: set security policy from-zone Zone-A to-zone Zone-B ...
    • Each of these zones has a final policy to deny everything and log it at the end, added using apply-groups.
      This way traffic that matches none of the rules will be dropped and logged.

    My problem is that I do not want to define policies for every possible combination of zones with only a deny+log rule.

    That would mean 90 policies though I need only 10-15.

    (Yes, every combination of zones in and out is possible by IP routing).

     

    Is there a way to log traffic that is dropped by the SRX but does not hit any policy (from-zone ... to-zone ...) ?

     

    Thanks in advance,

    Steffen

     



  • 2.  RE: How to log packets that do not match a security policy?

    Posted 06-21-2012 06:37

    To log traffic denied by System Default Policy have a read of this kb:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778



  • 3.  RE: How to log packets that do not match a security policy?

    Posted 06-21-2012 06:58
    MMcD, thanks for your fast reply, but ...

    @MMcD wrote:

    To log traffic denied by System Default Policy have a read of this kb:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778


    I did exactly that.
    I meant this when saying "Each of these zones has a final policy to deny everything and log it at the end using apply-groups", but maybe I was not clear enough.

     

    This solution works fine as long as you have a policy for that traffic.

    E.g. if you have defined at least one policy in "from-zone Zone-A to-zone Zone-B" and the denied traffic wants to flow from Zone-A to Zone-B.

     

    But if I have traffic that wants to traverse from Zone-B to Zone-C and I have no policies defined "from-zone Zone-B to-zone Zone-C", the packets will be dropped but there will be no log of that event.

     

    If you have only 3 zones, it is easy to define a policy for each relation (A->B, A->C, B->A, B->C, C->A, C->B) and put a deny in those policies that do not need a permit. But if you have 5 zones you'll need 5*4=20 policies, and with 10 zones 10*90=90 policies. That won't scale well.

     

    We usually have 8 to 10 zones per SRX240 and configs will look complex that way.

    So I am looking for something that logs traffic that is dropped because of the lack of a policy between the involved zones.

     

    - Steffen

     



  • 4.  RE: How to log packets that do not match a security policy?

    Posted 06-21-2012 10:13

    I use the same approach ... but I have enabled icmp from any to any zone and after them I have deny all ... as a group.  I expect all is working ... ?



  • 5.  RE: How to log packets that do not match a security policy?

    Posted 06-25-2012 06:58

    @vencour wrote:

    I use the same approach ... but I have enabled icmp from any to any zone and after them I have deny all ... as a group.  I expect all is working ... ?


    You mean an ICMP permit rule in the apply-group part just before the deny+log any?

    That doesn't help for zone-relations that I haven't specified. - As with deny+log only, which is expected since it does not matter if you append one or more rules by apply-group.

     

    - Steffen

     



  • 6.  RE: How to log packets that do not match a security policy?

    Posted 06-27-2012 01:52

    What about a global policy which is available in 11.2

     

    groups {
        log_denied_traffic {
            security {
                policies {
                    from-zone <*> to-zone <*> {
                        policy log_denied {
                            match {
                                source-address any;
                                destination-address any;
                                application any;
                            }
                            then {
                                deny;
                                log {
                                    session-init;
                                }
                            }
                        }
                    }
                }
            }
        }
    }

     



  • 7.  RE: How to log packets that do not match a security policy?

    Posted 06-28-2012 03:23

    @MMcD wrote:

    What about a global policy which is available in 11.2

     

    groups {
        log_denied_traffic {
            security {
                policies {
                    from-zone <*> to-zone <*> {
                    [...]

     


    This is exactly my configuration.

     

    But this group applies only to from-zone ... to-zone policies that contain at least one policy.

     

    As mentioned in my posts above, I do not have policies for every possible combination of zones, but traffic can occur between zones that have no matching policy. The SRX will - and should! - drop that traffic, but it is nowhere logged.

     

    And that is what I am asking for: Does anybody know a method to log traffic that is dropped by the SRX because there is no matching from-zone...to-zone policy?

     

    - Steffen

     



  • 8.  RE: How to log packets that do not match a security policy?

    Posted 06-28-2012 07:46
    I am sorry for my mystifying ... I do not see rules if no rules are configured ... as is explained here ... Also if I have some "normal" rules, then apply-groups creates logging for icmp and deny ... and if there is no rule then there are no rules in this direction from-zone to-zone.


  • 9.  RE: How to log packets that do not match a security policy?
    Best Answer

    Posted 06-28-2012 10:46

    Use the Global Policy!!!  I have a firewall with hundreds of zones and most pairings don't have any policies in them.  Works Great.

     

    This policy gets invoked if nothing else matches.

     

    set security policies global policy default-logdrop match source-address any
    set security policies global policy default-logdrop match destination-address any
    set security policies global policy default-logdrop match application any
    set security policies global policy default-logdrop then deny
    set security policies global policy default-logdrop then log session-init


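    To make the lookup order behind the accepted answer concrete, here is a small added model (illustration only, not Juniper code) of how a flow is matched: first against the policies of its from-zone/to-zone context, then against the global policy, and finally against the implicit default deny, which produces no log. The zone names and policy names are constructed for the example; it counts how many zone pairs would be dropped silently with and without a global deny+log policy.

```python
"""Model of SRX policy lookup for zone pairs with and without explicit policies."""
from itertools import permutations

# Constructed sample policies: (from_zone, to_zone, name, action, logged).
# Only two zone pairs have a policy context; the deny+log tail comes from
# an apply-group and therefore only exists where a context already exists.
ZONE_PAIR_POLICIES = [
    ("Zone-A", "Zone-B", "allow-web", "permit", False),
    ("Zone-A", "Zone-B", "log_denied", "deny", True),   # apply-group tail
    ("Zone-B", "Zone-A", "log_denied", "deny", True),   # apply-group tail
]

# Global policy from the accepted answer: deny everything and log session-init.
GLOBAL_POLICY = ("default-logdrop", "deny", True)


def lookup(from_zone, to_zone, zone_pair_policies, global_policy=None):
    """Return (policy_name, action, logged) for an any/any flow.

    Assumed order (matches the thread): zone-pair context first, then the
    global policy, then the implicit default deny that is never logged.
    """
    for fz, tz, name, action, logged in zone_pair_policies:
        if fz == from_zone and tz == to_zone:
            return name, action, logged
    if global_policy is not None:
        return global_policy
    return "default-deny", "deny", False


def silently_dropped(from_zone, to_zone, zone_pair_policies, global_policy=None):
    """True when the flow is denied without any log entry being produced."""
    _, action, logged = lookup(from_zone, to_zone, zone_pair_policies, global_policy)
    return action == "deny" and not logged


def unlogged_zone_pairs(zones, zone_pair_policies, global_policy=None):
    """All ordered zone pairs (n*(n-1) of them) whose traffic is dropped unlogged."""
    return sorted(
        (fz, tz) for fz, tz in permutations(zones, 2)
        if silently_dropped(fz, tz, zone_pair_policies, global_policy)
    )


if __name__ == "__main__":
    zones = ["Zone-%s" % c for c in "ABCDEFGHIJ"]   # 10 zones, 90 ordered pairs
    print(len(unlogged_zone_pairs(zones, ZONE_PAIR_POLICIES)))                 # 88
    print(len(unlogged_zone_pairs(zones, ZONE_PAIR_POLICIES, GLOBAL_POLICY)))  # 0
```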

  • 10.  RE: How to log packets that do not match a security policy?

    Posted 07-01-2012 06:24
    Hello Magraw,
    THANKS!!!

    @Magraw wrote:

    Use the Global Policy!!!  I have a firewall with hundreds of zones and most pairings don't have any policies in them.  Works Great.

     

    This policy gets invoked if nothing else matches.

     

    set security policies global policy default-logdrop match source-address any
    set security policies global policy default-logdrop match destination-address any
    set security policies global policy default-logdrop match application any
    set security policies global policy default-logdrop then deny
    set security policies global policy default-logdrop then log session-init



    You understand my problem and, yes, it is exactly what I was searching for. It works great and saves me a lot of policy coding.

     

    - Steffen