SRX Services Gateway
Contributor
Posts: 24
Registered: ‎02-22-2017
0 Kudos

SRX Inbound Internet Deny Logging

Hello,

I am trying to get inbound internet traffic on a specific port to log and view the source IP as I am troubleshooting. I have tried junos-host as a destination as well as my internal VLANs as I am at a loss of how to get this logged. I have other security policy logging enabled on other ports that is working successfully but this is for a NAT'd port and address.

Please let me know if there is anything I can post here to assist in a working config. Please note that I do not have access via the CLI; just the J-Web CLI interface and the GUI.

Can't believe this is so hard to find information on - I did find the junos-host as a destination for logging but for some reason the traffic is not showing up.

Thanks

Trusted Contributor
Posts: 87
Registered: ‎07-19-2016
0 Kudos

Re: SRX Inbound Internet Deny Logging

Hi,

Is this "inbound" traffic to the box or through the box?

Regards,

Anand

Distinguished Expert
Posts: 1,861
Registered: ‎06-06-2011
0 Kudos

Re: SRX Inbound Internet Deny Logging

Try this:

#set forwarding-options packet-capture file filename pcap-pkt-capture

#set forwarding-options packet-capture maximum-capture-size 1400

#set firewall filter pcap-debug term pcap-src from source-address <prefix/length>

#set firewall filter pcap-debug term pcap-src then sample

#set firewall filter pcap-debug term pcap-src then accept

#set firewall filter pcap-debug term pcap-dst from destination-address <prefix/length>

#set firewall filter pcap-debug term pcap-dst then sample

#set firewall filter pcap-debug term pcap-dst then accept

#set firewall filter pcap-debug term accept-all then accept

#set interfaces ge-0/0/X unit 0 family inet filter input pcap-debug <====your interface


#set interfaces ge-0/0/X unit 0 family inet filter output pcap-debug

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Contributor
Posts: 24
Registered: ‎02-22-2017
0 Kudos

Re: SRX Inbound Internet Deny Logging

Is there a way to do this through the GUI?

Contributor
Posts: 24
Registered: ‎02-22-2017
0 Kudos

Re: SRX Inbound Internet Deny Logging

To the box

Distinguished Expert
Posts: 1,861
Registered: ‎06-06-2011
0 Kudos

Re: SRX Inbound Internet Deny Logging

Very likely. But that would mean someone would have to write out the step-by-step GUI process. It would be far easier for you to modify the shown config to your liking, access the CLI and "load merge terminal", paste it in, then CTRL^D, then commit check to verify correct syntax, then commit. You can deactivate it when you are done.

Distinguished Expert
Posts: 4,937
Registered: ‎03-30-2009
0 Kudos

Re: SRX Inbound Internet Deny Logging

For deny rules you need to select the log on session initiation option to get the log.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
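
The session-initiation logging described in the last reply, written out as Junos set commands. This is an added example, not configuration posted by anyone in the thread. The zone name `untrust`, the policy name `log-deny-inbound`, the application name `troubleshoot-port`, the log file name `traffic-log` and the `<port>` placeholder are assumptions to adapt.

```junos
# Custom application for the port under investigation (placeholder port).
set applications application troubleshoot-port protocol tcp destination-port <port>

# Deny rule for traffic addressed to the SRX itself, logged at session initiation.
set security policies from-zone untrust to-zone junos-host policy log-deny-inbound match source-address any
set security policies from-zone untrust to-zone junos-host policy log-deny-inbound match destination-address any
set security policies from-zone untrust to-zone junos-host policy log-deny-inbound match application troubleshoot-port
set security policies from-zone untrust to-zone junos-host policy log-deny-inbound then deny
set security policies from-zone untrust to-zone junos-host policy log-deny-inbound then log session-init

# Write flow logs to a local file so they can be read on the box.
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION

# Operational mode, after commit:
#   show log traffic-log | match RT_FLOW_SESSION_DENY
```

Denied attempts are written as RT_FLOW_SESSION_DENY entries that include the source address and port. `then log session-close` on its own records nothing for a deny rule, because a denied packet never creates a session that could later close.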