SRX Services Gateway
Visitor
Annemiek
Posts: 1
Registered: 08-12-2010

SRX firewall logging default-deny rule

Hi Guys,

I am wondering how to log all the traffic matching the default-deny rule on the SRX firewall. I can make this rule myself, but I have to do it between every security zone. Is there an easier way to achieve this?

Of course I read some KB articles from Juniper, but no answer to my question yet. Any help would be appreciated!

tnx,

Annemiek

Trusted Contributor
SomeITGuy
Posts: 330
Registered: 01-08-2010

Re: SRX firewall logging default-deny rule

You have to add your own drop rule with logging at the bottom of your rule list.

FYI, unless you are streaming your logs to an external syslog server, logging all of the drops will likely fill local storage and kill your box.

Distinguished Expert
rkim
Posts: 755
Registered: 11-06-2007

Re: SRX firewall logging default-deny rule

I agree with SomeITGuy. You cannot log the default policy. You would need to configure a policy specifically to log deny traffic. External syslog for such logging is wise, especially if you expect lots of traffic hitting the deny policies. The system can handle only so many logs, as flash space is finite.

-Richard

Contributor
bfranklin
Posts: 15
Registered: 05-17-2012

Re: SRX firewall logging default-deny rule

You need to create a new global policy and log it. Set up a syslog local file to match the policy name.

You could try a template for each zone/zone pair, but I found an issue with this, namely that any new policies added would be ignored due to the deny-all rule being the last sequence number. The global deny-all would solve this.


http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&act=RATE&newguid=02480225f6526c101407...


Trusted Contributor
scottdware
Posts: 439
Registered: 11-16-2010

Re: SRX firewall logging default-deny rule

This is what we do for our "deny-all" at the end of every policy:

set groups deny-all security policies from-zone <*> to-zone <*> policy 666 match source-address any
set groups deny-all security policies from-zone <*> to-zone <*> policy 666 match destination-address any
set groups deny-all security policies from-zone <*> to-zone <*> policy 666 match application any
set groups deny-all security policies from-zone <*> to-zone <*> policy 666 then deny
set groups deny-all security policies from-zone <*> to-zone <*> policy 666 then log session-init
set groups deny-all security policies from-zone <*> to-zone <*> policy 666 then log session-close
set apply-groups deny-all

This will dynamically add a deny-all rule to the end of each policy and then log it. No need to manually place a rule at the end of each one anymore :)
Scott Ware
Network Security Engineer
Juniper Ambassador
JNCIA-Junos
Twitter: @scottdware
Skype: scottdware
scottdware@gmail.com

"Do or do not. There is no try." - Yoda
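As an added example (not posted by anyone in this thread), here is the global-policy variant bfranklin describes, combined with the external syslog that SomeITGuy and rkim recommend so that a flood of denies cannot fill flash. The policy name, syslog file name, archive sizes and the two addresses are assumptions.

```junos
# Added example, not from this thread. Policy name, file name and addresses
# are assumptions; adjust to your environment.

# Global policies are evaluated after every zone-pair policy and before the
# implicit default-deny, so one global rule catches whatever falls through
# without a deny rule in each from-zone/to-zone pair.
set security policies global policy log-deny-all match source-address any
set security policies global policy log-deny-all match destination-address any
set security policies global policy log-deny-all match application any
set security policies global policy log-deny-all then deny
# session-init is enough for a deny policy: no session is ever created, so
# session-close would never fire. Each hit is an RT_FLOW_SESSION_DENY event.
set security policies global policy log-deny-all then log session-init

# Option A: local file filtered on the policy name, with a bounded archive so
# heavy deny traffic cannot exhaust local storage.
set system syslog file deny-traffic any any
set system syslog file deny-traffic match "RT_FLOW_SESSION_DENY.*log-deny-all"
set system syslog file deny-traffic archive size 1m files 5

# Option B: stream security logs from the data plane directly to an external
# collector (assumed: 192.0.2.10 is the SRX source, 192.0.2.20 the collector).
# In stream mode the security logs bypass the local syslog file above.
set security log mode stream
set security log format syslog
set security log source-address 192.0.2.10
set security log stream deny-collector host 192.0.2.20
```

Pick one of the two options: stream mode is the one to use on a busy firewall, since the local file only makes sense for low deny volumes.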