SRX
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Traffic Logging: I can see everything but denied traffic

    Posted 12-07-2015 13:12

    After referring to http://kb.juniper.net/InfoCenter/index?page=content&id=KB16509&actp=search

    I am still not seeing traffic that is denied. I'm guessing I am missing something in the security policy itself?

    Here is what I have as an example ... am I missing something?


    from-zone untrust to-zone test {
        policy 33 {
            match {
                source-address [ test_Users testFixInternal ];
                destination-address testSecuredNet;
                application any;
            }
            then {
                permit;
                log {
                    session-init;
                }
            }
        }
    }


    I have the following (under syslog), but I am only able to see traffic-log, not blocked-traffic:


    file blocked-traffic {
        any any;
        match RT_FLOW_SESSION_DENY;
    }
    file traffic-log { any any; match RT_FLOW_SESSION; }

    show log traffic-log (shows tons)

    show log blocked-traffic (shows nothing)

    show log traffic-log | match DENY (shows nothing)

     



  • 2.  RE: Traffic Logging: I can see everything but denied traffic

    Posted 12-07-2015 18:18

    Try making a global deny policy and add logging to it. Global rules will capture any traffic from all zones, like "from-zone * to-zone *":


    set security policies global policy DENY-ALL match source-address any
    set security policies global policy DENY-ALL match destination-address any
    set security policies global policy DENY-ALL match application any
    set security policies global policy DENY-ALL then deny
    set security policies global policy DENY-ALL then log session-init

     



  • 3.  RE: Traffic Logging: I can see everything but denied traffic

    Posted 12-08-2015 07:11

    Wow... Ok... that of course explains everything thank you.

     

    Here is my pickle, I guess ... all of our security policies are permits, so global may be the way I need to go on this, unless there is an "else" statement after logging "permits", but I'm guessing no.

    So global seems like the way to go, only it's a bit scary to the inexperienced (which is me). The security policy you suggest is a bit intimidating; isn't it globally denying everything despite all the other permits? ... or is global sort of a last-resort policy ... like an ACL?



  • 4.  RE: Traffic Logging: I can see everything but denied traffic

    Posted 12-08-2015 21:48
    jabbyjim,

    SRX first looks at the zone-based policy. If no match is found, it looks for a global policy with zones specified; if there is no match there either, it goes to the global policy without zones.

    So below is the matching priority:
    1. zone-based
    2. global with zone
    3. global without zone

    -IE
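    The lookup order described in this reply, and the worry in the previous post that a global DENY-ALL would override existing permits, can be checked with a small model. The following is an added example written for this thread, not code from Juniper or from any poster: it is a simplified simulation of SRX policy evaluation (zone-based first, then global with zones, then global without zones, then the implicit default deny), using the policy 33 from the original post and the DENY-ALL global policy from reply 2. Assumptions: addresses are already resolved to address-book object names, policies within each tier are tried in configuration order, and a logged permit produces RT_FLOW_SESSION_CREATE while a logged deny produces RT_FLOW_SESSION_DENY; the implicit default deny writes no log.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Policy:
    name: str
    action: str                       # "permit" or "deny"
    log: bool = False                 # True when "then log session-init" is configured
    from_zone: Optional[str] = None   # None: no zone given (global policy without zones)
    to_zone: Optional[str] = None
    source: Tuple[str, ...] = ("any",)
    destination: Tuple[str, ...] = ("any",)
    application: Tuple[str, ...] = ("any",)

@dataclass
class Flow:
    from_zone: str
    to_zone: str
    source: str        # address-book object the source IP resolved to (assumption: pre-resolved)
    destination: str
    application: str

def _in(values: Tuple[str, ...], item: str) -> bool:
    return "any" in values or item in values

def matches(p: Policy, f: Flow) -> bool:
    """A policy matches when every match condition (zones, addresses, application) fits the flow."""
    return (
        p.from_zone in (None, f.from_zone)
        and p.to_zone in (None, f.to_zone)
        and _in(p.source, f.source)
        and _in(p.destination, f.destination)
        and _in(p.application, f.application)
    )

def lookup(zone_policies: List[Policy], global_policies: List[Policy], flow: Flow):
    """Return (policy_name, action, syslog_tag_or_None) using the priority given in the reply:
    1. zone-based policies for exactly this zone pair
    2. global policies that name a zone
    3. global policies without zones
    4. implicit default deny, which produces no RT_FLOW log at all
    """
    candidates = (
        [p for p in zone_policies if p.from_zone == flow.from_zone and p.to_zone == flow.to_zone]
        + [p for p in global_policies if p.from_zone is not None or p.to_zone is not None]
        + [p for p in global_policies if p.from_zone is None and p.to_zone is None]
    )
    for p in candidates:
        if matches(p, flow):
            if not p.log:
                tag = None
            elif p.action == "permit":
                tag = "RT_FLOW_SESSION_CREATE"
            else:
                tag = "RT_FLOW_SESSION_DENY"
            return p.name, p.action, tag
    return "default-deny", "deny", None

# Policy 33 from the original post (zone-based permit with session-init logging).
ZONE_POLICIES = [
    Policy("33", "permit", log=True, from_zone="untrust", to_zone="test",
           source=("test_Users", "testFixInternal"), destination=("testSecuredNet",)),
]
# DENY-ALL global policy from reply 2 (deny with session-init logging, no zones).
GLOBAL_POLICIES = [Policy("DENY-ALL", "deny", log=True)]

if __name__ == "__main__":
    allowed = Flow("untrust", "test", "test_Users", "testSecuredNet", "junos-https")
    stranger = Flow("untrust", "test", "Guest_Net", "testSecuredNet", "junos-https")
    print(lookup(ZONE_POLICIES, GLOBAL_POLICIES, allowed))   # policy 33 still permits
    print(lookup(ZONE_POLICIES, GLOBAL_POLICIES, stranger))  # DENY-ALL denies and logs
    print(lookup(ZONE_POLICIES, [], stranger))               # default deny, nothing logged
```

    The second and third calls show the difference the global policy makes: without it, traffic that matches no zone policy is silently dropped by the implicit default deny, which is why the original blocked-traffic file stayed empty.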


  • 5.  RE: Traffic Logging: I can see everything but denied traffic

    Posted 12-09-2015 06:10

    That's pretty awesome actually... and makes total sense. Thank you so much for the help!



  • 6.  RE: Traffic Logging: I can see everything but denied traffic
    Best Answer

    Posted 12-07-2015 22:03
     
    jabbyjim,
     
    For the DENY logs to get generated, the traffic should hit a policy with action deny. Otherwise "RT_FLOW_SESSION_DENY" won't get generated.

    from-zone trust to-zone Internet {
        policy tr-To-Internet-AppBlock-super-1449041678780 {
            description "Rule created by Application block action. Blocked applications [FACEBOOK-ACCESS] for users [any]";
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-init;
                }
            }
        }
    }

    show log blockedTraffic
    Dec 8 06:02:39 VSRX110 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 11.1.1.2/56552->216.58.220.46/24109 icmp 1(8) tr-To-Internet-AppBlock-super-1449041678780 trust Internet UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN policy deny
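    Once RT_FLOW_SESSION_DENY lines start appearing in the blocked-traffic file, the next step is usually to summarise them (which policy is denying, from which sources). The following is an added example, not code from the thread or from Juniper: a parser for the deny line in the format shown above. The field layout and the field names (service, protocol id, policy, zones, interface, reason) are an assumption taken from the single sample line on this page; the extra log lines are constructed for the example and use documentation address ranges.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Field layout inferred from the sample RT_FLOW_SESSION_DENY line in the thread (assumption).
DENY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) RT_FLOW: RT_FLOW_SESSION_DENY: "
    r"session denied (?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\((?P<icmp_type>\d+)\) (?P<policy>\S+) "
    r"(?P<from_zone>\S+) (?P<to_zone>\S+) (?P<app>\S+) (?P<nested_app>\S+) "
    r"(?P<user>\S+) (?P<iface>\S+) (?P<encrypted>\S+) (?P<reason>.+)$"
)

# Constructed sample log: the first line is the one posted in the thread, the others are made up
# (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges). The SESSION_CREATE line is
# deliberately abbreviated; the parser must skip anything that is not a deny record.
SAMPLE_LOG = """\
Dec 8 06:02:39 VSRX110 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 11.1.1.2/56552->216.58.220.46/24109 icmp 1(8) tr-To-Internet-AppBlock-super-1449041678780 trust Internet UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN policy deny
Dec 8 06:02:41 VSRX110 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.0.2.10/51000->198.51.100.5/22 junos-ssh 6(0) DENY-ALL untrust test UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Dec 8 06:02:44 VSRX110 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.0.2.11/40000->198.51.100.7/443 junos-https ...
Dec 8 06:02:45 VSRX110 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.0.2.10/51001->198.51.100.5/23 junos-telnet 6(0) DENY-ALL untrust test UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
"""

def parse_deny(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one RT_FLOW_SESSION_DENY line, or None for any other line."""
    m = DENY_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text: str) -> Dict[str, object]:
    """Count deny records per policy, per source address and per zone pair.

    Records that do not parse are counted separately so a format change is noticed
    rather than silently dropping lines.
    """
    by_policy: Counter = Counter()
    by_source: Counter = Counter()
    by_zone_pair: Counter = Counter()
    total = 0
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_deny(line)
        if rec is None:
            skipped += 1
            continue
        total += 1
        by_policy[rec["policy"]] += 1
        by_source[rec["src"]] += 1
        by_zone_pair[f'{rec["from_zone"]}->{rec["to_zone"]}'] += 1
    return {
        "total": total,
        "skipped": skipped,
        "by_policy": dict(by_policy),
        "by_source": dict(by_source),
        "by_zone_pair": dict(by_zone_pair),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Because the regex is anchored and every field is named, a line that does not fit the expected layout ends up in the skipped count instead of producing a half-parsed record; that is the check to watch when the log format differs between Junos releases.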