SRX

  • 1.  Traffic monitoring in SRX

    Posted 08-14-2015 09:00

    Hi,

    I am trying to monitor the traffic on our SRX firewall; however, I need to figure out the best way to do this. A lot of our traffic is going through our default "Allow" rule, and I need to filter it to just see this traffic so I can slowly move everything away from using this rule.

    Thanks



  • 2.  RE: Traffic monitoring in SRX

     
    Posted 08-14-2015 17:56

    Hi,

     

    Try this tool; http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Session-Analyzer/td-p/113798

     

    Should give you the information that you need to start defining specific rules for traffic hitting the default allow.

     

    Tim



  • 3.  RE: Traffic monitoring in SRX

     
    Posted 08-14-2015 18:34

    Hello Rakesh ,

     

    For transit traffic through the SRX , Monitoring traffic will not help since its for host inbound traffic . If you need to check a particular traffic , then you need to go for flow traceoptions or policy-match  for checking the policy hit .

    Or  as thynard mentioned , use the session analyser to check the policy hit for major traffic and move them to specific policy than default permit policy  .

     

    If you can give more light on whats the exact requirment on moving this setup from default permit policy , we can help .



  • 4.  RE: Traffic monitoring in SRX

    Posted 08-17-2015 10:01

    Hello,

    I would like to monitor the sessions under a specific policy, so is there any specific command to check this?

    Thanks



  • 5.  RE: Traffic monitoring in SRX

     
    Posted 08-17-2015 12:34

    Hi,

     

    There is no command to output the sessions related to a given policy. However you could do this with a custom slax script or use the srx traffic monitor as mentioned.

     

    Tim



  • 6.  RE: Traffic monitoring in SRX
    Best Answer

     
    Posted 08-17-2015 12:52

    Seems to be a new feature introduced in 12.3X48:

     

    "Enhanced security flow session command for SRX Series devices—Starting with Junos OS Release 12.3X48-D10, the following updates have been made to the show security flow session command:

     

    • A new option, policy-id, allows you to query the flow session table by policy ID."

     

     

    In the meantime, one workaround is to run the command from shell.

     

    i.e. if policy name is "728"

     

    % cli show security flow session | grep -A2 "Policy.*728"

     

    http://forums.juniper.net/t5/SRX-Services-Gateway/how-to-monitor-flows-from-policy-name/m-p/250574/highlight/true#M30902

     

     

     

     

     

    Regards,

    Sam

     

     



  • 7.  RE: Traffic monitoring in SRX

    Posted 08-17-2015 13:56

    In the past I've added the log session-init to the allow-any policy. Send that out to a syslog server so you can sift through the entries more easily.

    Create the policies you need and place them above your allow-any policy. Use the 'show security policies hit-count from-zone x to-zone y' command.

    That will show the newly created policies in action. As you sift through more traffic logs and create more policies, the number of sessions logged on the original allow-any policy should decrease.

    Once you think you've got most of your policies created, do a 'clear security policies hit-count from-zone x to-zone y'.

    Let it run for an arbitrary amount of time and you should see all the newly created policies increment and your allow-any policy at 0 or very few entries, which may be traffic you don't actually want anyway.

    When you feel like you're all done, change that policy to deny all and make sure it's at the bottom. Leave the logging enabled so you can see any traffic that was blocked, in case you need to create a new rule for it later or troubleshoot your changes.
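    The log-sifting step above, as an added example that is not part of the thread: a small Python parser that tallies RT_FLOW_SESSION_CREATE syslog lines by the policy that permitted them, so the session tuples still landing on the catch-all policy can each be turned into a specific policy placed above it. The field order of the legacy (non-structured) RT_FLOW_SESSION_CREATE message and the sample log lines are assumptions constructed for this example.

```python
"""Tally SRX RT_FLOW_SESSION_CREATE syslog lines by the policy that permitted them."""
import re
from collections import Counter

# Assumed field order of the legacy RT_FLOW_SESSION_CREATE message (not taken from the thread):
# src/sport->dst/dport service natsrc/natsport->natdst/natdport src-nat-rule dst-nat-rule
# proto policy from-zone to-zone session-id user(roles) in-interface [newer releases append more]
SESSION_RE = re.compile(
    r"RT_FLOW_SESSION_CREATE: session created "
    r"(?P<src>[^\s/]+)/(?P<sport>\d+)->(?P<dst>[^\s/]+)/(?P<dport>\d+) (?P<service>\S+) "
    r"[^\s/]+/\d+->[^\s/]+/\d+ \S+ \S+ (?P<proto>\d+) (?P<policy>\S+) "
    r"(?P<from_zone>\S+) (?P<to_zone>\S+) (?P<sid>\d+) \S+ (?P<ifc>\S+)"
)

def parse_session(line):
    """Return the named fields of a session-create line, or None for any other log line."""
    m = SESSION_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines, policy):
    """Count distinct (from-zone, to-zone, dst, service, proto/dport) tuples permitted by `policy`.
    Each key is a candidate for its own policy above the catch-all."""
    hits = Counter()
    for line in lines:
        s = parse_session(line)
        if s and s["policy"] == policy:
            hits[(s["from_zone"], s["to_zone"], s["dst"], s["service"], s["proto"] + "/" + s["dport"])] += 1
    return hits

def report(lines, policy):
    """Human-readable summary of summarize(), most frequent tuple first."""
    out = []
    for (fz, tz, dst, svc, pp), n in summarize(lines, policy).most_common():
        out.append(f"{n:5d}  {fz}->{tz}  {dst}  {svc} ({pp})")
    return "\n".join(out)

# Constructed sample log: three sessions on the catch-all "allow-any", one on a specific
# policy "web-out", and a session-close line that the parser must ignore.
SAMPLE_LOG = [
    "Aug 17 13:56:01 fw RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.20/51234->192.0.2.10/443 junos-https 203.0.113.4/20001->192.0.2.10/443 src-nat-rule1 None 6 allow-any trust untrust 1001 N/A(N/A) ge-0/0/0.0",
    "Aug 17 13:56:02 fw RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.21/51300->192.0.2.10/443 junos-https 203.0.113.4/20002->192.0.2.10/443 src-nat-rule1 None 6 allow-any trust untrust 1002 N/A(N/A) ge-0/0/0.0",
    "Aug 17 13:56:03 fw RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.20/40000->198.51.100.7/53 junos-dns-udp 203.0.113.4/20003->198.51.100.7/53 src-nat-rule1 None 17 allow-any trust untrust 1003 N/A(N/A) ge-0/0/0.0",
    "Aug 17 13:56:04 fw RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.22/51400->192.0.2.10/443 junos-https 203.0.113.4/20004->192.0.2.10/443 src-nat-rule1 None 6 web-out trust untrust 1004 N/A(N/A) ge-0/0/0.0",
    "Aug 17 13:56:09 fw RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.20/51234->192.0.2.10/443 junos-https 203.0.113.4/20001->192.0.2.10/443 src-nat-rule1 None 6 allow-any trust untrust 1001 12(1200) 10(900) 8 N/A(N/A) ge-0/0/0.0",
]

if __name__ == "__main__":
    print(report(SAMPLE_LOG, "allow-any"))
```

    Feed it the syslog export and the tuples with high counts are the ones to write explicit policies for; re-run it after each change and watch the allow-any count fall, as the post describes.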



  • 8.  RE: Traffic monitoring in SRX

     
    Posted 08-17-2015 17:14

    Here is an op script that I tested on 12.1X44 if you do not want to use the shell or upgrade to 12.3.

     

     

    version 1.0;
    
    ns junos = "http://xml.juniper.net/junos/*/junos";
    ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
    ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
    
    import "../import/junos.xsl";
    
    var $arguments = {
        <argument> {
            <name> "policy";
            <description> "Specific policy name";
        }
    }
    
    param $policy;
    
    match / {
        <op-script-results> {
            <out> {
                call main;
            }
        }
    }
    
    template main
    {
        var $flowrpc = <get-flow-session-information>;
        var $conn = jcs:open();
        var $flowout = jcs:execute($conn, $flowrpc);
    
        for-each ($flowout/flow-session) {
             var $polName = substring-before(policy, "/");
             if ($policy == $polName) {
                 var $out = jcs:printf("Session ID: %s, Policy name: %s, Timeout: %s, %s",
                                  session-identifier, policy, timeout, sess-state);
                 expr jcs:output($out);
                 for-each (flow-information) {
                     var $infoout = jcs:printf("   %s: %s/%s --> %s/%s;%s, if: %s, Pkts: %s, Bytes: %s",
                                  direction, source-address, source-port, destination-address,
                                  destination-port, protocol, interface-name, pkt-cnt, byte-cnt);
                     expr jcs:output($infoout);
                 }
                 expr jcs:output("\n");
             }
        }
    
        expr jcs:close($conn);
    }

    Output is identical to the standard 'show security flow session', and it will accept an argument with the policy name.

    Tim