SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Web filter logging

  • 1.  Web filter logging

    Posted 06-16-2010 22:05

    My question is this: the show security utm web-filtering statistics command gives an aggregate view of the web filter hits. Is it possible to see the source address that hit the blacklist and track where an internal user is going and for how long?



  • 2.  RE: Web filter logging

    Posted 06-20-2010 06:01
    This should show in your logs, assuming your messages log is set to a low enough level. I believe you need to set it to info level or lower to see UTM logs. Duration should not matter, since it is assumed that the HTTP GET was blocked by WF.

    -Richard


  • 3.  RE: Web filter logging

    Posted 06-21-2010 14:26

    This is how my SRX is set up to log blocked HTTP traffic.

    set system syslog file web-filter-deny any any
    set system syslog file web-filter-deny match WEBFILTER_URL_BLOCKED

    set security policies from-zone trust to-zone untrust policy web-filter match source-address lan
    set security policies from-zone trust to-zone untrust policy web-filter match destination-address any
    set security policies from-zone trust to-zone untrust policy web-filter match application junos-http
    set security policies from-zone trust to-zone untrust policy web-filter match application junos-https
    set security policies from-zone trust to-zone untrust policy web-filter then permit application-services utm-policy web-filter
    set security policies from-zone trust to-zone untrust policy web-filter then log session-init
    set security policies from-zone trust to-zone untrust policy web-filter then log session-close

    Once you have your policy and your messages file set, use the following command to view the log:

    run show log web-filter-deny

    Also use pipe commands such as | last 50 (or whatever) to narrow the search.

     



  • 4.  RE: Web filter logging

    Posted 06-23-2010 06:12

    That works, thanks a ton.



  • 5.  RE: Web filter logging

    Posted 06-23-2010 06:17

    Are you using the Enterprise Software license for web filtering, AV, AS, etc.?



  • 6.  RE: Web filter logging

    Posted 06-23-2010 06:47

    The web filter logging should work without logging session-init and session-close; it does on mine at least.



  • 7.  RE: Web filter logging

    Posted 06-23-2010 09:00

    What output are you getting? My customer wants source and destination IP plus URL and duration.



  • 8.  RE: Web filter logging

    Posted 06-23-2010 11:09

    Here is a sample of the log entry:

    Jun 23 14:02:19  firewall utmd[1038]: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" XX.XX.XX.XX(51916)->194.71.107.15(80) CATEGORY="Remote_Proxies" REASON="by predefined category" PROFILE="surf-control" URL=thepiratebay.com OBJ=/favicon.ico

    It doesn't have the duration, but it does have everything else. Here is my configuration:


    set system syslog file web-filter-deny any any
    set system syslog file web-filter-deny match WEBFILTER_URL_BLOCKED
    set system syslog file web-filter-deny archive size 1m
    set system syslog file web-filter-deny archive files 1



  • 9.  RE: Web filter logging
    Best Answer

    Posted 06-24-2010 10:48

    Thanks a bunch, this is essentially what I was looking for



  • 10.  RE: Web filter logging

    Posted 07-30-2010 08:13

    Sorry if the question I am about to ask is off topic.

    Forgive me, but I am new to the Juniper SRX series.

    I just need an SRX (an SRX650 running JUNOS 9.5) to log URL traffic.

    Do I still need a subscription to SurfControl or Websense for that?

    After looking through KB15694 and following the obvious troubleshooting paths, I am unsure if it is possible.

    Based on what BenR provided, what would I change to just log the traffic so that I can get the URL and OBJ info?

    @BenR wrote:

    Here is a sample of the log entry:

    Jun 23 14:02:19  firewall utmd[1038]: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" XX.XX.XX.XX(51916)->194.71.107.15(80) CATEGORY="Remote_Proxies" REASON="by predefined category" PROFILE="surf-control" URL=thepiratebay.com OBJ=/favicon.ico

    set system syslog file web-filter-deny any any
    set system syslog file web-filter-deny match WEBFILTER_URL_BLOCKED
    set system syslog file web-filter-deny archive size 1m
    set system syslog file web-filter-deny archive files 1

    I would assume that I would just change WEBFILTER_URL_BLOCKED to WEBFILTER_URL_LOGGED and web-filter-deny to web-filter-log, or something like that.

    Any good resources in general for JUNOS would be greatly appreciated.

    Thanks in advance.



  • 11.  RE: Web filter logging

    Posted 07-30-2010 08:45

    Two critical recommendations:

    1. You should be running 10.0R3, the current recommended release, and have repartitioned to the new 10.x dual-root partition configuration; this significantly increases the partition size available for local logging.

    2. NEVER use "any any" for normal day-to-day logging locally; use "any info". "any any" should be reserved for debugging only.

    You need to know that the file size limit on local logging is only enforced every 15 minutes. Local logging is a high risk for any environment with high amounts of traffic that will generate lots of logs. The only SAFE logging option on an SRX right now for an environment with lots of traffic logging is to use the syslog streaming options to log directly to an external syslog server.
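The logging layout this post recommends, written out as an added example (it is not configuration from anyone in this thread): the local file carries only the WEBFILTER messages at severity info instead of "any any" and is kept small by the archive settings, the same messages go by system syslog to an external collector, and the session logs produced by the policy's "log session-init" / "log session-close" are streamed straight from the data plane to that collector instead of being written to the local disk. The collector address 192.0.2.10, the firewall's source address 10.0.0.1, the file name web-filter, the stream name collector and the archive sizes are assumptions for illustration; the match regex is quoted because it contains parentheses.

```junos
set system syslog file web-filter any info
set system syslog file web-filter match "WEBFILTER_URL_(BLOCKED|PERMITTED)"
set system syslog file web-filter archive size 1m
set system syslog file web-filter archive files 3

set system syslog host 192.0.2.10 any info
set system syslog host 192.0.2.10 match "WEBFILTER_URL_(BLOCKED|PERMITTED)"
set system syslog host 192.0.2.10 source-address 10.0.0.1

set security log mode stream
set security log format sd-syslog
set security log source-address 10.0.0.1
set security log stream collector host 192.0.2.10
```

On a branch SRX such as the SRX650 the WEBFILTER_URL_* messages are generated by utmd on the routing engine and travel through system syslog, which is why both the local file and the remote host carry the match; the security log stream stanza only carries the RT_FLOW session logs. Once the host entries are committed, the local file is a convenience for "show log", not the record of what users were doing.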

     



  • 12.  RE: Web filter logging

    Posted 07-30-2010 09:30

    Thanks for the quick reply.

    I will look into whether or not the client wants to upgrade to the 10.0R3 release after looking at the errata.

    I noticed a couple of threads complaining about lockups on the SRX650 series due to broadcasts.

    I assume all I have to do on the 10.x releases is set up a default profile for local web filtering with a default rule of LOG and PERMIT.

     

    Once again, thanks for your help.



  • 13.  RE: Web filter logging

    Posted 08-25-2010 17:22

    Does anyone know what facility needs to be logged in order to receive logs from the web filter? According to the syslog reference guide, I would need to log the LOG_FIREWALL facility, which is currently at "firewall info" on my box. Yet nothing shows up for allowed or blocked sites.

     

    Thanks,

     

    mawr



  • 14.  RE: Web filter logging

    Posted 11-05-2010 14:35

    I discovered today that the STRM appliance can use the SRX log to make a friendly report, including top blocked URLs, for example.

    See attached snapshot.

     



  • 15.  RE: Web filter logging

    Posted 07-26-2011 09:05

    By parsing the raw event logs via "custom event properties", getting most of the stats you could expect from web filter logging is very simple with STRM+SRX. The attachments demonstrate the web activity logging from the point of view of both blocking and permitting modes.
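An added example, not from any poster in this thread, that does offline what BenR's log line (post 8) and the STRM custom event properties (post 15) give you on the box. It parses WEBFILTER_URL_BLOCKED and WEBFILTER_URL_PERMITTED lines out of a messages or web-filter log file, ignores everything else (a session log line is included to show that), and builds per-source blocked and permitted URL counts, the top-blocked-URL list, and the first-to-last hit window per source, which is the nearest thing to the "how long" asked in post 1 since the log itself carries no duration. The sample log is constructed (private source addresses replace the XX.XX.XX.XX of the original); it assumes the permitted message uses the same field layout as the blocked one, and since syslog timestamps carry no year, one is supplied as a parameter.

```python
"""Parse SRX utmd WEBFILTER_URL_* syslog lines and summarise per-source web activity.

Added example for this thread; field layout follows the WEBFILTER_URL_BLOCKED line
posted above, and the WEBFILTER_URL_PERMITTED layout is assumed to be the same.
"""
import re
from collections import Counter
from datetime import datetime

# The message body is searched for rather than anchored at column 0, because a
# remote syslog relay may prepend a PRI or rewrite the timestamp/host prefix.
_TS_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})')
_MSG_RE = re.compile(
    r'(?P<msg>WEBFILTER_URL_(?:BLOCKED|PERMITTED)):\s+WebFilter:\s+'
    r'ACTION="(?P<action>[^"]*)"\s+'
    r'(?P<src>[^\s(]+)\((?P<sport>\d+)\)->(?P<dst>[^\s(]+)\((?P<dport>\d+)\)\s+'
    r'CATEGORY="(?P<category>[^"]*)"\s+REASON="(?P<reason>[^"]*)"\s+'
    r'PROFILE="(?P<profile>[^"]*)"\s+URL=(?P<url>\S+)\s+OBJ=(?P<obj>\S*)'
)

# Constructed sample: two internal hosts, one RT_FLOW session line (abbreviated) that
# the parser must skip, and one permitted hit. 194.71.107.15 is from the original post.
SAMPLE_LOG = """\
Jun 23 14:02:19  firewall utmd[1038]: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 10.0.0.5(51916)->194.71.107.15(80) CATEGORY="Remote_Proxies" REASON="by predefined category" PROFILE="surf-control" URL=thepiratebay.com OBJ=/favicon.ico
Jun 23 14:02:19  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.5/51917->93.184.216.34/80 junos-http ...
Jun 23 14:05:41  firewall utmd[1038]: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 10.0.0.5(51917)->93.184.216.34(80) CATEGORY="Search_Engines" REASON="by predefined category" PROFILE="surf-control" URL=www.example.com OBJ=/
Jun 23 14:17:03  firewall utmd[1038]: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 10.0.0.5(51920)->194.71.107.15(80) CATEGORY="Remote_Proxies" REASON="by predefined category" PROFILE="surf-control" URL=thepiratebay.com OBJ=/index.html
Jun 23 14:20:55  firewall utmd[1038]: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 10.0.0.7(40012)->198.51.100.9(80) CATEGORY="Gambling" REASON="by predefined category" PROFILE="surf-control" URL=bet.example.net OBJ=/
"""


def parse_line(line, year=2010):
    """Return a dict for a WEBFILTER_URL_BLOCKED/PERMITTED line, or None for anything else."""
    m = _MSG_RE.search(line)
    if not m:
        return None  # RT_FLOW session logs and other messages are not web-filter events
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    ev["blocked"] = ev["msg"] == "WEBFILTER_URL_BLOCKED"
    ts = _TS_RE.match(line)
    # Syslog timestamps have no year; the caller supplies one (assumption: 2010 by default).
    ev["time"] = datetime.strptime(f"{year} {ts.group('ts')}", "%Y %b %d %H:%M:%S") if ts else None
    return ev


def parse_log(text, year=2010):
    """Parse a whole log file's text into a list of web-filter events, in file order."""
    return [ev for ev in (parse_line(line, year) for line in text.splitlines()) if ev]


def per_source_report(events):
    """src -> {"blocked": Counter(url), "permitted": Counter(url), "first": dt, "last": dt}."""
    report = {}
    for ev in events:
        r = report.setdefault(ev["src"], {"blocked": Counter(), "permitted": Counter(),
                                          "first": None, "last": None})
        r["blocked" if ev["blocked"] else "permitted"][ev["url"]] += 1
        t = ev["time"]
        if t is not None:
            r["first"] = t if r["first"] is None or t < r["first"] else r["first"]
            r["last"] = t if r["last"] is None or t > r["last"] else r["last"]
    return report


def top_blocked(events, n=5):
    """Top-N blocked URLs across all sources, the 'top blocked URL' report from the thread."""
    return Counter(ev["url"] for ev in events if ev["blocked"]).most_common(n)


def activity_minutes(report, src):
    """Minutes between a source's first and last web-filter hit (0.0 for a single hit)."""
    r = report[src]
    if r["first"] is None or r["last"] is None:
        return 0.0
    return (r["last"] - r["first"]).total_seconds() / 60.0


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    report = per_source_report(events)
    for src, r in sorted(report.items()):
        print(f"{src}: blocked={dict(r['blocked'])} permitted={dict(r['permitted'])} "
              f"active {r['first']:%H:%M}-{r['last']:%H:%M} "
              f"({activity_minutes(report, src):.0f} min)")
    print("top blocked:", top_blocked(events))
```

To run it against a real box, replace SAMPLE_LOG with the text of the file written by the syslog stanza above (e.g. the output of "show log web-filter-deny"), or with the collector's copy if the messages are streamed off the device. The window reported per source is only the span between its first and last filter hits; the SRX does not log how long a user stayed on a page, which is the limitation post 8 points out.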



  • 16.  RE: Web filter logging

    Posted 07-28-2011 22:26

    Hi Guy,

    Do you know how to do the same thing on NSM 2011.1? Now we have four SRX boxes for the AP, EU, LA and NA regions. But at the moment we can only see the blocked sites log on NSM under My Reports... Can we also see the permitted URLs in a permitted URL report?

    Thanks for any ideas about it.