SRX Services Gateway
Contributor
joshuasanders
Posts: 71
Registered: 05-03-2010

traffic flow visibility

I walked in this morning and discovered my Internet connection was peaked via SMTP monitoring on my border router. We have a Packeteer device monitoring all traffic behind my SRX240 and nothing was generating this amount of traffic. The only thing that could have was my SRX240 and my Cisco 2800 border router. How can I gain some visibility over the traffic exiting my SRX240 to verify if it was causing the large amount of traffic? The traffic has stopped at this point but was going on for approx. 10 minutes.

-J


Distinguished Expert
MMcD
Posts: 623
Registered: 07-20-2010

Re: traffic flow visibility

Probably just set up some logging on your policies. For instance, if you think the traffic is coming from trust to untrust then log on this policy, etc.

Have a read here:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB10112&smlogin=true


MMcD [JNCIP-SEC, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
joshuasanders
Posts: 71
Registered: 05-03-2010

Re: traffic flow visibility

That's just it. It wouldn't be coming from the Trust to Untrust. Everything on the trust zone passes through a packet shaper that gives me total visibility over the traffic. Nothing from the trust side was generating that traffic. It was either coming from the SRX or my border router. I just need to eliminate the SRX from the mystery.

-J

Distinguished Expert
MMcD
Posts: 623
Registered: 07-20-2010

Re: traffic flow visibility

Hi there. So you could use an output traffic filter on the loopback interface with the log option. Output filters applied to the loopback interface, lo0, affect only outbound traffic sent from the Routing Engine.

http://www.juniper.net/techpubs/software/junos/junos94/swconfig-policy/example-configuring-a-simple-...

http://www.juniper.net/techpubs/software/junos/junos94/swconfig-policy/applying-firewall-filters-to-...

MMcD [JNCIP-SEC, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
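The two suggestions in this thread (logging on a security policy, and an output filter on lo0 with a log action to catch traffic the Routing Engine itself originates) written out as one Junos configuration. This is an added illustration, not configuration from either poster or from the linked Juniper documents; the policy name permit-out, the syslog file name traffic-log, the filter name RE-OUT and the counter names are assumed, and the SMTP term only exists because the original question was about an SMTP spike.

```junos
## Added example (not from the thread): names below are assumed.

## 1. Session logging on the policy that carries the suspect traffic.
##    session-close records carry byte counts, which is what identifies
##    a volume spike; session-init alone only tells you a flow started.
set security policies from-zone trust to-zone untrust policy permit-out match source-address any
set security policies from-zone trust to-zone untrust policy permit-out match destination-address any
set security policies from-zone trust to-zone untrust policy permit-out match application any
set security policies from-zone trust to-zone untrust policy permit-out then permit
set security policies from-zone trust to-zone untrust policy permit-out then log session-init
set security policies from-zone trust to-zone untrust policy permit-out then log session-close

## Keep the RT_FLOW session records in a local file on a branch SRX.
set security log mode event
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION

## 2. Output filter on lo0: only traffic sourced by the Routing Engine
##    passes through it, so its counters answer "is the SRX itself
##    sending this?" without any host behind the box muddying the numbers.
##    Only the SMTP term logs packet headers; the catch-all term counts
##    and accepts so routing/management traffic is not discarded by the
##    implicit discard at the end of every Junos filter.
set firewall family inet filter RE-OUT term smtp from protocol tcp
set firewall family inet filter RE-OUT term smtp from destination-port 25
set firewall family inet filter RE-OUT term smtp then count re-out-smtp
set firewall family inet filter RE-OUT term smtp then log
set firewall family inet filter RE-OUT term smtp then accept
set firewall family inet filter RE-OUT term rest then count re-out-other
set firewall family inet filter RE-OUT term rest then accept
set interfaces lo0 unit 0 family inet filter output RE-OUT
```

After committing, `show firewall filter RE-OUT` gives the per-term packet and byte counters, `show firewall log` shows the header records from the `log` action, and `show log traffic-log` holds the policy session records; `clear firewall filter RE-OUT` zeroes the counters before the next measurement window. If the re-out-smtp counter stays flat while the border router still reports the spike, the SRX is out of the picture and the router is the next place to look.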
Distinguished Expert
dfex
Posts: 642
Registered: 04-17-2008

Re: traffic flow visibility

Are you using any UTM email features (anti-spam etc.)?

I ran across a problem a while back (Junos 9.6 from memory) where the SRX URL black-listing was causing a big spike in traffic because it wasn't closing connections properly between the client, the UTM proxy process, and the destination server, which caused a long stream of FIN/ACK and ACKs between the client and the far-end server.

Ben Dale
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.