Screen OS

  • 1.  Best Practices - SSG5 setup and logging

    Posted 05-01-2011 06:03

    I am pretty new to the SSG series and Juniper in general, but I have set up an SSG5 and it now works with NAT and firewall rules. But I am looking for some best practice setup, which I have not found yet.

    More specifically, I wonder about the logging part. As I understand it, the SSG itself doesn't have much memory, so I need a syslog server, if I am right? But in my mind, I should be able to see at least the latest traffic log, but I am not sure how to set it up.

    For example: in the policy from Untrust to Trust, I have created rules to allow incoming HTTP/SMTP etc. And then the last rule I have created is set to block everything. But I don't see anything of the traffic that is being blocked, I only see the traffic that is allowed. I guess I should be seeing at least some incoming junk traffic, like port scans etc.

    And for system related logs (like login attempts to the SSG from the outside, alerts and so on), I guess I need a syslog server, only having the latest entries on the SSG itself.


    #logging
    #SSG5


  • 2.  RE: Best Practices - SSG5 setup and logging

    Posted 05-01-2011 08:04

    Local logging is limited in size and will automatically make sure you don't fill the available space.  You can increase local logging by adding a USB drive or memory stick to the SSG USB port.  I have a configuration posted for this process in the Configuration Library forum.

    http://forums.juniper.net/t5/Configuration-Library/ScreenOS-Configure-Logging-to-USB-Device/m-p/64641#M164

    "For example: in the policy from Untrust to Trust, I have created rules to allow incoming HTTP/SMTP etc. And then the last rule I have created is set to block everything. But I don't see anything of the traffic that is being blocked, I only see the traffic that is allowed. I guess I should be seeing at least some incoming junk traffic, like port scans etc."

    The policy log will only show traffic that MATCHES the policy in question.  So when you create a PERMIT policy, what will be logged is traffic permitted.  In this case the denied traffic you are looking for is hitting none of your configured policies but the global implicit deny policy.  That is why they do not show in your policy logs.

    "And for system related logs (like login attempts to the SSG from the outside, alerts and so on), I guess I need a syslog server, only having the latest entries on the SSG itself."

    System logging is under "Reports--System Logs--Events" in the web UI.  On the CLI use

    get log event ?

    and you will see all the options of what to look for there.

    You don't require a syslog server for any of this.  But the syslog server offers several advantages.  The logs get saved for as long as you want them instead of until space runs out or a reboot occurs.  And good syslog software allows nice reporting and search functions.



  • 3.  RE: Best Practices - SSG5 setup and logging

    Posted 05-02-2011 00:10

    Hi and thank you for your reply.

    About the traffic log, I still don't get it.

    I have created about 20 rules, from Untrust to Trust, which all allow some traffic.
    And then, as the last rule, I have created a rule that denies all traffic from Untrust to Trust.
    Now, the rules are read by the SSG from top to bottom, so traffic which is not allowed should show up on the last rule that blocks all traffic, should it not?



  • 4.  RE: Best Practices - SSG5 setup and logging
    Best Answer

    Posted 05-02-2011 16:46

    Yes, the untrust to trust requests that do not match a policy will end up there.

    But most of what you mention above will fall under event logging because they are part of the screen attack prevention.  And the attacks that go after your untrust configured interface will be untrust to untrust traffic if they are not a screen event.
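    To tie the thread together, here is an added ScreenOS CLI example (not posted by anyone in this thread and not from Juniper's configuration library) showing the three pieces discussed: an explicit last Untrust-to-Trust deny policy with logging turned on so the non-matching traffic is recorded under that policy, screen options on the Untrust zone so scans and floods land in the event log, and a syslog destination so both log types survive reboots and space limits. The syslog address 192.0.2.50, the policy id 200 and the port number are placeholders; the exact keyword spellings are from memory and should be confirmed with the CLI's `?` help (as the reply above suggests for `get log event ?`). Lines beginning with `#` are annotations for the reader, not CLI input.

```screenos
# Explicit catch-all deny as the last Untrust->Trust policy, with "log" so
# every session it drops appears in this policy's traffic log.
set policy id 200 name "deny-all-inbound" from "Untrust" to "Trust" "Any" "Any" "ANY" deny log

# Screen (attack prevention) options on the Untrust zone; hits are event log
# entries, not policy log entries, which is why they do not show under policy 200.
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen syn-flood

# Ship both event and traffic logs to an external syslog host (placeholder address)
# so they are retained beyond the device's local buffer.
set syslog config "192.0.2.50" port 514
set syslog config "192.0.2.50" facilities local0 local0
set syslog config "192.0.2.50" log all
set syslog enable

# Persist the configuration.
save

# Checking locally: denied sessions under the explicit policy, and screen/system events.
get log traffic policy 200
get log event
```

    After this is in place, the traffic that previously vanished into the implicit deny shows up under `get log traffic policy 200` (and in the web UI under that policy's log icon), while port scans and other screen detections are found under `get log event`; the syslog host receives both streams for long-term search and reporting.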



  • 5.  RE: Best Practices - SSG5 setup and logging

    Posted 05-04-2011 01:21

    Ah, now I see, thanks for explaining this 🙂