Hi everybody,
Please forgive me I am new to Juniper but I have kind of a lame question. I come from the Cisco world Cisco ASA/PIX devices have a default deny policy (if there is an access-list applied to an interface). If I have normal informational-level logging enabled on a device, a log message is generated for pretty much every packet that matches this default deny. In the world of Juniper it appears a little bit different. The only way I've found to have my SRX log a dropped packet is by doing something like:
"set security policies from-zone ucpd-backend-switch-management to-zone ucpd-outside policy tacacs then log session-init"
So I guess I have two questions;
1) Are policies in JunOS/SRX applied in a top-down order?
2) Is there a way to log all dropped packets? Do I have to explicitly create a policy to match all source and all destinations for every zone, then enable logging for that specific policy?
I basically want to generate a log message like this for all dropped packets on all zones/interfaces:
Oct 17 05:02:51 10.4.224.20 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 128.135.2.178/1->128.135.100.81/21397 icmp 128.135.2.178/1->128.135.100.81/21397 None None 1 icmp_traffic ucpd-outside ucpd-ssl-vpn-outside 63172
Oct 17 05:02:55 10.4.224.20 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 128.135.2.178/1->128.135.100.81/21397 icmp 128.135.2.178/1->128.135.100.81/21397 None None 1 icmp_traffic ucpd-outside ucpd-ssl-vpn-outside 63172 1(76) 1(76) 0
Oct 17 05:02:51 10.4.224.20 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 128.135.2.178/1->128.135.100.81/21397 icmp 128.135.2.178/1->128.135.100.81/21397 None None 1 icmp_traffic ucpd-outside ucpd-ssl-vpn-outside 63172Oct 17 05:02:55 10.4.224.20 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 128.135.2.178/1->128.135.100.81/21397 icmp 128.135.2.178/1->128.135.100.81/21397 None None 1 icmp_traffic ucpd-outside ucpd-ssl-vpn-outside 63172 1(76) 1(76) 0
Thank-you,
Dan Sullivan