SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Can SRX notify the administrator in the wake of the match with the security policy using e-mail or snmp-trap?

    Posted 08-11-2016 21:16

    I want to notify the administrator using e-mail or snmp-trap when traffic matches a security policy on the SRX.

    Can SRX do this?

     

    I think SRX cannot notify using e-mail.

    However, is it feasible by using the event options?

    In that case, how do I specify the events? (RT_FLOW?)

     

    Regards,



  • 2.  RE: Can SRX notify the administrator in the wake of the match with the security policy using e-mail or snmp-trap?
    Best Answer

    Posted 08-11-2016 23:19

    Hi,

     

    For generating traps using the event-options, please go through the following link:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB28307&actp=search

     

    The event options have to match an event when the session hits the policy, which can be "RT_FLOW"; however, the policy name would be in the middle of the syslog message which is generated.

     

    We also need the following two conditions:

    1. The RT_FLOW messages should be logged to the messages file using event mode (this can cause high RE CPU if there are a lot of hits on the policy).
    2. Apply log -> session init to the security policy.

    Regards,

    Sahil Sharma




  • 3.  RE: Can SRX notify the administrator in the wake of the match with the security policy using e-mail or snmp-trap?

    Posted 08-12-2016 09:06

    Hi GENC,

     

    You can generate the event using SNMP or Syslog as 

     

     



  • 4.  RE: Can SRX notify the administrator in the wake of the match with the security policy using e-mail or snmp-trap?

    Posted 10-11-2016 21:41

    [ Example ]

     

    policy p2-raise-trap-4-secpol {
        events [ RT_FLOW_SESSION_CREATE RT_FLOW_SESSION_CLOSE RT_FLOW_SESSION_DENY ];
        then {
            raise-trap;
        }
    }

     

    for permit action >> RT_FLOW_SESSION_CREATE or RT_FLOW_SESSION_CLOSE

    for deny or reject action >> RT_FLOW_SESSION_DENY
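
The second reply notes that the policy name sits in the middle of the generated syslog message, and the last post maps the three RT_FLOW events to permit and deny actions. As an added example (not from the thread or from Juniper), this Python filter for a syslog collector extracts the policy name from RT_FLOW lines and keeps only events for watched policies. It assumes the plain-text layout in which the policy name follows the protocol-id token; the sample lines, host name and policy names are constructed.

```python
import re

# Event -> policy action, as mapped in the thread above.
EVENT_ACTION = {"RT_FLOW_SESSION_CREATE": "permit", "RT_FLOW_SESSION_CLOSE": "permit",
                "RT_FLOW_SESSION_DENY": "deny"}
EVENT_RE = re.compile(r"\b(RT_FLOW_SESSION_(?:CREATE|CLOSE|DENY)): session (.*)$")
FLOW_RE = re.compile(r"^(\S+?)/\d+->(\S+?)/\d+$")   # src/port->dst/port
PROTO_RE = re.compile(r"^\d+(?:\(\d+\))?$")         # "6", "17" or "6(0)"


def parse_rt_flow(line):
    """Return event, action, policy, src and dst for an RT_FLOW line, else None."""
    # Assumption: the policy name is the token right after the protocol-id token.
    # Field order differs between Junos releases; check it against your own logs.
    m = EVENT_RE.search(line.strip())
    if not m:
        return None
    event, tokens = m.group(1), m.group(2).split()
    flow = next(filter(None, map(FLOW_RE.match, tokens)), None)  # first (pre-NAT) flow
    proto_at = next((i for i, t in enumerate(tokens) if PROTO_RE.match(t)), None)
    if flow is None or proto_at is None or proto_at + 1 >= len(tokens):
        return None  # truncated or unexpected layout: do not guess a policy name
    return {"event": event, "action": EVENT_ACTION[event],
            "policy": tokens[proto_at + 1], "src": flow.group(1), "dst": flow.group(2)}


def alerts_for(lines, watched_policies):
    """Keep only parsed events whose policy name is in watched_policies."""
    hits = (parse_rt_flow(line) for line in lines)
    return [h for h in hits if h and h["policy"] in watched_policies]


# Constructed sample lines (documentation addresses, hypothetical policy names).
SAMPLE = [
    "Aug 12 09:06:01 srx1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied "
    "198.51.100.7/40112->192.0.2.10/22 junos-ssh 6(0) deny-mgmt untrust trust "
    "UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0",
    "Aug 12 09:06:02 srx1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "192.0.2.20/53211->203.0.113.5/53 junos-dns-udp 192.0.2.20/53211->203.0.113.5/53 "
    "None None 17 allow-dns trust untrust 4211 N/A(N/A) ge-0/0/1.0",
    "Aug 12 09:06:05 srx1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: "
    "192.0.2.20/53300->203.0.113.9/443 junos-https 192.0.2.20/53300->203.0.113.9/443 "
    "None None 6 allow-web trust untrust 4212 12(1450) 10(9800) 3 ",
    "Aug 12 09:06:06 srx1 mgd[1234]: UI_COMMIT: User 'admin' requested 'commit' operation",
]

if __name__ == "__main__":
    for hit in alerts_for(SAMPLE, {"deny-mgmt", "allow-web"}):
        print("ALERT policy=%(policy)s action=%(action)s %(src)s -> %(dst)s (%(event)s)" % hit)
```

The returned records can be handed to whatever mail or ticketing hook the collector already uses, which keeps per-session processing off the SRX routing engine.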