SRX Services Gateway

Filter logging

Thursday

Hi Everyone,

Please consider the following example:

H1 (199.199.199.1) -- (199.199.199.10) F1 on SRX -- rest of the network.

We want to use a filter to log traffic, just the first 100 bytes of each IP packet, for an extended period of time, say 1 hr.

My issue is that when I used a filter with log, it could only hold traffic for 2 minutes. It is a heavy-traffic environment.

Below is my config:

set firewall family inet filter GREAT term T1 from source-address 199.199.199.1
set firewall family inet filter GREAT term T1 then log
set firewall family inet filter GREAT term T1 then accept
set firewall family inet filter GREAT term T2 then accept
set interfaces f1/1 unit 0 family inet filter input GREAT

I want to log at least 2 M of logs using the above filter. How can I do that?

Thanks

2 REPLIES

Re: Filter logging

Thursday

Hi, here are two options:

1) Try configuring "then syslog"; with this all the info will be copied to the system syslog, but in a heavy-traffic environment DDoS protection and other limitations will prevent logging too many messages.

2) The better option is to use jflow/netflow and send packet statistics to an external server.
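As an added example (not part of this reply or the original post), here is the poster's filter rewritten for the two options above in Junos set format. The collector address 10.10.10.5, the SRX source address 10.10.10.1, the interface ge-0/0/1 (standing in for the thread's F1), and the instance and template names are assumptions; lines starting with # are annotations for the reader, not Junos syntax. The syslog path keeps "then log" next to "then syslog" so the small ring buffer behind "show firewall log" is still there for a quick look, while the collector receives the stream, subject to the PFE rate limit mentioned above. The inline J-Flow statements are the branch-SRX form; check the documentation for your platform and release.

```junos
# Option 1: filter with "then syslog" plus a remote syslog collector
set firewall family inet filter GREAT term T1 from source-address 199.199.199.1/32
set firewall family inet filter GREAT term T1 then log
set firewall family inet filter GREAT term T1 then syslog
set firewall family inet filter GREAT term T1 then accept
set firewall family inet filter GREAT term T2 then accept
set interfaces ge-0/0/1 unit 0 family inet filter input GREAT

# Forward firewall-facility messages (PFE_FW_SYSLOG_IP) to the collector; source-address
# pins the sending address so the collector's ACL has exactly one address to trust
set system syslog host 10.10.10.5 firewall any
set system syslog host 10.10.10.5 port 514
set system syslog host 10.10.10.5 source-address 10.10.10.1

# Option 2: inline J-Flow v9 (flow records, not per-packet copies) to a flow collector
set services flow-monitoring version9 template IPV4-TEMPLATE ipv4-template
set services flow-monitoring version9 template IPV4-TEMPLATE template-refresh-rate seconds 60
set forwarding-options sampling instance SAMPLE-F1 input rate 1
set forwarding-options sampling instance SAMPLE-F1 family inet output flow-server 10.10.10.5 port 2055
set forwarding-options sampling instance SAMPLE-F1 family inet output flow-server 10.10.10.5 version9 template IPV4-TEMPLATE
set forwarding-options sampling instance SAMPLE-F1 family inet output inline-jflow source-address 10.10.10.1
set interfaces ge-0/0/1 unit 0 family inet sampling input
```

After commit, "show firewall log" shows the ring buffer and "show log messages | match PFE_FW_SYSLOG" shows what is actually leaving for the collector; each message carries interface, action, protocol, addresses and ports only, never payload. "input rate 1" samples every packet, which is the heaviest setting; a higher ratio (for example rate 100) trades completeness for collector load, which is the usual choice in a heavy-traffic environment.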

Solution
Accepted by topic author sarahr202
Sunday

Re: Filter logging

Thursday

Hello,

@sarahr202 wrote:

    We want to use a filter to log traffic, just the first 100 bytes of each IP packet, for an extended period of time, say 1 hr.

    My issue is that when I used a filter with log, it could only hold traffic for 2 minutes. It is a heavy-traffic environment.

SRX logs only the IP header + part of the L4 header (UDP ports, TCP ports + flags, ICMP type + code). You won't be able to log anything beyond the L4 header, sorry.

@sarahr202 wrote:

    first 100 bytes of each IP packet, for an extended period of time, say 1 hr.

Leaving aside the fact that SRX is not able to syslog payload beyond the L4 header, let's do some simple math, shall we? Let's say this is an SRX100 with 100 Mbps of 512-byte packets. That's 24 Kpps.

So, for 1 hour (3600 secs) it will generate 69 GBytes of logging. Then you'd need:

1/ since ANY SRX won't be able to store it locally, you need an external syslog server capable of writing 24 Kpps of syslog messages per SRX

2/ this syslog server must have an appropriately sized disk

Inference:

1/ You need to look elsewhere/beyond SRX logging capabilities to meet your requirement

2/ if you still want to pursue that with SRX, configure packet replication on SRX itself (by means of analyzer/port-mirroring or simply have a VLAN with MAC learning disabled) and funnel the replicated packets to a Linux server of your choice with Wireshark running on it. Of course, don't forget the server disk requirements.

HTH

Thx
Alex

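The port-mirroring route Alex suggests, as an added example that is not part of his reply: an analyzer that copies every frame entering and leaving the F1 interface to a spare port patched to the capture host. The interface and analyzer names are assumptions; this is the "forwarding-options analyzer" form used on branch SRX from Junos 15.1X49 onward, while older releases place the same input/output statements under "ethernet-switching-options analyzer", so check the release notes for your platform. Lines starting with # are annotations for the reader, not Junos syntax.

```junos
# Mirror both directions of ge-0/0/1.0 (assumed to be F1) out of ge-0/0/7.0,
# which is cabled directly to the capture host and carries nothing else
set forwarding-options analyzer MIRROR-F1 input ingress interface ge-0/0/1.0
set forwarding-options analyzer MIRROR-F1 input egress interface ge-0/0/1.0
set forwarding-options analyzer MIRROR-F1 output interface ge-0/0/7.0
# Pre-15.1X49 branch SRX: same three statements under ethernet-switching-options analyzer
```

The "first 100 bytes of each IP packet" requirement is then met on the capture host rather than on the SRX: tcpdump -i eth1 -s 114 -G 3600 -w f1-%Y%m%d%H%M.pcap keeps 14 bytes of Ethernet header plus 100 bytes of IP packet per frame and rotates the file every hour (Wireshark's dumpcap has equivalent snapshot-length and ring-buffer options). Disk sizing follows the same arithmetic as the syslog case: at Alex's 24 Kpps, 114 captured bytes plus the 16-byte pcap record header is about 130 bytes per packet, roughly 11 GB per hour, and the mirror port must itself have headroom for both directions of the monitored link or frames are silently dropped.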