SRX Services Gateway

Firewall Filter Packet Capture Problem

12-28-2009 11:29 AM

I have an SRX240 running Junos 9.6R2.11. I'm not sure if I'm missing something or just plain stupid.


I have a firewall filter configured like so:

bdfleming@site# show firewall filter lan_inbound
<<<snip>>>
term leaked_private_traffic {
    from {
        source-address {
            10.0.0.0/8;
            192.168.0.0/16;
            172.16.0.0/12;
        }
    }
    then {
        count "Leaked Private Traffic (Dropped)";
        discard;
    }
}
<<<snip>>>

I see traffic matching this term at a rate of roughly 2 packets per second. I'd like to capture some of these packets to help the users find their misbehaving device, but I'm having problems getting the term to sample correctly.

If I add a "sample" action to the term, my sample file does not get built and the device does not capture the traffic before discarding it. If I change the action from "discard" to "accept", I see packets match and arrive in my sample file. The obvious side effect is allowing traffic through the filter that I'd rather drop in typical operation.

So my question is: Can you sample discarded packets using a firewall filter that is applied ingress? If so, would anyone care to share a working configuration?

Much appreciated for any comments, suggestions, or insights.

3 REPLIES

Re: Firewall Filter Packet Capture Problem

12-29-2009 08:15 PM

Sample has default action of accept. Refer to this link to firewall filter configuration in JUNOS.

http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-...

-Richard


Re: Firewall Filter Packet Capture Problem

01-05-2010 08:41 AM

Thanks for the reply and link, Richard.

If anyone from Juniper is watching, it would be nice to sample discarded packets as well in some cases. I understand that the flow of traffic through the box might make that impossible, just offering up a feature suggestion.


Re: Firewall Filter Packet Capture Problem

01-06-2010 04:57 AM

Hello Brad,

Sampling of discarded packets is possible with the "next term" filter action. Your filter should look like:

term leaked_private_traffic_sample {
    from {
        source-address {
            10.0.0.0/8;
            192.168.0.0/16;
            172.16.0.0/12;
        }
    }
    then {
        count "Leaked Private Traffic (Dropped in next term)";
        /* sample is an action modifier; next term passes the packet on instead of accepting it */
        sample;
        next term;
    }
}
term leaked_private_traffic_drop {
    from {
        source-address {
            10.0.0.0/8;
            192.168.0.0/16;
            172.16.0.0/12;
        }
    }
    then {
        discard;
    }
}

I tested it and it works for me on 10.R1. Please post your results here if possible.

Rgds

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
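The full configuration that the "sample, then discard" pattern from the reply above needs in order to actually produce a capture file, written out here as an added example (not Alex's, Brad's or Juniper's configuration). The two-term filter is the same shape as the reply; the packet-capture stanza, the interface ge-0/0/1 the filter is bound to, the capture file name and sizes, the counter names and the final accept term are all assumptions and must be adapted to the real device.

```junos
/* Added example, not from the original thread. Interface, file name, sizes and the final term are assumptions. */
firewall {
    family inet {
        filter lan_inbound {
            /* Order matters: the sampling term must precede the drop term, otherwise discard is reached first and nothing is sampled */
            term leaked_private_traffic_sample {
                from {
                    source-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                    }
                }
                then {
                    count leaked-private-sampled;
                    sample;
                    next term;
                }
            }
            term leaked_private_traffic_drop {
                from {
                    source-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                    }
                }
                then {
                    /* Second counter: it should track the first one, which confirms every sampled packet was also dropped */
                    count leaked-private-dropped;
                    discard;
                }
            }
            /* Assumed final term; without it the implicit discard at the end of the filter drops all other inbound traffic */
            term allow-rest {
                then accept;
            }
        }
    }
}
forwarding-options {
    /* Branch SRX writes packets hit by the sample action into /var/tmp/<filename>.<interface>; file name and sizes are assumptions */
    packet-capture {
        file filename leaked-private files 5 size 1m;
        maximum-capture-size 1500;
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input lan_inbound;
                }
            }
        }
    }
}
```

After committing, `show firewall filter lan_inbound` should show the two counters climbing in step (about 2 packets per second in the case above); if the sampled counter moves and the dropped one does not, the term order is wrong. The capture files under /var/tmp are ordinary pcap files and can be copied off the box and read with any pcap tool to pull out the source MAC and IP addresses of the leaking hosts.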