SRX Services Gateway

SRX IDP Traffic Logging Format Explanation

07-22-2019 11:45 PM

With a Juniper SRX Firewall that has traffic event logging configured to output "RT_IDP|RT_FLOW_SESSION" to a file on the SRX, there are pieces of log information which are appended to the end of the log/event entry.

For example, with the 2 log events below, the last 3 words in the first log event are "HTTP UNKNOWN UNKNOWN" and in the second log line the last 3 words are "UNKNOWN UNKNOWN UNKNOWN".

Does anyone know what the last 3 words in SRX traffic log files refer to?

RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.25.255.2/33355->10.10.5.5/80 0x0 junos-http 10.25.255.2/33355->192.168.2.5/80 0x0 N/A N/A destination rule ENT 6 ENT Internet ENT 9719 N/A(N/A) ge-0/0/0.0 HTTP UNKNOWN UNKNOWN
RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.25.255.2/5432->10.18.5.5/80 0x0 junos-http 10.25.255.2/5432->192.168.2.5/80 0x0 N/A N/A destination rule ENT 6 ENT Internet ENT 10378 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN

Thanks.

Solution
Accepted by topic author danewm
07-23-2019 12:30 AM

Re: SRX IDP Traffic Logging Format Explanation

07-22-2019 11:55 PM

Hello,

Those three fields are application, nested application and encryption respectively. Please see the description added in the log below:

RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.25.255.2/5432->10.18.5.5/80 0x0 junos-http 10.25.255.2/5432->192.168.2.5/80 0x0 N/A N/A destination rule ENT 6 ENT Internet ENT 10378 N/A(N/A) ge-0/0/0.0 UNKNOWN(application) UNKNOWN(nested-application) UNKNOWN(encryption).

 

Examples for each term:

Application: HTTP

Nested-Application: Facebook Messenger (protocols that work over the parent application)

Encryption: whether the traffic is encrypted (HTTPS).

 

Regards,

Prakash
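As an added example (not code from the thread or from Juniper), here is a small Python parser that pulls the pre- and post-NAT 4-tuples, the incoming interface and the three trailing fields explained above out of RT_FLOW_SESSION_CREATE lines, and then lists sessions where AppID returned UNKNOWN, which is where a firewall is enforcing port-based policy with no Layer-7 visibility. The regex is built from the lines quoted in the thread; only the last three field names come from the answer, and the remaining group names are my own labels.

```python
import re
from typing import Iterable, List, Optional

# Pattern built from the RT_FLOW_SESSION_CREATE lines quoted in this thread. Only
# the last three names come from the accepted answer; the other group names are
# my labels for the positions, and everything between the NAT connection tag and
# the incoming interface is kept as one opaque "middle" string, not guessed.
SESSION_CREATE_RE = re.compile(
    r"RT_FLOW_SESSION_CREATE: session created "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<conn_tag>0x[0-9a-fA-F]+) (?P<service>\S+) "
    r"(?P<nat_src>[\d.]+)/(?P<nat_sport>\d+)->(?P<nat_dst>[\d.]+)/(?P<nat_dport>\d+) "
    r"(?P<nat_conn_tag>0x[0-9a-fA-F]+) (?P<middle>.*?) (?P<interface>\S+) "
    r"(?P<application>\S+) (?P<nested_application>\S+) (?P<encryption>\S+)$"
)

def parse_session_create(line: str) -> Optional[dict]:
    """Parse one RT_FLOW_SESSION_CREATE event; return None for any other event.
    search() ignores whatever syslog prefix (timestamp, host, pid) precedes it."""
    m = SESSION_CREATE_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # True when the pre- and post-NAT 4-tuples differ, i.e. a NAT rule applied.
    rec["nat_applied"] = (rec["src"], rec["sport"], rec["dst"], rec["dport"]) != (
        rec["nat_src"], rec["nat_sport"], rec["nat_dst"], rec["nat_dport"])
    return rec

def appid_visibility_gaps(lines: Iterable[str]) -> List[dict]:
    """Return sessions whose application field is UNKNOWN. The junos-* service
    name only reflects the port the policy matched on; UNKNOWN means AppID gave
    no verdict, so these are the sessions with no Layer-7 visibility."""
    return [r for r in map(parse_session_create, lines)
            if r is not None and r["application"] == "UNKNOWN"]

# Sample input: the two session-create lines quoted in the question.
SAMPLE_LOG = [
    "RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.25.255.2/33355->10.10.5.5/80 0x0 junos-http 10.25.255.2/33355->192.168.2.5/80 0x0 N/A N/A destination rule ENT 6 ENT Internet ENT 9719 N/A(N/A) ge-0/0/0.0 HTTP UNKNOWN UNKNOWN",
    "RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.25.255.2/5432->10.18.5.5/80 0x0 junos-http 10.25.255.2/5432->192.168.2.5/80 0x0 N/A N/A destination rule ENT 6 ENT Internet ENT 10378 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN",
]

if __name__ == "__main__":
    for rec in appid_visibility_gaps(SAMPLE_LOG):
        print(f"AppID gap: {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
              f"service={rec['service']} encryption={rec['encryption']}")
```

Feeding a whole exported log through appid_visibility_gaps() gives a quick measure of how much HTTP traffic the box is classifying on port alone.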





Re: SRX IDP Traffic Logging Format Explanation

07-23-2019 12:56 AM

Hello,

 

Syslog Explorer is THE tool to find out. It is available for free on the Juniper public website:

https://apps.juniper.net/syslog-explorer/

 

And your message is explained at

https://apps.juniper.net/syslog-explorer/#msg=RT_FLOW_SESSION_CREATE&sw=Junos%20OS&rel=19.2R1

 

HTH

Thx

Alex
