SRX

Hello Experts,

I have done the below config to enable logs in a SRX Firewall.

file traffic-log {
    any any;
    match RT_FLOW_SESSION;
}
file accepted-traffic {
    any any;
    match RT_FLOW_SESSION_CREATE;
}
file blocked-traffic {
    any any;
    match RT_FLOW_SESSION_DENY;
}

But for some reason the logs are not showing in any of the file. This FW is actively passing traffic between two zones. Any help to identify the problem will appreciated.

user@FW> show log accepted-traffic 

user@FW> show log blocked-traffic 

user@FW> show log traffic-log 
Feb  6 13:03:46  FW mgd[71518]: UI_CFG_AUDIT_SET: User 'user' set: [system syslog file accepted-traffic match] <unconfigured> -> "RT_FLOW_SESSION_CREATE"
Feb  6 13:03:46  FW mgd[71518]: UI_CMDLINE_READ_LINE: User 'user', command 'set file accepted-traffic match RT_FLOW_SESSION_CREATE '
Feb  6 13:04:19  FW mgd[71518]: UI_CFG_AUDIT_SET: User 'user' set: [system syslog file blocked-traffic match] <unconfigured> -> "RT_FLOW_SESSION_DENY"
Feb  6 13:04:19  FW mgd[71518]: UI_CMDLINE_READ_LINE: User 'user', command 'set file blocked-traffic match RT_FLOW_SESSION_DENY '

user@FW> 

You will also need to configure specific security policies for logging, using either 'then log session-init' or 'then log session-close' (or both) in the policy action.  A quick example can be found in https://kb.juniper.net/InfoCenter/index?page=content&id=KB16509 - step 2 would be the part you need.

Be careful when configuring policy logging.  Depending on the number of policies you are logging, and the amount of traffic you have, you can easily overwhelm the firewall CPU.

Hope this helps.

Louis

Thanks Louis!

How to log traffic that has been blocked by the implicit deny rule?

You can't technically log against the implicit deny, but use can use apply-groups to do the same thing.  One KB that shows it is https://kb.juniper.net/InfoCenter/index?page=content&id=KB21317.

You could also configure a deny-and-log policy for each of the zone pairs you want to log, but that can be cumbersome.  Plus if you later configure other policies for that zone pair, you'll have to move the deny-and-log policy to make sure policies are checked in the proper order.  The advantage of the group policy is that the inherited policy is always inserted after any manually configured policies, but before the implicit deny.

To test this I have added this extra LOG_DROP policy config at the end, but the logging still not working.

user@FW> show configuration security policies from-zone untrust to-zone trust policy LOG_DROP 
match {
    source-address any;
    destination-address any;
    application any;
}
then {
    deny;
    log {
        session-init;
    }
}

user@FW> show configuration system syslog                                                        
archive size 100k files 3;
user * {
    any emergency;
}
host 10.10.10.10 {
    any notice;
}
file messages {
    any notice;
    authorization info;
}
file interactive-commands {
    interactive-commands any;
}
file accepted-traffic {
    any any;
    match RT_FLOW_SESSION_CREATE;
}
file blocked-traffic {
    any any;
    match RT_FLOW_SESSION_DENY;
}

user@FW> 

The logs are still empty even though there is denied traffic at the FW.

user@FW> show log blocked-traffic                                                                

user@FW> 

Any help would be appreiciated.

To confirm, there are hits against your LOG_DROP policy in 'show security policies hit-count'?  Do you see the log messages on your syslog server?  (The facility might need to be changed 'any info' or 'any any'.)

What model of SRX are you working with?

Yes, there is hits against that policy.

user@FW> show security policies hit-count | match LOG 
Logical system: root-logical-system
 8       untrust          trust             LOG_DROP       39           

The log count is increasing as well.

user@FW> show security policies hit-count | match LOG    
Logical system: root-logical-system
 8       untrust          trust             LOG_DROP       42           

user@FW> 

-------------------------------------

user@FW> show version 
Hostname: xxxxx
Model: srx345-dual-ac
Junos: 15.1X49-D110.4
JUNOS Software Release [15.1X49-D110.4]

The syslog server gets logs from the device, but its not traffic related logs.

Interesting, seems like maybe things changed with the SRX300 series and/or 15.1 software.  See if you get anything from the commands 'show security log', 'show security log file', and 'show log bin_messages'.  If nothing shows in those, you may need to configure 'set security log mode event' and 'set security log format binary'.  Another possibility would be to configure log streaming to your syslog server, but the security logs won't be kept on-box in that case.

The security device section of the system log configuration guide at https://www.juniper.net/documentation/en_US/junos/topics/concept/security-system-log-message-overview.html should help.  I've been referring to the sections discussing security logs and on-box logging.

I believe on some of the newer versions no security logging occurs until turned on under this hierarchy similar to the high end SRX models.

security > logs

I have added these config, but still no luck.

user@FW> show configuration security log     
cache;
mode stream;
report;

user@FW> 

I surprised to learn that just turning on logging on the box is this much of a hassle in Juniper. 

Try 'set security log mode event' for on-box logging.  Stream logs must be sent to an external destination, and can only be sent through a revenue port and not the management port.

Awesome! That did the trick. Thanks Louis!!!

user@FW> show log blocked-traffic 
Feb 16 09:38:36  FW RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.10.10.12/44694->10.10.22.50/2233 0x0 None 6(0) LOG_DROP untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Feb 16 09:38:39  FW last message repeated 2 times


user@FW> 

user@FW> show log accepted-traffic 
Feb 16 09:41:07  FW RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.10.10.12/47570->10.10.22.50/22 0x0 junos-ssh 10.10.79.12/47570->10.10.200.50/22 0x0 N/A N/A static rule 17 6 SH untrust trust 137665 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN

user@FW>