SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Traffic logging on srx branch series

    Posted 11-22-2016 08:34

    Hi,

    I'm trying to log all traffic information for a specific device when it accesses the internet on my SRX branch series network, but when I do a "show log traffic-log" command the log file is empty.

    Here's my current config for the logs:

    set system syslog file traffic-log any any
    set system syslog file traffic-log match RT_FLOW_SESSION
    set security policies from-zone trust to-zone untrust policy default-permit match source-address Desktop123
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit then log session-init
    set security policies from-zone trust to-zone untrust policy default-permit then log session-close

    I even tried changing the source-address to any with "set security policies from-zone trust to-zone untrust policy default-permit match source-address any" but I am still unable to get any log information.

    Can anyone tell me what I am doing wrong?

    Thanks!



  • 2.  RE: Traffic logging on srx branch series
    Best Answer

    Posted 11-22-2016 09:52

    Hi,

    Do 'show security flow session' and check which policy you're hitting.
    For example:
    When I try to ping 8.8.8.8 from my PC and do the 'show security flow session destination-prefix 8.8.8.8' command, I see that I'm hitting the policy named "1":

    Session ID: 3275, Policy name: 1/7, Timeout: 2, Valid
    In: 192.168.1.2/63193 --> 8.8.8.8/53;udp, If: vlan.0, Pkts: 1, Bytes: 74
    Out: 8.8.8.8/53 --> 10.0.0.16/24406;udp, If: fe-0/0/0.0, Pkts: 1, Bytes: 90


    Can you confirm that you're hitting the policy "from-zone trust to-zone untrust policy default-permit"?


  • 3.  RE: Traffic logging on srx branch series

    Posted 11-22-2016 10:51

    Thanks! I was able to figure out what was wrong after looking at the flow session output. I just had to change the order of the policies and it started working.
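
The check suggested in the answer above, as an added example (not code from the thread or from Juniper): a Python script that parses `show security flow session` output and lists the sessions that matched a policy other than the one carrying the `then log` statements. The first session in the sample is the one quoted in the thread; the second session, the function names and the constant names are constructed for illustration.

```python
import re

# Constructed sample in the format of 'show security flow session' output.
# The first session is the one quoted in the thread; the second is made up.
SAMPLE = """\
Session ID: 3275, Policy name: 1/7, Timeout: 2, Valid
In: 192.168.1.2/63193 --> 8.8.8.8/53;udp, If: vlan.0, Pkts: 1, Bytes: 74
Out: 8.8.8.8/53 --> 10.0.0.16/24406;udp, If: fe-0/0/0.0, Pkts: 1, Bytes: 90
Session ID: 3301, Policy name: default-permit/5, Timeout: 1788, Valid
In: 192.168.1.2/51514 --> 203.0.113.10/443;tcp, If: vlan.0, Pkts: 9, Bytes: 1210
Out: 203.0.113.10/443 --> 10.0.0.16/11872;tcp, If: fe-0/0/0.0, Pkts: 8, Bytes: 4022
"""

# "Policy name: <name>/<index>" identifies the policy the session matched.
SESSION_RE = re.compile(r"Session ID:\s*(\d+),\s*Policy name:\s*(.+?)/(\d+),")
# "In:" line carries the original source, destination and protocol.
IN_RE = re.compile(r"In:\s*(\S+?)/(\d+)\s*-->\s*(\S+?)/(\d+);(\w+)")


def parse_sessions(text):
    """Return one dict per session: id, policy, src, dst (ip:port), proto."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2)})
            continue
        m = IN_RE.search(line)
        if m and sessions and "src" not in sessions[-1]:
            src, _sport, dst, dport, proto = m.groups()
            sessions[-1].update(src=src, dst=f"{dst}:{dport}", proto=proto)
    return sessions


def unlogged_sessions(text, logging_policy, source=None):
    """Sessions that matched a policy other than the one configured to log."""
    return [s for s in parse_sessions(text)
            if s["policy"] != logging_policy
            and (source is None or s.get("src") == source)]


if __name__ == "__main__":
    for s in unlogged_sessions(SAMPLE, "default-permit", source="192.168.1.2"):
        print(f"session {s['id']}: {s['src']} -> {s['dst']} ({s['proto']}) "
              f"matched policy '{s['policy']}', not 'default-permit'")
```

Any session it reports was permitted by a policy evaluated before the logging policy, which is the ordering problem resolved in this thread.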



  • 4.  RE: Traffic logging on srx branch series

    Posted 11-22-2016 10:58

    I can see all the IP addresses the computer is accessing in the logs. Is there a way to see URLs as well?



  • 5.  RE: Traffic logging on srx branch series

    Posted 11-22-2016 22:25
    AFAIK, this only works when you enable web-filtering, and this requires a license.