SRX Services Gateway

Transit traffic being logged in firewall filter log

06-07-2018 02:52 AM

I have a pair of SRX240s that seem to be logging transit traffic in the 'show firewall log' output. I've never seen this before, so it's rather confusing me.


05:37:27 pfe A ge-0/0/4.3000 TCP x.x.x.111 x.x.x.6
05:37:27 pfe A ge-0/0/4.3000 TCP x.x.x.111 x.x.x.6
05:37:27 pfe A ge-0/0/4.3000 TCP x.x.x.6 x.x.x.111
05:37:26 pfe A ge-0/0/4.3000 UDP x.x.x.22 x.x.x.35
05:37:25 pfe A ge-0/0/4.3000 UDP x.x.x.22 x.x.x.65

None of the addresses above exist on the SRX itself, but exist as external devices on its attached LAN interface. These nodes are on different subnets, but on the same interface, ge-0/0/4.3000, along with a few other secondary subnets. I have no filters configured to log anything except the lo0.0 filter, which logs discarded traffic to the RE. All this traffic is shown as 'action: accept'. Moreover, there are no firewall filters even applied to the interface that these nodes are on. 


I've done a search through the entire config (show configuration | match log) and found nothing that should be logging this traffic. It is happening on two SRXes. One is on 12.1X44-D40.2 and the other is on 12.1X46-D55.3.


What simple thing am I missing here? Does the SRX by default just log intra-interface traffic?
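One way to work through output like the above before asking "what is logging this" is to sort the entries mechanically: which ones involve an address the SRX itself owns (traffic to or from the RE, which a lo0 filter can legitimately log), which are pure transit, and which transit flows are between two subnets configured on the same logical interface, as the poster describes. The script below is an added example for this thread, not code from the original post or from Juniper. It assumes the seven-column layout visible in the post (time, filter, action, interface, protocol, source, destination), the action codes A=accept, D=discard, R=reject, and constructed sample lines using RFC 5737 addresses in place of the masked x.x.x.* ones; the local addresses, filtered interfaces and subnet list are likewise stand-ins for what you would read out of the real config.

```python
"""Triage Junos 'show firewall log' output: which entries are transit traffic,
which involve the device's own addresses, and which cross between subnets
configured on the same logical interface.

Added example for this thread, not code from the original post or from
Juniper. Assumptions: the column order seen in the post (time, filter,
action, interface, protocol, source, destination); action codes A=accept,
D=discard, R=reject; and constructed local addresses, subnets and sample
log lines (RFC 5737 ranges) standing in for the poster's masked x.x.x.* ones.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ACTIONS = {"A": "accept", "D": "discard", "R": "reject"}

# Constructed sample, modelled on the lines in the post plus one discard
# logged by a loopback filter on another interface. The header line is a
# guess at the real column header and is skipped by the parser.
SAMPLE_LOG = """\
Time      Filter    Action Interface     Protocol  Src Addr    Dest Addr
05:37:27 pfe A ge-0/0/4.3000 TCP 192.0.2.111 192.0.2.6
05:37:27 pfe A ge-0/0/4.3000 TCP 192.0.2.111 192.0.2.6
05:37:27 pfe A ge-0/0/4.3000 TCP 192.0.2.6 192.0.2.111
05:37:26 pfe A ge-0/0/4.3000 UDP 198.51.100.22 192.0.2.35
05:37:25 pfe A ge-0/0/4.3000 UDP 198.51.100.22 192.0.2.65
05:37:20 protect-re D ge-0/0/1.0 TCP 203.0.113.9 192.0.2.1
"""

# Constructed: addresses the SRX itself owns, the IFLs that have a filter
# applied, and the primary/secondary subnets configured on ge-0/0/4.3000.
LOCAL_ADDRS = {"192.0.2.1", "198.51.100.1"}
FILTERED_IFLS = {"lo0.0"}
SUBNETS = {"ge-0/0/4.3000": [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]}


@dataclass(frozen=True)
class LogEntry:
    time: str
    filter_name: str
    action: str
    interface: str
    protocol: str
    src: str
    dst: str


def parse_firewall_log(text):
    """Parse the seven-column lines; skip the header and anything malformed."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[2] not in ACTIONS:
            continue
        t, flt, act, ifl, proto, src, dst = fields
        entries.append(LogEntry(t, flt, ACTIONS[act], ifl, proto, src, dst))
    return entries


def classify(entry, local_addrs):
    """'host' when either endpoint is an address the device owns (traffic to
    or from the RE, which a lo0 filter can legitimately log); else 'transit'."""
    return "host" if entry.src in local_addrs or entry.dst in local_addrs else "transit"


def crosses_subnets_on_same_ifl(entry, subnets_by_ifl):
    """True when src and dst sit in different subnets configured on the same
    logical interface, i.e. the flow is routed back out the IFL it arrived on."""
    nets = subnets_by_ifl.get(entry.interface, [])
    src_net = next((n for n in nets if ip_address(entry.src) in n), None)
    dst_net = next((n for n in nets if ip_address(entry.dst) in n), None)
    return src_net is not None and dst_net is not None and src_net != dst_net


def triage(text, local_addrs, filtered_ifls, subnets_by_ifl):
    """Return (summary counter, unexplained transit entries, inter-subnet entries)."""
    summary = Counter()
    unexplained, inter_subnet = [], []
    for e in parse_firewall_log(text):
        kind = classify(e, local_addrs)
        summary[(kind, e.interface, e.protocol, e.action)] += 1
        if kind == "transit":
            # Transit entry on an IFL with no filter attached: nothing in the
            # config should have logged it, which is exactly the poster's puzzle.
            if e.interface not in filtered_ifls:
                unexplained.append(e)
            if crosses_subnets_on_same_ifl(e, subnets_by_ifl):
                inter_subnet.append(e)
    return summary, unexplained, inter_subnet


if __name__ == "__main__":
    summary, unexplained, inter_subnet = triage(SAMPLE_LOG, LOCAL_ADDRS, FILTERED_IFLS, SUBNETS)
    for key, n in sorted(summary.items()):
        print(f"{n:3d}  {key}")
    print(f"{len(unexplained)} unexplained transit entries, "
          f"{len(inter_subnet)} of them between subnets on the same IFL")
```

Feed it the real `show firewall log` text and the real local addresses, filtered IFLs and subnets from the config, and the "unexplained" list is the set of entries that need an answer; the inter-subnet list tells you whether those are all hairpinned flows between secondary subnets on the one interface, as in the post, or something broader.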

4 REPLIES

Re: Transit traffic being logged in firewall filter log

06-07-2018 06:39 AM

I bet it's some kind of exception traffic. Maybe ip options set?


Regards, Wojtek


Re: Transit traffic being logged in firewall filter log

06-07-2018 06:50 AM

Is this traffic being evaluated by any security policies, with a 'log' action?  IIRC, the local firewall log gets log entries from both the 'firewall' (interface/loopback) filters as well as regular firewall policies in the 'security' stanza.


Re: Transit traffic being logged in firewall filter log

06-07-2018 07:10 AM

@Louis Wessels wrote:

Is this traffic being evaluated by any security policies, with a 'log' action?  IIRC, the local firewall log gets log entries from both the 'firewall' (interface/loopback) filters as well as regular firewall policies in the 'security' stanza.


No, there are no log actions for 'accept' or 'permit' actions in the entire configuration. While I am inclined to believe you, I don't recall ever getting any data in the firewall log that was supposed to log from the security policies config, but maybe newer Junos changed that.


Re: Transit traffic being logged in firewall filter log

06-07-2018 07:20 AM

@wdudys wrote:

I bet it's some kind of exception traffic. Maybe ip options set?


Regards, Wojtek


Good thought, but sadly, no. I looked at a tcpdump of the traffic to see if this was the case and no IP options are set. Much of it is just DNS queries from a server on one subnet to a server on another subnet.
