SRX


log traffic for the default deny policy not working

  • 1.  log traffic for the default deny policy not working

    Posted 08-19-2016 04:44
    Edited by Jodi Meier 02-13-2023 17:35

    Hi

     

    I've followed https://kb.juniper.net/InfoCenter/index?page=content&id=KB28109&actp=search and after generating some bad traffic:

     

    root@srx210> show log traffic-log

    root@srx210>

     

    I have attached my running config; anyone got an idea of what I'm missing?

     

    Much appreciated

     

    Thanks

    NOTE: Admin removed the attachment due to violating the Terms and Conditions of the Community 



  • 2.  RE: log traffic for the default deny policy not working

     
    Posted 08-19-2016 04:49
    Can you collect "show security policies hit-count" a couple of times and confirm there is traffic hitting the deny policy?


  • 3.  RE: log traffic for the default deny policy not working

    Posted 08-19-2016 06:21

    Hi Suraj

     

    Definitely something interesting is going on here. So let's say I ssh <ext ip> port 6543 (which leads nowhere):

     

    root@srx210> show security policies hit-count
    Logical system: root-logical-system
    Index From zone To zone Name Policy count
    1 global global default-deny 0
    2 Internal Internet All_Internal_Internet 34082

     

     

    Now, I do have a NAT rule for port 2222, which is deactivated; let's try to ssh to it:

    1 global global default-deny 5    <--- getting some hits

     

    root@srx210> show log traffic-log
    Aug 19 08:22:47 srx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.31/63521->1.1.1.1/2222 None 6(0) default-deny(global) Internet Internal UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN policy deny
    Aug 19 08:22:48 srx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.31/63521->1.1.1.1/2222 None 6(0) default-deny(global) Internet Internal UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN policy deny

     

     

    Now if I ssh again, but change the port to 9876 (any random number), nothing is showing up. Am I wrong to assume this *should* be capturing failed attempts?

     

    SSH or telnet to a closed port should reach that deny-all rule, thus getting logged, no?

     

    *confused*

     

    Any help much appreciated

     

    Thanks

     

     ***edited to put 1.1.1.1 as external IP

     



  • 4.  RE: log traffic for the default deny policy not working

    Posted 08-21-2016 05:36

    Add session-close to the global policy. As best practice, always try to add the session-close option at the end of a deny policy. Session-init would only show traffic for a session initiated but won't show a log for denied traffic; it is good for logging permitted traffic.

    global {
        policy default-deny {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-close;
                }
            }
        }
    }

     

     

    In my lab, I recreated your scenario as follows:
    I created an HTTP deny policy, then log session-close.


    [edit security policies from-zone lab to-zone outside]
    + policy HTTP {
    + match {
    + source-address any;
    + destination-address any;
    + application junos-http;
    + }
    + then {
    + deny;
    + }
    + }
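    Review bot: the `show | compare` output above adds policy HTTP with only `then { deny; }`; the `log { session-close; }` stanza the text says was configured is absent from the diff, so the diff alone does not account for the RT_FLOW_SESSION_DENY lines that follow. Include the `log` stanza (or the equivalent `set ... then log session-close` line) in the compare output so a reader can reproduce the result.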

    [edit]
    root@homefwsrx210# run show log traffic-log | last 15
    Aug 21 08:23:00 homefwsrx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.17/58694->54.246.163.116/80 junos-http 6(0) HTTP lab outside UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN policy deny
    Aug 21 08:23:00 homefwsrx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.17/58695->54.246.163.116/80 junos-http 6(0) HTTP lab outside UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN policy deny
    Aug 21 08:23:00 homefwsrx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.17/58696->149.202.232.186/80 junos-http 6(0) HTTP lab outside UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN policy deny
    Aug 21 08:23:00 homefwsrx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.17/58697->149.202.232.186/80 junos-http 6(0) HTTP lab outside UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN policy deny
    Aug 21 08:23:00 homefwsrx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.17/58698->149.202.232.186/80 junos-http 6(0) HTTP lab outside UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN policy deny

    **Kindly give Kudos if this works for you...



  • 5.  RE: log traffic for the default deny policy not working

    Posted 08-21-2016 06:36

    Hi Leke,

     

    Thanks for the tip; made the change, did some simple telnet on random ports, still nothing; it only logs hits on port 2222.

     

    Any idea?

     

    Aug 19 18:27:03 srx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 173.242.121.58/22989->1.1.1.1/2222 junos-ssh 6(0) default-deny(global) Internet Internal UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
    Aug 19 23:50:53 srx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 185.59.120.186/48370->1.1.1.1/2222 junos-ssh 6(0) default-deny(global) Internet Internal UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
    Aug 19 23:50:56 srx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 185.59.120.186/48370->1.1.1.1/2222 junos-ssh 6(0) default-deny(global) Internet Internal UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
    Aug 20 01:33:29 srx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 66.240.219.146/40082->1.1.1.1/2222 junos-ssh 6(0) default-deny(global) Internet Internal UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny



  • 6.  RE: log traffic for the default deny policy not working

    Posted 08-21-2016 06:47

    Try creating a specific security policy just like the default-global policy. Let's ignore the global policy for now.

    set security policies from-zone internet to-zone inside policy default-deny then deny log session-close




  • 7.  RE: log traffic for the default deny policy not working

    Posted 08-21-2016 09:44

    Hi Leke

     

    Just added this but it still doesn't log anything other than on port 2222; this is weird.

     

    Much appreciate the help on this 😉

     

    policy deny-internet {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-close;
            }
        }
    }



  • 8.  RE: log traffic for the default deny policy not working

    Posted 08-21-2016 11:09

    This is weird. It should log everything actually.



  • 9.  RE: log traffic for the default deny policy not working

    Posted 08-21-2016 11:25
    Edited by Jodi Meier 02-13-2023 17:44

    Hi Leke,

     

    Actually, since I have added this rule, it doesn't even log attempts on 2222 anymore. I've re-attached the latest config.

    Maybe I missed something? Seriously, this should be really basic... *scratches head*

    NOTE: Admin removed the attachment due to violating the Terms and Conditions of the Community 



  • 10.  RE: log traffic for the default deny policy not working

     
    Posted 08-21-2016 18:18

    egawd,

     

    Can you add a deny policy with logging for the following context?

     

    from-zone Internet to-zone junos-host

     

    Regards,

    Anand

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 11.  RE: log traffic for the default deny policy not working

    Posted 08-22-2016 04:32

    Hi Anand

     

    I've added it; still not getting anything logged in any of the policies...

     

    from-zone Internet to-zone junos-host {
        policy deny-junos {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-close;
                }
            }
        }
    }



  • 12.  RE: log traffic for the default deny policy not working

     
    Posted 08-22-2016 07:21

    Hi

     

     

    A deny log looks like this:

    Aug 22 10:22:53 RT_FLOW: RT_FLOW_SESSION_DENY: session denied x.84.202.106/5060->x.89.238.178/2904 None 17(0) default-deny(global) untrust untrust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/3.0 UNKNOWN policy deny

    Your config should work, so I am just suggesting something that we can try. Your current syslog matches:

     

    file traffic-log {
        any any;
        match RT_FLOW_SESSION;
    }

     

    Can we try adding the event "RT_FLOW_SESSION_DENY"? I understand that "RT_FLOW_SESSION" is a superset of the deny event, but I just want to make the logging more specific.

     

    Regards,

    Anand

     

     



  • 13.  RE: log traffic for the default deny policy not working

    Posted 08-22-2016 07:43

    Hi Anand

     

    Here is the latest config I'm using, same behaviour 😞

     

    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        file traffic-log {
            any any;
            match RT_FLOW_SESSION_DENY;
        }
    }



  • 14.  RE: log traffic for the default deny policy not working

    Posted 08-22-2016 12:43

    **update

     

    OK, so it looks like it IS logging, but only for port 2222 (which I have NAT for):

     

    Aug 22 14:55:39 srx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 190.182.192.226/53486->1.1.1.1/2222 junos-ssh 6(0) deny-internet Internet Internal UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny

     

    That's odd, to say the least...



  • 15.  RE: log traffic for the default deny policy not working

     
    Posted 08-22-2016 18:09

    Hi egawd,

     

    I agree, because in the flow the SRX does not have any action defined under NAT. It either translates if the traffic matches a rule or it doesn't. The allow/deny action comes under the policy. So irrespective of whether you NAT or not, the traffic should be denied by your global policy. Let me lab this up.

     

    Regards,

    Anand



  • 16.  RE: log traffic for the default deny policy not working

     
    Posted 08-22-2016 18:27

    Adding to this:-

     

    Can you share your source and destination IPs used in this transaction and the corresponding routing? 

     

    I want to ensure that this is not getting dropped at any other stage apart from policy in the flow, for example reverse route lookup, etc.

     

    In the current setting our logging will only work if the traffic is denied by policy. 

     

    Regards,

    Anand



  • 17.  RE: log traffic for the default deny policy not working

    Posted 08-21-2016 20:18

    I don't see anything wrong in your configuration. This is similar to what I have. I will lab your configuration and get back to you.



  • 18.  RE: log traffic for the default deny policy not working

    Posted 08-22-2016 18:49
    Hi Anand

    Right now it's the most basic setup; I mean, I can't get this to work, so I won't complexify it 🙂

    Internet ----> srx --------> lan
    So for instance I do a telnet or ssh on port 999 (any random port) on the public IP of the SRX (1.1.1.1); this gets denied but not logged.

    Does it help ?

    Thanks


  • 19.  RE: log traffic for the default deny policy not working

     
    Posted 08-23-2016 23:33

    Hi egawd,

     

    I was doing some testing on this and below are my findings.

     

    1. RT_FLOW_SESSION_DENY is generated with "session-init" and not with "session-close". This makes sense: the traffic was dropped while it was initiating. You need to modify the policy logging to include session-init.

    2. In your setup, we need a policy to junos-host for these logs. Otherwise the traffic will hit the self-traffic policy and won't hit the global policy.

     

    Feel free to correct me if I have misunderstood any points here.



  • 20.  RE: log traffic for the default deny policy not working

    Posted 08-24-2016 04:32
    Edited by Jodi Meier 02-13-2023 17:49

    Hi

     

    Yes, I had read about the need for session-init, so had turned it on.

    I also have a rule denying Internet -> junos.

    I have attached a fresh copy of my running config; still not logging anything other than failed attempts to log on port 2222.

     

    Aug 23 22:29:32 srx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 71.6.135.131/63030->1.1.1.1/2222 None 17(0) deny-internet Internet Internal UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
    Aug 24 04:15:42 srx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 190.111.75.196/47769->1.1.1.1/2222 junos-ssh 6(0) deny-internet Internet Internal UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
    Aug 24 04:15:45 srx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 190.111.75.196/47769->1.1.1.1/2222 junos-ssh 6(0) deny-internet Internet Internal UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny

    NOTE: Admin removed the attachment due to violating the Terms and Conditions of the Community 



  • 21.  RE: log traffic for the default deny policy not working

     
    Posted 08-24-2016 21:50

    Thanks for the update.

     

    Can you share the "show route" output for the source IP and Destination IP for which the traffic logs are not generated?

     

     

     



  • 22.  RE: log traffic for the default deny policy not working

    Posted 08-25-2016 06:26

    Hi Suraj

     

    Here is the output. Also note I upgraded to 12.3X48-D30, just in case it was an issue with the previous Junos version; still no luck 😞


    root@srx210> show route

    inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Access-internal/12] 00:10:19
    > to 1.1.1.1 via ge-0/0/0.0
    1.1.1.0/24 *[Direct/0] 00:10:19
    > via ge-0/0/0.0
    1.1.1.83/32 *[Local/0] 00:10:19
    Local via ge-0/0/0.0
    192.168.1.0/24 *[Direct/0] 00:10:26
    > via ge-0/0/1.0
    192.168.1.1/32 *[Local/0] 00:10:30
    Local via ge-0/0/1.0

     

    1.1.1.0 = internet
    192.168 = intranet



  • 23.  RE: log traffic for the default deny policy not working

     
    Posted 08-25-2016 06:37
    Hi egawd,

    Now it's clear. When you try to log in on port 2222 it hits the destination NAT rule nsw_destnat, as you are trying to do this from the Internet zone. And because of the destination NAT rule your traffic becomes passthrough traffic through the SRX and it hits policy deny-internet.

    But when you open any other connection you won't hit the destination NAT rule, and then the traffic hits the self-traffic policy and session logging doesn't happen. To verify this, change the destination port on the NAT rule from 2222 to 5555 and you will see traffic logs for port 5555.

    Also, you will not see the logs if you try opening 2222 from 192.168.1.0/24.


  • 24.  RE: log traffic for the default deny policy not working

    Posted 08-25-2016 07:27

    Hi Suraj

     

    I'm pretty sure you are correct; if I change the port to something else it will only log this port.

    The question remains: how do I log failed attempts on all ports, not just the one that has a NAT?

    I want to be able to see if 8.8.8.8 (any internet IP) tries to hit port 9876 (any given port) on the SRX.

     

    Thanks



  • 25.  RE: log traffic for the default deny policy not working

     
    Posted 08-25-2016 22:20

    Destination NAT config:

    ===============================================

    destination {
        pool 192_168_1_2_22 {
            address 192.168.1.2/32 port 22;
        }
        rule-set nsw_destnat {
            from zone Internet;
            rule 0_File_Transfer--Internal_22 {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 0.0.0.0/0;
                    destination-port 2222;
                }
                then {
                    destination-nat pool 192_168_1_2_22;
                }
            }
        }
    }

    ===============================================

     

    Let's take an example of the 2 flows below:

     

    1. 173.242.121.58/22989->1.1.1.1/2222 

    2. 173.242.121.58/22989->1.1.1.1/80

     

    When the first packet hits the SRX it matches the destination NAT rule and the traffic becomes 173.242.121.58/22989->192.168.1.2/22. The destination becomes 192.168.1.2 and this becomes non-host-inbound traffic. Thus it hits security policy deny-internet and gets logged.

    With the second packet/stream, when it reaches the SRX it won't match the destination NAT rule as the port number is not 2222 (specified on the rule), and the traffic will continue as host-inbound traffic. This will hit the default "self-traffic-" policy and there is no logging on these.

    And if we create a junos-host policy we will be able to see the logs, as this policy will take preference over the junos-self-traffic policy. Below is a configuration you can try:

     

     

    set security policies from-zone Internet to-zone junos-host policy lab-test match source-address any
    set security policies from-zone Internet to-zone junos-host policy lab-test match destination-address any
    set security policies from-zone Internet to-zone junos-host policy lab-test match application any
    set security policies from-zone Internet to-zone junos-host policy lab-test then deny
    set security policies from-zone Internet to-zone junos-host policy lab-test then log session-close
    set security policies from-zone Internet to-zone junos-host policy lab-test then log session-init

     

    You may add the line below for testing, to make sure all ports are accepted under host-inbound-services:

    set security zones security-zone Internet host-inbound-traffic system-services any-service

     

    I hope this helps.

     



  • 26.  RE: log traffic for the default deny policy not working

    Posted 08-26-2016 04:37

    Hi Suraj

     

    I already have the following:

     

    from-zone Internet to-zone junos-host {
        policy deny-junos {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }



  • 27.  RE: log traffic for the default deny policy not working

     
    Posted 08-26-2016 05:26

    Can you add the below config and check again? I feel the traffic may not be reaching policy as it is not allowed under the zone. On the Internet zone you have enabled dhcp only.

     

    delete security zones security-zone Internet host-inbound-traffic system-services
    set security zones security-zone Internet host-inbound-traffic system-services any-service

     

     



  • 28.  RE: log traffic for the default deny policy not working

    Posted 08-26-2016 05:49

    Hi Suraj

     

    I'm not exactly sure what you are trying to do here, but it's throwing out an error:

     

    root@srx210# delete security zones security-zone Internet host-inbound-traffic system-services
    warning: statement not found

     

     

    If this helps:

    root@srx210# show security zones
    security-zone Internal {
        interfaces {
            ge-0/0/1.0 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        http;
                        https;
                        ssh;
                    }
                }
            }
        }
        application-tracking;
    }
    security-zone Internet {
        interfaces {
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        dhcp;
                    }
                }
            }
        }
    }

     

     

    Thanks



  • 29.  RE: log traffic for the default deny policy not working

     
    Posted 08-26-2016 06:00
    Can you try this?

    delete security zones security-zone Internet host-inbound-traffic system-services dhcp
    set security zones security-zone Internet host-inbound-traffic system-services any-service


  • 30.  RE: log traffic for the default deny policy not working

    Posted 08-26-2016 07:18

    Hi Suraj

     

    Same error

     

    root@srx210# delete security zones security-zone Internet host-inbound-traffic system-services dhcp
    warning: statement not found

     

    Any ideas?

     

    Thanks



  • 31.  RE: log traffic for the default deny policy not working
    Best Answer

     
    Posted 08-26-2016 08:37
    My bad, you have defined it under interfaces. Didn't notice it. Please use below:

    delete security zones security-zone Internet interfaces ge-0/0/0.0 host-inbound-traffic system-services

    set security zones security-zone Internet host-inbound-traffic system-services any-service


  • 32.  RE: log traffic for the default deny policy not working

    Posted 08-26-2016 10:04

    Hi Suraj

     

    Think you just nailed it; ran a simple ssh <ip> 666

     

    on the SRX:

    <14>1 2016-08-26T13:00:38.988-04:00 srx210 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="78.47.79.193" source-port="56654" destination-address="1.1.1.1" destination-port="666" service-name="None" protocol-id="6" icmp-type="0" policy-name="deny-junos" source-zone-name="Internet" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="UNKNOWN" reason="policy deny"] session denied 78.47.79.193/56654->1.1.1.1/666 None 6(0) deny-junos Internet junos-host UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
    <14>1 2016-08-26T13:00:41.991-04:00 srx210 - - - - last message repeated 2 times

     

    Now a stupid question: I intend to give web access to another user so he can see logs, and when I click on the log icon it's empty. I've tried https://kb.juniper.net/InfoCenter/index?page=content&id=KB19490&smlogin=true&actp=search but it's still empty; any idea?

     

    Much much much appreciated Suraj!!!
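
    The following is an added example, not code from this thread or from Juniper. It parses the two RT_FLOW_SESSION_DENY formats that appear above (the legacy text form in the earlier posts and the structured-data form in the post just above), reports which policy and destination zone denied each session, and emulates the syslog file `match` filter discussed earlier, showing that `match RT_FLOW_SESSION` also keeps session-create lines while `match RT_FLOW_SESSION_DENY` keeps only denies. The sample lines are constructed after the ones posted in the thread and reuse its zone and policy names (deny-internet, deny-junos, junos-host); the session-create line's field layout is illustrative only. The check worth having in a detection pipeline is the destination zone: a deny with destination zone junos-host is a probe of the SRX's own services, and, as the thread established, those records only appear once an explicit to-zone junos-host deny policy with `log session-init` exists and the zone's host-inbound-traffic lets the packet reach policy lookup.

```python
"""Parse Junos RT_FLOW_SESSION_DENY records (legacy text form and RFC 5424
structured-data form) and report which policy denied each session.

Added example for this thread; it is not Juniper code. Sample lines are
constructed after the ones posted above and are not real captures."""
import re
from collections import Counter

SAMPLE_LOGS = [
    # constructed: passthrough deny (dNAT'd port 2222), legacy text form
    "Aug 22 14:55:39 srx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied "
    "190.182.192.226/53486->1.1.1.1/2222 junos-ssh 6(0) deny-internet Internet "
    "Internal UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny",
    # constructed: self-traffic deny, structured-syslog form (to-zone junos-host)
    '<14>1 2016-08-26T13:00:38.988-04:00 srx210 RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.36 source-address="78.47.79.193" source-port="56654" '
    'destination-address="1.1.1.1" destination-port="666" service-name="None" '
    'protocol-id="6" icmp-type="0" policy-name="deny-junos" '
    'source-zone-name="Internet" destination-zone-name="junos-host" '
    'application="UNKNOWN" nested-application="UNKNOWN" username="N/A" '
    'roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="UNKNOWN" '
    'reason="policy deny"] session denied 78.47.79.193/56654->1.1.1.1/666 None '
    "6(0) deny-junos Internet junos-host UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 "
    "UNKNOWN policy deny",
    # constructed: a permitted session, which `match RT_FLOW_SESSION` also
    # keeps (field layout illustrative only)
    "Aug 22 14:56:01 srx210 RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "192.168.1.31/50000->8.8.8.8/53 junos-dns-udp 192.168.1.31/50000->8.8.8.8/53 "
    "None None 17 All_Internal_Internet Internal Internet 4711 N/A(N/A) ge-0/0/1.0",
]

# Legacy deny line: src/sport->dst/dport service proto(icmp) policy from-zone
# to-zone app nested-app user(roles) in-interface encrypted reason
LEGACY_DENY = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>\S+)/(?P<sport>\d+)->(?P<dst>\S+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\(\d+\) "
    r"(?P<policy>\S+) (?P<src_zone>\S+) (?P<dst_zone>\S+) "
    r"\S+ \S+ \S+ (?P<iface>\S+) "
)
# Structured-data block: [junos@<enterprise-oid> key="value" key="value" ...]
SD_BLOCK = re.compile(r"\[junos@\S+ ([^\]]*)\]")
SD_PAIR = re.compile(r'(\S+?)="([^"]*)"')
SD_KEYS = {  # structured-data name -> field name shared with the legacy form
    "source-address": "src", "source-port": "sport",
    "destination-address": "dst", "destination-port": "dport",
    "service-name": "service", "protocol-id": "proto", "policy-name": "policy",
    "source-zone-name": "src_zone", "destination-zone-name": "dst_zone",
    "packet-incoming-interface": "iface",
}


def parse_deny(line):
    """Return a normalised record for an RT_FLOW_SESSION_DENY line, else None."""
    if "RT_FLOW_SESSION_DENY" not in line:
        return None
    sd = SD_BLOCK.search(line)
    if sd:  # structured-syslog form: take the key="value" pairs
        kv = dict(SD_PAIR.findall(sd.group(1)))
        rec = {field: kv[key] for key, field in SD_KEYS.items()}
    else:   # legacy form: positional fields
        m = LEGACY_DENY.search(line)
        if not m:
            return None
        rec = m.groupdict()
    for k in ("sport", "dport", "proto"):
        rec[k] = int(rec[k])
    return rec


def syslog_match(lines, pattern):
    """Emulate `match <regex>` in a Junos syslog file stanza: keep only lines
    whose text matches. RT_FLOW_SESSION keeps create/close/deny events;
    RT_FLOW_SESSION_DENY keeps denies only."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def denies_by_policy(lines):
    """Count denied sessions per (policy, destination zone, destination port)."""
    counts = Counter()
    for rec in filter(None, map(parse_deny, lines)):
        counts[(rec["policy"], rec["dst_zone"], rec["dport"])] += 1
    return counts


def self_traffic_denies(lines):
    """Denies aimed at the SRX itself (destination zone junos-host). These only
    show up once an explicit to-zone junos-host deny policy with
    `log session-init` exists; the built-in self-traffic policy logs nothing."""
    return [r for r in map(parse_deny, lines) if r and r["dst_zone"] == "junos-host"]


if __name__ == "__main__":
    for key, n in sorted(denies_by_policy(SAMPLE_LOGS).items()):
        print("policy=%s to-zone=%s dport=%d denies=%d" % (key + (n,)))
    for r in self_traffic_denies(SAMPLE_LOGS):
        print("probe of the SRX itself: %s:%d -> %s:%d via %s"
              % (r["src"], r["sport"], r["dst"], r["dport"], r["iface"]))
```

    One caveat on the fix that made these records appear: `host-inbound-traffic system-services any-service` on the Internet zone makes every management service on that interface eligible for policy lookup, so the to-zone junos-host deny policy is then the only thing keeping them closed. Keep that policy in place, and if you want the logging without widening the attack surface, list only the services you actually need instead of any-service.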



  • 33.  RE: log traffic for the default deny policy not working

    Posted 08-26-2016 10:36

    Figured it out

     

    Thanks to everyone who helped me on this one !!!



  • 34.  RE: log traffic for the default deny policy not working

     
    Posted 08-26-2016 22:29

    Finally! Thanks for the update 🙂