SRX Services Gateway

logging nat sessions

‎02-15-2011 05:30 AM

Hello,

 

What is the best way to log NAT sessions to a remote syslog with an SRX 3600?

 

Thank you.

 

5 REPLIES

Re: logging nat sessions

‎02-15-2011 07:44 AM

If it's STRM you can create a custom filter from zone trust to untrust and put that in a report... Otherwise, under the session RT_FLOW_SESSION_CREATE information that is sent you should have the following information...

 

src-nat-rule-name="None" dst-nat-rule-name="None"
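
Once those RT_FLOW_SESSION_CREATE messages reach the syslog server, the two rule-name fields are enough to separate translated sessions from untranslated ones. The following is an added example, not part of the original thread; it assumes the messages arrive in the key="value" form quoted above, and the sample lines, the rule name "snat-out" and every key other than the two rule-name fields are assumptions.

```python
import re

KV = re.compile(r'([\w-]+)="([^"]*)"')  # key="value" pairs in the message

# Constructed sample messages (not from the thread): a session translated by a
# hypothetical source NAT rule "snat-out", a session with no NAT, and a close
# event. Key names other than src-nat-rule-name and dst-nat-rule-name are
# assumed; check them against what your SRX actually emits.
SAMPLE = [
    '<14>1 2011-02-15T12:30:01Z srx RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636 '
    'source-address="10.1.1.20" source-port="51514" '
    'destination-address="198.51.100.7" destination-port="443" '
    'nat-source-address="203.0.113.5" nat-source-port="20311" '
    'nat-destination-address="198.51.100.7" nat-destination-port="443" '
    'src-nat-rule-name="snat-out" dst-nat-rule-name="None" session-id-32="1001"]',
    '<14>1 2011-02-15T12:30:02Z srx RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636 '
    'source-address="10.1.1.21" source-port="40000" '
    'destination-address="10.2.2.9" destination-port="22" '
    'nat-source-address="10.1.1.21" nat-source-port="40000" '
    'nat-destination-address="10.2.2.9" nat-destination-port="22" '
    'src-nat-rule-name="None" dst-nat-rule-name="None" session-id-32="1002"]',
    '<14>1 2011-02-15T12:30:09Z srx RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636 '
    'src-nat-rule-name="snat-out" dst-nat-rule-name="None" session-id-32="1001"]',
]

def nat_sessions(lines):
    """Return one record per RT_FLOW_SESSION_CREATE line that a NAT rule matched."""
    out = []
    for line in lines:
        if "RT_FLOW_SESSION_CREATE" not in line:
            continue  # only session creation carries the mapping we want
        f = dict(KV.findall(line))
        rules = (f.get("src-nat-rule-name", "None"), f.get("dst-nat-rule-name", "None"))
        if rules == ("None", "None"):
            continue  # session was not translated
        out.append({
            "session": f.get("session-id-32"), "src_rule": rules[0], "dst_rule": rules[1],
            "original": "%s:%s -> %s:%s" % tuple(f.get(k, "?") for k in (
                "source-address", "source-port",
                "destination-address", "destination-port")),
            "translated": "%s:%s -> %s:%s" % tuple(f.get(k, "?") for k in (
                "nat-source-address", "nat-source-port",
                "nat-destination-address", "nat-destination-port")),
        })
    return out

if __name__ == "__main__":
    for rec in nat_sessions(SAMPLE):
        print(rec)
```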

 

 


Re: logging nat sessions

‎02-15-2011 12:10 PM

I already got that.

My problem is about logging with a remote syslog. Don't want to log into a file.

 


Re: logging nat sessions

‎02-15-2011 12:30 PM

Under system log to a host.  The host is the IP you want to log to.

 

syslog {
    host X.X.X.X {
        any any;
        match "RT_FLOW_SESSION_CREATE|RT_FLOW_SESSION_DENY|RT_FLOW_SESSION_CLOSE|RT_IDP";
    }
}


Re: logging nat sessions

‎02-16-2011 12:31 AM

Hi, on an SRX firewall device you do it like this. Under the security log stanza you can configure this:

 

show configuration security log 

 

mode stream;
format syslog;
source-address X.X.X.X;
stream logserver {
    host {
        X.X.X.X;
    }
}
This will render a syslog stream to your logserver with all the sessions generated at your firewall device.
-John

 


Re: logging nat sessions

‎02-16-2011 05:22 AM

Yeah, second that, stream is the way to go. You will get tons more information than just syslog on a match statement.