SRX Services Gateway

monitor traffic on clustered srx 340

‎08-11-2018 08:25 AM

Hello,

 

Possibly an easy question, but I am not able to figure it out.

I want to monitor traffic from the internet to a web server through a couple of **bleep** 340 set up in a cluster.

I found:

    run monitor traffic interface ge-0/0/0 matching "host 10.130.38.94" no-resolve

But I do not have a ge interface any more.

So I tried:

    run monitor traffic interface reth1.0 matching "host 10.130.38.94" no-resolve

But I only get ARP messages... ?

I would be grateful if someone had the answer.. :O)

Kind regards Gert

 


Re: monitor traffic on clustered srx 340

‎08-11-2018 08:52 AM

The 'monitor traffic' command only shows traffic to or from the routing engine.  If you want to watch transit traffic, and can't perform a packet capture, then the simplest option is to create a very specific security policy to match and log your interesting traffic.


Re: monitor traffic on clustered srx 340

‎08-11-2018 10:48 AM

OK, I did not think of that.

But what if I want to monitor flow (connection/denied/allowed) from an IP?

Do you have an example.. ? :O)

Kind regards Gert

 

Solution
Accepted by topic author GertJensen
‎08-11-2018 02:33 PM

Re: monitor traffic on clustered srx 340

[ Edited ]
‎08-11-2018 01:47 PM

Hi, Gert

 

A quick way to monitor the traffic passing through the SRX is to check the current sessions:

    > show security flow session destination-prefix [INTERNAL_SERVER_ADDRESS]

Now I believe you are looking for logs like these ones (when the traffic is permitted/denied by your security-policies):

 

    Jan 21 18:20:12  240-3 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.27.199.166/12288->172.27.201.39/1024 icmp 172.27.199.166/12288->172.27.201.39/1024 None None 1 p1 trust junos-host 8224 N/A(N/A) ge-0/0/0.0
    Jan 21 18:20:13 240-3 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 172.27.199.166/11520->172.27.201.39/1024 icmp 172.27.199.166/11520->172.27.201.39/1024 None None 1 p1 trust junos-host 8218 1(60) 1(60) 4 N/A(N/A) ge-0/0/0.0

 

Here I provide a couple of articles with configuration examples to achieve that:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16509

https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Traffic-Log/m-p/319310#M48675

https://kb.juniper.net/InfoCenter/index?page=content&id=KB26771 (this one is for traffic destined to the SRX but the config example works)

 

I hope it helps.

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
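
Once policy logging writes RT_FLOW lines like the two quoted in the answer above to a file, they can be filtered per host, which is what the follow-up question asks for. The Python parser below is an added example, not part of the original thread or of Juniper's tooling; the function names are hypothetical, and the field positions are read off the two quoted sample lines, so treat them as an assumption for other Junos releases or event types.

```python
import re

# The two RT_FLOW lines quoted in the answer above, copied verbatim.
SAMPLE_LOG = """\
Jan 21 18:20:12  240-3 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.27.199.166/12288->172.27.201.39/1024 icmp 172.27.199.166/12288->172.27.201.39/1024 None None 1 p1 trust junos-host 8224 N/A(N/A) ge-0/0/0.0
Jan 21 18:20:13 240-3 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 172.27.199.166/11520->172.27.201.39/1024 icmp 172.27.199.166/11520->172.27.201.39/1024 None None 1 p1 trust junos-host 8218 1(60) 1(60) 4 N/A(N/A) ge-0/0/0.0
"""

# Event name, free text, then the first "src/port->dst/port" tuple and the rest.
RT_FLOW = re.compile(
    r"RT_FLOW_SESSION_(?P<event>[A-Z]+): (?P<text>.*?) "
    r"(?P<src>[^\s/]+)/(?P<sport>\d+)->(?P<dst>[^\s/]+)/(?P<dport>\d+) "
    r"(?P<rest>.*)$"
)


def parse_rt_flow(line):
    """Parse one RT_FLOW_SESSION_* syslog line into a dict, or return None."""
    m = RT_FLOW.search(line)
    if not m:
        return None
    rec = {"event": m["event"], "src": m["src"], "sport": int(m["sport"]),
           "dst": m["dst"], "dport": int(m["dport"])}
    rest = m["rest"].split()
    # Assumption: positions below follow the two sample lines (service, NAT
    # tuple, two NAT rule names, protocol, policy, zones, session id).
    if rec["event"] in ("CREATE", "CLOSE") and len(rest) >= 9:
        rec.update(service=rest[0], protocol=int(rest[4]), policy=rest[5],
                   from_zone=rest[6], to_zone=rest[7], session_id=int(rest[8]))
    if rec["event"] == "CLOSE":
        rec["reason"] = m["text"].removeprefix("session closed").strip(" :")
    return rec


def sessions_for_host(log_text, host):
    """Return parsed records where host is the session source or destination."""
    records = (parse_rt_flow(line) for line in log_text.splitlines())
    return [r for r in records if r and host in (r["src"], r["dst"])]


if __name__ == "__main__":
    for rec in sessions_for_host(SAMPLE_LOG, "172.27.201.39"):
        print(rec)
```
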