vSRX

JFlow on vSRX

‎08-29-2018 05:57 PM

Hi Experts,

I am trying to enable Jflow on vSRX and have applied the configuration below, but I am unable to see any data locally or on the collector. As per my understanding, inline-jflow and sflow are for hardware-based platforms, and these are virtual SRX firewalls.

 

set groups aws-default interfaces ge-0/0/0 unit 0 family inet sampling input
set groups aws-default interfaces ge-0/0/0 unit 0 family inet sampling output
set groups aws-default interfaces ge-0/0/0 unit 0 family inet address 10.0.10.93/24
set groups aws-default interfaces ge-0/0/1 unit 0 family inet sampling input
set groups aws-default interfaces ge-0/0/1 unit 0 family inet sampling output
set groups aws-default interfaces ge-0/0/1 unit 0 family inet address 10.0.20.38/24
set groups aws-default forwarding-options sampling input rate 100
set groups aws-default forwarding-options sampling input run-length 0
set groups aws-default forwarding-options sampling family inet output flow-server 169.61.84.3 port 2055
set groups aws-default forwarding-options sampling family inet output flow-server 169.61.84.3 version9 template IPV4-JFLOW-TEMPLATE-NETORC
set groups aws-default forwarding-options sampling family inet output inline-jflow source-address 10.0.10.93

 

Secondly, if I try the configuration in Solarwinds, it gives an error.

 

https://support.solarwinds.com/Success_Center/Netflow_Traffic_Analyzer_(NTA)/Knowledgebase_Articles/...

 

 

root@Wanclouds-Jnpr-vSRX# set groups aws-default forwarding-options sampling input rate 100
root@Wanclouds-Jnpr-vSRX# ...tions sampling family inet output flow-server 46.101.56.147 port 2055
root@Wanclouds-Jnpr-vSRX# set groups aws-default forwarding-options sampling family inet output flow-server 46.101.56.147 version9

[edit]
root@Wanclouds-Jnpr-vSRX# set groups aws-default interfaces ge-0/0/0 unit 0 family inet sampling input
root@Wanclouds-Jnpr-vSRX# set groups aws-default interfaces ge-0/0/0 unit 0 family inet sampling output
root@Wanclouds-Jnpr-vSRX# set groups aws-default interfaces ge-0/0/1 unit 0 family inet sampling output
root@Wanclouds-Jnpr-vSRX# set groups aws-default interfaces ge-0/0/1 unit 0 family inet sampling input

[edit]
root@Wanclouds-Jnpr-vSRX# commit check
[edit forwarding-options sampling family inet output flow-server 46.101.56.147]
  'version9'
    Service PIC or inline-jflow (j-series and SRX only) must be specified for version9
[edit forwarding-options sampling family inet output flow-server 46.101.56.147]
  'version9'
    Missing mandatory statement: 'template'
error: configuration check-out failed: (missing mandatory statements)

 

 

 

 

 

9 REPLIES

Re: JFlow on vSRX

‎08-29-2018 07:43 PM

Hello,

 

About the error message, it is because the template is not called in the line below:

 

set groups aws-default forwarding-options sampling family inet output flow-server 46.101.56.147 version9  

 

Do try to call the configured template and check if the commit is allowed or not.

 

I think inline-jflow does work on vSRX, so you can apply a firewall filter on the outgoing interface to check whether the samples are sent out or not.

 

Regards,

 

Rushi
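
The two commit-check conditions discussed above, as an added example that is not part of the original thread or any Juniper tooling: a small Python lint over set-style lines that flags a version9 flow-server with no inline-jflow statement in the same output stanza, or with no template. The function name is hypothetical, only the inline-jflow half of the "Service PIC or inline-jflow" condition is checked, and the sample input is copied from the posts.

```python
import re
from collections import defaultdict

# "family <f> output ..." lines of set-style sampling config, with or
# without the leading "groups <name>" used in the thread.
OUTPUT_RE = re.compile(
    r"^set\s+(?:groups\s+(?P<group>\S+)\s+)?forwarding-options\s+sampling\s+"
    r"family\s+(?P<family>\S+)\s+output\s+(?P<rest>.+)$"
)

def lint_jflow(config_text):
    """Return (flow_server, problem) findings for version9 flow-servers."""
    stanzas = defaultdict(lambda: {"inline": False, "servers": defaultdict(dict)})
    for raw in config_text.splitlines():
        # Accept lines pasted from a CLI session: drop a "user@host# " prompt.
        line = re.sub(r"^\S+@\S+#\s*", "", raw.strip())
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        stanza = stanzas[(m.group("group"), m.group("family"))]
        tokens = m.group("rest").split()
        if tokens[0] == "inline-jflow":
            stanza["inline"] = True
        elif tokens[0] == "flow-server" and len(tokens) >= 2:
            server, opts = stanza["servers"][tokens[1]], tokens[2:]
            if "version9" in opts:
                server["v9"] = True
                i = opts.index("version9")
                if opts[i + 1:i + 2] == ["template"] and len(opts) > i + 2:
                    server["template"] = opts[i + 2]
    findings = []
    for _, stanza in sorted(stanzas.items(), key=str):
        for addr, server in sorted(stanza["servers"].items()):
            if not server.get("v9"):
                continue
            if not stanza["inline"]:
                findings.append((addr, "version9 without inline-jflow"))
            if "template" not in server:
                findings.append((addr, "version9 without template"))
    return findings

# Sample input copied from the thread: the line that failed commit check,
# and the sampling output lines of the configuration that committed.
FAILING = """\
root@Wanclouds-Jnpr-vSRX# set groups aws-default forwarding-options sampling family inet output flow-server 46.101.56.147 version9
"""
WORKING = """\
set groups aws-default forwarding-options sampling family inet output flow-server 169.61.84.3 port 2055
set groups aws-default forwarding-options sampling family inet output flow-server 169.61.84.3 version9 template IPV4-JFLOW-TEMPLATE-NETORC
set groups aws-default forwarding-options sampling family inet output inline-jflow source-address 10.0.10.93
"""
```
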


Re: JFlow on vSRX

‎08-29-2018 10:29 PM

Thanks Rushi for looking into it, but if you see the configs, I am using inline-jflow, and the interfaces are part of a routing instance, and the same interface ge-0/0/0.0 is 1:1 NAT with public, which is my source IP or outgoing interface. And at least it should show some flows locally with the help of this command:

 

root@Wanclouds-Jnpr-vSRX> show services accounting flow 

 

root@Wanclouds-Jnpr-vSRX> 

 

Is there anything missing in the configs?

 

set groups aws-default interfaces ge-0/0/0 unit 0 family inet sampling input
set groups aws-default interfaces ge-0/0/0 unit 0 family inet sampling output
set groups aws-default interfaces ge-0/0/0 unit 0 family inet address 10.0.10.93/24
set groups aws-default interfaces ge-0/0/1 unit 0 family inet sampling input
set groups aws-default interfaces ge-0/0/1 unit 0 family inet sampling output
set groups aws-default interfaces ge-0/0/1 unit 0 family inet address 10.0.20.38/24
set groups aws-default forwarding-options sampling input rate 100
set groups aws-default forwarding-options sampling input run-length 0
set groups aws-default forwarding-options sampling family inet output flow-server 169.61.84.3 port 2055
set groups aws-default forwarding-options sampling family inet output flow-server 169.61.84.3 version9 template IPV4-JFLOW-TEMPLATE-NETORC
set groups aws-default forwarding-options sampling family inet output inline-jflow source-address 10.0.10.93
set groups aws-default routing-options static route 0.0.0.0/0 next-hop 10.0.254.1
set groups aws-default routing-options static route 188.166.150.236/32 next-table DATAPLANE-VPN-WANCLOUDS.inet.0
set groups aws-default routing-instances DATAPLANE-VPN-WANCLOUDS instance-type virtual-router
set groups aws-default routing-instances DATAPLANE-VPN-WANCLOUDS interface ge-0/0/0.0
set groups aws-default routing-instances DATAPLANE-VPN-WANCLOUDS interface ge-0/0/1.0
set groups aws-default routing-instances DATAPLANE-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

 

Regards

Syed.


Re: JFlow on vSRX

‎08-29-2018 10:41 PM

I just checked with this command and it's showing some data sent; let me check on the collector whether I am getting some traffic or not.

 

 

root@Wanclouds-Jnpr-vSRX> show services accounting flow inline-jflow
  Flow information
    FPC Slot: 0
    Flow Packets: 4, Flow Bytes: 430
    Active Flows: 0, Total Flows: 3
    Flows Exported: 3, Flow Packets Exported: 55
    Flows Inactive Timed Out: 3, Flows Active Timed Out: 3


Re: JFlow on vSRX

‎08-29-2018 10:52 PM

Hello,

 

Indeed. The original configuration that was committed successfully appeared to be the correct one.

In my opinion, the flow packets should be sent out of the vSRX.

 

Regards,

 

Rushi


Re: JFlow on vSRX

‎08-29-2018 11:04 PM

Hello,

 

I am able to commit the configuration you shared in the lab device.

 

Regards,

 

Rushi


Re: JFlow on vSRX

‎08-31-2018 08:29 AM

I think the problem in my setup is that my source or public interface is part of a routing-instance; I am not sure if Juniper supports syslog or netflow sourced from an interface that is part of a routing-instance. The reason for this setup is that it is deployed in AWS cloud and we have 1 elastic IP, and I am binding/attaching it to the dataplane interface to make S-S IPsec work, but if I bind the elastic IP to the FXP or management interface then syslog and netflow work.

For SNMP, Juniper supports routing instances, for example:

 

set snmp v3 usm local-engine user NetorcUser authentication-sha authentication-password Netorc@123!
set snmp v3 usm local-engine user NetorcUser privacy-des privacy-password xxxxx
set snmp v3 vacm security-to-group security-model usm security-name NetorcUser group NetorcGroup
set snmp v3 vacm access group NetorcGroup context-prefix DATAPLANE-VPN-WANCLOUDS security-model usm security-level privacy context-match exact
set snmp v3 vacm access group NetorcGroup context-prefix DATAPLANE-VPN-WANCLOUDS security-model usm security-level privacy read-view NetorcViewGLOBAL
set snmp v3 vacm access group NetorcGroup context-prefix DATAPLANE-VPN-WANCLOUDS security-model usm security-level privacy notify-view NetorcViewGLOBAL
set snmp engine-id use-default-ip-address
set snmp view NetorcViewGLOBAL oid internet include
set snmp view NetorcViewGLOBAL oid .1 include
set snmp routing-instance-access


Re: JFlow on vSRX

‎09-25-2018 04:40 AM

Hello,

 

For logging, you can try the configuration in the link below:

 

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/source-ad...

 

Regards,

 

Rushi


Re: JFlow on vSRX

‎09-25-2018 01:16 PM

Thanks Rushi, could you please check if it's supported in this vSRX version, as I tried it for Netflow and it seems like no such options are available after source-address as mentioned in the link.

 

root@Wanclouds-Jnpr-vSRX# set groups aws-default forwarding-options sampling family inet output inline-jflow source-address 10.0.254.186 ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
  flow-export-rate     Flow export rate of monitored packets in kpps (1..400)
  |                    Pipe through a command

Regards

Syed Faizullah.


Re: JFlow on vSRX

‎09-25-2018 01:25 PM

 

Hi Rushi,

We even tried it for syslog as you mentioned, but no options are available after source-address; see the outputs below.

 

root@Wanclouds-Jnpr-vSRX# set system syslog source-address 10.0.10.93 ?
Possible completions:
  <[Enter]>            Execute this command
  allow-duplicates     Do not suppress the repeated message for all targets
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> archive              Archive file information
> console              Console logging
> file                 File in which to log data
> host                 Host to be notified
  log-rotate-frequency  Rotate log frequency (1..59 minutes)
> server               Enable syslog server
> time-format          Additional information to include in system log timestamp
> user                 Notify a user of the event
  |                    Pipe through a command
[edit]

 

 

Currently we are running version 15.1X49-D133. Please let me know if we can open a case and expedite it, or request to open a bug.

 

root@Wanclouds-Jnpr-vSRX> show version
Hostname: Wanclouds-Jnpr-vSRX
Model: vsrx
Junos: 15.1X49-D133
JUNOS Software Release [15.1X49-D133]

 

Regards

Syed Faizullah.