vSRX

JFlow on vSRX

08-29-2018 05:57 PM

Hi Experts,

I am trying to enable Jflow on vSRX and have applied the configuration mentioned below, but I am unable to see any data locally or on the collector. As per my understanding, inline-jflow and sflow are for hardware-based devices, and these are virtual SRX firewalls.

set groups aws-default interfaces ge-0/0/0 unit 0 family inet sampling input
set groups aws-default interfaces ge-0/0/0 unit 0 family inet sampling output
set groups aws-default interfaces ge-0/0/0 unit 0 family inet address 10.0.10.93/24
set groups aws-default interfaces ge-0/0/1 unit 0 family inet sampling input
set groups aws-default interfaces ge-0/0/1 unit 0 family inet sampling output
set groups aws-default interfaces ge-0/0/1 unit 0 family inet address 10.0.20.38/24
set groups aws-default forwarding-options sampling input rate 100
set groups aws-default forwarding-options sampling input run-length 0
set groups aws-default forwarding-options sampling family inet output flow-server 169.61.84.3 port 2055
set groups aws-default forwarding-options sampling family inet output flow-server 169.61.84.3 version9 template IPV4-JFLOW-TEMPLATE-NETORC
set groups aws-default forwarding-options sampling family inet output inline-jflow source-address 10.0.10.93

Secondly, if I try the configuration from SolarWinds, it gives an error.

https://support.solarwinds.com/Success_Center/Netflow_Traffic_Analyzer_(NTA)/Knowledgebase_Articles/...

root@Wanclouds-Jnpr-vSRX# set groups aws-default forwarding-options sampling input rate 100
root@Wanclouds-Jnpr-vSRX# ...tions sampling family inet output flow-server 46.101.56.147 port 2055
root@Wanclouds-Jnpr-vSRX# set groups aws-default forwarding-options sampling family inet output flow-server 46.101.56.147 version9
[edit]
root@Wanclouds-Jnpr-vSRX# set groups aws-default interfaces ge-0/0/0 unit 0 family inet sampling input
root@Wanclouds-Jnpr-vSRX# set groups aws-default interfaces ge-0/0/0 unit 0 family inet sampling output
root@Wanclouds-Jnpr-vSRX# set groups aws-default interfaces ge-0/0/1 unit 0 family inet sampling output
root@Wanclouds-Jnpr-vSRX# set groups aws-default interfaces ge-0/0/1 unit 0 family inet sampling input
[edit]
root@Wanclouds-Jnpr-vSRX# commit check
[edit forwarding-options sampling family inet output flow-server 46.101.56.147]
  'version9'
    Service PIC or inline-jflow (j-series and SRX only) must be specified for version9
[edit forwarding-options sampling family inet output flow-server 46.101.56.147]
  'version9'
    Missing mandatory statement: 'template'
error: configuration check-out failed: (missing mandatory statements)

Re: JFlow on vSRX

08-29-2018 07:43 PM

Hello,

About the error message: it is because the template is not called in the line below:

set groups aws-default forwarding-options sampling family inet output flow-server 46.101.56.147 version9

Do try to call the configured template and check if the commit is allowed or not.

I think inline-jflow does work on vSRX, so you can apply a firewall filter on the outgoing interface to check whether the samples are sent out or not.

Regards,

Rushi
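The two 'commit check' messages in the opening post both come from statement dependencies under 'forwarding-options sampling family inet output': a version9 flow-server needs a 'template', and version 9 export needs 'inline-jflow' (or a services PIC) configured for the same family. The following is an added example, not Juniper code and not posted by anyone in this thread: a small offline linter for set-style configuration that reproduces those two checks, plus a sanity check that some interface actually has 'family inet sampling' enabled, so a configuration can be screened before it reaches the device. The services-PIC alternative is not modelled, and the two sample configurations embedded in it are constructed from the lines posted above.

```python
"""Offline lint for Junos 'forwarding-options sampling' set-statements (added example, not Juniper code).

Reproduces the two dependencies that 'commit check' reported in this thread:
a version9 flow-server needs a template, and version9 export needs inline-jflow
(or a services PIC, which this lint does not model) under the same family output.
The two sample configurations are constructed from the lines posted in the thread.
"""

# Constructed sample: the configuration that failed 'commit check'.
BROKEN = """
set groups aws-default forwarding-options sampling input rate 100
set groups aws-default forwarding-options sampling family inet output flow-server 46.101.56.147 port 2055
set groups aws-default forwarding-options sampling family inet output flow-server 46.101.56.147 version9
set groups aws-default interfaces ge-0/0/0 unit 0 family inet sampling input
"""

# Constructed sample: the configuration that committed successfully.
WORKING = """
set groups aws-default forwarding-options sampling input rate 100
set groups aws-default forwarding-options sampling input run-length 0
set groups aws-default forwarding-options sampling family inet output flow-server 169.61.84.3 port 2055
set groups aws-default forwarding-options sampling family inet output flow-server 169.61.84.3 version9 template IPV4-JFLOW-TEMPLATE-NETORC
set groups aws-default forwarding-options sampling family inet output inline-jflow source-address 10.0.10.93
set groups aws-default interfaces ge-0/0/0 unit 0 family inet sampling input
"""


def parse_set_lines(text):
    """Return one token list per 'set ...' line, with a leading 'groups <name>' stripped
    so that grouped and plain configuration compare alike."""
    stmts = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] != "set":
            continue
        toks = toks[1:]
        if toks[:1] == ["groups"]:
            toks = toks[2:]
        stmts.append(toks)
    return stmts


def lint_sampling(text):
    """Return [(edit_path, message), ...] in the same shape as the Junos commit-check output."""
    stmts = parse_set_lines(text)
    families = {}   # family -> {"inline": bool, "servers": {ip: {"version9": bool, "template": bool}}}
    for toks in stmts:
        if toks[:3] != ["forwarding-options", "sampling", "family"] or toks[4:5] != ["output"]:
            continue
        fam = families.setdefault(toks[3], {"inline": False, "servers": {}})
        rest = toks[5:]
        if rest[:1] == ["inline-jflow"]:
            fam["inline"] = True
        elif rest[:1] == ["flow-server"] and len(rest) >= 2:
            srv = fam["servers"].setdefault(rest[1], {"version9": False, "template": False})
            if "version9" in rest:
                srv["version9"] = True
                srv["template"] = srv["template"] or "template" in rest
    problems = []
    for name, fam in families.items():
        for ip, srv in fam["servers"].items():
            if not srv["version9"]:
                continue
            path = f"[edit forwarding-options sampling family {name} output flow-server {ip}]"
            if not fam["inline"]:
                problems.append((path, "inline-jflow must be specified for version9"))
            if not srv["template"]:
                problems.append((path, "Missing mandatory statement: 'template'"))
    # Sanity check: without 'family inet sampling' on at least one interface nothing is sampled.
    if families and not any(t[:1] == ["interfaces"] and "sampling" in t for t in stmts):
        problems.append(("[edit interfaces]", "no interface has family inet sampling input/output"))
    return problems


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("working", WORKING)):
        print(label, lint_sampling(cfg) or "ok")
```

Run it on a file of 'show configuration | display set' output to get the same two complaints the device printed, without touching the candidate configuration.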


Re: JFlow on vSRX

08-29-2018 10:29 PM

Thanks Rushi for looking into it, but if you see the configs, I am using inline-jflow, and the interfaces are part of a routing instance; the same interface ge-0/0/0.0 is 1:1 NATed with a public address, which is my source IP or outgoing interface. And at least it should show some flows locally with the help of this command:

root@Wanclouds-Jnpr-vSRX> show services accounting flow

root@Wanclouds-Jnpr-vSRX>

Is there anything missing in the configs?

set groups aws-default interfaces ge-0/0/0 unit 0 family inet sampling input
set groups aws-default interfaces ge-0/0/0 unit 0 family inet sampling output
set groups aws-default interfaces ge-0/0/0 unit 0 family inet address 10.0.10.93/24
set groups aws-default interfaces ge-0/0/1 unit 0 family inet sampling input
set groups aws-default interfaces ge-0/0/1 unit 0 family inet sampling output
set groups aws-default interfaces ge-0/0/1 unit 0 family inet address 10.0.20.38/24
set groups aws-default forwarding-options sampling input rate 100
set groups aws-default forwarding-options sampling input run-length 0
set groups aws-default forwarding-options sampling family inet output flow-server 169.61.84.3 port 2055
set groups aws-default forwarding-options sampling family inet output flow-server 169.61.84.3 version9 template IPV4-JFLOW-TEMPLATE-NETORC
set groups aws-default forwarding-options sampling family inet output inline-jflow source-address 10.0.10.93
set groups aws-default routing-options static route 0.0.0.0/0 next-hop 10.0.254.1
set groups aws-default routing-options static route 188.166.150.236/32 next-table DATAPLANE-VPN-WANCLOUDS.inet.0
set groups aws-default routing-instances DATAPLANE-VPN-WANCLOUDS instance-type virtual-router
set groups aws-default routing-instances DATAPLANE-VPN-WANCLOUDS interface ge-0/0/0.0
set groups aws-default routing-instances DATAPLANE-VPN-WANCLOUDS interface ge-0/0/1.0
set groups aws-default routing-instances DATAPLANE-VPN-WANCLOUDS routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

Regards

Syed.


Re: JFlow on vSRX

08-29-2018 10:41 PM

I just checked with this command and it is showing some data sent; let me check on the collector whether I am getting some traffic or not.

root@Wanclouds-Jnpr-vSRX> show services accounting flow inline-jflow
  Flow information
    FPC Slot: 0
    Flow Packets: 4, Flow Bytes: 430
    Active Flows: 0, Total Flows: 3
    Flows Exported: 3, Flow Packets Exported: 55
    Flows Inactive Timed Out: 3, Flows Active Timed Out: 3
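A quick way to tell whether the 'Flows Exported' counter above corresponds to packets actually reaching the collector is to decode the version 9 export on the receiving side. The following is an added example, not Juniper or SolarWinds code and not posted by anyone in this thread: a minimal NetFlow v9 decoder that parses the packet header, learns the template FlowSet, decodes data FlowSets against it, and counts data that arrives before its template, which is the usual reason a collector shows no flows while the exporter's counters keep increasing. The packet bytes, exporter source ID, template ID and flow values are constructed inline (the addresses are the two interface addresses from this thread); the field type numbers are the standard ones from RFC 3954.

```python
"""Minimal NetFlow/Jflow v9 decoder for the collector side (added example, not vendor code).

Parses the 20-byte v9 header, learns template FlowSets (id 0) and decodes data
FlowSets against them. Packets below are constructed inline; SOURCE_ID and
TEMPLATE_ID are made-up values, field types are the RFC 3954 ones.
"""
import socket
import struct

# RFC 3954 field types used by the constructed template (type -> name).
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}

SOURCE_ID = 0       # constructed exporter source id
TEMPLATE_ID = 256   # constructed; data FlowSet ids are 256 and above


class V9Decoder:
    """Keeps learned templates per exporter source id and decodes data FlowSets."""

    def __init__(self):
        self.templates = {}     # (source_id, template_id) -> [(field_type, length), ...]
        self.pending_data = 0   # data FlowSets seen before their template was learned

    def decode(self, pkt):
        ver, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if ver != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {ver})")
        records, off = [], 20
        while off + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
            if fs_len < 4:
                raise ValueError("FlowSet length shorter than its own header")
            body = pkt[off + 4:off + fs_len]
            if fs_id == 0:
                self._learn_templates(source_id, body)
            elif fs_id > 255:
                records.extend(self._decode_data(source_id, fs_id, body))
            off += fs_len           # ids 1..255 (options templates etc.) are skipped
        return {"sequence": seq, "source_id": source_id, "records": records}

    def _learn_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:      # must be dropped until a template refresh arrives
            self.pending_data += 1
            return []
        rec_len = sum(flen for _, flen in fields)
        out, off = [], 0
        while off + rec_len <= len(body):   # trailing bytes shorter than a record are padding
            rec, pos = {}, off
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                pos += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = socket.inet_ntoa(raw) if ftype in (8, 12) and flen == 4 else int.from_bytes(raw, "big")
            out.append(rec)
            off += rec_len
        return out


# --- constructed exporter side, so the decoder can be exercised offline ---------------

def template_flowset():
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    body = struct.pack("!HH", TEMPLATE_ID, len(fields)) + b"".join(struct.pack("!HH", t, fl) for t, fl in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def data_flowset(flows):
    body = b"".join(socket.inet_aton(f["src"]) + socket.inet_aton(f["dst"])
                    + struct.pack("!HHBII", f["sport"], f["dport"], f["proto"], f["bytes"], f["pkts"])
                    for f in flows)
    pad = (-(4 + len(body))) % 4          # FlowSets are padded to a 4-byte boundary
    return struct.pack("!HH", TEMPLATE_ID, 4 + len(body) + pad) + body + b"\x00" * pad

def v9_packet(seq, record_count, flowsets):
    hdr = struct.pack("!HHIIII", 9, record_count, 123456, 1535500000, seq, SOURCE_ID)
    return hdr + b"".join(flowsets)

# Constructed sample flow between the two interface addresses from the thread.
SAMPLE_FLOWS = [{"src": "10.0.20.38", "dst": "10.0.10.93", "sport": 51000, "dport": 443,
                 "proto": 6, "bytes": 4300, "pkts": 12}]

def demo():
    """Data before its template decodes to nothing; once the template arrives, records appear."""
    dec = V9Decoder()
    early = dec.decode(v9_packet(1, 1, [data_flowset(SAMPLE_FLOWS)]))
    later = dec.decode(v9_packet(2, 2, [template_flowset(), data_flowset(SAMPLE_FLOWS)]))
    return early["records"], later["records"], dec.pending_data

if __name__ == "__main__":
    print(demo())
```

To use it against a live vSRX, bind a UDP socket on the collector port (2055 in the thread's configuration) and pass each datagram to V9Decoder.decode(). Records stay empty until a template refresh arrives, so let the exporter run for at least one template-refresh interval before concluding that nothing is being exported; a non-zero pending_data with no records is the signature of "packets arrive, template not yet seen" rather than of a sampling problem on the device.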


Re: JFlow on vSRX

08-29-2018 10:52 PM

Hello,

Indeed. The original configuration that was committed successfully appeared to be the correct one.

In my opinion, the flow packets should be sent out of the vSRX.

Regards,

Rushi


Re: JFlow on vSRX

08-29-2018 11:04 PM

Hello,

I am able to commit the configuration you shared on the lab device.

Regards,

Rushi


Re: JFlow on vSRX

08-31-2018 08:29 AM

I think the problem in my setup is that my source or public interface is part of a routing-instance; I am not sure if Juniper supports a syslog or NetFlow source from an interface that is part of a routing-instance. The reason for this setup is that it is deployed in the AWS cloud and we have one Elastic IP, which I am binding/attaching to the dataplane interface to make S-S IPsec work; but if I bind the Elastic IP to the FXP or management interface, then syslog and NetFlow are working.

For SNMP, Juniper supports routing instances. Example:

set snmp v3 usm local-engine user NetorcUser authentication-sha authentication-password Netorc@123!
set snmp v3 usm local-engine user NetorcUser privacy-des privacy-password xxxxx
set snmp v3 vacm security-to-group security-model usm security-name NetorcUser group NetorcGroup
set snmp v3 vacm access group NetorcGroup context-prefix DATAPLANE-VPN-WANCLOUDS security-model usm security-level privacy context-match exact
set snmp v3 vacm access group NetorcGroup context-prefix DATAPLANE-VPN-WANCLOUDS security-model usm security-level privacy read-view NetorcViewGLOBAL
set snmp v3 vacm access group NetorcGroup context-prefix DATAPLANE-VPN-WANCLOUDS security-model usm security-level privacy notify-view NetorcViewGLOBAL
set snmp engine-id use-default-ip-address
set snmp view NetorcViewGLOBAL oid internet include
set snmp view NetorcViewGLOBAL oid .1 include
set snmp routing-instance-access


Re: JFlow on vSRX

09-25-2018 04:40 AM

Hello,

For logging, you can try the configuration in the link below:

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/source-ad...

Regards,

Rushi


Re: JFlow on vSRX

09-25-2018 01:16 PM

Thanks Rushi. Could you please check if it is supported in the vSRX version, as I tried for NetFlow and it seems no such options are available after source-address as mentioned in the link:

root@Wanclouds-Jnpr-vSRX#
set groups aws-default forwarding-options sampling family inet output inline-jflow source-address 10.0.254.186 ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
  flow-export-rate     Flow export rate of monitored packets in kpps (1..400)
  |                    Pipe through a command

Regards

Syed Faizullah.


Re: JFlow on vSRX

09-25-2018 01:25 PM

Hi Rushi,

We even tried for syslog as you mentioned, but no options are available after source-address; see the outputs mentioned below.

root@Wanclouds-Jnpr-vSRX# set system syslog source-address 10.0.10.93 ?
Possible completions:
  <[Enter]>            Execute this command
  allow-duplicates     Do not suppress the repeated message for all targets
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> archive              Archive file information
> console              Console logging
> file                 File in which to log data
> host                 Host to be notified
  log-rotate-frequency  Rotate log frequency (1..59 minutes)
> server               Enable syslog server
> time-format          Additional information to include in system log timestamp
> user                 Notify a user of the event
  |                    Pipe through a command
[edit]

Currently we are running version 15.1X49-D133. Please let me know if I can open a case and expedite it, or request to open a bug.

root@Wanclouds-Jnpr-vSRX> show version
Hostname: Wanclouds-Jnpr-vSRX
Model: vsrx
Junos: 15.1X49-D133
JUNOS Software Release [15.1X49-D133]

Regards

Syed Faizullah.