There could be a few reasons you're not seeing logs: - With the groups configuration, you need to still have a policy configured in the configuration before the group applies (even if it is just a blank "set security policies from-zone a to-zone b". You can confirm this with a "| display inheritence" or simply a "show security policies from-zone a to-zone b" - A better way to do this in JunOS 11.2 onwards is with a Global policy now that it is supported rather than using groups - If the traffic you are testing is direct to the firewall, it won't be logged because it never hits a policy. It only works for transit traffic - On this note as well, if it is dropped for a non policy reason (No TCP SYN, no route, etc.) it won't show up in this file either
Hope this helps On Fri, Feb 22, 2013 at 12:39 PM, Mike Devlin <[email protected]> wrote: > So fingers crossed that this is an easy one for you guys, > > Device is an SRX210BE running 11.4R5.5 code. > > ive added the syslog host to the config > > meeks@MeeksNet-SRX210> show configuration system syslog > archive size 100k files 3; > user * { > any emergency; > } > host 192.168.1.12 { > any any; > } > file messages { > any critical; > authorization info; > } > file interactive-commands { > interactive-commands error; > } > file security { > security any; > } > file default-log-messages { > any any; > match "(requested 'commit' operation)|(copying configuration to > juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU > removal)|(FRU insertion)|(link UP)|(vc add)|(vc > > delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license > add)|(license delete)|(package -X update)|(package -X > delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD"; > structured-data; > } > > > > and implemented the default deny template i found here: > > http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS > > > meeks@MeeksNet-SRX210> show configuration groups > default-deny-template { > security { > policies { > from-zone untrust to-zone trust { > policy default-deny { > match { > source-address any; > destination-address any; > application any; > } > then { > deny; > log { > session-init; > } > } > } > } > } > } > } > > meeks@MeeksNet-SRX210> show configuration apply-groups > ## Last commit: 2013-02-21 16:05:36 EST by meeks > apply-groups default-deny-template; > > however, when i log on to the syslog host, and tail the syslog file i do > not see denies being logged remotely. > > if i apply the session-init and session-close options to permitted traffic, > it does get logged remotely. > > Alternatively, > > creating a new policy has the same result, regardless if i use reject or > deny > > meeks@MeeksNet-SRX210# show security policies from-zone untrust to-zone > trust policy deny-all > match { > source-address any; > destination-address any; > application any; > } > then { > deny; > log { > session-init; > } > } > > my google-foo is failing, so i hope you guys can help. > > Looking forward to hearing back from you, > > Mike > _______________________________________________ > juniper-nsp mailing list [email protected] > https://puck.nether.net/mailman/listinfo/juniper-nsp > _______________________________________________ juniper-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/juniper-nsp

