This (remote syslog) works for me on SRX550's running 12.1R1.9
This will apply a default deny & log to the end of your security policies, so you don't need to reorder policies after adding a new one.

I have had issues logging locally where the box will stop logging after a while. Not a big issue, since it all gets piped off to a syslog server, but still annoying.
Syntax for that was:
        file traffic-log {
            any any;
            match RT_FLOW_SESSION;
            structured-data;
        }



groups {
    global-policy {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy default-logdrop {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            deny;
                            log {
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }
}
system {
        syslog {
                host x.x.x.x {
                        any any;
                }
        }
}
security {
        apply-groups global-policy;
}



On Mon, 25 Feb 2013 16:10:49 -0500, Mike Devlin wrote:
nope, that didnt work either :(

meeks@MeeksNet-SRX210# run show log TEST-DENY

[edit]

meeks@MeeksNet-SRX210# show system syslog file TEST-DENY
any any;
match RT_FLOW;

[edit]

On Sat, Feb 23, 2013 at 2:35 AM, Farrukh Haroon
<[email protected]>wrote:

Hello Mike

Was wondering if you can get the deny logs while doing local logging?

set system syslog file TEST-DENY any any
set system syslog file TEST-DENY match RT_FLOW

Regards
Farrukh


On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin <[email protected]> wrote:

So fingers crossed that this is an easy one for you guys,

Device is an SRX210BE running 11.4R5.5 code.

ive added the syslog host to the config

meeks@MeeksNet-SRX210> show configuration system syslog
archive size 100k files 3;
user * {
    any emergency;
}
host 192.168.1.12 {
    any any;
}
file messages {
    any critical;
    authorization info;
}
file interactive-commands {
    interactive-commands error;
}
file security {
    security any;
}
file default-log-messages {
    any any;
    match "(requested 'commit' operation)|(copying configuration to
juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU
removal)|(FRU insertion)|(link UP)|(vc add)|(vc


delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license
add)|(license delete)|(package -X update)|(package -X

delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD";
    structured-data;
}



and implemented the default deny template i found here:


http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS


meeks@MeeksNet-SRX210> show configuration groups
default-deny-template {
    security {
        policies {
            from-zone untrust to-zone trust {
                policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                        log {
                            session-init;
                        }
                    }
                }
            }
        }
    }
}

meeks@MeeksNet-SRX210> show configuration apply-groups
## Last commit: 2013-02-21 16:05:36 EST by meeks
apply-groups default-deny-template;

however, when i log on to the syslog host, and tail the syslog file i do
not see denies being logged remotely.

if i apply the session-init and session-close options to permitted
traffic,
it does get logged remotely.

Alternatively,

creating a new policy has the same result, regardless if i use reject or
deny

meeks@MeeksNet-SRX210# show security policies from-zone untrust to-zone
trust policy deny-all
match {
    source-address any;
    destination-address any;
    application any;
}
then {
    deny;
    log {
        session-init;
    }
}

my google-foo is failing, so i hope you guys can help.

Looking forward to hearing back from you,

Mike
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp



_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp

_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp

Reply via email to