[SRX] How to log traffic that is denied by default system security policy


Categories:
Knowledge Base ID: KB20778
Last Updated: 07 Apr 2014
Version: 4.0

Summary:

This article explains how to log traffic that is denied by Junos OS’s default implicit security policy, which denies all packets. A workaround is provided to use template policies to configure explicit deny policies between all zones.

Problem or Goal:

Logging of traffic that is denied by the default system security policy.

Cause:

Solution:

By default, Junos OS denies all traffic through an SRX Series device. In fact, an implicit default security policy exists that denies all packets.

As of this writing, Junos OS cannot log traffic that is dropped by this implicit default deny.

As a workaround, configure an explicit deny policy between the security zones and enable logging on it. Because this policy matches the same traffic that the implicit default policy would otherwise drop silently, its logs serve the purpose of logging traffic denied by the system default policy.

Instead of configuring explicit deny policies between every pair of zones, it is easier to apply a template policy with a group configuration.

Configuration

Create a template group

set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny match source-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny match destination-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny match application any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny then deny
set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny then log session-init

Here <*> is a wildcard that matches any security zone.

Apply the group

The following configuration statement applies the template groups between all zones for which there already exists a policy context.

set apply-groups default-deny-template

Verification

You can verify that the group is inherited between a pair of security zones with the following command:

[edit]
root@SRX#show security policies from-zone trust to-zone trust | display inheritance
policy p1 {
    match {
        source-address any;
        destination-address any;
        application junos-http;
    }
    then {
        permit;
    }
}
##
## 'defult-deny' was inherited from group 'default-deny-template'
##
policy defult-deny {
##
## 'match' was inherited from group 'default-deny-template'
##
    match {
##
##      'any' was inherited from group 'default-deny-template'
##
        source-address any;
##
##      'any' was inherited from group 'default-deny-template'
##
        destination-address any;
##
##      'any' was inherited from group 'default-deny-template'
##      Warning: application or application-set must be defined
##
        application any;
    }
##
##  'then' was inherited from group 'default-deny-template'
##
    then {
##
##      'deny' was inherited from group 'default-deny-template'
##
        deny;
##
##      'log' was inherited from group 'default-deny-template'
##
        log {
##
##          'session-init' was inherited from group 'default-deny-template'
##
            session-init;
        }
    }
}

*** In order to activate the template group policy, more than one security policy must be present.

For other examples, refer to the Technical Documentation:

Example: Configuring a Security Policy to Permit or Deny All Traffic

NOTE: If new policies are added later, deactivate and reactivate the group configuration above so that the template is inherited into the new policy contexts as well.
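The two caveats above (the template is only inherited into zone pairs that already have a policy context, and contexts added later are missed until the group is reapplied) are easy to overlook on a device with many zones. As an added example that is not part of this KB or of Junos OS, the following Python script parses `show security policies | display inheritance` output (a constructed sample, compacted onto fewer lines) and reports, for each zone pair in a zone list you supply, whether the last policy in that context is a deny that logs session-init, whether it is some other policy (a gap), or whether no context exists at all (traffic there is still dropped without a log).

```python
import re

# Constructed sample (not from the article) of
# `show security policies | display inheritance`, compacted onto fewer lines.
SAMPLE = """\
from-zone trust to-zone untrust {
    policy p1 { match { source-address any; destination-address any; application junos-http; } then { permit; } }
    ##
    ## 'defult-deny' was inherited from group 'default-deny-template'
    ##
    policy defult-deny { match { source-address any; destination-address any; application any; } then { deny; log { session-init; } } }
}
from-zone untrust to-zone trust {
    policy p2 { match { source-address any; destination-address any; application any; } then { permit; } }
}
"""

def parse_block(tokens):
    """Parse Junos curly-brace syntax into an ordered list of (words, children-or-None)."""
    items, words = [], []
    for tok in tokens:
        if tok == "}":
            break
        if tok in ";{":
            items.append((tuple(words), parse_block(tokens) if tok == "{" else None))
            words = []
        else:
            words.append(tok)
    return items

def child(items, name):
    return next((b for w, b in items if w == (name,)), [])

def audit(output, zones):
    """Verdict per (from, to) zone pair: 'ok' if the last policy in the context is a
    logged deny, 'gap:<name>' otherwise, 'no-context' if no policies exist there."""
    lines = [l for l in output.splitlines() if not l.lstrip().startswith("##")]
    tree = parse_block(iter(re.findall(r"[{};]|[^\s{};]+", "\n".join(lines))))
    contexts = {(w[1], w[3]): b for w, b in tree if w[::2] == ("from-zone", "to-zone")}
    verdicts = {}
    for pair in [(f, t) for f in zones for t in zones]:
        body = contexts.get(pair)
        if body is None:
            verdicts[pair] = "no-context"
            continue
        name, pbody = [(w[1], b) for w, b in body if w and w[0] == "policy"][-1]
        then = child(pbody, "then")
        logged = (("session-init",), None) in child(then, "log")
        verdicts[pair] = "ok" if (("deny",), None) in then and logged else f"gap:{name}"
    return verdicts
```

Run `audit(SAMPLE, ["trust", "untrust"])` against the sample: trust->untrust is ok, untrust->trust reports a gap on p2 (a context created after the group was applied), and the two intrazone pairs have no context.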

Purpose:
Configuration
Implementation

Related Links:

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.