
[J/SRX] Example Configuration - Junos Traffic Log


Article ID: KB10112 KB Last Updated: 05 Mar 2017Version: 11.0
Summary:

Configuring the Junos Traffic Log on a J Series or SRX Series device can be useful for tracking usage patterns of a particular policy.

Solution:

This article applies to J Series and SRX devices running Junos 10.0 and above.

J Series and SRX Series devices provide traffic logs to monitor and record the traffic that policies permit across zones. A traffic log notes the following elements for each session:

  • Date and time of the message
  • Message type (session-init or session-close)
  • Source address and port number  
  • Destination address and port number
  • IP protocol
  • Session Index (sid)
  • Policy Index (pid)
  • Bytes sent and received
  • The duration of the session

In addition, a session-close log includes a close reason value. Refer to the Junos documentation for the possible reason values.

To log traffic that a J Series or SRX Series device receives, enable the log option for all policies of interest. Traffic logs are normally entered only after a session for the particular policy has closed. However, the option to start logging at session initiation is also available. Logging session-init will not show bytes sent/received or duration, but it can be useful for troubleshooting purposes to confirm when a session is first created.


There are three ways to view the logs:

To configure the Traffic Log, perform the following steps.
From J-Web:
  1. Navigate to Configuration > Security > Policies > FW Policies.
  2. Choose the From Zone and To Zone policies to be logged.
  3. Click on the policy for which you would like to enable logging.
  4. Click on the EDIT button at the top
  5. Check the box to Log at Session Close Time and/or Log at Session Init Time, depending on which output is required.
    Log at Session Close Time will not show any log output until the session either closes or ages out.
  6. Click OK.
  7. Once logging is enabled, a small green icon is displayed next to the policy, as shown below.


From CLI:

set security policies from-zone trust to-zone untrust policy permit-all match source-address any
set security policies from-zone trust to-zone untrust policy permit-all match destination-address any
set security policies from-zone trust to-zone untrust policy permit-all match application any
set security policies from-zone trust to-zone untrust policy permit-all then permit source-nat interface
set security policies from-zone trust to-zone untrust policy permit-all then log session-init
set security policies from-zone trust to-zone untrust policy permit-all then log session-close

To view Policy Logs:
From J-Web:
Navigate to Events > View Events.  All traffic logs are located within messages log.  However, the messages log captures much more than just traffic logs.  To ease viewing of the logs, filter for only specific message descriptions. Refer to KB19490 - How to enable and view traffic logs in J-Web/GUI for SRX devices

Regular expressions can be used to filter the log output.  For traffic logs, use “session-init|session-close” within the Text in Event Description field.  Note that for 9.5 and later versions of Junos and all SRX branch platforms, use "RT_FLOW_SESSION" instead as the logging output has changed. The pipe ( | ) symbol means either “session-init” or “session-close” will match the filter and be displayed.

Note: You can configure a separate log dedicated to only capture traffic logs. 



From CLI:
The CLI commands below show the messages log and filter for only those entries that contain "session-init" or "session-close" (pre-9.5 on J Series) within the description, or RT_FLOW_SESSION (9.5 and later, and SRX):
show log messages | match "session-init|session-close" 

  or
show log messages | match RT_FLOW_SESSION

Below is an example of the output and the meaning of each section:

Message type   Src IP/port           Dest IP/port    
------------   ---------------       ------------    
session-close- 172.19.51.171/1259 -> 10.10.10.10/23, 

Proto  Sess ID   Pol ID  Bytes Sent/Recv Duration
-----  -------   ------  --------------- --------
6(0),  sid=1341, pid=5,  4791/5428(183), 230 sec (83252)
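The filter described above for the CLI (match on "session-init|session-close" or RT_FLOW_SESSION) and the field layout of the session-close line are worth combining into a small parser, which is what an analyst usually ends up writing once the messages log has been copied off the device. The example below is added to this article and is not Juniper code. The sample messages are constructed in the layout shown above (the session-close line reuses the article's values; the timestamp prefix, the session-init line, the second session-close line and the sshd line are made up). The parenthesised values after the byte counts and the duration are captured but not interpreted, because the article does not define them.

```python
import re
from collections import defaultdict

# Filter from the article: "session-init|session-close" on older J Series
# releases, RT_FLOW_SESSION on Junos 9.5 and later and on SRX branch platforms.
FILTER_RE = re.compile(r"session-init|session-close|RT_FLOW_SESSION")

# Field layout of the session-close line shown in the article. Bytes and
# duration are optional because a session-init message carries neither.
# The parenthesised numbers after bytes and duration are kept verbatim as
# *_extra; the article does not say what they mean.
TRAFFIC_RE = re.compile(
    r"(?P<msg_type>session-init|session-close)[-:]?\s+"
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+)\s*->\s*"
    r"(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+),\s*"
    r"(?P<proto>\d+)\((?P<proto_extra>\d+)\),\s*"
    r"sid=(?P<sid>\d+),\s*pid=(?P<pid>\d+)"
    r"(?:,\s*(?P<bytes_sent>\d+)/(?P<bytes_recv>\d+)\((?P<bytes_extra>\d+)\),\s*"
    r"(?P<duration>\d+)\s+sec\s+\((?P<duration_extra>\d+)\))?"
)

STRING_FIELDS = {"msg_type", "src_ip", "dst_ip"}

# Constructed sample of a messages log (not real device output).
SAMPLE_MESSAGES = [
    "Mar  5 10:00:01 session-init- 172.19.51.171/1259 -> 10.10.10.10/23, 6(0), sid=1341, pid=5",
    "Mar  5 10:03:51 session-close- 172.19.51.171/1259 -> 10.10.10.10/23, 6(0), sid=1341, pid=5, 4791/5428(183), 230 sec (83252)",
    "Mar  5 10:04:10 sshd[1234]: Accepted publickey for admin from 192.0.2.10",
    "Mar  5 10:05:00 session-close- 172.19.51.172/40000 -> 10.10.10.11/80, 6(0), sid=1342, pid=7, 1000/2000(20), 12 sec (1)",
]


def is_traffic_log(line):
    """Same test as 'show log messages | match ...' in the article."""
    return FILTER_RE.search(line) is not None


def parse_traffic_log(line):
    """Split one traffic log line into its fields; None if it is not one.

    Everything before the message type is kept as the timestamp string.
    Numeric fields become ints; fields absent on session-init stay None.
    """
    m = TRAFFIC_RE.search(line)
    if m is None:
        return None
    rec = {"timestamp": line[:m.start()].strip()}
    for name, value in m.groupdict().items():
        if value is not None and name not in STRING_FIELDS:
            value = int(value)
        rec[name] = value
    return rec


def bytes_per_policy(lines):
    """Sessions and bytes per policy index (pid), from session-close lines only.

    session-init lines are skipped because they carry no byte counts, which is
    the usage-per-policy view the article's summary refers to.
    """
    totals = defaultdict(lambda: {"sessions": 0, "bytes_sent": 0, "bytes_recv": 0})
    for line in lines:
        if not is_traffic_log(line):
            continue
        rec = parse_traffic_log(line)
        if rec is None or rec["msg_type"] != "session-close" or rec["bytes_sent"] is None:
            continue
        t = totals[rec["pid"]]
        t["sessions"] += 1
        t["bytes_sent"] += rec["bytes_sent"]
        t["bytes_recv"] += rec["bytes_recv"]
    return dict(totals)


if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        if is_traffic_log(line):
            print(parse_traffic_log(line))
    print(bytes_per_policy(SAMPLE_MESSAGES))
```

Run against a saved copy of the messages log (for example the output of `show log messages | match RT_FLOW_SESSION` pasted into a file), the per-pid totals show which policy is carrying the traffic, and the parsed records give the same columns as the table above without hand-splitting each line.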