Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Policy not logging traffic on Juniper firewall



Article ID: KB12283 KB Last Updated: 27 Dec 2017Version: 6.0
When a policy is configured to log traffic, I don't see anything in the log, why?
Policy not logging traffic
This can occur under several situations.  Reasons for this are shown below.

1.  Another policy matches the criteria other than the policy in question.  If using a MIP, refer to next reason.
a) To determine if the traffic is being allowed, enter the command:

get session src-ip <source IP> dst-ip <destination IP>

You should  see matching session output similar to this:

id 32058/s**,vsys 0,flag 00000050/0080/0021,policy 32,time 1, dip 0 module 0
 if 0(nspflag 800001):>,1,0010db69a5f0,sess token 4,vlan 0,tun 0,vsd 0,route 5
 if 3(nspflag 0010):<-,1,000000000000,sess token 8,vlan 0,tun 0,vsd 0,route 0

The top line in this scenario shows "policy 32".  You can review policies on the firewall to determine if this is the desired policy for the traffic in question. If a change is required, reorder the policies so the desired policy to be hit occurs prior to the policy actually being accessed.  If the policy desired to be accessed is already before the one hit then double check the source, destination, and service to make sure they match.

b) Another reason why another policy may not match is due to address translation occurring before the traffic reaches the firewall.
2.  A MIP is configured for the policy
MIPS reside in the Global zone.  Policies from built-in or user-defined zones will be hit first.  If a policy is configured specifically to a MIP address it will be used.  If neither of the former two items apply, a global policy search will be performed.  A MIP will not hit a policy which reads 'set policy from <zone1> to <zone2> any any an deny' because the MIP must be specifically referenced in order for it to be hit.  Placing a policy in the global zone which reads 'set policy from <zone1> to global any any any deny log' will allow you to log all traffic that would otherwise be dropped.  Please note that depending upon the amount of unexpected traffic your firewall receives, this could log a very large amount of denied traffic. For more information, refer to KB7696 - No traffic logs generated for packets denied by policy, whose destination is a MIP address.
3.  Logging may not be enabled on the policy
To verify logging, enter the command:  get policy id <id>
where <id> represents the policy number, and look for 'log close' or 'log init'.  If it reports 'log no', then logging is disabled.

name:"none" (id 9), zone web -> Untrust,action Permit, status "enabled"
src "Any", dst "Any", serv "ANY"
Policies on this vpn tunnel: 0
nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00010000, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log close, log count 0, alert no, counter yes(1) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/1
No Authentication
No User, User Group or Group expression set

To verify from the WebUI, reviewing the policies. Those that have logging enabled will have a grid symbol in the "options" column.  By clicking "edit" for the policy you'll also see the "logging" checkbox selected.
4.  Logging may be enabled for 'session close', which is the default, and the session may not have closed. 
To confirm if the policy logging is configured for 'log at session close', enter the command 'get policy <id>', and look for 'log close'. 

In the WebUI, selecting the 'Logging' checkbox will direct the firewall to log all traffic to which this policy applies. The security device generates logs when sessions end.

Selecting the checkbox 'at Session Beginning' will direct the firewall to generate logs when sessions start.  The output of the 'get policy <id>' will report 'log init'.
5.  The traffic is flowing through a different router or firewall.
You can verify that the traffic is going thru the Juniper firewall by looking at the session with the command:   get session src-ip <client IP>

It will also report what policy the traffic is hitting.  If you don't see any output, then perform a traceroute on the client to confirm the path it is taking.
6.  Internal logging is disabled.
The command unset log module system level notification destination internal will disable the traffic logging from adding entries to the internal log.  Setting this command, set log module system level notification destination internal), will re-enable this feature.

Modification History:
2017-12-27: Article reviewed for accuracy. No changes made. Article is correct and complete.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search