Knowledge Base
Search our Knowledge Base sites to find answers to your questions.
Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles[Archive] Why do I see 0.0.0.0 as the destination address in IDP logs in NSM?
Solution:
In NSM, the default setting for log suppression is shown below. Notice the checkbox "Include Destination IPs When Performing Log Suppression" is unchecked by default.
ISG/IDP devices which enable log suppression will suppress the attack log according to five keys:
When the checkbox is unchecked as it is above, the destination field of an attack log will be set zero to make more logs suppressed. This process happens on the IDP module, so when NSM receives the log, there is no destination address, thus 0.0.0.0 is displayed.
When the checkbox is checked, the destination field will be kept. (The device must be updated from NSM after the checkbox value is changed.)
NOTE: When talking about log suppression in this case, it refers to the sending of multiple logs on the same event. By default, log suppression is enabled without including the destination IP. This is simply done to reduce the amount of logs coming from the IDP in regards to the same event. It is also important to note that the first instance of any new event requiring a log entry is always sent. However, if an event would trigger several logs (i.e. 13 logs or more) the IDP suppresses from sending the duplicates. The same is true for any minor change in an event. For example, in a DDOS attack, the source address is likely to change frequently; for each change of source, we would indeed send a log.
ISG/IDP devices which enable log suppression will suppress the attack log according to five keys:
source-ip
destination-ip
attack-id
rule-id
vsys-id
When the checkbox is unchecked as it is above, the destination field of an attack log will be set zero to make more logs suppressed. This process happens on the IDP module, so when NSM receives the log, there is no destination address, thus 0.0.0.0 is displayed.
When the checkbox is checked, the destination field will be kept. (The device must be updated from NSM after the checkbox value is changed.)
NOTE: When talking about log suppression in this case, it refers to the sending of multiple logs on the same event. By default, log suppression is enabled without including the destination IP. This is simply done to reduce the amount of logs coming from the IDP in regards to the same event. It is also important to note that the first instance of any new event requiring a log entry is always sent. However, if an event would trigger several logs (i.e. 13 logs or more) the IDP suppresses from sending the duplicates. The same is true for any minor change in an event. For example, in a DDOS attack, the source address is likely to change frequently; for each change of source, we would indeed send a log.
Getting Up and Running with Junos
Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search