[Archive] Why do I see 0.0.0.0 as the destination address in IDP logs in NSM?


Article ID: KB13557 KB Last Updated: 29 Sep 2020 Version: 3.0
Summary:
In some circumstances, log entries from ISG/IDP devices can appear in NSM with a destination address of 0.0.0.0. (This is true of IDP-enabled SRX devices as well.)
 
Solution:
In NSM, the default setting for log suppression is shown below.  Notice the checkbox "Include Destination IPs When Performing Log Suppression" is unchecked by default.




ISG/IDP devices which enable log suppression will suppress the attack log according to five keys:
source-ip
destination-ip
attack-id
rule-id
vsys-id

When the checkbox is unchecked, as it is above, the destination field of an attack log is set to zero so that more logs are suppressed. This happens on the IDP module, so when NSM receives the log there is no destination address, and 0.0.0.0 is displayed.

When the checkbox is checked, the destination field will be kept. (The device must be updated from NSM after the checkbox value is changed.)

NOTE: Log suppression in this case refers to the sending of multiple logs for the same event. By default, log suppression is enabled without including the destination IP. This is simply done to reduce the number of logs coming from the IDP for the same event. It is also important to note that the first instance of any new event requiring a log entry is always sent. However, if an event would trigger several logs (i.e. 13 logs or more), the IDP suppresses the duplicates. The same is true for any minor change in an event. For example, in a DDoS attack, the source address is likely to change frequently; for each change of source, a log is sent.
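The following added example (not Juniper code, and not part of the original article) is a simplified model of the five-key suppression described above. It shows why leaving the destination out of the key collapses more logs and leaves only 0.0.0.0 for the analyst. The function names, sample addresses and the `ATTACK-A` attack ID are constructed for illustration, and timing and count thresholds are ignored.

```python
from collections import OrderedDict
from ipaddress import ip_address

# Constructed sample attack events, one tuple per detection:
# (source-ip, destination-ip, attack-id, rule-id, vsys-id)
SAMPLE_EVENTS = [
    ("198.51.100.7", "10.0.0.10", "ATTACK-A", 3, 0),
    ("198.51.100.7", "10.0.0.11", "ATTACK-A", 3, 0),
    ("198.51.100.7", "10.0.0.12", "ATTACK-A", 3, 0),
    ("198.51.100.7", "10.0.0.10", "ATTACK-A", 3, 0),
    ("203.0.113.9", "10.0.0.10", "ATTACK-A", 3, 0),  # new source -> new log
]

FIELDS = ("src", "dst", "attack_id", "rule_id", "vsys_id")


def suppress(events, include_destination=False):
    """Model of five-key suppression (assumption: no time window or threshold).

    The first event for each key produces a log entry; later events with
    the same key only raise that entry's repeat count.
    """
    emitted = OrderedDict()
    for src, dst, attack_id, rule_id, vsys_id in events:
        ip_address(src)  # raises ValueError on malformed sample data
        ip_address(dst)
        if not include_destination:
            # Checkbox unchecked: destination is zeroed before keying,
            # so events that differ only by destination share one key.
            dst = "0.0.0.0"
        key = (src, dst, attack_id, rule_id, vsys_id)
        emitted[key] = emitted.get(key, 0) + 1
    return [dict(zip(FIELDS, key), count=n) for key, n in emitted.items()]


def visible_destinations(logs):
    """Destination addresses still recoverable from the forwarded logs."""
    return sorted({log["dst"] for log in logs if log["dst"] != "0.0.0.0"})


if __name__ == "__main__":
    for flag in (False, True):
        logs = suppress(SAMPLE_EVENTS, include_destination=flag)
        print(f"include destination = {flag}: {len(logs)} log(s) forwarded")
        for log in logs:
            print("   ", log)
        print("    visible destinations:", visible_destinations(logs))
```

With the destination excluded, the five sample events produce two log entries and no usable destination; with it included, they produce four entries and all three targeted hosts remain visible.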