
How to: Configure traffic logging on SRX5000.


Article ID: KB13641 | Last Updated: 25 Mar 2020 | Version: 2.0
Summary:
This article provides an example of how to enable logging on security policies and send the resulting traffic logs to an external syslog server.
Symptoms:
SRX 5000 series devices do not send session logs to the Routing Engine (RE). Because system logging is performed on the RE, session (traffic) logs cannot be written to the RE file system; all traffic logging must therefore be sent to an external syslog server. Furthermore, since fxp0 belongs to the RE, the syslog server must be reachable through an interface on an IOC. Traffic logs cannot be sent out of fxp0.
Solution:
Below is an example of how to configure traffic logging on an SRX cluster. Syslog server hardware/software requirements and configuration are beyond the scope of this article, as the collector is a third-party (non-Juniper) server.


Basic Topology
                                                 +-------------+
                                                 |Syslog Server|
                 +---------------------+    +----|  10.90.1.2  |
                 |     SRX Cluster     |    |    +-------------+
+----------+     |                     |    |
|  Clients |-----|reth4.101   reth6.201|----+
+----------+     |10.80.1.1   10.90.1.1|    |    +-------------+
10.80.1.0/24     |                     |    |    | ISP Router  |
                 |         fxp0        |    +----| 10.90.1.254 |
                 |    172.19.46.62/51  |         +-------------+
                 +---------------------+
                            |
                            |
                      +------------+
                      | NSM Server | 
                      |172.19.46.30|
                      +------------+

In the topology above, clients are on the trust side and servers are on the untrust side. The syslog server on the untrust side is reachable via reth6.201, while the NSM server (not required, but included to illustrate the management domain) is reachable via fxp0. The SRX is configured as a JUNOS Services Redundancy Protocol (JSRP) cluster, as JSRP is commonly used with the SRX 5000 series. The sample configuration below is taken from this topology.

To send traffic logs to an external syslog server, first configure the syslog server parameters under the [edit security log] hierarchy. Then, within the security policies, specify log session-close (required) and log session-init (optional).


Example Configuration
interfaces {
    ge-10/0/0 {
        gigether-options {
            redundant-parent reth4;
        }
    }
    ge-10/1/0 {
        gigether-options {
            redundant-parent reth6;
        }
    }
    ge-22/0/0 {
        gigether-options {
            redundant-parent reth4;
        }
    }
    ge-22/1/0 {
        gigether-options {
            redundant-parent reth6;
        }
    }
    reth4 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 101 {
            vlan-id 101;
            family inet {
                address 10.80.1.1/24;
            }
        }
    }
    reth6 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 201 {
            vlan-id 201;
            family inet {
                address 10.90.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 10.90.1.254;
            retain;
        }
    }
}
security {
    log {
        source-address 10.90.1.1;
        stream trafficlogs {
            host {
                10.90.1.2;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address net_10-80-1-0--24 10.80.1.0/24;
            }
            interfaces {
                reth4.101;
            }
        }
        security-zone untrust {
            interfaces {
                reth6.201;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy 187464 {
                match {
                    source-address net_10-80-1-0--24;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}

Note that the configuration example above highlights only the settings relevant to traffic logging; all other configuration is assumed to be complete.
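The two constraints this article states (the stream host must be reachable through an IOC interface rather than fxp0, and a permit policy needs log session-close before any traffic log is produced) can be checked mechanically before committing. The following Python script is an added example, not code from the article or from Juniper: it lints a constructed "display set" rendering of the configuration above, assuming a /24 mask on fxp0 (the diagram's prefix length is not a valid IPv4 mask).

```python
import ipaddress
import re

# Constructed sample in "display set" form, using the article's values; the fxp0 mask is assumed (/24).
SAMPLE = """\
set interfaces reth4 unit 101 family inet address 10.80.1.1/24
set interfaces reth6 unit 201 family inet address 10.90.1.1/24
set interfaces fxp0 unit 0 family inet address 172.19.46.62/24
set security log source-address 10.90.1.1
set security log stream trafficlogs host 10.90.1.2
set security policies from-zone trust to-zone untrust policy 187464 then permit
set security policies from-zone trust to-zone untrust policy 187464 then log session-init
set security policies from-zone trust to-zone untrust policy 187464 then log session-close
"""

ADDR = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
SRC = re.compile(r"^set security log source-address (\S+)$")
HOST = re.compile(r"^set security log stream (\S+) host (\S+)$")
POL = re.compile(r"^set security policies (from-zone \S+ to-zone \S+ policy \S+) then (permit|log \S+)$")

def parse_set_config(text):
    """Collect interface addresses, security log settings and policy actions from set-style lines."""
    cfg = {"ifaces": [], "source": None, "hosts": {}, "policies": {}}
    for line in text.splitlines():
        if m := ADDR.match(line):
            cfg["ifaces"].append((f"{m[1]}.{m[2]}", ipaddress.ip_interface(m[3])))
        elif m := SRC.match(line):
            cfg["source"] = ipaddress.ip_address(m[1])
        elif m := HOST.match(line):
            cfg["hosts"][m[1]] = ipaddress.ip_address(m[2])
        elif m := POL.match(line):
            cfg["policies"].setdefault(m[1], set()).add(m[2])
    return cfg

def check_traffic_logging(text):
    """Return findings; an empty list means the config meets the article's constraints."""
    cfg, findings = parse_set_config(text), []
    # Traffic logs leave through IOC interfaces, so neither the source address nor the path to the collector may involve fxp0.
    if cfg["source"] not in {i.ip for n, i in cfg["ifaces"] if not n.startswith("fxp0")}:
        findings.append(f"source-address {cfg['source']} is not an address on a non-fxp0 interface")
    for name, host in cfg["hosts"].items():
        owner = next((n for n, i in cfg["ifaces"] if host in i.network), None)
        if owner is None:
            findings.append(f"stream {name}: host {host} not on a connected subnet; verify its route exits an IOC interface")
        elif owner.startswith("fxp0"):
            findings.append(f"stream {name}: host {host} is reachable only via {owner}; traffic logs cannot use fxp0")
    for pol, acts in cfg["policies"].items():
        if "permit" in acts and "log session-close" not in acts:
            findings.append(f"{pol}: permit without 'log session-close' (required for traffic logging)")
    return findings
```

Pointing the stream host at the NSM server's address on the fxp0 subnet, or dropping session-close from the policy, each produces a finding; the sample as given produces none.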