
How to configure High-End SRX devices to send traffic logs to NSM


Article ID: KB16643 | Last Updated: 04 Mar 2017 | Version: 7.0

Summary:

Getting traffic logs from an SRX device into the NSM Log Viewer.

Symptoms:

By default, SRX devices (both branch and high-end) do not send logs to NSM. For high-end SRX devices, additional configuration is required to send these logs to NSM.

Note: For additional related information for both branch and high-end SRX devices, refer to KB16448 - Sending logs to NSM from SRX devices.

Solution:

Configuration tips:

  1. On the SRX, make sure logging (session-init and session-close) is enabled in the security policy. For example:
    set security policies from-zone trust to-zone untrust policy 1 match source-address any
    set security policies from-zone trust to-zone untrust policy 1 match destination-address any
    set security policies from-zone trust to-zone untrust policy 1 match application any
    set security policies from-zone trust to-zone untrust policy 1 then permit
    set security policies from-zone trust to-zone untrust policy 1 then log session-init
    set security policies from-zone trust to-zone untrust policy 1 then log session-close


  2. Configure the following syslog commands on the Junos device; they are required to send all logs to NSM:

    set system syslog file default-log-messages any any
    set system syslog file default-log-messages structured-data

    If the SRX is in a cluster, the same syslog commands must also be set under each cluster node's group:

    set groups node0 system syslog file default-log-messages any any
    set groups node0 system syslog file default-log-messages structured-data
    set groups node1 system syslog file default-log-messages any any
    set groups node1 system syslog file default-log-messages structured-data

    These commands send the data plane logs to the control plane, from where they can be forwarded to NSM. Data plane logs cannot go directly to NSM.

  3. It may be necessary to rate limit the event logs from the data plane to the control plane, because the control plane has limited resources for processing high volumes of logs. This command is required only on high-end SRX devices, not on branch SRX models:

    set security log mode event event-rate <logs per second>

    The recommended value for high-end SRX is 1000 logs per second to the control plane.

  4. In NSM, add the device.

Testing the configuration:

Make sure the policy configured for logging has traffic flowing through it: send some traffic that matches the rule above. A simple ping from a PC in one zone to the other (trust to untrust) is enough for testing.

You can check whether the SRX is logging with the following command:

show log default-log-messages | last 5

An example of the output is as follows:

root@node0-router# run show log default-log-messages | last 5
<14>1 2010-02-08T12:48:26.893Z node0-router RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.34 source-address="192.168.33.2" source-port="12" destination-address="192.168.44.2" destination-port="64830" service-name="icmp" nat-source-address="192.168.33.2" nat-source-port="12" nat-destination-address="192.168.44.2" nat-destination-port="64830" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="1" source-zone-name="trust" destination-zone-name="untrust" session-id-32="10"] session created 192.168.33.2/12->192.168.44.2/64830 icmp 192.168.33.2/12->192.168.44.2/64830 None None 1 1 trust untrust 10
<14>1 2010-02-08T12:48:27.092Z node0-router RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.34 reason="response received" source-address="192.168.33.2" source-port="9" destination-address="192.168.44.2" destination-port="64830" service-name="icmp" nat-source-address="192.168.33.2" nat-source-port="9" nat-destination-address="192.168.44.2" nat-destination-port="64830" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="1" source-zone-name="trust" destination-zone-name="untrust" session-id-32="9" packets-from-client="1" bytes-from-client="84" packets-from-server="1" bytes-from-server="84" elapsed-time="4"] session closed response received: 192.168.33.2/9->192.168.44.2/64830 icmp 192.168.33.2/9->192.168.44.2/64830 None None 1 1 trust untrust 9 1(84) 1(84) 4

If the above configuration is in place on the device and you see logs in the output of the command above, the logs should appear in NSM under Logviewer->Predefined->Traffic logs.
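The lines returned by `show log default-log-messages` are RFC 5424 structured-data syslog, so an engineer verifying the setup can parse them to confirm that both session-init and session-close events from the logging policy actually reached the control plane, and to gauge how close the per-second event volume is to the configured event-rate. The parser below is an added example, not code from the article or from Juniper; the two sample lines are constructed to match the article's output with the SD-PARAMS trimmed to the fields used.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the article's structured-data format (SD-PARAMS trimmed).
SAMPLE_LOGS = [
    '<14>1 2010-02-08T12:48:26.893Z node0-router RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.34 source-address="192.168.33.2" source-port="12" '
    'destination-address="192.168.44.2" destination-port="64830" service-name="icmp" '
    'policy-name="1" source-zone-name="trust" destination-zone-name="untrust" '
    'session-id-32="10"] session created 192.168.33.2/12->192.168.44.2/64830 icmp',
    '<14>1 2010-02-08T12:48:27.092Z node0-router RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.34 reason="response received" source-address="192.168.33.2" '
    'source-port="9" destination-address="192.168.44.2" destination-port="64830" '
    'service-name="icmp" policy-name="1" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="9" bytes-from-client="84" '
    'bytes-from-server="84" elapsed-time="4"] session closed response received',
]

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID SD-PARAMS] MSG
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) \[(?P<sdid>\S+) (?P<params>[^\]]*)\]'
    r'(?: (?P<msg>.*))?$')
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')

def parse_rt_flow(line):
    """Parse one RT_FLOW structured-data line into a dict; None if it is not an RT_FLOW line."""
    m = HEADER_RE.match(line)
    if not m or m.group('app') != 'RT_FLOW':
        return None
    pri = int(m.group('pri'))
    record = {'facility': pri // 8, 'severity': pri % 8,  # <14> = facility user, severity info
              'timestamp': m.group('timestamp'), 'host': m.group('hostname'),
              'event': m.group('msgid')}
    record.update(PARAM_RE.findall(m.group('params')))  # each SD-PARAM becomes a key
    return record

def policy_log_coverage(records):
    """policy-name -> set of flow events seen; shows whether session-init and session-close both log."""
    seen = defaultdict(set)
    for r in records:
        seen[r['policy-name']].add(r['event'])
    return dict(seen)

def peak_events_per_second(records):
    """Busiest one-second bucket; compare with the configured event-rate (1000/s recommended)."""
    buckets = Counter(r['timestamp'][:19] for r in records)  # strip fractional seconds
    return max(buckets.values()) if buckets else 0

RECORDS = [r for r in map(parse_rt_flow, SAMPLE_LOGS) if r]
```

Feeding the full output of `show log default-log-messages` through `parse_rt_flow` and then `policy_log_coverage` is a quick way to spot a policy that logs session-init but never session-close (or vice versa) before looking in NSM.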

Notes:
For branch SRX devices, traffic logging to NSM is supported from Junos 9.6.
For high-end SRX devices, traffic logging to NSM is supported from Junos 10.0r2.
