
[SRX] How to log traffic that is denied by default system security policy


Article ID: KB20778    Last Updated: 30 Mar 2020    Version: 6.0
Summary:

This article explains how to log traffic that is denied by the implicit default security policy of Junos OS, which denies all packets. As a workaround, template policies are used to configure explicit deny policies between all zones.

Symptoms:

Logging of traffic that is denied by the default system security policy.

Solution:

By default, Junos OS denies all traffic through an SRX Series device: an implicit default security policy exists that denies all packets.

Junos OS currently provides no way to log traffic dropped by this implicit deny.

As a workaround, an explicit deny policy can be configured between the security zones, with logging enabled in that policy; it then records the traffic that the system default policy would otherwise have denied silently.

Rather than configuring explicit deny policies between every pair of zones, it is easier to use a template policy applied through a configuration group.

 

Configuration

Create a template group

set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match source-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match destination-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match application any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then deny
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then log session-init

Where <*> is a wildcard that matches any security zone.

 

Apply the group

The following configuration statement applies the template groups between all zones for which there already exists a policy context.

set apply-groups default-deny-template
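Once the group is applied, every session that hits the inherited default-deny policy is written to the log. The following Python script is an added example, not part of this article or of Junos OS: it parses syslog lines in the shape of the SRX RT_FLOW_SESSION_DENY message (the field layout is an assumption based on common SRX output and should be compared against a real line from your own device; the sample lines are constructed), keeps only the denials attributed to the default-deny policy, and summarizes them by zone pair, source host and destination service so you can see what the implicit deny was dropping without a trace.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape of the SRX RT_FLOW_SESSION_DENY
# message. The field layout is an assumption based on common SRX output and may
# differ by release: compare against a real line from your own device.
SAMPLE_LOG = """\
Mar 30 10:01:02 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.10/51234->192.168.2.5/23 junos-telnet 6(0) default-deny trust untrust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Mar 30 10:01:05 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.10/51235->192.168.2.5/22 junos-ssh 6(0) default-deny trust untrust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Mar 30 10:01:09 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.22/40000->192.168.2.9/445 junos-smb 6(0) default-deny trust dmz UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Mar 30 10:01:11 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.10/51236->192.168.2.5/80 junos-http None web-allow trust untrust
Mar 30 10:01:15 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.10/51237->192.168.2.5/3389 junos-ms-rdp 6(0) block-rdp trust untrust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
"""

# Fields up to the zone pair are captured; the trailing fields are ignored here.
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<app>\S+) (?P<proto>\d+)\(\d+\) (?P<policy>\S+) "
    r"(?P<from_zone>\S+) (?P<to_zone>\S+)"
)


def parse_denies(text, policy="default-deny"):
    """Return the denied-session events attributed to `policy`, in log order."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m is None or m.group("policy") != policy:
            continue  # not a deny, or denied by some other explicit policy
        ev = m.groupdict()
        for key in ("sport", "dport", "proto"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def summarize(events):
    """Aggregate denials by zone pair, source host and (protocol, port)."""
    return {
        "total": len(events),
        "by_zone_pair": Counter((e["from_zone"], e["to_zone"]) for e in events),
        "by_source": Counter(e["src"] for e in events),
        "by_service": Counter((e["proto"], e["dport"]) for e in events),
    }


if __name__ == "__main__":
    report = summarize(parse_denies(SAMPLE_LOG))
    print(f"{report['total']} sessions denied by default-deny")
    for (frm, to), n in report["by_zone_pair"].most_common():
        print(f"  {frm} -> {to}: {n}")
    for src, n in report["by_source"].most_common(5):
        print(f"  source {src}: {n}")
```

Denials by other explicit deny policies (block-rdp in the sample) are left out by default so that the report shows only what the template policy caught; pass a different policy name to parse_denies to inspect those instead.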

Verification

You can verify the inheritance of this group between security zones using the following command:

[edit]
root@SRX# show security policies from-zone trust to-zone trust | display inheritance
policy p1 {
    match {
        source-address any;
        destination-address any;
        application junos-http;
    }
    then {
        permit;
    }
}
##
## 'default-deny' was inherited from group 'default-deny-template'
##
    policy default-deny {
##
## 'match' was inherited from group 'default-deny-template'
##
        match {
##
##          'any' was inherited from group 'default-deny-template'
##
            source-address any;
##
##          'any' was inherited from group 'default-deny-template'
##
            destination-address any;
##
##          'any' was inherited from group 'default-deny-template'
##          Warning: application or application-set must be defined
##
            application any;
        }
##
##      'then' was inherited from group 'default-deny-template'
##
        then {
##
##          'deny' was inherited from group 'default-deny-template'
##
            deny;
##
##          'log' was inherited from group 'default-deny-template'
##
            log {
##
##              'session-init' was inherited from group 'default-deny-template'
##
                session-init;
            }
        }
    }

*** The template group policy is activated only when more than one security policy is already present.
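Policies within a zone pair are evaluated in order and the first match wins, so the inherited default-deny must be the last policy in each context and must carry the log statement; otherwise later policies are shadowed or denials go unlogged. The following Python checker is an added example, not part of this article or of Junos OS: it parses text in the shape of the display inheritance output above (the embedded sample is constructed to mirror it), skips the '##' annotation lines, and reports whether default-deny is present, last, set to deny and logging session-init.

```python
# Constructed sample in the shape of
# "show security policies from-zone X to-zone Y | display inheritance",
# mirroring the article's output: explicit p1 first, inherited default-deny last.
SAMPLE_CONTEXT = """\
policy p1 {
    match {
        source-address any;
        destination-address any;
        application junos-http;
    }
    then {
        permit;
    }
}
##
## 'default-deny' was inherited from group 'default-deny-template'
##
    policy default-deny {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
"""


def parse_policies(text):
    """Return the policies of one zone-pair context, in evaluation order.

    Each entry is {"name", "action", "log"}; '##' inheritance annotations are
    skipped, and nesting is tracked with a simple brace stack.
    """
    policies = []
    stack = []  # names of the open blocks, outermost first
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue
        if line.endswith("{"):
            block = line[:-1].strip()
            stack.append(block)
            if len(stack) == 1 and block.startswith("policy "):
                policies.append({"name": block.split()[1], "action": None, "log": set()})
        elif line == "}":
            stack.pop()
        elif (line.endswith(";") and len(stack) >= 2
              and stack[0].startswith("policy ") and stack[1] == "then"):
            leaf = line[:-1].strip()
            current = policies[-1]
            if len(stack) == 2 and leaf in ("permit", "deny", "reject"):
                current["action"] = leaf
            elif len(stack) == 3 and stack[2] == "log":
                current["log"].add(leaf)
    return policies


def check_default_deny(text, name="default-deny"):
    """Report whether the inherited deny policy is present, last, and logging."""
    policies = parse_policies(text)
    order = [p["name"] for p in policies]
    problems = []
    if name not in order:
        problems.append(f"{name} is not inherited in this context")
    else:
        pol = policies[order.index(name)]
        if order[-1] != name:
            problems.append(f"{name} is not the last policy; later policies are shadowed")
        if pol["action"] != "deny":
            problems.append(f"{name} action is {pol['action']!r}, expected 'deny'")
        if "session-init" not in pol["log"]:
            problems.append(f"{name} does not log session-init")
    return {"order": order, "problems": problems}


if __name__ == "__main__":
    result = check_default_deny(SAMPLE_CONTEXT)
    print("policy order:", " -> ".join(result["order"]))
    print("OK" if not result["problems"] else "\n".join(result["problems"]))
```

Run it against the saved output of the show command for each zone pair you care about; a context that reports "not inherited" is one where the group did not apply and the implicit deny is still silent.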

For other examples, refer to Example: Configuring a Security Policy to Permit or Deny All Traffic.

 

NOTE: If new policies are added, deactivate and reactivate the apply-groups configuration above.

 

Modification History:

2020-03-30: Article reviewed for accuracy; no changes required.
