How to configure exclude rules on ScreenOS 6.2 or later

[KB25914]


Summary:

This article provides information on how to configure exclude rules to prevent certain security events (alarms) from being generated in the audit log.

Symptoms:

How to configure exclude rules to prevent certain security events (alarms) from being generated in the audit log.

Solution:

You can set rules to exclude certain audit logs from being generated. This feature was introduced in ScreenOS 6.2.0 and is available in that release and later.

By default, no exclude rule is set and the security device generates all logs. You can configure at most 10 exclude rules, and you can modify existing rules as the requirements of your network change. Excluded security alarms are not written to the audit log.

You must have security administrator privileges to include or exclude auditable events from the audit log. You can configure exclude rules based on the following attributes:

  • Rule ID: Enter an ID for the exclude rule. The valid number is from 1 to 10.

  • User ID: Enter the identity of the authenticated user. Security events triggered by this user are not generated in the audit log.

  • Event Type: Enter the event type of the security event. The audit log does not include security alarms of this event type. The number should be a valid event number that you wish to omit. For more information about event IDs, refer to www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_messages.pdf.

  • Source IP Address: Enter the source IP address in IPv4 or IPv6 format. The audit log does not include security alarms with the specified source IP address.

  • Destination IP Address: Enter the destination IP address in IPv4 or IPv6 format. The audit log does not include security alarms with the specified destination IP address.

  • Destination Port: Enter the destination port number.

  • Policy ID: Enter the policy number.

  • Event Result: Select the result of the security event. You can select Success for a successful event and Failure for an unsuccessful event.

Note: You do not have to configure every parameter; only the attributes you fill in are used by the rule.

Click Add to save the new exclude rule. The audit log does not include security alarms that contain any of the above fields. The newly created exclude rule is added to the Configured Exclude Rules table. This table lists the exclude rules that are configured on the security device.

To modify an exclude rule, click Edit in the Configure column of the required rule. To delete an exclude rule, click Remove in the Configure column of the required rule.

To identify the alarm event type number, run the following command:

SSG520(M)-> get alarm event
Date              Time     Module Level Type Description
2012-09-25 21:22:07 system crit 00041 VPN 'VPN_135' from 172.27.201.139 is down.
2012-09-25 21:03:46 system crit 00040 VPN 'VPN_135' from 172.27.201.139 is up.

For more information about the alarms, refer to the ScreenOS Message Log Reference Guide, Release 6.3.0, Rev. 01.

Example - setting an exclude rule to exclude an event for the audit log

In this example, you (the root admin) configure an exclude rule to prevent a failure event from being generated in the audit log. You can use either the Web UI or the CLI to configure the rule.

Using the Web UI:

Go to Admin > Exclude Rules, provide the following information, and click Add:

  • Rule ID: 1

  • User ID: admin

  • Event Type: 2

  • Source IP Address: 2.2.2.0

  • Destination IP Address: 3.3.3.0

  • Destination Port: 80

  • Event Result: Failure (select)

The Configured Exclude Rules table will display all the exclude rules that are configured on the security device:


Using the CLI:

Enter the following:

set log exclude-id 1 user-id admin event-type 2 src-ip 2.2.2.0 src-netmask 255.255.255.0 dst-ip 3.3.3.0 dst-netmask 255.255.255.0 dst-port 80 failure

To view the configured exclude rules:

SSG520(M)-> get log exclude
EXCLUDE RULES TOTAL SIZE : 1
------------------------------------------
EXCLUDE ID: 1
USER NAME : admin
EVENT TYPE: 2
SRC IP : 2.2.2.0
SRC MASK : 255.255.255.0
DST IP : 3.3.3.0
DST MASK : 255.255.255.0
DST PORT : 80
SUCCESS OR FAILURE: Failure
RULE ID : NONE
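Because excluded alarms never reach the audit log, it is worth checking what a rule set actually silences before relying on that log for detection. The following Python script is an added example, not Juniper's code and not part of this article: it parses `get log exclude` output of the form shown above, checks the limits the article states (at most 10 rules, IDs 1 to 10), and reports which sample alarm events the rules would suppress. The match semantics (a rule applies only when every attribute it specifies matches the event, with `NONE` meaning unspecified) is an assumption, as are the event field names and the constructed sample events.

```python
"""Added audit helper (not Juniper's code) for ScreenOS log exclude rules.
Assumptions not stated in the article: a rule suppresses an event only when
every attribute it specifies matches (AND semantics); alarm events are
supplied as dicts built by the caller with this script's own field names."""
import ipaddress

MAX_EXCLUDE_RULES = 10  # article: at most 10 rules, IDs 1..10

# Constructed sample: the `get log exclude` output from the article's example.
SAMPLE_GET_LOG_EXCLUDE = """\
EXCLUDE RULES TOTAL SIZE : 1
------------------------------------------
EXCLUDE ID: 1
USER NAME : admin
EVENT TYPE: 2
SRC IP : 2.2.2.0
SRC MASK : 255.255.255.0
DST IP : 3.3.3.0
DST MASK : 255.255.255.0
DST PORT : 80
SUCCESS OR FAILURE: Failure
RULE ID : NONE
"""

# Constructed alarm events (field names are this script's own, not ScreenOS's).
SAMPLE_EVENTS = [
    {"user": "admin", "event_type": 2, "src_ip": "2.2.2.15", "dst_ip": "3.3.3.7",
     "dst_port": 80, "result": "Failure"},                     # fully matches rule 1
    {"user": "admin", "event_type": 2, "src_ip": "2.2.2.15", "dst_ip": "3.3.3.7",
     "dst_port": 80, "result": "Success"},                     # result differs
    {"user": "admin", "event_type": 2, "src_ip": "10.0.0.5", "dst_ip": "3.3.3.7",
     "dst_port": 80, "result": "Failure"},                     # src outside 2.2.2.0/24
    {"user": "netops", "event_type": 41, "src_ip": "172.27.201.139",
     "dst_ip": "3.3.3.7", "dst_port": 80, "result": "Failure"},  # different user/type
]


def parse_exclude_rules(text):
    """Turn `get log exclude` output into dicts keyed by the device's own
    field labels; attributes shown as NONE are dropped as unspecified."""
    rules, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # separator and blank lines carry no field
        key, value = key.strip().upper(), value.strip()
        if key == "EXCLUDE RULES TOTAL SIZE":
            continue
        if key == "EXCLUDE ID":
            current = {"id": int(value)}
            rules.append(current)
        elif current is not None and value.upper() != "NONE":
            current[key] = value
    return rules


def validate_rules(rules):
    """Checks drawn from the article's limits plus one review heuristic."""
    problems = []
    if len(rules) > MAX_EXCLUDE_RULES:
        problems.append(f"{len(rules)} rules present; device allows at most {MAX_EXCLUDE_RULES}")
    for r in rules:
        if not 1 <= r["id"] <= MAX_EXCLUDE_RULES:
            problems.append(f"rule {r['id']}: id outside 1..{MAX_EXCLUDE_RULES}")
        if "EVENT TYPE" not in r and "USER NAME" not in r:
            problems.append(f"rule {r['id']}: no event type or user; broad rule, review it")
    return problems


def _ip_in_rule(addr, rule_ip, rule_mask):
    """Match an address against a rule's IP/mask (dotted mask or prefix length)."""
    if rule_ip is None:
        return True
    if rule_mask is None:
        return ipaddress.ip_address(addr) == ipaddress.ip_address(rule_ip)
    net = ipaddress.ip_network(f"{rule_ip}/{rule_mask}", strict=False)
    return ipaddress.ip_address(addr) in net


def rule_matches(rule, event):
    """True when every attribute the rule specifies matches the event."""
    if "USER NAME" in rule and rule["USER NAME"] != event.get("user"):
        return False
    if "EVENT TYPE" in rule and int(rule["EVENT TYPE"]) != int(event.get("event_type", -1)):
        return False
    if "DST PORT" in rule and int(rule["DST PORT"]) != int(event.get("dst_port", -1)):
        return False
    if "SUCCESS OR FAILURE" in rule and \
            rule["SUCCESS OR FAILURE"].lower() != str(event.get("result", "")).lower():
        return False
    return (_ip_in_rule(event["src_ip"], rule.get("SRC IP"), rule.get("SRC MASK"))
            and _ip_in_rule(event["dst_ip"], rule.get("DST IP"), rule.get("DST MASK")))


def suppressed_events(rules, events):
    """(event index, rule id) for each event some rule would keep out of the audit log."""
    hits = []
    for i, ev in enumerate(events):
        for r in rules:
            if rule_matches(r, ev):
                hits.append((i, r["id"]))
                break
    return hits


if __name__ == "__main__":
    rules = parse_exclude_rules(SAMPLE_GET_LOG_EXCLUDE)
    for p in validate_rules(rules):
        print("WARN:", p)
    for idx, rid in suppressed_events(rules, SAMPLE_EVENTS):
        print(f"event {idx} suppressed by exclude rule {rid}: {SAMPLE_EVENTS[idx]}")
```

Feed it the real `get log exclude` output from your device and a sample of alarm events pulled from `get alarm event`, and compare the suppressed set against what your monitoring actually expects to see; any event type you rely on for detection that appears in the suppressed list points to an exclude rule that is too broad.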