This article provides the configuration to log traffic that is denied by the default deny policy.
Log traffic denied by default deny policy.
Junos OS 11.4 and later support a global firewall rulebase. Global policies are evaluated only when no policy in the regular (zone-based) rulebase matches, so a global policy that matches everything and denies it behaves like the default deny, but with logging enabled.
Note: If you want to log default-deny traffic and your Junos OS version is older than 11.4, refer to KB20778 - [SRX] How to log traffic that is denied by default system security policy.
Configuration:
set security policies global policy default-deny match source-address any
set security policies global policy default-deny match destination-address any
set security policies global policy default-deny match application any
set security policies global policy default-deny then deny
set security policies global policy default-deny then log session-init
Verification:
After committing the above configuration, you can verify it using the following commands:
root@SRX-1> show configuration security policies global
policy default-deny {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        deny;
        log {
            session-init;
        }
    }
}
root@SRX-1> show security policies policy-name default-deny
Default policy: deny-all
Global policies:
Policy: default-deny, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
  Source addresses: any
  Destination addresses: any
  Applications: any
  Action: deny, log
If the traffic logs are written to a local file (for example, a file named traffic-log), each session matched by the global policy appears as an RT_FLOW_SESSION_DENY entry, as shown below:
> show log traffic-log
Sep 29 23:49:20 SRX-1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.1/54924->192.168.1.1/53 junos-dns-udp 17(0) default-deny(global) trust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Note: For more information on configuration for traffic logging, refer to KB16634 - SRX Getting Started - Configure Logging.
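The RT_FLOW_SESSION_DENY line above is free-text syslog, so a defender who wants to review what the new policy is catching usually parses it before feeding it to a SIEM or a report. The following Python script is an added example, not part of this article or of Junos OS: it parses deny lines with a regular expression and counts, per source, destination, port and service, how many sessions the default-deny policy dropped. The field names after the policy name (source zone, destination zone, application, nested application, user(roles), interface, encrypted flag, reason) are assumed from the usual RT_FLOW_SESSION_DENY layout; the article itself shows only the single line above. All log lines other than that first line are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log. The first line is the one shown in the article; the rest are
# made-up variants: a second policy hit repeated twice, a deny by a hypothetical
# zone-based policy (no "(global)" suffix), and a session-create line to be ignored.
SAMPLE_LOG = """\
Sep 29 23:49:20 SRX-1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.1/54924->192.168.1.1/53 junos-dns-udp 17(0) default-deny(global) trust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Sep 29 23:49:25 SRX-1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.7/51002->10.0.0.5/445 junos-smb 6(0) default-deny(global) trust untrust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Sep 29 23:49:26 SRX-1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.7/51003->10.0.0.5/445 junos-smb 6(0) default-deny(global) trust untrust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Sep 29 23:49:31 SRX-1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.9/40001->203.0.113.10/23 junos-telnet 6(0) block-telnet trust untrust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
Sep 29 23:49:40 SRX-1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.1/43210->192.168.1.1/80 junos-http None 10.0.0.1/43210->192.168.1.1/80 None None 6 allow-web trust untrust 1234 N/A(N/A) ge-0/0/0.0
"""

# Regular expression for the free-text RT_FLOW_SESSION_DENY message. The scope suffix
# "(global)" is optional so that denies from zone-based policies also parse.
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[^\s/]+)/(?P<sport>\d+)->(?P<dst>[^\s/]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\((?P<icmp_type>\d+)\) "
    r"(?P<policy>[^\s(]+)(?:\((?P<scope>[^)]+)\))? "
    r"(?P<src_zone>\S+) (?P<dst_zone>\S+) "
    r"(?P<application>\S+) (?P<nested_app>\S+) "
    r"(?P<user>[^\s(]+)\((?P<roles>[^)]*)\) "
    r"(?P<interface>\S+) (?P<encrypted>\S+) (?P<reason>.*)$"
)


def parse_deny_line(line):
    """Return a dict of fields for an RT_FLOW_SESSION_DENY line, or None for any other line."""
    match = DENY_RE.search(line)
    if match is None:
        return None
    fields = match.groupdict()
    for key in ("sport", "dport", "proto", "icmp_type"):
        fields[key] = int(fields[key])
    return fields


def default_deny_hits(lines, policy="default-deny"):
    """Count sessions denied by the named policy, keyed by (src, dst, dport, service).

    Repeated hits on the same key are the first thing to look at: they usually point at
    a missing permit rule or at a host probing something it should not reach.
    """
    hits = Counter()
    for line in lines:
        fields = parse_deny_line(line)
        if fields is not None and fields["policy"] == policy:
            hits[(fields["src"], fields["dst"], fields["dport"], fields["service"])] += 1
    return hits


if __name__ == "__main__":
    for key, count in default_deny_hits(SAMPLE_LOG.splitlines()).most_common():
        src, dst, dport, service = key
        print(f"{count:4d}  {src} -> {dst}:{dport} ({service})")
```

Lines that are not RT_FLOW_SESSION_DENY entries are skipped rather than rejected, so the script can be pointed at the whole traffic-log file. To review a different policy, pass its name as the policy argument of default_deny_hits.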
2020-03-22: Article reviewed for accuracy; no changes required.