
[SRX] How to log traffic for the default deny policy


Article ID: KB28109   KB Last Updated: 25 Mar 2020   Version: 2.0
Summary:

This article provides the configuration to log traffic that is denied by the default deny policy.

Symptoms:

Log traffic denied by default deny policy.

Solution:

Junos OS 11.4 and later supports a global policy rulebase in addition to the zone-pair (from-zone/to-zone) rulebase. Global policies are evaluated only when no zone-pair policy matches the session, and they are evaluated before the built-in default policy (deny-all). A global policy that matches any source, any destination and any application, with a deny action and logging enabled, therefore catches every session the default deny would otherwise drop silently and writes an RT_FLOW_SESSION_DENY log for it, without changing what is denied.

Because global policies are evaluated in order, this catch-all policy must be the last global policy; any global policy listed after it is never reached. If other global policies already exist, move the new policy to the end with the configuration-mode command insert security policies global policy default-deny after policy <name-of-last-policy> (the placeholder is the name of your current last global policy).

Note: If your Junos OS version is older than 11.4, refer to KB20778 - [SRX] How to log traffic that is denied by default system security policy.

Configuration:

set security policies global policy default-deny match source-address any
set security policies global policy default-deny match destination-address any
set security policies global policy default-deny match application any
set security policies global policy default-deny then deny
set security policies global policy default-deny then log session-init

Verification:

After committing the above configuration, you can verify it using the following commands:

root@SRX-1> show configuration security policies global
policy default-deny {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        deny;
        log {
            session-init;
        }
    }
}

root@SRX-1> show security policies policy-name default-deny
Default policy: deny-all
Global policies:
Policy: default-deny, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
  Source addresses: any
  Destination addresses: any
  Applications: any
  Action: deny, log

 

If traffic logs are written to a local file (for example, a syslog file named traffic-log), a denied session appears in that file as shown below. The policy field reads default-deny(global), which distinguishes a hit on this global policy from a hit on a zone-pair policy, and the reason at the end of the line is "policy deny":

> show log traffic-log

Sep 29 23:49:20 SRX-1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.1/54924->192.168.1.1/53 junos-dns-udp 17(0) default-deny(global) trust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny

Note: For more information on configuration for traffic logging, refer to KB16634 - SRX Getting Started - Configure Logging.
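As an added example that is not part of the Juniper article, the following Python script parses RT_FLOW_SESSION_DENY lines in the unstructured format shown above and summarises what the deny policy is dropping, which is the usual next step once the logs exist: denies per policy, per destination protocol/port, and sources that hit the deny policy repeatedly (scan-like behaviour). The first sample line is the one from this article; the remaining lines, their addresses and ports, the zone policy name block-web and the threshold of three hits are constructed for the example.

```python
"""Parse SRX RT_FLOW_SESSION_DENY syslog lines and summarise what the
default-deny policy is dropping.  Added example; not Juniper's code."""
import re
from collections import Counter

# Field order of the unstructured RT_FLOW_SESSION_DENY message as shown on
# this page: src/sport->dst/dport service proto(icmp-type) policy
# src-zone dst-zone app nested-app user(roles) interface encrypted reason
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[0-9A-Fa-f.:]+)/(?P<sport>\d+)->(?P<dst>[0-9A-Fa-f.:]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\((?P<icmp_type>\d+)\) "
    r"(?P<policy>\S+) (?P<src_zone>\S+) (?P<dst_zone>\S+) "
    r"(?P<app>\S+) (?P<nested_app>\S+) (?P<user>\S+) "
    r"(?P<iface>\S+) (?P<encrypted>\S+) (?P<reason>.+?)\s*$"
)
# Global policies are logged as "name(global)"; zone-pair policies as "name".
POLICY_RE = re.compile(r"^(?P<name>.+?)\((?P<scope>global)\)$")


def parse_deny_line(line):
    """Return a dict of fields for one RT_FLOW_SESSION_DENY line, else None.
    Other events (SESSION_CREATE/CLOSE) and malformed lines are skipped."""
    m = DENY_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("sport", "dport", "proto", "icmp_type"):
        ev[key] = int(ev[key])
    pm = POLICY_RE.match(ev["policy"])
    if pm:
        ev["policy"], ev["scope"] = pm.group("name"), "global"
    else:
        ev["scope"] = "zone"
    # Assumes the standard "Mon DD HH:MM:SS" syslog prefix seen on this page.
    ev["timestamp"] = line[:15]
    return ev


def summarize(lines, noisy_threshold=3):
    """Count denies per policy, per proto/port and per source; list sources
    that hit a deny policy at least noisy_threshold times."""
    events = [ev for ev in map(parse_deny_line, lines) if ev]
    by_src = Counter(ev["src"] for ev in events)
    return {
        "total": len(events),
        "by_policy": dict(Counter(f'{ev["policy"]}({ev["scope"]})' for ev in events)),
        "by_dport": dict(Counter(f'{ev["proto"]}/{ev["dport"]}' for ev in events)),
        "noisy_sources": sorted(s for s, n in by_src.items() if n >= noisy_threshold),
    }


# Constructed sample: the first line is the one shown on this page; the rest
# are made-up lines in the same format (addresses, ports and the "block-web"
# zone policy are assumptions for the example).
SAMPLE_LOG = [
    "Sep 29 23:49:20 SRX-1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.1/54924->192.168.1.1/53 junos-dns-udp 17(0) default-deny(global) trust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny",
    "Sep 29 23:49:21 SRX-1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.1/54925->192.168.1.1/22 junos-ssh 6(0) default-deny(global) trust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny",
    "Sep 29 23:49:22 SRX-1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.1/54926->192.168.1.1/443 junos-https 6(0) default-deny(global) trust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny",
    "Sep 29 23:50:03 SRX-1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.7/40001->192.168.1.9/80 junos-http 6(0) block-web trust untrust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny",
    "Sep 29 23:50:04 SRX-1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.7/40002->192.168.1.9/443 junos-https ...",
]

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Feed it the text of show log traffic-log saved to a file, or the relevant syslog file from a collector. The regex only covers the unstructured event format shown on this page; if the SRX is configured for structured (sd-syslog) output, the same fields arrive as key="value" pairs and would need a different parser.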

Modification History:

2020-03-22: Article reviewed for accuracy; no changes required.