[SRX] APPTRACK logs do not display USERFW information (username is not shown)

[KB32211]


Summary:

For tracking purposes, the SRX can use the UserFW feature to provide a granular match condition that allows or blocks traffic based on an authenticated username. Application Tracking can also use the UserFW information to include user details in security logs. These APPTRACK logs are especially useful when Junos Space is used to monitor session utilization per user.

Symptoms:

When the policy match condition is too broad (source-identity any), application tracking does not consult the UserFW authentication table. Hence, it does not bring the user details (username/role) into the APPTRACK log statistics.

from-zone A to-zone B {
     policy 1 {
         match {
             source-address any;
             destination-address any;
             application any;
             source-identity any;
         }
         then {
             permit {
                 firewall-authentication {
                     user-firewall {
                         access-profile profile1;
                     }
                 }
             }
             log {
                 session-init;
                 session-close;
             }
         }
     }
}

security-zone A {
....
     application-tracking;
     source-identity-log;
}
security-zone B {
...
     application-tracking;
     source-identity-log;
}


We can see in the APPTRACK log that the username and role information are not being tracked, even though, in this case, the user in this session is authenticated.

Msg: 1 2017-01-01T11:11.11.000+00:00 srx RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.105 reason="TCP SERVER RST" source-address="1.2.3.4" source-port="59846" destination-address="5.6.7.8" destination-port="443" service-name="junos-https" application="SSL" nested-application="UNKNOWN" nat-source-address="1.2.3.4" nat-source-port="59846" nat-destination-address="5.6.7.8" nat-destination-port="443" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="1" source-zone-name="A" destination-zone-name="B" session-id-32="24689299" packets-from-client="14" bytes-from-client="1775" packets-from-server="16" bytes-from-server="6402" elapsed-time="3" username="N/A" roles="N/A" encrypted="No"]

Cause:

This is expected behavior: "source-identity any" is the default match condition and does not apply UserFW to the policy. If no policy applies UserFW, the user information is not tracked.

Solution:

The solution is to change the match condition to "source-identity authenticated-user" (as shown below) or to a specific username (for example, "source-identity john"):

from-zone A to-zone B {
     policy 1 {
         match {
             source-address any;
             destination-address any;
             application any;
             source-identity authenticated-user;
         }
         then {
             permit {
                 firewall-authentication {
                     user-firewall {
                         access-profile profile1;
                     }
                 }
             }
             log {
                 session-init;
                 session-close;
             }
         }
     }
}

With this option, the APPTRACK feature is able to consult the UserFW information. This is confirmed by the APPTRACK log:

Msg: 2 2017-01-01T11:33.10.032+00:00 srx RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.105 reason="TCP SERVER RST" source-address="1.2.3.4" source-port="59846" destination-address="5.6.7.8" destination-port="443" service-name="junos-https" application="SSL" nested-application="UNKNOWN" nat-source-address="1.2.3.4" nat-source-port="59846" nat-destination-address="5.6.7.8" nat-destination-port="443" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="1" source-zone-name="A" destination-zone-name="B" session-id-32="24689299" packets-from-client="14" bytes-from-client="1775" packets-from-server="16" bytes-from-server="6402" elapsed-time="4" username="john" roles="N/A" encrypted="No"]


Note: Once user information is tracked, it is tracked globally. This means that if at least one security policy applies UserFW as shown above, the user information will also be tracked for all other security policies, including those using "source-identity any".
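To check whether a log feed shows this symptom, the following added example (not part of the article or of Junos) parses APPTRACK_SESSION_CLOSE structured-data fields and reports, per policy, how many sessions carried a real username versus "N/A". The sample lines are constructed from the two messages quoted above (fields abbreviated); a policy whose sessions never carry a username is a candidate for the "source-identity" review described in the Solution section.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines modelled on the APPTRACK_SESSION_CLOSE messages quoted in
# this article (field list shortened; not a live capture).
SAMPLE_LOGS = [
    '1 2017-01-01T11:11:11.000+00:00 srx RT_FLOW - APPTRACK_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.105 reason="TCP SERVER RST" source-address="1.2.3.4" '
    'destination-address="5.6.7.8" policy-name="1" source-zone-name="A" '
    'destination-zone-name="B" session-id-32="24689299" username="N/A" roles="N/A"]',
    '1 2017-01-01T11:33:10.032+00:00 srx RT_FLOW - APPTRACK_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.105 reason="TCP SERVER RST" source-address="1.2.3.4" '
    'destination-address="5.6.7.8" policy-name="1" source-zone-name="A" '
    'destination-zone-name="B" session-id-32="24689300" username="john" roles="N/A"]',
    '1 2017-01-01T11:40:00.000+00:00 srx RT_FLOW - APPTRACK_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.105 reason="idle Timeout" source-address="1.2.3.9" '
    'destination-address="5.6.7.8" policy-name="2" source-zone-name="A" '
    'destination-zone-name="C" session-id-32="24689301" username="N/A" roles="N/A"]',
]

_EVENT_RE = re.compile(r'RT_FLOW - (APPTRACK_SESSION_\w+) \[junos@[^ ]+ (.*)\]$')
_KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

PolicyKey = Tuple[str, str, str]  # (from-zone, to-zone, policy-name)


def parse_apptrack(line: str) -> Optional[Dict[str, str]]:
    """Return the key="value" fields of an APPTRACK line, or None if it is not one."""
    m = _EVENT_RE.search(line)
    if not m:
        return None
    fields = dict(_KV_RE.findall(m.group(2)))
    fields["event"] = m.group(1)
    return fields


def identity_coverage(lines: List[str]) -> Dict[PolicyKey, Tuple[int, int]]:
    """Per policy: (sessions closed, sessions whose log carried a real username)."""
    cov: Dict[PolicyKey, List[int]] = defaultdict(lambda: [0, 0])
    for line in lines:
        f = parse_apptrack(line)
        if not f or f["event"] != "APPTRACK_SESSION_CLOSE":
            continue
        key = (f.get("source-zone-name", "?"), f.get("destination-zone-name", "?"),
               f.get("policy-name", "?"))
        cov[key][0] += 1
        if f.get("username", "N/A") != "N/A":  # "N/A" is what the symptom looks like
            cov[key][1] += 1
    return {k: (v[0], v[1]) for k, v in cov.items()}


def policies_without_identity(lines: List[str]) -> Set[PolicyKey]:
    """Policies whose logged sessions never carry a username; review their source-identity."""
    return {k for k, (_, named) in identity_coverage(lines).items() if named == 0}
```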
