
[SRX] APPTRACK logs do not display USERFW information (username is not shown)


Article ID: KB32211 KB Last Updated: 30 Sep 2017Version: 1.0
Summary:

For tracking purposes, SRX can use the UserFW feature to provide a granular match condition that allows or blocks traffic based on an authenticated username. Application Tracking can also use the UserFW information to provide user details in security logs. These APPTRACK logs are especially useful when Junos Space is being used to monitor session utilization by user.

Symptoms:

When the policy match condition is too wide (source-identity any), application tracking does not consult the UserFW authentication table. Hence, it does not bring the user details (username/role) into the APPTRACK log statistics.

from-zone A to-zone B {
     policy 1 {
         match {
             source-address any;
             destination-address any;
             application any;
             source-identity any;
         }
         then {
             permit {
                 firewall-authentication {
                     user-firewall {
                         access-profile profile1;
                     }
                 }
             }
             log {
                 session-init;
                 session-close;
             }
         }
     }
}

security-zone A {
....
     application-tracking;
     source-identity-log;
}
security-zone B {
...
     application-tracking;
     source-identity-log;
}


We can see in the APPTRACK log that the username and role information are not being tracked, even though, in this case, the user in this session is authenticated.

Msg: 1 2017-01-01T11:11.11.000+00:00 srx RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.105 reason="TCP SERVER RST" source-address="1.2.3.4" source-port="59846" destination-address="5.6.7.8" destination-port="443" service-name="junos-https" application="SSL" nested-application="UNKNOWN" nat-source-address="1.2.3.4" nat-source-port="59846" nat-destination-address="5.6.7.8" nat-destination-port="443" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="1" source-zone-name="A" destination-zone-name="B" session-id-32="24689299" packets-from-client="14" bytes-from-client="1775" packets-from-server="16" bytes-from-server="6402" elapsed-time="3" username="N/A" roles="N/A" encrypted="No"]

Cause:

This is an expected behavior, as "source-identity any" is the default configuration that does not apply the UserFW to this policy. If none of the policies apply the UserFW, then the user's information will not be tracked.

Solution:

The solution for this behavior is to change the match condition option to "source-identity authenticated-user" (as shown below) or to a specific username (for example, "source-identity john"):

from-zone A to-zone B {
     policy 1 {
         match {
             source-address any;
             destination-address any;
             application any;
             source-identity authenticated-user;
         }
         then {
             permit {
                 firewall-authentication {
                     user-firewall {
                         access-profile profile1;
                     }
                 }
             }
             log {
                 session-init;
                 session-close;
             }
         }
     }
}


With this option, the APPTRACK feature is able to check the UserFW information. This is confirmed by the APPTRACK log:

Msg: 2 2017-01-01T11:33.10.032+00:00 srx RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.105 reason="TCP SERVER RST" source-address="1.2.3.4" source-port="59846" destination-address="5.6.7.8" destination-port="443" service-name="junos-https" application="SSL" nested-application="UNKNOWN" nat-source-address="1.2.3.4" nat-source-port="59846" nat-destination-address="5.6.7.8" nat-destination-port="443" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="1" source-zone-name="A" destination-zone-name="B" session-id-32="24689299" packets-from-client="14" bytes-from-client="1775" packets-from-server="16" bytes-from-server="6402" elapsed-time="4" username="john" roles="N/A" encrypted="No"]


Note: Once the user information is tracked, it is tracked globally. This means that if at least one security policy applies the UserFW as shown above, the user information will be tracked also for all the other security policies, even for those using "source-identity any".
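As an added example (not part of the KB article or any Juniper tool), the following Python parses APPTRACK_SESSION_CLOSE messages in the key="value" structured-data layout shown above and flags sessions whose zones have source-identity-log enabled but whose username is still N/A, which is the symptom this article describes. The two sample messages are constructed to mirror the article's before/after logs; the zone set and function names are assumptions.

```python
import re

# Constructed sample messages modelled on the article's two APPTRACK logs
# (same field layout, shortened); they are not the article's own lines.
SAMPLE_LOGS = [
    '1 2017-01-01T11:11:11.000+00:00 srx RT_FLOW - APPTRACK_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.105 reason="TCP SERVER RST" source-address="1.2.3.4" '
    'destination-address="5.6.7.8" destination-port="443" policy-name="1" '
    'source-zone-name="A" destination-zone-name="B" session-id-32="24689299" '
    'username="N/A" roles="N/A" encrypted="No"]',
    '1 2017-01-01T11:33:10.032+00:00 srx RT_FLOW - APPTRACK_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.105 reason="TCP SERVER RST" source-address="1.2.3.4" '
    'destination-address="5.6.7.8" destination-port="443" policy-name="1" '
    'source-zone-name="A" destination-zone-name="B" session-id-32="24689299" '
    'username="john" roles="N/A" encrypted="No"]',
]

EVENT_RE = re.compile(r'RT_FLOW - (APPTRACK_\w+) \[junos@[\d.]+ (.*)\]\s*$')
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_apptrack(line):
    """Parse one APPTRACK structured-data message into a dict of its
    key="value" fields plus the event name; return None for other lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    event, body = m.groups()
    fields = dict(KV_RE.findall(body))
    fields["event"] = event
    return fields


def sessions_without_user(lines, tracked_zones):
    """Return (session-id, policy-name) pairs for session-close events that
    touch a zone with source-identity-log enabled but still carry
    username="N/A": a sign that no policy between those zones applies UserFW."""
    hits = []
    for line in lines:
        rec = parse_apptrack(line)
        if rec is None or rec["event"] != "APPTRACK_SESSION_CLOSE":
            continue
        in_tracked_zone = (rec.get("source-zone-name") in tracked_zones
                           or rec.get("destination-zone-name") in tracked_zones)
        if in_tracked_zone and rec.get("username", "N/A") == "N/A":
            hits.append((rec["session-id-32"], rec["policy-name"]))
    return hits


if __name__ == "__main__":
    # Zones A and B carry source-identity-log in the article's configuration.
    print(sessions_without_user(SAMPLE_LOGS, {"A", "B"}))
```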
