Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[MX] The 'show firewall log' command does not display attached interface while filter is in output direction

0

0
Article ID: KB35111 KB Last Updated: 30 Sep 2019Version: 1.0 Summary:

In the case of a firewall filter with log/syslog action, if the filter applies to the output direction of the interface while traffic matches the output filter, running the command, 'show firewall log' will not display the attached interface, but the input interface instead.  This is expected behavior.

Symptoms:

Topology and Configuration

  • On r2, firewall filter filter-out is applied on interface xe-0/0/1.0 output
  • Transit traffic is from r1 with source 1.1.1.1 to destination 3.3.3.3
  • The traffic matches term 1 of output firewall filter filter-out of xe-0/0/1

user@r2# show firewall family inet filter filter-out
term 1 {
    from {
        source-address {
            1.1.1.1/32;
        }
        destination-address {
            3.3.3.3/32;
        }
    }
    then {
        count filter-out-xe001;
        log;
        syslog;
        accept;
    }
}
term 2 {
    then accept;
}

user@r2# show interfaces
xe-0/0/0 {
    unit 0 {
        family inet {
            address 10.0.0.2/30;
        }
    }
}
xe-0/0/1 {
    unit 0 {
        family inet {
            filter {
                output filter-out;
            }
            address 10.1.0.1/30;
        }
    }
}

Start ping from r1 and check the filter counter on r2. You can see firewall log with packets arriving at interface (xe-0/0/0), but not the output filter attached interface (xe-0/0/1).

user@r1> ping 3.3.3.3 source 1.1.1.1 no-resolve
PING 3.3.3.3 (3.3.3.3): 56 data bytes
64 bytes from 3.3.3.3: icmp_seq=0 ttl=63 time=36.226 ms
64 bytes from 3.3.3.3: icmp_seq=1 ttl=63 time=50.204 ms
......

user@r2> show firewall counter filter filter-out filter-out-xe001   
Filter: filter-out                                             
Counters:
Name                                                Bytes              Packets
filter-out-xe001                                     6296                   78

user@r2> show firewall log
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
23:12:00  pfe       A      xe-0/0/0.0  ICMP            1.1.1.1                          3.3.3.3
23:11:59  pfe       A      xe-0/0/0.0  ICMP            1.1.1.1                          3.3.3.3
......

user@r2> show log messages |match FW_SYSLOG    
Sep 22 23:11:58  r2 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: xe-0/0/0.0 A 0800 2c:6b:f5:99:79:00 -> 2c:6b:f5:52:23:00 icmp 1.1.1.1 3.3.3.3     8     0 (1 packets)
Sep 22 23:13:32  r2 fpc0 PFE_FW_SYSLOG_ETH_IP: FW: xe-0/0/0.0 A 0800 2c:6b:f5:99:79:00 -> 2c:6b:f5:52:23:00 icmp 1.1.1.1 3.3.3.3     8     0 (1 packets)
......
 

Solution:

This is expected behavior. The output fields for the 'show firewall log' command displays a physical interface name if the packet arrived at a port on a line card.

For more information, refer to the technical document on show firewall log

Related Links

 Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search