Traffic logging JUNOS
From Teknologisk videncenter
To log traffic passing through an SRX firewall, create a log file in which all log messages containing RT_FLOW_SESSION are stored, and then enable session logging on the firewall policy.[1]
Logfil
[edit]
root@SRX07# show system syslog file traffic-log
any any;
match RT_FLOW_SESSION;
Policy logging
Logging can take place when:
- the session is established, with session-init (recommended for long sessions)
- the session is terminated, with session-close (recommended for permit, since it contains the most information)
[edit security policies]
root@SRX07# <input>show</input>
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
/var/log/traffic-log
The files grow large quickly, so make sure there is plenty of disk space and use logrotate.
root@SRX07# run show log traffic-log?
Possible completions:
<filename> Name of log file
traffic-log Size: 106919, Last changed: Jan 12 21:51:13
traffic-log.0.gz Size: 9276, Last changed: Jan 12 21:45:00
root@SRX07# run show log traffic-log | last
Jan 12 21:52:36 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.1.2/35988->8.8.8.8/1 icmp 10.0.0.26/18013->8.8.8.8/1 source-nat-rule None 1 trust-to-untrust trust untrust 23769 1(60) 1(60) 3 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
Jan 12 21:52:38 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.1.2/35989->8.8.8.8/1 icmp 10.0.0.26/18154->8.8.8.8/1 source-nat-rule None 1 trust-to-untrust trust untrust 23770 1(60) 1(60) 4 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
Jan 12 21:52:38 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.1.2/35990->8.8.8.8/1 icmp 10.0.0.26/18419->8.8.8.8/1 source-nat-rule None 1 trust-to-untrust trust untrust 23771 1(60) 1(60) 3 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
Jan 12 21:52:40 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.1.2/35991->8.8.8.8/1 icmp 10.0.0.26/24641->8.8.8.8/1 source-nat-rule None 1 trust-to-untrust trust untrust 23772 1(60) 1(60) 4 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
Jan 12 21:52:40 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.1.2/35992->8.8.8.8/1 icmp 10.0.0.26/27105->8.8.8.8/1 source-nat-rule None 1 trust-to-untrust trust untrust 23773 1(60) 1(60) 3 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
Jan 12 21:52:42 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.1.2/35993->8.8.8.8/1 icmp 10.0.0.26/23506->8.8.8.8/1 source-nat-rule None 1 trust-to-untrust trust untrust 23774 1(60) 1(60) 4 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
Jan 12 21:52:42 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.1.2/35994->8.8.8.8/1 icmp 10.0.0.26/32249->8.8.8.8/1 source-nat-rule None 1 trust-to-untrust trust untrust 23775 1(60) 1(60) 3 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
In the example, 8.8.8.8 is being pinged continuously from a host with IP 192.168.1.2.