Difference between revisions of "Traffic logging JUNOS"
From Teknologisk videncenter
Revision comparison (both revisions are minor edits by the same user; 2 intermediate revisions are not shown).

Edit summary of the older revision: Created page with "To log traffic through an SRX firewall, a log file must be created in which all log messages containing RT_FLOW_SESSION are stored, and session logging is then enabled on the firewall policy..."

Changes in the latest revision:
- Line 1: a reference was appended to the introductory paragraph: <ref>[http://kb.juniper.net/InfoCenter/index?page=content&id=KB16509 SRX Getting Started - Configure Traffic Logging (Security Policy Logs)]</ref>
- After line 50 (the closing sentence "In the example, 8.8.8.8 is pinged continuously from a host with IP 192.168.1.2"): a =References= section containing <references />, the {{Source cli}} template and [[Category:Juniper]] were added.
Latest revision as of 21:55, 12 January 2015
To log traffic through an SRX firewall, create a log file in which all log messages containing RT_FLOW_SESSION are stored, and then enable session logging on the firewall policy.[1]
Log file
[edit]
root@SRX07# show system syslog file traffic-log
any any;
match RT_FLOW_SESSION;
Policy logging
Logging can take place when:
- the session is set up, with session-init (recommended for long sessions)
- the session is terminated, with session-close (recommended for permit, since it contains the most information)
[edit security policies]
root@SRX07# show
from-zone trust to-zone untrust {
    policy trust-to-untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
}
/var/log/traffic-log
The files grow large quickly, so make sure there is plenty of space and use logrotate.
root@SRX07# run show log traffic-log?
Possible completions:
  <filename>           Name of log file
  traffic-log          Size: 106919, Last changed: Jan 12 21:51:13
  traffic-log.0.gz     Size: 9276, Last changed: Jan 12 21:45:00
root@SRX07# run show log traffic-log | last
Jan 12 21:52:36 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.1.2/35988->8.8.8.8/1 icmp 10.0.0.26/18013->8.8.8.8/1 source-nat-rule None 1 trust-to-untrust trust untrust 23769 1(60) 1(60) 3 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
Jan 12 21:52:38 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.1.2/35989->8.8.8.8/1 icmp 10.0.0.26/18154->8.8.8.8/1 source-nat-rule None 1 trust-to-untrust trust untrust 23770 1(60) 1(60) 4 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
Jan 12 21:52:38 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.1.2/35990->8.8.8.8/1 icmp 10.0.0.26/18419->8.8.8.8/1 source-nat-rule None 1 trust-to-untrust trust untrust 23771 1(60) 1(60) 3 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
Jan 12 21:52:40 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.1.2/35991->8.8.8.8/1 icmp 10.0.0.26/24641->8.8.8.8/1 source-nat-rule None 1 trust-to-untrust trust untrust 23772 1(60) 1(60) 4 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
Jan 12 21:52:40 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.1.2/35992->8.8.8.8/1 icmp 10.0.0.26/27105->8.8.8.8/1 source-nat-rule None 1 trust-to-untrust trust untrust 23773 1(60) 1(60) 3 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
Jan 12 21:52:42 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.1.2/35993->8.8.8.8/1 icmp 10.0.0.26/23506->8.8.8.8/1 source-nat-rule None 1 trust-to-untrust trust untrust 23774 1(60) 1(60) 4 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
Jan 12 21:52:42 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.1.2/35994->8.8.8.8/1 icmp 10.0.0.26/32249->8.8.8.8/1 source-nat-rule None 1 trust-to-untrust trust untrust 23775 1(60) 1(60) 3 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
In the example, 8.8.8.8 is pinged continuously from a host with IP 192.168.1.2.
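As an added example (not part of the wiki page or of Juniper's own tooling), a small Python parser for the RT_FLOW_SESSION_CLOSE lines shown above: it extracts the pre- and post-NAT flow, policy, zones and the packet/byte counters, then sums sessions and bytes per source, destination and policy. The field names are this example's own labels for the positions observed in the page's lines, and the sample log is constructed to match the page's ping example plus one TCP session.

```python
import re
from collections import defaultdict

# Constructed sample (not from a real device) in the RT_FLOW_SESSION_CLOSE layout shown
# on the page; the third line is a TCP session with another close reason for coverage.
SAMPLE_LOG = """\
Jan 12 21:52:36 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.1.2/35988->8.8.8.8/1 icmp 10.0.0.26/18013->8.8.8.8/1 source-nat-rule None 1 trust-to-untrust trust untrust 23769 1(60) 1(60) 3 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
Jan 12 21:52:38 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.1.2/35989->8.8.8.8/1 icmp 10.0.0.26/18154->8.8.8.8/1 source-nat-rule None 1 trust-to-untrust trust untrust 23770 1(60) 1(60) 4 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
Jan 12 21:53:01 SRX07 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.1.2/51000->8.8.8.8/443 junos-https 10.0.0.26/20001->8.8.8.8/443 source-nat-rule None 6 trust-to-untrust trust untrust 23780 12(1500) 15(9800) 7 UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN
"""

# Field order assumed from the page's lines: pre-NAT flow, service, post-NAT flow, NAT rule
# names, protocol id, policy, zones, session id, client/server packets(bytes), elapsed secs.
CLOSE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) RT_FLOW: RT_FLOW_SESSION_CLOSE: "
    r"session closed (?P<reason>[^:]+): "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) (?P<service>\S+) "
    r"(?P<nat_src>[\d.]+)/(?P<nat_sport>\d+)->(?P<nat_dst>[\d.]+)/(?P<nat_dport>\d+) "
    r"(?P<src_nat_rule>\S+) (?P<dst_nat_rule>\S+) (?P<proto>\d+) (?P<policy>\S+) "
    r"(?P<from_zone>\S+) (?P<to_zone>\S+) (?P<session_id>\d+) "
    r"(?P<c_pkts>\d+)\((?P<c_bytes>\d+)\) (?P<s_pkts>\d+)\((?P<s_bytes>\d+)\) "
    r"(?P<elapsed>\d+)"
)
INT_FIELDS = ("sport", "dport", "nat_sport", "nat_dport", "proto", "session_id",
              "c_pkts", "c_bytes", "s_pkts", "s_bytes", "elapsed")

def parse_close(line):
    """Return a dict of fields for one RT_FLOW_SESSION_CLOSE line, or None."""
    m = CLOSE_RE.match(line)
    if m is None:
        return None  # session-init records and other syslog noise are skipped
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec

def summarize(text):
    """Aggregate closed sessions and total bytes per (source, destination, policy)."""
    totals = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for line in text.splitlines():
        rec = parse_close(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"], rec["policy"])
        totals[key]["sessions"] += 1
        # Byte counters exist only in the close record, which is why the page
        # recommends session-close logging on permit policies.
        totals[key]["bytes"] += rec["c_bytes"] + rec["s_bytes"]
    return dict(totals)
```

Feeding the output of `run show log traffic-log` to `summarize` gives a quick per-host, per-policy volume overview without leaving the session-level detail behind.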