SRX Default Drop Log


Have you ever wondered where the SRX stores the logs for what it denied?
Back in my Checkpoint days we had a nice dashboard that showed the packets the firewall denied, so we could immediately check whether our rules applied successfully or not. Since the SRX can't show this out of the box, here is a little trick to show all packets being blocked by the firewall. The straightforward way is to create a deny rule with "log session-init" as the last rule for every zone pair (the implicit deny still exists, but the implicit deny does not log by default). With many zones this becomes far too complex. It can be done more simply:

set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match source-address any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match destination-address any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match application any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then deny
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then log session-init

set apply-groups default-deny-group

This adds the group policy to every zone pair. The zone-specific rules apply first, so your rule set is safe, since they are more specific and Junos always evaluates the more specific policies first. The group policy is inserted at the end, right before the implicit deny (which is "invisible" in the configuration).

If you are like me, you don't want to search the "messages" log, since it contains many other events, which is not helpful when you are only looking at denied packets. So create a new file that receives only the "deny" events:

system {
    syslog {
        file session-create-log {
            any any;
            match RT_FLOW_SESSION_CREATE;
        }
        file denied-traffic-log {
            any any;
            match RT_FLOW_SESSION_DENY;
        }
    }
}

With "show log {name of logfile}" you can look at the packets that have been denied. If your colleague is on the phone and you want him to press his connect button so you can watch what happens in real time, issue "monitor start {name of logfile}". This shows all events live on the CLI. Don't forget to turn it off again with "monitor stop {name of logfile}". You can also "rotate" the files so they don't eat up your free disk space:

set system syslog file denied-traffic-log archive size 100k
set system syslog file denied-traffic-log archive files 5
set system syslog file denied-traffic-log archive world-readable
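The RT_FLOW_SESSION_DENY lines that land in denied-traffic-log are free text, so to check whether a new rule really stops the flows you expect it is handy to tally them by policy, zone pair and destination instead of reading them one by one. The following script is an added example, not part of the original post; the sample lines are constructed in the shape of "show log denied-traffic-log" output, and the field order it assumes (source/port, destination/port, service, protocol, policy name, from-zone, to-zone) is an assumption about the message layout.

```python
import re
from collections import Counter

# Assumed layout of the RT_FLOW_SESSION_DENY message (fields beyond to-zone are ignored):
#   session denied SRC/SPORT->DST/DPORT SERVICE PROTO(ICMPTYPE) POLICY FROMZONE TOZONE ...
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[0-9a-fA-F.:]+)/(?P<sport>\d+)->"
    r"(?P<dst>[0-9a-fA-F.:]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\(\d+\) "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+)"
)

def parse_deny_line(line):
    """Return the interesting fields of one deny event, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("sport", "dport", "proto"):
        ev[key] = int(ev[key])
    return ev

def summarize(lines, top=3):
    """Count denied flows per (policy, from-zone, to-zone) and per destination/port/proto."""
    by_policy = Counter()
    by_dest = Counter()
    for line in lines:
        ev = parse_deny_line(line)
        if ev is None:  # session-create lines or unrelated syslog noise
            continue
        by_policy[(ev["policy"], ev["from_zone"], ev["to_zone"])] += 1
        by_dest[(ev["dst"], ev["dport"], ev["proto"])] += 1
    return by_policy.most_common(top), by_dest.most_common(top)

# Constructed sample log lines; addresses, zones and the policy name are made up.
SAMPLE_LOG = """\
Apr 13 10:01:02 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.10.1.20/51234->10.20.5.7/22 junos-ssh 6(0) default-deny trust dmz UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0
Apr 13 10:01:03 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.10.1.20/51235->10.20.5.7/22 junos-ssh 6(0) default-deny trust dmz UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0
Apr 13 10:01:05 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.10.1.21/40000->10.20.5.9/443 junos-https 6(0) default-deny trust dmz UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0
Apr 13 10:01:06 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.0.2.55/0->10.20.5.9/0 icmp 1(8) default-deny untrust dmz UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0
Apr 13 10:01:07 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.10.1.22/50000->10.20.5.9/443 junos-https 6(0) allow-web trust dmz
"""

if __name__ == "__main__":
    by_policy, by_dest = summarize(SAMPLE_LOG.splitlines())
    print("denied per policy/zone pair:", by_policy)
    print("denied per destination:", by_dest)
```

Feed it the output of "show log denied-traffic-log" (or the rotated archive files) instead of SAMPLE_LOG to see at a glance which zone pairs and destinations are hitting the catch-all deny.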


Junos 11.4R1 introduced "global security policies", so you can (and I prefer this) do it another way:

set security policies global policy default-log-and-drop match source-address any
set security policies global policy default-log-and-drop match destination-address any
set security policies global policy default-log-and-drop match application any
set security policies global policy default-log-and-drop then deny
set security policies global policy default-log-and-drop then log session-init

But remember:
You have to use global address books for this solution to apply; you cannot mix zone-specific address books and global address books.
I always prefer the global address book anyway, since you don't have to create hosts twice when they are needed in different zones, but that's just my "taste".


Juniper Summit 2016 – The Disruptive Decade

I went to the Juniper Summit in Frankfurt, Germany on Wednesday the 13th of April. It was really interesting seeing so many Juniper employees and partners and of course also the great minds who shared many good sessions with the crowd. Juniper also celebrated its 20 years and we all received various gifts and a 20 Years sticker. Way to go, Juniper!


The Juniper Power-Bank


POC – Pilot – Project :: Objectives and Difference

Customers sometimes ask me what the difference between a POC and a pilot is. I found a nice sheet (but had to modify and tweak it, since in my opinion it did not reflect the difference correctly):

POC – Pilot – Project comparison sheet

Although a pilot is very close to production, I personally would never purchase licenses before checking that the pilot works flawlessly. I think one of the biggest core differences is that a POC runs on vendor-near hardware in the lab, while the pilot happens in your live infrastructure with the final vendor hardware and config.