Have you ever wondered where the SRX stores the Logs for what it denied?
Back in my Checkpoint days we had a nice Dashboard that showed us the packets the firewall denied, so we could immediately check whether our rules applied successfully or not. Since the SRX can't show this, here is a nice little trick to show you all packets being blocked by the firewall. For this to work you would have to create a "log session-init" deny rule as the "last" rule of every zone pair (of course there still is the implicit deny, but the implicit deny does not log by default). With many zones this becomes far too complex. It can be done more simply with a configuration group:
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match source-address any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match destination-address any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match application any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then deny
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then log session-init
set apply-groups default-deny-group
This adds the group policy to every from-zone/to-zone pair. Your explicit zone-specific rules are evaluated first, so the rule-set stays safe: they are more specific, and as we all know JunOS always puts the more specific first. The group policy is inserted at the end, right before your implicit deny (which is "invisible").
If you are like me, you don't want to look at the "messages" log, since it contains many other events, which is not so good when looking for denied packets. So create a new file that only collects the "deny" packets:
system {
    syslog {
        file session-create-log {
            any any;
            match RT_FLOW_SESSION_CREATE;
        }
        file denied-traffic-log {
            any any;
            match RT_FLOW_SESSION_DENY;
        }
    }
}
With "show log {name of logfile}" you can look at the packets that have been denied. If your colleague is on the phone and you want him to press his connection button so you can watch instantly what's happening, you can issue "monitor start {name of logfile}". This shows all events "live" on the CLI. Don't forget to turn it off again with "monitor stop {name of logfile}". You can also "rotate" the files so they don't eat your free disk space:
set system syslog file denied-traffic-log archive size 100k
set system syslog file denied-traffic-log archive files 5
set system syslog file denied-traffic-log archive world-readable
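As an added example (not part of the original post), here is a small Python script that reads lines from such a denied-traffic-log and summarizes them by policy, zone pair and destination, so you can see at a glance whether the new default-deny policy is catching the traffic you expect. The field layout in DENY_RE and the sample log lines are assumptions constructed for this example; compare them against a real line from your own SRX before relying on the parser.

```python
import re
from collections import Counter

# Assumed layout of the RT_FLOW_SESSION_DENY message (constructed for this example,
# modelled on the SRX "session denied" message; verify against your own log):
#   RT_FLOW_SESSION_DENY: session denied <src>/<sport>-><dst>/<dport> <service>
#       <proto>(<icmp-type>) <policy-name> <from-zone> <to-zone> ...
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\(\d+\) (?P<policy>\S+) "
    r"(?P<from_zone>\S+) (?P<to_zone>\S+)"
)

# Constructed sample lines, as they might appear in denied-traffic-log.
# The SESSION_CREATE line is included to show that it is ignored.
SAMPLE_LOG = """\
Mar  1 10:00:01 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.1.20/51234->10.0.2.5/22 junos-ssh 6(0) default-deny trust dmz UNKNOWN UNKNOWN UNKNOWN
Mar  1 10:00:02 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.1.21/50000->10.0.2.5/445 junos-smb 6(0) default-deny trust dmz UNKNOWN UNKNOWN UNKNOWN
Mar  1 10:00:03 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.1.20/51235->10.0.2.5/22 junos-ssh 6(0) default-deny trust dmz UNKNOWN UNKNOWN UNKNOWN
Mar  1 10:00:04 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.1.30/40000->10.0.2.5/80 junos-http 10.0.1.30/40000->10.0.2.5/80 None None 6 allow-web trust dmz 100
Mar  1 10:00:05 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 172.16.0.9/3456->10.0.1.1/53 junos-dns-udp 17(0) block-dns untrust trust UNKNOWN UNKNOWN UNKNOWN
"""


def parse_deny_lines(text):
    """Return one dict per RT_FLOW_SESSION_DENY line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:  # lines that do not match (e.g. SESSION_CREATE) are ignored
            records.append(m.groupdict())
    return records


def summarize(records):
    """Count denies per policy, per zone pair and per destination ip:port."""
    return {
        "by_policy": Counter(r["policy"] for r in records),
        "by_zone_pair": Counter((r["from_zone"], r["to_zone"]) for r in records),
        "by_destination": Counter(f'{r["dst"]}:{r["dport"]}' for r in records),
    }


if __name__ == "__main__":
    # Usage: python denylog.py < /var/log/denied-traffic-log
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for name, counter in summarize(parse_deny_lines(data)).items():
        print(name, counter.most_common(5))
```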
JUNOS 11.4R1 introduced "global security policies", so you can (and I prefer this) do it another way:
set security policies global policy default-log-and-drop match source-address any
set security policies global policy default-log-and-drop match destination-address any
set security policies global policy default-log-and-drop match application any
set security policies global policy default-log-and-drop then deny
set security policies global policy default-log-and-drop then log session-init
But remember:
You have to use the global address book for this solution to apply; you cannot mix zone-specific address books and the global address book.
I always prefer the global address book anyway, since you don't have to create hosts twice when they are needed in different zones, but that's just my "taste".