SRX Default Drop Log

Have you ever wondered where the SRX stores the Logs for what it denied?
Back in my Check Point days we had a nice dashboard that showed the packets the firewall denied, so we could immediately check whether our rules applied successfully or not. Since the SRX can’t show this, here’s a nice little trick to show you all packets being blocked by the firewall. For this to work you would have to create a “log session-init” deny rule as the “last” rule for every zone pair (of course there is still the implicit deny, but the implicit deny does not log by default). With many zones this becomes far too complex. It can be done more simply:

This adds a group policy to every zone pair. The zone-specific rules apply first, so your rule set is safe: they are more specific, and as we all know JunOS always puts the more specific rules first. At the end the group policy is inserted, right before your implicit deny (which is “invisible”).
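The group trick described above, as an added example (this is my own illustration, not the snippet from the original post; the group name `default-deny-log` and the policy name are assumptions). The `<*>` wildcard makes the group apply to every from-zone/to-zone pair, and `apply-groups` pulls it into the active configuration:

```junos
# Added example: a configuration group carrying one logging deny policy.
# Group and policy names are assumptions; choose your own.
set groups default-deny-log security policies from-zone <*> to-zone <*> policy default-deny-log match source-address any
set groups default-deny-log security policies from-zone <*> to-zone <*> policy default-deny-log match destination-address any
set groups default-deny-log security policies from-zone <*> to-zone <*> policy default-deny-log match application any
set groups default-deny-log security policies from-zone <*> to-zone <*> policy default-deny-log then deny
set groups default-deny-log security policies from-zone <*> to-zone <*> policy default-deny-log then log session-init

# Inherit the group into the real configuration
set apply-groups default-deny-log

# Before committing, check where the inherited policy landed in each zone pair
show security policies | display inheritance
```

Two things to check in the `display inheritance` output: the inherited policy must appear last in every zone pair, and a wildcard in a group only expands to from-zone/to-zone pairs that already exist under `security policies`. A zone pair with no explicit policy of its own gets nothing from the group and still falls through to the silent implicit deny, so you would need at least one policy (or a global policy, see below) for that pair before its drops show up in the log.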

If you are like me, you don’t want to look at the “messages” log, since it contains many other events, which is not so good when you are looking for denied packets. So create a new file that holds only the “deny” packets:

With “show log {name of logfile}” you can watch the packets that have been denied. If your colleague is on the phone and you want him to press his connect button so you can instantly monitor what’s happening, issue “monitor start {name of logfile}”. This shows all events “live” on the CLI. Don’t forget to turn it off again with “monitor stop {name of logfile}”. You can also “rotate” the files so they don’t eat your free disk space:
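The dedicated log file, its rotation and the commands for watching it, as an added example (my own illustration, not the original post's snippet; the file name `deny-log`, the 1m size and the five archived copies are assumptions). The `match` regex keeps only the `RT_FLOW_SESSION_DENY` events that the logging deny policy generates:

```junos
# Added example. File name and archive sizes are assumptions.
# --- configuration mode ---
set system syslog file deny-log any any
set system syslog file deny-log match RT_FLOW_SESSION_DENY
set system syslog file deny-log archive size 1m
set system syslog file deny-log archive files 5
commit and-quit

# --- operational mode ---
show log deny-log
monitor start deny-log
monitor stop deny-log
```

This relies on session logs being written to the Routing Engine, which is the default on branch SRX devices (`security log mode event`). On the data-center SRX series the default is stream mode, where session logs go straight to an external collector and never appear in a local file, so check `show configuration security log` first if the file stays empty.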


JUNOS 11.4R1 introduced “global security policies”, so you can (and I prefer this) do it another way:

But remember:
You have to use the global address book for this solution to apply; you cannot mix zone-specific address books and the global address book.
I always prefer the global address book anyway, since you don’t have to create hosts twice when they are needed in different zones, but that’s just my “taste”.
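The global-policy variant, as an added example (my own illustration, not the original post's snippet; the policy name, the address name `internal-net` and the `10.0.0.0/8` prefix are assumptions). Global policies are evaluated after all zone-pair policies and before the implicit deny, so a single logging deny policy here covers every zone pair without a group or a wildcard:

```junos
# Added example. Names and the prefix are assumptions.
# Global address book: entries here are usable from any zone
set security address-book global address internal-net 10.0.0.0/8

# Global policy, matched only after the zone-pair policies, right before the implicit deny
set security policies global policy default-deny-log match source-address any
set security policies global policy default-deny-log match destination-address any
set security policies global policy default-deny-log match application any
set security policies global policy default-deny-log then deny
set security policies global policy default-deny-log then log session-init
```

The commit will fail if any zone still carries its own `address-book` under `security zones`, which is the mixing restriction mentioned above; the denied sessions then show up in the same `RT_FLOW_SESSION_DENY` log file as with the group approach.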
