Prior to working with Juniper SRX’s my firewall experience was predominantly Check Point. Two nice features of Check Point firewalls are Smart Log and Smart View Tracker which both provide easy access to firewall log records. When I started using SRX’s one of my first questions was how do I get to view dropped traffic?
One of the easiest ways to do this is to use a ‘Default Deny’ template group. Unless explicitly allowed by a Security Policy all traffic is dropped by default, however this traffic isn’t logged. Using a default deny template group and applying it between all Security Zones is the way to get around this and log the traffic being dropped.
Create the Template:
set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny match source-address any set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny match destination-address any set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny match application any set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny then deny set groups default-deny-template security policies from-zone <*> to-zone <*> policy defult-deny then log session-init
Apply the Template:
set apply-groups default-deny-template
Configure Syslog:
set system syslog user * any emergency set system syslog host 192.168.10.1 any any set system syslog host 192.168.10.1 match RT_FLOW_SESSION_DENY
You can now fire up your trusty syslog server (you do use one right?) and view the records generated by the Default Deny template that match the regular expression RT_FLOW_SESSION_DENY.
I hope this has been a useful explanation.
Thanks for reading.
Rich
Follow Rich on Twitter