Stuff I'm Up To

Technical Ramblings

Monitor Security Flow — November 15, 2017

Monitor Security Flow

We stream the Juniper SRX logs out to our syslog server and that seems to work quite well. It is reliant upon us having the relevant log setting in the rules.

So for rules where we allow we can log the data at session-close

...
    then {
        permit;
        log {
            session-close;
        }
    }

But in our Deny All rules we log the session-init – because a denied session never gets closed (it’s never opened). So the session-init just logs the attempt.

...
    then {
        deny;
        log {
            session-init;
        }
    }

But what if we’re missing some rule logging, or are a bit unsure if packets coming in are actually coming in or not? That where monitor security flow comes in handy.

At the cli on the SRX you need to setup and activate the security flow, the filters to apply and the file to log to. In this example we’re going to capture packets from a specific ip address on a particular interface.

Create a named filter called ‘myfilter’ and then create a file to log into.

> monitor security flow filter interface reth0 source-prefix 192.168.56.10 myfilter
> monitor security flow file size 10240 securityflow.log

Then you can start and stop the monitor as you need. Then look at the content of the file.

> monitor security flow start
> monitor security flow stop
> show log securityflow.log

View the current status of your monitor

> show monitor security flow

Monitor security flow session status: Active
Monitor security flow trace file: /var/log/securityflow.log
Monitor security flow filters: 1
  Name: myfilter
    Status: Active
    Source: 192.168.56.10/32 (port 0~65535)
    Destination: 0.0.0.0/0 (port 0~65535)
    Logical system: root-logical-system
    Interface: reth0.0

Copy the log file to another system if you want to analyse it further

> file copy /var/log/securityflow.log scp://user@server.domain.local:~/

After stopping your monitor, you can then tidy up removing your file and filter using

> file delete /var/log/securityflow.log
> clear monitor security flow filter myfilter

 

Advertisements
JunOS static-nat and proxy-arp — October 31, 2017

JunOS static-nat and proxy-arp

I’m still relatively new to this JunOS, even though it’s been installed for several months now. Today’s problem was not passing traffic through a new static-nat that I’d setup. I checked the config for static-nats that already existed and couldn’t see the problem.

I needed to look at how the static-nat gets presented on the interface. It’s no good having a NAT rule if you don’t actively acknowledge that you are active on that IP address on an interface. No proxy-arp means nothing gets passed to NAT because the IP doesn’t exist on the network.

To do this make sure you add a proxy-arp address on the interface that you want to access the IP address.

eg.

set security proxy-arp interface reth1.99 address 192.168.99.99/32

Then you’ll have a related rule entry in your security nat static rule-set stanza to handle the translation.

eg.

show rule MyRule   
match {
    destination-address 192.168.99.99/32;
}
then {
    static-nat {
        prefix {
            192.168.0.99/32;
        }
    }
}

 

Backing Up Juniper Configs — March 1, 2016