How to do simple logging on an SRX?

First, create two syslog files that collect the flow session messages. The `any any` facility/severity pair sends everything to the file, and the `match` keyword keeps only the lines containing the named message, so each file ends up holding one kind of event:

    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog file blocked-traffic any any
    set system syslog file blocked-traffic match RT_FLOW_SESSION_DENY
    set system syslog file accepted-traffic any any
    set system syslog file accepted-traffic match RT_FLOW_SESSION_CREATE

Then on your policy rule have, for example:

    set security policies from-zone trust to-zone untrust policy then-log-and-drop match source-address any
    set security policies from-zone trust to-zone untrust policy then-log-and-drop match destination-address any
    set security policies from-zone trust to-zone untrust policy then-log-and-drop match application any
    set security policies from-zone trust to-zone untrust policy then-log-and-drop then reject
    set security policies from-zone trust to-zone untrust policy then-log-and-drop then log session-init

A policy only produces RT_FLOW messages if it has a `then log` action. On a reject or deny policy, `log session-init` produces RT_FLOW_SESSION_DENY; on a permit policy it produces RT_FLOW_SESSION_CREATE when the session is set up, and `log session-close` produces RT_FLOW_SESSION_CLOSE with the byte and packet counts when it ends. So add `then log session-init` to the permit policies whose traffic you want to see in accepted-traffic as well, otherwise that file stays empty. Also note that this relies on security logs going through syslogd (`security log mode event`, the default on the branch SRX models); on platforms that default to stream mode the flow messages never reach these files until the mode is changed.

Then, with

    show log blocked-traffic
    show log accepted-traffic

see what's happening.

Alternatively, trace the packet flow on the device:

    set security flow traceoptions file flow-trace
    set security flow traceoptions file size 1m
    set security flow traceoptions file files 2
    set security flow traceoptions file world-readable
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter filter1 destination-prefix 1.2.3.4/32

and examine the flow with `show log flow-trace`. The basic-datapath flag is expensive, so keep the packet filter as narrow as possible and delete the traceoptions when you are done. A packet filter matches one direction only; to see the return packets of the same session as well, add a second filter with `source-prefix 1.2.3.4/32`.

For reference, Juniper KB16110 has a diagram of the processing order of the different modules within Junos flow (not reproduced here): http://kb.juniper.net/InfoCenter/index?page=content&id=KB16110.

Happy troubleshooting!
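Once the files fill up, the next question is usually "which policy dropped what, and was my flow ever logged at all?". The script below, an example added to this post rather than code from the post or from Juniper, parses the structured-data form of the RT_FLOW messages (the form the SRX writes when the syslog file is configured with the `structured-data` option) and answers both questions. The log lines embedded in it are constructed samples, the `junos@...` identifier is a placeholder the regex does not depend on, and the field names used (`source-address`, `destination-address`, `destination-port`, `policy-name`, `service-name`) are the standard ones in those messages.

```python
import re
from collections import Counter

# Constructed sample of "show log blocked-traffic" / "show log accepted-traffic"
# output with the structured-data option set. Addresses, ports and policy
# names are made up; the last line is ordinary syslog noise the parser must skip.
SAMPLE_LOG = """\
May  1 12:00:01 srx1 RT_FLOW: RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="10.0.0.5" source-port="51234" destination-address="1.2.3.4" destination-port="443" service-name="junos-https" protocol-id="6" policy-name="then-log-and-drop" source-zone-name="trust" destination-zone-name="untrust" packet-incoming-interface="ge-0/0/0.0"]
May  1 12:00:02 srx1 RT_FLOW: RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="10.0.0.7" source-port="40001" destination-address="1.2.3.4" destination-port="22" service-name="junos-ssh" protocol-id="6" policy-name="then-log-and-drop" source-zone-name="trust" destination-zone-name="untrust" packet-incoming-interface="ge-0/0/0.0"]
May  1 12:00:03 srx1 RT_FLOW: RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="10.0.0.8" source-port="40002" destination-address="1.2.3.4" destination-port="443" service-name="junos-https" protocol-id="6" policy-name="then-log-and-drop" source-zone-name="trust" destination-zone-name="untrust" packet-incoming-interface="ge-0/0/0.0"]
May  1 12:00:04 srx1 RT_FLOW: RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="10.0.0.9" source-port="50000" destination-address="8.8.8.8" destination-port="53" service-name="junos-dns-udp" protocol-id="17" policy-name="allow-dns" source-zone-name="trust" destination-zone-name="untrust"]
May  1 12:00:05 srx1 sshd[1234]: Accepted password for admin from 10.0.0.1 port 55555 ssh2
"""

# Message name followed by the structured-data element: [junos@<id> key="value" ...]
EVENT_RE = re.compile(r'(RT_FLOW_SESSION_(?:CREATE|DENY|CLOSE)) \[junos@\S+ ([^\]]*)\]')
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_flow_events(text):
    """Return one dict per RT_FLOW session message; non-flow lines are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not a flow session message (e.g. sshd)
        fields = dict(KV_RE.findall(m.group(2)))
        fields["event"] = m.group(1)
        events.append(fields)
    return events


def summarize_denies(events):
    """Count denied flows by (policy, destination, port, service): the first thing to look at."""
    counts = Counter()
    for e in events:
        if e["event"] != "RT_FLOW_SESSION_DENY":
            continue
        key = (e["policy-name"], e["destination-address"], e["destination-port"], e["service-name"])
        counts[key] += 1
    return counts


def check_expected_flow(events, src, dst, dport):
    """Was a given flow created, denied, or never logged?

    None means no message at all, which usually points at a policy without
    "then log" or at a different zone pair than the one you expected.
    """
    for e in events:
        if (e.get("source-address") == src and e.get("destination-address") == dst
                and e.get("destination-port") == dport):
            return e["event"]
    return None


if __name__ == "__main__":
    evs = parse_flow_events(SAMPLE_LOG)
    for key, n in summarize_denies(evs).most_common():
        print(n, *key)
    print(check_expected_flow(evs, "10.0.0.9", "8.8.8.8", "53"))
```

On the box itself the same data can be pulled with `show log blocked-traffic | match RT_FLOW_SESSION_DENY`, but the script is handy once the files have been copied off the device or sent to a syslog server.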