Configure Logging in Juniper Firewall Filter

Logs are an important feature that comes in very handy when troubleshooting or monitoring a network. Firewall filters can be configured on a wide range of Juniper devices: the SRX, EX, MX, T and other series all support stateless firewall filters. Firewall filters are the Junos equivalent of access control lists (ACLs) in the Cisco world. They accept or reject packets based on match conditions, and they can be applied to a port, a VLAN, or a Layer 3 interface. A firewall filter can have multiple terms, each defining its own match conditions and actions. Terms are evaluated from top to bottom, and the first term whose conditions match decides what happens to the packet. In this post, I will show the steps to configure logging in a Juniper firewall filter.

Configure Logging in Juniper Firewall Filter

Juniper firewall filters are made up of terms and match conditions. A filter can contain many terms, and a term can contain several match conditions and actions. An example filter is shown below. It has two terms, T1 and T2. T1 matches traffic from source address 192.168.1.1/32 to destination port 22 or 443 and has the action accept. T2 has no from clause, so it matches everything T1 did not match, and its action is reject. So only traffic from 192.168.1.1 to port 22 or 443 is accepted on interface fe-0/0/2; all other traffic is rejected. Note that reject drops the packet and sends an ICMP unreachable message back to the sender; if you want to drop silently, use discard instead. Also note that destination-port matches the TCP or UDP port field, so it is good practice to pair it with protocol tcp or protocol udp rather than matching every protocol. Both terms also have the syslog action, which sends a record of each matching packet to the system log under the firewall facility. This is different from the log action, which writes matches to a small buffer on the device that you view with show firewall log. Even without the final reject term the remaining traffic would still be dropped, because every firewall filter ends with an implicit discard, but the explicit T2 term is what gives you a log entry for it.

[edit firewall]
root@SRX240# show
filter TEST {
    term T1 {
        from {
            source-address {
                192.168.1.1/32;
            }
            destination-port [ 22 443 ];
        }
        then {
            syslog;
            accept;
        }
    }
    term T2 {
        then {
            syslog;
            reject;
        }
    }
}

The filter is then applied in the input direction on the interface:

[edit interfaces fe-0/0/2]
root@SRX240# show
description "CONNECTED TO INTERNET";
unit 0 {
    family inet {
        filter {
            input TEST;
        }
        address 2.2.2.2/30;
    }
}

Many other match conditions and actions are available. You can match on source and destination IP address, MAC address, port number, protocol number, DSCP value, 802.1Q tag, ICMP type, and more. Remember that Juniper firewall filters are stateless and unidirectional: they do not track connection state, and they do not automatically permit return traffic. That is why you can apply a filter to both the inbound (input) and the outbound (output) direction of an interface, and why you must write the terms for the return direction yourself. To permit or deny transit traffic, apply the filter to the transit interfaces. To permit or deny traffic destined to the device's own routing engine, apply the filter to the loopback (lo0) interface. For example, to block SSH brute-force login attempts against the device itself, create a filter that only allows port 22 from your management addresses and apply it to lo0. A lo0 filter also governs routing protocol and management traffic, so test it carefully (commit confirmed is your friend) so that you do not lock yourself out.

To view the logs generated by the syslog action, create a syslog file that captures the firewall facility. Here is how to do that:

[edit system syslog]
root@SRX240# set file FILTER firewall any

This writes every firewall-facility message, at any severity, to the file /var/log/FILTER. Now, to view the firewall filter log, type:

root@SRX240> show log FILTER
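As an added example (not part of the original article), here is a small Python script that reads lines in the form the syslog action writes to FILTER and tallies what the filter accepted and rejected per source address, then picks out sources that were repeatedly rejected on port 22, the pattern the lo0 filter mentioned earlier is meant to stop. The log lines inside it are constructed, and the PFE_FW_SYSLOG_IP field layout (action codes A, D, R for accept, discard, reject) is my assumption from the Junos documentation; compare it with a real line from show log FILTER before trusting the regex on your own logs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of what /var/log/FILTER might contain once the syslog
# action in terms T1 and T2 starts firing. The field layout
#   PFE_FW_SYSLOG_IP: FW: <interface> <action> <protocol> <src> <dst> <sport> <dport> (<n> packets)
# with action A = accept, D = discard, R = reject is the Junos PFE format as I
# know it from the documentation; treat it as an assumption. The file collects
# every firewall-facility message, so a commit message and a D line (as a lo0
# filter with a discard action would produce) are included to exercise the parser.
SAMPLE_LOG = """\
Jun 10 12:00:01 SRX240 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   A tcp 192.168.1.1 2.2.2.2    51514    22 (1 packets)
Jun 10 12:00:02 SRX240 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   A tcp 192.168.1.1 2.2.2.2    51520   443 (3 packets)
Jun 10 12:00:03 SRX240 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   R tcp 203.0.113.7 2.2.2.2    40001    22 (1 packets)
Jun 10 12:00:03 SRX240 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   R tcp 203.0.113.7 2.2.2.2    40002    22 (1 packets)
Jun 10 12:00:04 SRX240 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   R tcp 203.0.113.7 2.2.2.2    40003    22 (2 packets)
Jun 10 12:00:04 SRX240 mgd[1577]: UI_COMMIT: User 'root' requested 'commit' operation
Jun 10 12:00:05 SRX240 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   R tcp 203.0.113.7 2.2.2.2    40004    22 (1 packets)
Jun 10 12:00:05 SRX240 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   R tcp 203.0.113.7 2.2.2.2    40005    22 (1 packets)
Jun 10 12:00:06 SRX240 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   R tcp 198.51.100.9 2.2.2.2   33000    22 (1 packets)
Jun 10 12:00:07 SRX240 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   R udp 198.51.100.9 2.2.2.2   33001   161 (1 packets)
Jun 10 12:00:08 SRX240 PFE_FW_SYSLOG_IP: FW: lo0.0        D icmp 198.51.100.9 2.2.2.2      0     0 (4 packets)
"""

# Assumed record layout; IP6 variant differs only in the tag.
LINE_RE = re.compile(
    r"PFE_FW_SYSLOG_IP6?: FW: (?P<ifl>\S+)\s+(?P<action>[ADR])\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"\((?P<count>\d+) packets\)"
)
ACTIONS = {"A": "accept", "D": "discard", "R": "reject"}


def parse_line(line):
    """Return a dict for one firewall-filter syslog record, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["action"] = ACTIONS[rec["action"]]
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def summarize(log_text):
    """Tally accepted packets and, per source, the destination ports that were blocked.

    Returns (accepted_packets, blocked) where blocked maps src -> Counter({dport: packets}).
    Both discard and reject count as blocked.
    """
    accepted = 0
    blocked = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # commit messages and other facilities share the file
        if rec["action"] == "accept":
            accepted += rec["count"]
        else:
            blocked[rec["src"]][rec["dport"]] += rec["count"]
    return accepted, blocked


def noisy_sources(blocked, dport=22, threshold=5):
    """Sources with at least `threshold` blocked packets towards `dport` (SSH by default)."""
    return sorted(src for src, ports in blocked.items() if ports[dport] >= threshold)


if __name__ == "__main__":
    accepted, blocked = summarize(SAMPLE_LOG)
    print(f"accepted packets: {accepted}")
    for src, ports in sorted(blocked.items()):
        detail = ", ".join(f"port {p} x{n}" for p, n in sorted(ports.items()))
        print(f"blocked from {src}: {detail}")
    print("SSH brute-force candidates:", noisy_sources(blocked))
```

On a live box you would feed it the output of show log FILTER (or the file itself via file show /var/log/FILTER) instead of SAMPLE_LOG. The sources it flags are the ones worth adding to a prefix-list that a lo0 filter discards, and the per-port breakdown tells you whether a source is probing only SSH or scanning more widely.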

In this way you can configure a firewall filter and monitor its log on a Juniper SRX device.

Bipin Giri is a freelance Network and System Engineer with expertise in Cisco, Juniper, Microsoft, VMware, and other technologies. He enjoys writing articles and tutorials on network technologies. His certifications include MCSE: Messaging, JNCIP-SEC, JNCIS-ENT, and others.