syslog data traffic
https://kb.juniper.net/InfoCenter/index?page=content&id=KB16509&actp=METADATA
found the traffic type (show flow session):

```
Netbox@SRX300-1-RL102# run show security flow session destination-prefix 192.168.200.0/24
Session ID: 3655, Policy name: self-traffic-policy/1, Timeout: 566, Valid
  In: 192.168.200.2/54200 --> 192.168.200.1/22;tcp, Conn Tag: 0x0, If: .local..8, Pkts: 4204, Bytes: 311177,
  Out: 192.168.200.1/22 --> 192.168.200.2/54200;tcp, Conn Tag: 0x0, If: ae0.0, Pkts: 2894, Bytes: 484081,

Session ID: 5485, Policy name: self-traffic-policy/1, Timeout: 566, Valid
  In: 192.168.200.1/65261 --> 192.168.200.2/22;tcp, Conn Tag: 0x0, If: ae0.0, Pkts: 4680, Bytes: 329221,
  Out: 192.168.200.2/22 --> 192.168.200.1/65261;tcp, Conn Tag: 0x0, If: .local..8, Pkts: 4201, Bytes: 606817,
Total sessions: 2

[edit system syslog]
Netbox@SRX300-1-RL102# run show security flow session destination-prefix 192.168.200.0/24 extensive
Session ID: 3655, Status: Normal
Flags: 0x100040/0x0/0x2/0x8123
Policy name: self-traffic-policy/1
Source NAT pool: Null, Application: junos-ssh/22
Dynamic application: junos:SSH, Dynamic nested application: junos:UNKNOWN
Encryption: No
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: 1800, Current timeout: 510
Session State: Valid
Start time: 3170806, Duration: 4390
   In: 192.168.200.2/54200 --> 192.168.200.1/22;tcp, Conn Tag: 0x0,
    Interface: .local..8,
    Session token: 0x8002, Flag: 0x1631
    Route: 0xfffb0006, Gateway: 192.168.200.2, Tunnel ID: 0, Tunnel type: None
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
    Pkts: 4204, Bytes: 311177
   Out: 192.168.200.1/22 --> 192.168.200.2/54200;tcp, Conn Tag: 0x0,
    Interface: ae0.0,
    Session token: 0x8009, Flag: 0x1620
    Route: 0x5c1302, Gateway: 192.168.200.1, Tunnel ID: 0, Tunnel type: None
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
    Pkts: 2894, Bytes: 484081

Session ID: 5485, Status: Normal
Flags: 0x100040/0x0/0x2/0x8123
Policy name: self-traffic-policy/1
Source NAT pool: Null, Application: junos-ssh/22
Dynamic application: junos:SSH, Dynamic nested application: junos:UNKNOWN
Encryption: No
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: 1800, Current timeout: 510
Session State: Valid
Start time: 3171151, Duration: 4045
   In: 192.168.200.1/65261 --> 192.168.200.2/22;tcp, Conn Tag: 0x0,
    Interface: ae0.0,
    Session token: 0x8009, Flag: 0x1621
    Route: 0x5c1302, Gateway: 192.168.200.1, Tunnel ID: 0, Tunnel type: None
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
    Pkts: 4680, Bytes: 329221
   Out: 192.168.200.2/22 --> 192.168.200.1/65261;tcp, Conn Tag: 0x0,
    Interface: .local..8,
    Session token: 0x8002, Flag: 0x1630
    Route: 0xfffb0006, Gateway: 192.168.200.2, Tunnel ID: 0, Tunnel type: None
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
    Pkts: 4201, Bytes: 606817
Total sessions: 2
```

config of syslog (syslog config file):

```
[edit system syslog]
file jlk_test {
    any any;
    match RT_FLOW_SESSION;
}
```

```
set system syslog file jlk_test any any
set system syslog file jlk_test match RT_FLOW_SESSION
```

policy to log:

```
[edit security policies from-zone BMS1Zone to-zone junos-host]
Netbox@SRX300-1-RL102# show
policy AllowAll_B_2_jh {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
        log {                      <<<<<<<<<<<<<<<<<<<<<<<< here to log the sessions
            session-init;
            session-close;
        }
    }
}

[edit security policies from-zone BMS1Zone to-zone junos-host]
Netbox@SRX300-1-RL102# show | display set
set security policies from-zone BMS1Zone to-zone junos-host policy AllowAll_B_2_jh match source-address any
set security policies from-zone BMS1Zone to-zone junos-host policy AllowAll_B_2_jh match destination-address any
set security policies from-zone BMS1Zone to-zone junos-host policy AllowAll_B_2_jh match application any
set security policies from-zone BMS1Zone to-zone junos-host policy AllowAll_B_2_jh then permit
set security policies from-zone BMS1Zone to-zone junos-host policy AllowAll_B_2_jh then log session-init
set security policies from-zone BMS1Zone to-zone junos-host policy AllowAll_B_2_jh then log session-close
```

show log <file_name>:

```
[edit system syslog]
Netbox@SRX300-1-RL102# run show log jlk_test
Jul 30 12:26:33 SRX300-1-RL102 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.200.1/60566->192.168.200.2/22 0x0 junos-ssh 192.168.200.1/60566->192.168.200.2/22 0x0 N/A N/A N/A N/A 6 AllowAll_B_2_jh BMS1Zone junos-host 7995 33(4421) 30(5081) 262 SSH UNKNOWN N/A(N/A) ae0.0 No Remote-Access Command 4 Supports File Transfer;Known Vulnerabilities;Capable of Tunneling; NA 0 0.0.0.0/0->0.0.0.0/0 NA NA N/A N/A
```
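An added example (not from this page or from Juniper): a Python parser for the RT_FLOW_SESSION_CLOSE line shown above, reading the positional fields through the "encrypted" flag, plus a check that flags sessions terminating on the device itself (to-zone junos-host) from outside an assumed list of management prefixes. The sample line is copied from the show log output; the allowed-prefix lists are assumptions.

```python
import ipaddress
import re

# Constructed sample: the RT_FLOW_SESSION_CLOSE line from the show log output above.
SAMPLE = (
    "Jul 30 12:26:33 SRX300-1-RL102 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: "
    "192.168.200.1/60566->192.168.200.2/22 0x0 junos-ssh 192.168.200.1/60566->192.168.200.2/22 0x0 "
    "N/A N/A N/A N/A 6 AllowAll_B_2_jh BMS1Zone junos-host 7995 33(4421) 30(5081) 262 SSH UNKNOWN "
    "N/A(N/A) ae0.0 No Remote-Access Command 4 Supports File Transfer;Known Vulnerabilities;"
    "Capable of Tunneling; NA 0 0.0.0.0/0->0.0.0.0/0 NA NA N/A N/A"
)

# Positional fields of the close message up to the "encrypted" flag; the AppID
# fields after it (category, risk, characteristics, ...) are left unparsed.
CLOSE_RE = re.compile(
    r"RT_FLOW_SESSION_CLOSE: session closed (?P<reason>[^:]+): "
    r"(?P<src>[^/\s]+)/(?P<sport>\d+)->(?P<dst>[^/\s]+)/(?P<dport>\d+) (?P<conn_tag>\S+) (?P<service>\S+) "
    r"(?P<nat_src>[^/\s]+)/(?P<nat_sport>\d+)->(?P<nat_dst>[^/\s]+)/(?P<nat_dport>\d+) (?P<nat_conn_tag>\S+) "
    r"(?P<src_nat_rule_type>\S+) (?P<src_nat_rule>\S+) (?P<dst_nat_rule_type>\S+) (?P<dst_nat_rule>\S+) "
    r"(?P<proto>\d+) (?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) (?P<session_id>\d+) "
    r"(?P<pkts_c>\d+)\((?P<bytes_c>\d+)\) (?P<pkts_s>\d+)\((?P<bytes_s>\d+)\) (?P<elapsed>\d+) "
    r"(?P<app>\S+) (?P<nested_app>\S+) (?P<user>[^(\s]+)\((?P<roles>[^)]*)\) (?P<iface>\S+) (?P<encrypted>\S+)"
)
INT_FIELDS = ("sport", "dport", "nat_sport", "nat_dport", "proto", "session_id",
              "pkts_c", "bytes_c", "pkts_s", "bytes_s", "elapsed")


def parse_session_close(line):
    """Return a dict of the session-close fields, or None if the line is not one."""
    m = CLOSE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    return rec


def is_unexpected_host_access(rec, allowed_sources):
    """True when a session that terminated on the device (to-zone junos-host)
    came from outside the management prefixes in allowed_sources (assumed list)."""
    if rec is None or rec["to_zone"] != "junos-host":
        return False
    src = ipaddress.ip_address(rec["src"])
    return not any(src in ipaddress.ip_network(p) for p in allowed_sources)
```

Feeding the file written by the jlk_test syslog configuration through parse_session_close line by line gives one record per closed session; session-init lines are skipped because the pattern only matches the close message.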