firewall.juniper

The logs from a Juniper firewall are marked with the firewall.juniper.type.subtype tag.
This article describes the configuration for the following Juniper products:

Firewall Juniper SRX Series

1. Tag structure

The type element (srx) and the subtype element (utm, idp, system, traffic) are fixed and identify the type and format of the event being sent. Depending on the SRX version you are running, the tag takes one of the following values, corresponding to the different log types:

  • firewall.juniper.srx.utm
  • firewall.juniper.srx.idp
  • firewall.juniper.srx.system
  • firewall.juniper.srx.traffic - if you are using a version earlier than 12.3
  • firewall.juniper.srx.traffic.v12 - if you are using a version from 12.3 to 14
  • firewall.juniper.srx.traffic.v14 - if you are using a 14.X version
  • firewall.juniper.srx.traffic.v15 - if you are using a version from 14 to 15.1X49-D80
  • firewall.juniper.srx.traffic.v16 - if you are using 15.1X49-D80 or a later version

For more information on how tags work, check the Introduction to tags article.

2. In-house Relay configuration

The first step is to install an In-house Relay so that the logs are tagged correctly.

Then define a new rule that tags all events arriving on port 514 UDP as firewall.juniper.type.subtype.

  • This rule also appends the corresponding type.subtype to firewall.juniper depending on the nature of the event.
  • This information is extracted from the message using a regular expression; the captured data is used to build the final tag for each event.
  • The port where the log events are sent can be changed, but this example uses the standard syslog port 514 UDP.

To create the rules use the following fields:

  • Rule 1:
    • Source Port → 514
    • Source Tag → RT_FLOW
    • Target Tag → the firewall.juniper.srx.traffic tag that matches your SRX version (see section 1)
    • Check the following boxes:
      • Stop Processing

  • Rule 2:
    • Source Port → 514
    • Source Tag → RT_UTM
    • Target Tag → firewall.juniper.srx.utm
    • Check the following boxes:
      • Stop Processing

  • Rule 3:
    • Source Port → 514
    • Source Tag → RT_IDP
    • Target Tag → firewall.juniper.srx.idp
    • Check the following boxes:
      • Stop Processing

  • Rule 4:
    • Source Port → 514
    • Target Tag → firewall.juniper.srx.system
    • Check the following boxes:
      • Send without tag

The system log will show events from the *nix system.

3. SRX log drops - rule

By default, the SRX does not log dropped packets. A rule that denies all remaining traffic and enables logging needs to be defined at the end of the rule base.

  • Configuration for JunOS versions earlier than v11.4

  1. Create a template group. Note that <*> is a wildcard character that matches any security zone.

    set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match source-address any
    set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match destination-address any
    set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match application any
    set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then deny
    set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then log session-init
  2. Apply the group. The following configuration statement applies the template group between all zones that already have a policy context:

    set apply-groups default-deny-template
  • Configuration for JunOS versions later than v11.4

    set security policies global policy default-deny match source-address any
    set security policies global policy default-deny match destination-address any
    set security policies global policy default-deny match application any
    set security policies global policy default-deny then deny
    set security policies global policy default-deny then log session-init

4. Juniper structured-data format

If the structured-data format is enabled, the In-house Relay rules have to be modified. To enable structured-data mode:

set system syslog file policy_session structured-data
set system syslog file default-log-messages structured-data

The following In-house Relay rules for structured-data mode have to be applied:

  • Rule 1:
    • Source Port → 13003
    • Source Data → ^.*? RT_FLOW - .*$
    • Target Tag → firewall.juniper.srx.traffic
    • Check the following boxes:
      • Stop Processing
      • Send without tag

  • Rule 2:
    • Source Port → 13003
    • Source Data → ^.*? RT_UTM - .*$
    • Target Tag → firewall.juniper.srx.utm
    • Check the following boxes:
      • Stop Processing
      • Send without tag

  • Rule 3:
    • Source Port → 13003
    • Source Data → ^.*? RT_IDP - .*$
    • Target Tag → firewall.juniper.srx.idp
    • Check the following boxes:
      • Stop Processing
      • Send without tag

  • Rule 4:
    • IP → <Juniper IP>
    • Source Port → 13003
    • Target Tag → firewall.juniper.srx.system
    • Check the following boxes:
      • Send without tag
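To check what tag a given SRX message would receive from the rule chains in sections 2 and 4 before entering them in the relay, here is an added example that models those chains in Python (it is not code from this article or from the In-house Relay). It assumes an SRX running 15.1X49-D80 or later (so Rule 1 of section 2 uses the .v16 tag), leaves out the source-IP filter of Rule 4, and uses constructed sample lines rather than real device output.

```python
import re

# Added example, not code from the article or the In-house Relay: a model of the
# SRX rule chains above, to check what tag a sample message would receive.
# Rule = (source port, matcher, target tag, stop_processing). Assumption: the
# SRX runs 15.1X49-D80 or later, so Rule 1 of section 2 uses the .v16 tag.
STANDARD_RULES = [  # section 2: classic syslog on 514/UDP, matched on the syslog tag
    (514, ("tag", "RT_FLOW"), "firewall.juniper.srx.traffic.v16", True),
    (514, ("tag", "RT_UTM"), "firewall.juniper.srx.utm", True),
    (514, ("tag", "RT_IDP"), "firewall.juniper.srx.idp", True),
    (514, ("any", None), "firewall.juniper.srx.system", False),
]
STRUCTURED_RULES = [  # section 4: structured-data on 13003, matched on the text
    (13003, ("data", r"^.*? RT_FLOW - .*$"), "firewall.juniper.srx.traffic", True),
    (13003, ("data", r"^.*? RT_UTM - .*$"), "firewall.juniper.srx.utm", True),
    (13003, ("data", r"^.*? RT_IDP - .*$"), "firewall.juniper.srx.idp", True),
    (13003, ("any", None), "firewall.juniper.srx.system", False),
]

def syslog_tag(message):
    """Syslog tag of a classic message ('RT_FLOW' from '... srx1 RT_FLOW: ...'),
    or None when the line carries no such tag (e.g. 'sshd[1234]:')."""
    m = re.search(r"(?:^|\s)([A-Z][A-Z_]*)(?:\[\d+\])?:", message)
    return m.group(1) if m else None

def apply_rules(rules, port, message):
    """Walk the chain in order and return the tag the relay would assign. A match
    sets the tag; with Stop Processing the chain ends, else later rules overwrite it."""
    tag = None
    for rule_port, (kind, pattern), target, stop in rules:
        if port != rule_port:
            continue
        if kind == "tag":
            matched = syslog_tag(message) == pattern
        elif kind == "data":
            matched = re.match(pattern, message) is not None
        else:
            matched = True  # catch-all Rule 4
        if matched:
            tag = target
            if stop:
                break
    return tag

# Constructed sample lines, not captured from a real device.
CLASSIC_FLOW = ("<14>Jan  1 00:00:01 srx1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed "
                "TCP FIN: 10.0.0.5/40001->192.0.2.10/443 junos-https")
CLASSIC_SYS = "<13>Jan  1 00:00:02 srx1 sshd[1234]: Accepted password for admin"
SD_IDP = ("<14>1 2024-01-01T00:00:03.000Z srx1 RT_IDP - IDP_ATTACK_LOG_EVENT "
          '[junos@2636.1.1.1.2.129 source-address="10.0.0.5"]')
```

Running the chain with Stop Processing cleared on Rules 1 to 3 shows why the box matters: the catch-all Rule 4 then overwrites the traffic tag with firewall.juniper.srx.system.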

Firewall Juniper ISG / SSG

1. Tag structure

The elements type and subtype are fixed and they identify the type and format of the event that is being sent. These elements can have one of the following values, corresponding to the different log types:

  • firewall.juniper.isg.traffic / firewall.juniper.ssg.traffic
  • firewall.juniper.isg.system / firewall.juniper.ssg.system

For more information on how tags work, please check the Introduction to tags article.

2. In-house relay configuration

The NSM GUI does not allow sending to the same remote logger on two different destination ports, one for traffic and another for system. The events therefore have to be separated in the In-house Relay using two different rules that process events from the same port and IP:

  • Rule 1:
    • Source Port → 514
    • Source Message → "\\[Root]system-[^][0-9](traffic):"
    • Target Tag → firewall.juniper.isg.traffic
    • Check the following boxes:
      • Stop Processing

  • Rule 2:
    • IP → <Juniper IP>
    • Source Port → 514
    • Target Tag → firewall.juniper.isg.system (all remaining events)
