Log information from firewall filters

If you want to keep track of what one of your firewall filters is matching, you have two options.

Let’s say that you have this topology:

(lo0-10.255.21.243/32)R1(ge-0/0/0-1.1.1.1/24) ———- (ge-0/0/0-1.1.1.2/24)R2(lo0-10.255.26.130/32)

and on R2 you want to keep track of every packet whose destination is R2's Loopback0 (lo0) address.

This is where the filter would be applied:


[edit]
root@R2# show interfaces 
ge-0/0/0 {
    unit 0 {
        family inet {
            filter {
                input F-ge-0/0/0;
            }
            address 1.1.1.2/24;
        }
    }
}

[edit]
root@R2#

1. The first option is to configure a filter with the log action, like this:


[edit]
root@R2# show firewall 
family inet {
    filter F-ge-0/0/0 {
        term 1 {
            from {
                destination-address {
                    10.255.26.130/32;
                }
            }
            then {
                log;
                accept;
            }
        }
        term 2 {
            then accept;
        }
    }
}

[edit]
root@R2#

You can check the log by issuing the command 'show firewall log':


[edit]
root@R2# run show firewall log    
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
00:45:33  pfe       A      ge-0/0/0.0    ICMP            10.255.21.243                    10.255.26.130
00:45:32  pfe       A      ge-0/0/0.0    ICMP            10.255.21.243                    10.255.26.130
00:45:31  pfe       A      ge-0/0/0.0    ICMP            10.255.21.243                    10.255.26.130
00:45:30  pfe       A      ge-0/0/0.0    ICMP            10.255.21.243                    10.255.26.130


[edit]
root@R2#


You can also use the 'show firewall log detail' command for a deeper inspection of the packets that were matched by the filter.

Note that you cannot clear this content. The buffer has a limited size and its content is overwritten as new entries arrive. If you want to clear it, a reboot is required.

2. The other option is to send this kind of information to a file in the /var/log directory.

The file will be named firewall, and you have to configure the router to create it like this:


[edit]
root@R2# set system syslog file firewall firewall any     

[edit]
root@R2#

and modify the filter so that the term's action is syslog instead of log:


[edit]
root@R2# show firewall 
family inet {
    filter F-ge-0/0/0 {
        term 1 {
            from {
                destination-address {
                    10.255.26.130/32;
                }
            }
            then {
                syslog;
                accept;
            }
        }
        term 2 {
            then accept;
        }
    }
}

[edit]
root@R2# 

This is what you are going to find in this file. Note that in this output the addresses appear with their octets in reverse order (10.255.21.243 is logged as 243.21.255.10 and 10.255.26.130 as 130.26.255.10), which is why the match pattern below uses the reversed form:


[edit]
root@R2# run show log firewall | match 243.21.255.10 
Jul 25 00:47:27  R2 i386_junos[2141]: PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0   A icmp 243.21.255.10 130.26.255.10     8     0 (1 packets)
Jul 25 00:47:31  R2 i386_junos[2141]: PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0   A icmp 243.21.255.10 130.26.255.10     8     0 (1 packets)
Jul 25 00:47:36  R2 i386_junos[2141]: PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0   A icmp 243.21.255.10 130.26.255.10     8     0 (1 packets)
Jul 25 00:47:41  R2 i386_junos[2141]: PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0   A icmp 243.21.255.10 130.26.255.10     8     0 (1 packets)
Jul 25 00:47:46  R2 i386_junos[2141]: PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0   A icmp 243.21.255.10 130.26.255.10     8     0 (1 packets)
Jul 25 00:47:51  R2 i386_junos[2141]: PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0   A icmp 243.21.255.10 130.26.255.10     8     0 (1 packets)
Jul 25 00:47:55  R2 i386_junos[2141]: PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0   A icmp 243.21.255.10 130.26.255.10     8     0 (1 packets)
Jul 25 00:48:00  R2 i386_junos[2141]: PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0   A icmp 243.21.255.10 130.26.255.10     8     0 (1 packets)
Jul 25 00:48:05  R2 i386_junos[2141]: PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0   A icmp 243.21.255.10 130.26.255.10     8     0 (1 packets)

[edit]
root@R2#
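To turn the syslog option into something you can report on or feed to a SIEM, here is a small parser for the PFE_FW_SYSLOG_IP lines shown above, with a summary of matched flows per action, protocol, source and destination. This is an added example, not code from the original post. The sample lines are constructed to look like the page's output (the TCP discard line and the UI_COMMIT line are invented to exercise the parser), and the octet-reversal handling assumes the quirk visible above, where 10.255.21.243 is logged as 243.21.255.10; pass octets_reversed=False on a platform that logs addresses in normal order. The reading of the two numeric fields (ICMP type/code for ICMP, ports for TCP/UDP) is consistent with the page's 8 0 for echo requests but is an assumption here.

```python
"""Parse Junos PFE_FW_SYSLOG_IP lines (the 'then syslog' output) and
summarize matched flows. Added example; not code from the original post."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input shaped like the page's output (not a real capture).
# The TCP discard line and the unrelated UI_COMMIT line are invented to show
# a different action and a line the parser must skip.
SAMPLE_LOG = """\
Jul 25 00:47:27  R2 i386_junos[2141]: PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0   A icmp 243.21.255.10 130.26.255.10     8     0 (1 packets)
Jul 25 00:47:31  R2 i386_junos[2141]: PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0   A icmp 243.21.255.10 130.26.255.10     8     0 (1 packets)
Jul 25 00:47:36  R2 i386_junos[2141]: PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0   D tcp 243.21.255.10 130.26.255.10 40001    22 (3 packets)
Jul 25 00:47:40  R2 mgd[1234]: UI_COMMIT: User 'root' requested 'commit' operation
"""

# Field layout as seen on the page:
#   <timestamp> <host> <process>: PFE_FW_SYSLOG_IP: FW: <ifl> <action> <proto>
#   <src> <dst> <field1> <field2> (<n> packets)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+\S+:\s+"
    r"PFE_FW_SYSLOG_IP:\s+FW:\s+(?P<ifl>\S+)\s+(?P<action>\S)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<f1>\d+)\s+(?P<f2>\d+)\s+\((?P<count>\d+) packets?\)"
)

# Single-letter action codes; 'A' matches the page, 'D'/'R' are assumed.
ACTIONS = {"A": "accept", "D": "discard", "R": "reject"}


@dataclass
class FwEvent:
    ts: str
    host: str
    ifl: str
    action: str
    proto: str
    src: str
    dst: str
    field1: int   # assumed: ICMP type, or source port for TCP/UDP
    field2: int   # assumed: ICMP code, or destination port for TCP/UDP
    packets: int


def reverse_octets(addr: str) -> str:
    """Undo the reversed-octet logging seen on the page (243.21.255.10 -> 10.255.21.243)."""
    return ".".join(reversed(addr.split(".")))


def parse_firewall_log(text: str, octets_reversed: bool = True):
    """Return one FwEvent per PFE_FW_SYSLOG_IP line; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a firewall-filter entry (e.g. UI_COMMIT); ignore
        src, dst = m["src"], m["dst"]
        if octets_reversed:
            src, dst = reverse_octets(src), reverse_octets(dst)
        events.append(FwEvent(
            ts=m["ts"], host=m["host"], ifl=m["ifl"],
            action=ACTIONS.get(m["action"], m["action"]), proto=m["proto"],
            src=src, dst=dst,
            field1=int(m["f1"]), field2=int(m["f2"]), packets=int(m["count"]),
        ))
    return events


def summarize(events):
    """Total packets per (action, proto, src, dst) flow, using the packet count in each line."""
    totals = Counter()
    for e in events:
        totals[(e.action, e.proto, e.src, e.dst)] += e.packets
    return totals


if __name__ == "__main__":
    for (action, proto, src, dst), n in summarize(parse_firewall_log(SAMPLE_LOG)).items():
        print(f"{action:8} {proto:5} {src:>15} -> {dst:<15} {n} packets")
```

The summary keyed on action and protocol is the part worth keeping: a filter term with log or syslog on a production box generates one entry per matched packet, so aggregating before shipping the data elsewhere is what makes the output readable.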
Paris ARAU

Paris ARAU is a networking professional with a strong background in routing and switching technologies. He holds the CCIE R&S and dual JNCIE (SP and ENT). His day-to-day work lets him dive deeply into networking technologies. As part of his continuous training, he is focusing on Software Defined Networking and cloud computing.
