

How to: Configure traffic logging on SRX5000.


[KB13641]

SUMMARY:
This article provides an example of how to configure logging on security policies and send the resulting traffic logs to an external syslog server.

PROBLEM OR GOAL:
The SRX 5000 series does not send session logs to the Routing Engine (RE). Because system logging is performed on the RE, session (traffic) logs cannot be written to the RE file system, so all traffic logging must be sent to an external syslog server. Furthermore, since fxp0 belongs to the RE, the syslog server must be reachable through an interface on an IOC; traffic logs cannot be sent out fxp0.

SOLUTION:
Below is an example of how to configure traffic logging on an SRX cluster. Syslog server hardware/software requirements and configuration are beyond the scope of this article, as the syslog server is a third-party (non-Juniper) product.

Basic Topology

                                                 +-------------+
                                                 |Syslog Server|
                 +---------------------+    +----| 10.90.1.2   |
                 |     SRX Cluster     |    |    +-------------+
+----------+     |                     |    |
| Clients  |-----|reth4.101   reth6.201|----+
+----------+     |10.80.1.1   10.90.1.1|    |    +-------------+
10.80.1.0/24     |                     |    |    | ISP Router  |
                 |        fxp0         |    +----| 10.90.1.254 |
                 |   172.19.46.62/51   |         +-------------+
                 +---------------------+
                           |
                           |
                     +------------+
                     | NSM Server |
                     |172.19.46.30|
                     +------------+

From the topology above, clients sit on the trust side and servers on the untrust side. The syslog server is on the untrust side and is reachable via reth6.201; the NSM server (not required, but included in the example to illustrate the management domain) is reachable from fxp0. The SRX in this example is also configured in a JUNOS software Services Redundancy Protocol (JSRP) cluster, as JSRP is commonly used on the SRX 5000 series. The sample configuration below is taken from this topology.

To send traffic logs to an external syslog server, first configure the syslog server parameters under the [edit security log] hierarchy. Then, within the security policies, specify log on session-close (required) and log on session-init (optional).

Example Configuration

interfaces {
    ge-10/0/0 {
        gigether-options {
            redundant-parent reth4;
        }
    }
    ge-10/1/0 {
        gigether-options {
            redundant-parent reth6;
        }
    }
    ge-22/0/0 {
        gigether-options {
            redundant-parent reth4;
        }
    }
    ge-22/1/0 {
        gigether-options {
            redundant-parent reth6;
        }
    }
    reth4 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 101 {
            vlan-id 101;
            family inet {
                address 10.80.1.1/24;
            }
        }
    }
    reth6 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 201 {
            vlan-id 201;
            family inet {
                address 10.90.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 10.90.1.254;
            retain;
        }
    }
}
security {
    log {
        source-address 10.90.1.1;
        stream trafficlogs {
            host {
                10.90.1.2;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address net_10-80-1-0--24 10.80.1.0/24;
            }
            interfaces {
                reth4.101;
            }
        }
        security-zone untrust {
            interfaces {
                reth6.201;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy 187464 {
                match {
                    source-address net_10-80-1-0--24;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}

Note that the configuration example above only highlights the configuration relevant to traffic logging. It is assumed that all other configuration is complete.

1 of 2

2012/03/21 04:44 PM
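The constraint this article describes (stream logs must leave through an IOC interface such as reth6.201, never through fxp0) is easy to get wrong when the syslog server sits in the same management network as the NSM server. The following is an added Python check, not part of the KB article or of any Juniper tool: it parses a curly-brace Junos configuration, maps each configured unit to its subnet, and flags a security log source-address or stream host that lands on fxp0. The sample config is constructed from the article's stanzas; the fxp0 prefix length in it is assumed.

```python
import ipaddress
import re
# Constructed sample (added example): the article's relevant stanzas plus an fxp0 unit (mask assumed).
SAMPLE = """
interfaces { reth6 { unit 201 { family inet { address 10.90.1.1/24; } } }
             fxp0 { unit 0 { family inet { address 172.19.46.62/25; } } } }
security { log { source-address 10.90.1.1; stream trafficlogs { host { 10.90.1.2; } } } }
"""
def parse_junos(text):  # curly-brace Junos config -> nested dicts; leaf statements map to True
    tokens, pos = re.findall(r"[{};]|[^\s{};]+", text), 0
    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens) and tokens[pos] != "}":
            tok = tokens[pos]; pos += 1
            if tok in ("{", ";"):
                node[" ".join(words)] = block() if tok == "{" else True
                words = []
            else:
                words.append(tok)
        pos += 1  # consume the closing brace (harmless at end of input)
        return node
    return block()

def interface_subnets(cfg):  # 'ifname.unit' -> IPv4 networks from its 'family inet address' statements
    subnets = {}
    for ifname, ifcfg in cfg.get("interfaces", {}).items():
        for key, unit in ifcfg.items():
            if key.startswith("unit ") and isinstance(unit, dict):
                for stmt in unit.get("family inet", {}):
                    if stmt.startswith("address "):
                        subnets.setdefault(f"{ifname}.{key.split()[1]}", []).append(
                            ipaddress.ip_interface(stmt.split()[1]).network)
    return subnets

def check_traffic_logging(text):  # (ok, findings): stream source and host must use an IOC interface, not fxp0
    cfg = parse_junos(text)
    log, subnets, findings = cfg.get("security", {}).get("log", {}), interface_subnets(cfg), []
    owners = lambda a: [n for n, nets in subnets.items() if any(ipaddress.ip_address(a) in x for x in nets)]
    src = next((s.split()[1] for s in log if s.startswith("source-address ")), "")
    where = owners(src) if src else []
    if not where or any(n.startswith("fxp0") for n in where):
        findings.append(f"source-address {src!r} must be an IOC interface address (e.g. reth6.201), not unset or on fxp0")
    # host { } may also carry 'port N'; keep only the address entries
    hosts = [h for k, v in log.items() if k.startswith("stream ") for h in v.get("host", {}) if h[0].isdigit()]
    if not hosts:
        findings.append("no 'security log stream <name> host' configured")
    for h in hosts:
        if any(n.startswith("fxp0") for n in owners(h)):
            findings.append(f"stream host {h} is on the fxp0 subnet; it must be reachable through an IOC interface")
    return not findings, findings
```

Run it against the output of "show configuration | display set"-free (curly-brace) text saved from the device; a clean result is (True, []).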

PURPOSE:
Configuration

RELATED LINKS:

