Saturday 20 April 2013

Juniper SRX - Create Global Drop/Cleanup rule

Hi everyone,

To avoid having to create a logging drop rule for every possible zone-to-zone pair on an SRX, you can, as of Junos 12.1, create a single global cleanup rule like so:

# run show configuration security policies global | display set
set security policies global policy global_drop_all match source-address any
set security policies global policy global_drop_all match destination-address any
set security policies global policy global_drop_all match application any
set security policies global policy global_drop_all then deny
set security policies global policy global_drop_all then log session-init

A 'show security policies' will then show this as the last rule:
Global policies:
  Policy: global_drop_all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny, log

In the traffic log itself, a session denied by this rule shows up as:

Apr 21 08:36:23  SRX210_A RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.0.10/33514->172.19.1.1/80 junos-http 6(0) global_drop_all(global) Trust Trust UNKNOWN UNKNOWN N/A(N/A) fe-0/0/6.0 No

Logging is currently configured as:
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION
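Once the cleanup rule is logging, the useful question is what is actually falling through to it: traffic no explicit policy addresses is either a missing rule or something that deserves a look. The parser below is an added example, not code from the post or from Juniper. It is written against the single RT_FLOW_SESSION_DENY line shown above; the field names it assigns (service, protocol-id(icmp-type), policy(scope), source and destination zone, application, nested application, username(roles), incoming interface, encrypted flag) follow the Junos message layout as I understand it and are assumptions, as are the extra sample lines, the hypothetical zone-pair policy name block_telnet, and the non-deny line used to show that other messages are skipped.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Regex for the RT_FLOW_SESSION_DENY body, written against the sample line in the
# post. The field names are assumptions about the Junos layout, not documentation.
# The "(scope)" suffix on the policy name is optional here because only the global
# form "global_drop_all(global)" appears in the post.
DENY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"RT_FLOW: RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\((?P<icmp_type>\d+)\) "
    r"(?P<policy>[^(\s]+)(?:\((?P<scope>[^)]*)\))? "
    r"(?P<src_zone>\S+) (?P<dst_zone>\S+) "
    r"(?P<app>\S+) (?P<nested_app>\S+) "
    r"(?P<user>[^(\s]+)\((?P<roles>[^)]*)\) "
    r"(?P<iface>\S+) (?P<encrypted>\S+)\s*$"
)


@dataclass(frozen=True)
class DenyEvent:
    ts: str
    host: str
    src: str
    sport: int
    dst: str
    dport: int
    service: str
    proto: int
    policy: str
    scope: Optional[str]   # "global" for the cleanup rule, None when no suffix is present
    src_zone: str
    dst_zone: str
    iface: str


def parse_deny(line: str) -> Optional[DenyEvent]:
    """Return a DenyEvent for an RT_FLOW_SESSION_DENY line, or None for any other line."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    return DenyEvent(
        ts=m["ts"], host=m["host"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        service=m["service"], proto=int(m["proto"]),
        policy=m["policy"], scope=m["scope"],
        src_zone=m["src_zone"], dst_zone=m["dst_zone"], iface=m["iface"],
    )


def cleanup_report(lines: Iterable[str], cleanup_policy: str = "global_drop_all") -> dict:
    """Summarise which flows fell through to the cleanup rule.

    Hits on the cleanup rule are grouped by zone pair and by src -> dst:port so the
    operator can decide whether a real policy (permit or a specific deny) is
    missing, or whether one source is probing many ports. Denies by any other
    policy are only counted by name.
    """
    events = [e for e in (parse_deny(line) for line in lines) if e is not None]
    cleanup = [e for e in events if e.policy == cleanup_policy]
    return {
        "total_denies": len(events),
        "cleanup_denies": len(cleanup),
        "by_zone_pair": Counter((e.src_zone, e.dst_zone) for e in cleanup),
        "by_flow": Counter((e.src, e.dst, e.dport) for e in cleanup),
        "other_policies": Counter(e.policy for e in events if e.policy != cleanup_policy),
    }


# Constructed sample: the first line is the one shown in the post; the rest are made
# up for this example (a second port from the same host, a different zone pair, a
# hit on a hypothetical zone-pair policy "block_telnet" without a scope suffix, and
# a non-deny line that the parser must skip; its format is a stand-in, not Junos's).
SAMPLE_LOG = """\
Apr 21 08:36:23  SRX210_A RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.0.10/33514->172.19.1.1/80 junos-http 6(0) global_drop_all(global) Trust Trust UNKNOWN UNKNOWN N/A(N/A) fe-0/0/6.0 No
Apr 21 08:36:24  SRX210_A RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.0.10/33515->172.19.1.1/443 junos-https 6(0) global_drop_all(global) Trust Trust UNKNOWN UNKNOWN N/A(N/A) fe-0/0/6.0 No
Apr 21 08:36:30  SRX210_A RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.0.20/40000->10.9.9.9/53 junos-dns-udp 17(0) global_drop_all(global) Trust Untrust UNKNOWN UNKNOWN N/A(N/A) fe-0/0/6.0 No
Apr 21 08:36:31  SRX210_A RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.0.30/40001->10.9.9.9/23 junos-telnet 6(0) block_telnet Trust Untrust UNKNOWN UNKNOWN N/A(N/A) fe-0/0/6.0 No
Apr 21 08:36:32  SRX210_A RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.0.30/40002->10.9.9.9/22 (stand-in line, skipped)
"""

if __name__ == "__main__":
    for key, value in cleanup_report(SAMPLE_LOG.splitlines()).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run it against the file written by the `traffic-log` syslog entry above (for example `cleanup_report(open("/var/log/traffic-log").readlines())`). Because the syslog filter matches `RT_FLOW_SESSION`, the file also contains session-create and session-close messages; the parser returns None for those, so only denies are counted.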
