Firewall Filter Configuration > Configuring Firewall Filter System Logging

System logging can be configured for the firewall filter process. You can set system logging to record messages of a particular level or all levels. The messages are sent to a system logging file.

The following is a sample system logging configuration for the firewall filter icmp-syslog. For more information about configuring system logging, see the JUNOS System Basics Configuration Guide.

[edit]

system {

    syslog {                  

        file filter {

            firewall any;

            archive no-world-readable;

        }

    }

}

This causes the syslog daemon to write any messages with the syslog facility of firewall to the file /var/log/filter. This keeps the messages out of the main system log file and makes them easier to find.

Example: Configuring Firewall Filter System Logging

Create a filter that logs and counts ICMP packets that have 192.168.207.222 as either their source or destination:

[edit]

firewall {

    family inet {

         filter icmp-syslog {

        term icmp-match {

            from {

            address {

                192.168.207.222/32;

            }

            protocol icmp;

            }

            then {

            count packets;

            syslog;

            accept;

           }

        }

        term default {

            then accept;

        }

        }

    }

}

Enter the show log filter command to display the results:

root@systech> show log filter

Mar 20 08:03:11 systech feb FW: so-0/1/0.0   A icmp 192.168.207.222 
192.168.207.223     0     0 (1 packets)

This output file contains the following fields:

• Date and Time—Date and time at which the packet was received (not shown in the default).
• Filter action:

• A—Accept (or next term)
• D—Discard
• R—Reject

• Protocol—Packet's protocol name or number.
• Source address—Source IP address in the packet.
• Destination address—Destination IP address in the packet.

 


   
NOTE: If the protocol is ICMP, the ICMP type and code are displayed. For all other protocols, the source and destination ports are displayed.


 

The last two fields (both zero) are the source and destination TCP/UDP ports, respectively, and are shown for TCP or UDP packets only. This log message indicates that only one packet for this match has been detected in about a one-second interval. If packets arrive faster, the system log function compresses the information so that less output is generated, and displays an output similar to the following:

root@systech> show log filter

Mar 20 08:08:45 systech feb FW: so-0/1/0.0   A icmp 192.168.207.222 
192.168.207.223     0     0 (515 packets)