Logging the Dropped Packets Using Default Deny-all Option
The evaluated configuration device drops all IPv6 traffic by default. This topic describes how to log packets dropped by this default deny-all option.
Before you begin, log in with your root account on a Junos OS device running Junos OS Release 12.3X48-D30 and edit the configuration.
You can enter the configuration commands in any order and commit all the commands at once.
To log packets dropped by the default deny-all option:
- Configure a network security policy in a global context and specify the security policy match criteria.
  [edit security policies]
  user@host# set global policy always-last-default-deny-and-log match source-address any destination-address any application any
- Specify the policy action to take when the packet matches the criteria.
  [edit security policies]
  user@host# set global policy always-last-default-deny-and-log then deny
- Configure the security policy to log at session initialization time.
  [edit security policies]
  user@host# set global policy always-last-default-deny-and-log then log session-init
This procedure might capture a very large amount of data until you have configured the other policies.
To permit all IPv6 traffic into an SRX Series device, configure the device with flow-based forwarding mode. While the default policy in flow-based forwarding mode is still to drop all IPv6 traffic, you can now add rules to permit selected types of IPv6 traffic.
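As an added illustration (not part of the Juniper documentation) of the procedure above and of adding permit rules ahead of the catch-all deny, the following session enables flow-based IPv6 forwarding, adds one permit rule for selected IPv6 traffic, orders it before the deny-and-log rule, and checks the result. The address-book name, the prefix, the policy name and the assumption that security logs go to the local syslog file are constructed for the example.

```junos
## Added example, not from the original page; names and the 2001:db8:1::/64 prefix are constructed.
## Flow-based inet6 forwarding is required for IPv6 policy enforcement (takes effect after a reboot).
[edit]
user@host# set security forwarding-options family inet6 mode flow-based
## A named IPv6 source in the global address book, used by the permit rule below.
user@host# set security address-book global address v6-mgmt-net 2001:db8:1::/64
## Permit only SSH from that prefix; log at session close so permitted sessions are also recorded.
user@host# set security policies global policy permit-v6-ssh match source-address v6-mgmt-net destination-address any application junos-ssh
user@host# set security policies global policy permit-v6-ssh then permit
user@host# set security policies global policy permit-v6-ssh then log session-close
## Global policies are evaluated top to bottom: a rule added after the catch-all deny would never match,
## so move the permit rule in front of always-last-default-deny-and-log.
user@host# insert security policies global policy permit-v6-ssh before policy always-last-default-deny-and-log
user@host# commit
## Check that the deny-and-log rule is still the final global policy.
user@host# run show security policies global
## Dropped sessions appear as RT_FLOW_SESSION_DENY events (assumes security logs are written to the messages file).
user@host# run show log messages | match RT_FLOW_SESSION_DENY
```

Reordering with `insert` matters because a permit rule that lands after the deny-and-log rule is unreachable and its traffic still shows up as RT_FLOW_SESSION_DENY.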