Logging the Dropped Packets Using Default Deny-all Option
A device in the evaluated configuration drops all IPv6 traffic by default. This topic describes how to log the packets that this default deny-all behavior drops, so that a dropped session leaves an audit record rather than disappearing silently.
Before you begin, log in with your root account and enter configuration mode.
You can enter the configuration commands in any order and commit all the commands at once.
To log packets dropped by the default deny-all option:
- Configure a network security policy in a global context and specify the security policy match criteria. Global policies live under the [edit security policies] hierarchy and are evaluated after the zone-to-zone policies, so a global policy that matches any source, any destination and any application catches everything no earlier policy has already handled.

  [edit security policies]
  user@host# set global policy always-last-default-deny-and-log match source-address any destination-address any application any

- Specify the policy action to take when the packet matches the criteria.

  [edit security policies]
  user@host# set global policy always-last-default-deny-and-log then deny

- Configure the security policy to log at session initialization time. A denied session never reaches session close, so session-init is the only point at which a record can be written for it.

  [edit security policies]
  user@host# set global policy always-last-default-deny-and-log then log session-init
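The complete procedure as typed on the device, followed by the checks to run before committing, as an added example that is not part of the original page. The policy name comes from the procedure above; the syslog file name traffic-log, the decision to log to a local file rather than a remote host, and the use of commit check are assumptions made for this example.

```junos
# Added example (not from the original page). Assumptions: the syslog file name
# "traffic-log" is illustrative, and logging to a local file is an assumption;
# a remote collector would use "set system syslog host <address> ..." instead.
user@host> configure
[edit]
user@host# edit security policies
[edit security policies]
user@host# set global policy always-last-default-deny-and-log match source-address any destination-address any application any
user@host# set global policy always-last-default-deny-and-log then deny
user@host# set global policy always-last-default-deny-and-log then log session-init
user@host# top

# Give the session-deny records somewhere to go: without a syslog destination the
# "log session-init" action produces messages that are never written anywhere.
[edit]
user@host# set system syslog file traffic-log any any
user@host# set system syslog file traffic-log match RT_FLOW_SESSION_DENY

# Verify the policy is global, denies, and logs at session init before committing.
[edit]
user@host# show security policies global
policy always-last-default-deny-and-log {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        deny;
        log {
            session-init;
        }
    }
}
user@host# commit check
configuration check succeeds
user@host# commit and-quit
```

After the commit, a session that no zone-to-zone policy permits is denied by this global policy and produces an RT_FLOW_SESSION_DENY message naming the policy, the source and destination addresses and the protocol. The match statement on the syslog file keeps the file to those messages; dropping it would also collect the permit-side RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE records once other policies are in place.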
Because this global policy matches every session that no other policy has already permitted or denied, it logs every connection attempt the device sees. Until you have configured the other policies, this can produce a very large volume of log data; make sure the syslog destination has the capacity for it, or configure the permit policies first and add the logging deny-all last.
To permit any IPv6 traffic into an NFX device, the device must be configured for flow-based forwarding of IPv6. The default policy in flow-based forwarding mode still drops all IPv6 traffic, but you can then add security policies that permit selected types of IPv6 traffic; the global deny-and-log policy continues to catch, and record, everything those policies do not permit.
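Enabling flow-based forwarding for IPv6 and then permitting one selected kind of IPv6 traffic ahead of the global deny-and-log policy, as an added example that is not part of the original page. The zone names trust and untrust, the address-book entry v6-admin-net with the documentation prefix 2001:db8:1::/64, and the policy name permit-v6-mgmt are assumptions made for this example; the reboot requirement after changing the inet6 forwarding mode is the behavior on SRX Series devices and should be confirmed for the NFX model in use.

```junos
# Added example (not from the original page). Assumptions: zone names "trust"
# and "untrust", the address "v6-admin-net" and the policy "permit-v6-mgmt" are
# illustrative; 2001:db8:1::/64 is a documentation prefix.
[edit]
user@host# set security forwarding-options family inet6 mode flow-based
user@host# commit
# Assumption: as on SRX Series, a change of inet6 forwarding mode takes effect
# only after a reboot.
user@host> request system reboot

# After the reboot: permit only ICMPv6 and SSH from one administrative /64.
# Zone-to-zone policies are evaluated before global policies, so this permit is
# consulted before the global deny-and-log policy and wins for matching sessions.
[edit security address-book global]
user@host# set address v6-admin-net 2001:db8:1::/64
[edit security policies]
user@host# set from-zone trust to-zone untrust policy permit-v6-mgmt match source-address v6-admin-net
user@host# set from-zone trust to-zone untrust policy permit-v6-mgmt match destination-address any
user@host# set from-zone trust to-zone untrust policy permit-v6-mgmt match application [ junos-icmp6-all junos-ssh ]
user@host# set from-zone trust to-zone untrust policy permit-v6-mgmt then permit
user@host# set from-zone trust to-zone untrust policy permit-v6-mgmt then log session-close
[edit security policies]
user@host# commit
```

With this in place, SSH and ICMPv6 from 2001:db8:1::/64 toward the untrust zone are permitted and logged at session close, while IPv6 traffic from any other source, or any other application from that prefix, still falls through to the global always-last-default-deny-and-log policy and appears as an RT_FLOW_SESSION_DENY record. Keep the permit policies as narrow as this one: every session they admit is one the deny-and-log policy no longer records.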