
    Example: Configuring TCP Out-of-State Packet Logging on SRX Series Devices

    This example shows how to configure TCP out-of-state packet logging on SRX Series devices.

    Requirements

    No special configuration beyond device initialization is required before configuring this example.

    Overview

    In this example, you enable TCP out-of-state packet logging and configure the packet log filter and the throttle component for controlling the logging rate. In addition, this configuration provides you with the details for enabling TCP out-of-state logging on logical systems.

    Configuration

    To configure this example, perform the following tasks:

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

    set security flow packet-log enable
    set security flow packet-log packet-filter f1 source-prefix 1.1.1.1/32 destination-prefix 2.2.2.2/32 source-port 10000 destination-port 2000 protocol tcp
    set security flow packet-log throttle-interval 32
    set security log mode stream
    set logical-system LSYS1 security flow packet-log enable
    set logical-system LSYS1 security flow packet-log throttle-interval 128
    set security flow packet-log packet-filter f2 source-prefix 8.8.8.2/32 destination-prefix 9.9.9.2/32 source-port 20000 destination-port 8000 protocol tcp

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

    To configure TCP out-of-state packet drop logging:

    1. Enable packet logging in the flow module.

      [edit]
      user@host# set security flow packet-log enable
    2. Configure packet filters to generate logs for the target traffic.

      [edit]
      user@host# set security flow packet-log packet-filter f1 source-prefix 1.1.1.1/32 destination-prefix 2.2.2.2/32 source-port 10000 destination-port 2000 protocol tcp
    3. Configure a throttle interval to control the logging rate.

      [edit]
      user@host# set security flow packet-log throttle-interval 32

      Note: The throttle interval is in milliseconds and should be configured as a power of two (0..32768).

    4. Set the security log mode to stream so that the TCP out-of-state logs are sent to the log server.

      [edit]
      user@host# set security log mode stream
    5. Configure TCP out-of-state logging on user logical systems.

      Note: TCP out-of-state logging can be enabled per logical system, each with a different throttle interval. All user logical systems share the global packet-filter configuration with the root logical system.

      [edit]
      user@host# set logical-system LSYS1 security flow packet-log enable
      user@host# set logical-system LSYS1 security flow packet-log throttle-interval 128
      user@host# set security flow packet-log packet-filter f2 source-prefix 8.8.8.2/32 destination-prefix 9.9.9.2/32 source-port 20000 destination-port 8000 protocol tcp
      user@host# set logical-system LSYS1 security log mode stream

    Results

    From configuration mode, confirm your configuration by entering the show security and show security log | display set commands. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

    [edit]
    user@host# show security
    log {
        mode stream;
    }
    flow {
        packet-log {
            enable;
            throttle-interval 32;
            packet-filter f1 {
                protocol tcp;
                source-prefix 1.1.1.1/32;
                destination-prefix 2.2.2.2/32;
                source-port 10000;
                destination-port 2000;
            }
        }
    }
    zones {
        security-zone Host {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
    [edit]
    user@host# show security log | display set
    set security log mode stream

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    Verify the Configuration

    Purpose

    Verify that the configuration is correct.

    Action

    From operational mode, enter the show security flow command.
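    As an added example that is not part of this Juniper page, the following Python script audits captured `display set` output for the settings this example configures: packet-log enabled, stream log mode, the packet filters, and a throttle interval that is a power of two within 0..32768. The sample input is constructed here and deliberately gives LSYS1 an invalid throttle interval to show the check firing.

```python
"""Audit Junos 'display set' output for the TCP out-of-state packet-log settings."""
import re

# Constructed sample of 'show security | display set' output (not captured
# from a device). LSYS1 is given a non-power-of-two throttle interval on purpose.
SAMPLE = """\
set security flow packet-log enable
set security flow packet-log packet-filter f1 source-prefix 1.1.1.1/32 destination-prefix 2.2.2.2/32 source-port 10000 destination-port 2000 protocol tcp
set security flow packet-log throttle-interval 32
set security log mode stream
set logical-system LSYS1 security flow packet-log enable
set logical-system LSYS1 security flow packet-log throttle-interval 100
set logical-system LSYS1 security log mode stream
"""

# Root-level lines start with 'set security'; logical-system lines carry the LSYS name.
LINE = re.compile(r"^set (?:logical-system (\S+) )?security (.*)$")


def throttle_ok(value: int) -> bool:
    """Throttle interval (ms) must be 0 or a power of two, no larger than 32768."""
    return value == 0 or (0 < value <= 32768 and value & (value - 1) == 0)


def audit(display_set: str) -> dict:
    """Return per-logical-system state plus a list of issues found."""
    systems = {}
    for line in display_set.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        lsys, rest = m.group(1) or "root", m.group(2)
        s = systems.setdefault(lsys, {"enabled": False, "stream": False,
                                      "filters": {}, "throttle": None, "issues": []})
        if rest == "flow packet-log enable":
            s["enabled"] = True
        elif rest == "log mode stream":
            s["stream"] = True
        elif rest.startswith("flow packet-log throttle-interval "):
            s["throttle"] = int(rest.rsplit(" ", 1)[1])
            if not throttle_ok(s["throttle"]):
                s["issues"].append(f"throttle-interval {s['throttle']} is not a power of two in 0..32768")
        elif rest.startswith("flow packet-log packet-filter "):
            toks = rest.split()  # ... packet-filter <name> key value key value ...
            s["filters"][toks[3]] = dict(zip(toks[4::2], toks[5::2]))
    for s in systems.values():
        if s["enabled"] and not s["stream"]:
            s["issues"].append("packet-log enabled but security log mode is not stream")
    return systems
```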

    Modified: 2017-09-19