Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Example: Configuring TCP Out-of-State Packet Logging on SRX Series Devices

    This example shows how to configure TCP out-of-state packet logging on SRX Series devices.

    Requirements

    No special configuration beyond device initialization is required before configuring this example.

    Overview

    In this example, you enable TCP out-of-state packet logging and configure the packet log filter and the throttle component for controlling the logging rate. In addition, this configuration provides you with the details for enabling TCP out-of-state logging on logical systems.

    Configuration

    To configure this example, perform the following tasks:

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

    set security flow packet-log enableset security flow packet-log packet-filter f1 source-prefix 1.1.1.1/32 destination-prefix 2.2.2.2/32 source-port 10000 destination-port 2000 protocol tcpset security flow packet-log throttle-interval 32set security log mode streamset logical-system LSYS1 security flow packet-log enableset logical-system LSYS1 security flow packet-log throttle-interval 128set security flow packet-log packet-filter f2 source-prefix 8.8.8.2/32 destination-prefix 9.9.9.2/32 source-port 20000 destination-port 8000 protocol tcp

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

    To configure TCP out-of-state packet drop logging:

    1. Enable packet logging in flow module.

      [edit]user@host# set security flow packet-log enable
    2. Configure packet filters to generate logs for the target traffic.

      [edit]user@host# set security flow packet-log packet-filter f1 source-prefix 1.1.1.1/32 destination-prefix 2.2.2.2/32 source-port 10000 destination-port 2000 protocol tcp
    3. Configure a throttle interval to control the logging rate.

      [edit]user@host# set security flow packet-log throttle-interval 32

      Note: The throttle interval is in milliseconds and should be configured as a power of two (0..32768).

    4. Enable TCP out-of-state logging on the device to save the logs on the server.

      [edit]user@host# set security log mode stream
    5. Configure TCP out-of-state logging on user logical systems.

      Note: TCP out-of-state logging can be enabled per logical system each with a with different throttle interval. All the user logical systems share the same global packet-filter configuration with root logical system.

      [edit]user@host# set logical-system LSYS1 security flow packet-log enableuser@host# set logical-system LSYS1 security flow packet-log throttle-interval 128user@host# set security flow packet-log packet-filter f2 source-prefix 8.8.8.2/32 destination-prefix 9.9.9.2/32 source-port 20000 destination-port 8000 protocol tcpset user@host# set logical-system LSYS1user@host# set security log mode stream

    Results

    From configuration mode, confirm the configuration of the interface by entering the show security and show security log | display set configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

    [edit]user@host# show securitylog {mode stream;}
    flow {packet-log {enable;throttle-interval 32;packet-filter f1 {protocol tcp;source-prefix 1.1.1.1/32;destination-prefix 2.2.2.2/32;source-port 10000;destination-port 2000;}}}
    zones {security-zone Host {host-inbound-traffic {system-services {all;}}interfaces {ge-0/0/0.0;}}}
    [edit]user@host# show security log | display setset security log mode stream

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    Verify the Configuration

    Purpose

    Verify that the configuration is correct.

    Action

    From operational mode, enter the show security flow command.

    Modified: 2017-09-18