Configure Traceoptions
In most cases, policy logging of the traffic being permitted and denied is sufficient to verify what Juniper ATP Cloud is doing with the SRX Series Firewall data. However, in some cases you might need more information. In these instances, you can use traceoptions to monitor traffic flow into and out of the SRX Series Firewall.
Using trace options is the equivalent of using debugging tools. To debug packets as they pass through the SRX Series Firewall, you need to configure traceoptions with the basic-datapath flag. This configuration traces packets from the moment they enter the SRX Series Firewall until they exit, giving you details of the different actions the SRX Series Firewall takes along the way. See Debugging the Data Path in the SRX Series documentation for details.
A minimum traceoptions configuration must include both a target file and a flag. The target file determines where the trace output is recorded. The flag defines what type of data is collected. For more information about using traceoptions, see the documentation for your SRX Series Firewall.
To set the trace output file, use the file filename option. The following example defines the trace output file as srx_aamw.log:
edit services advanced-anti-malware traceoptions
[edit services advanced-anti-malware traceoptions]
set file srx_aamw.log
To set the flag, use the flag flag option, where flag defines what data to collect and can be one of the following values:
all—Trace everything.
connection—Trace connections to the server.
content—Trace the content buffer management.
daemon—Trace the Juniper ATP Cloud daemon.
identification—Trace file identification.
parser—Trace the protocol context parser.
plugin—Trace the advanced anti-malware (AAMW) plug-in.
policy—Trace the AAMW policy.
The following example traces connections to the SRX Series Firewall and the AAMW policy:
edit services advanced-anti-malware traceoptions
[edit services advanced-anti-malware traceoptions]
set services advanced-anti-malware traceoptions file skyatp.log
set services advanced-anti-malware traceoptions file size 100M
set services advanced-anti-malware traceoptions level all
set services advanced-anti-malware traceoptions flag all
Before committing your traceoption configuration, use the show services advanced-anti-malware command to review your settings.
# show services advanced-anti-malware
url https://xxx.xxx.xxx.com;
authentication {
tls-profile
...
}
traceoptions {
file skyatp.log;
flag all;
...
}
...
You can also configure public key infrastructure (PKI) trace options. For example:
set security pki traceoptions file pki.log
set security pki traceoptions flag all
Debug tracing on both the Routing Engine and the Packet Forwarding Engine can be enabled for SSL proxy by setting the following configuration:
set services ssl traceoptions file ssl.log
set services ssl traceoptions file size 100m
set services ssl traceoptions flag all
You can enable logs in the SSL proxy profile to get to the root cause of the drop. The following errors are some of the most common:
Server certificate validation error
The trusted CA configuration does not match your configuration.
System failures such as memory allocation failures
Ciphers do not match.
SSL versions do not match.
SSL options are not supported.
Root CA has expired. You need to load a new root CA.
Set flow trace options to troubleshoot traffic flowing through your SRX Series Firewall:
set security flow traceoptions flag all
set security flow traceoptions file flow.log size 100M
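The review step the text describes (confirm that a traceoptions stanza has both a target file and a flag, and that the trace file has a size limit so flag all cannot fill the disk) as an added Python check; this is not from the Juniper documentation. It parses the curly-brace show output format used above into nested dicts. The sample configuration is constructed, and the assumption that a configured size renders as "size 100m" on the file line is marked in the code.

```python
import re
# Valid flag values for advanced-anti-malware traceoptions, per the text.
AAMW_FLAGS = {"all", "connection", "content", "daemon", "identification",
              "parser", "plugin", "policy"}
# Constructed sample modelled on the show output in the text; "..." lines
# are the documentation's elisions and are skipped by the parser.
SAMPLE = """\
url https://xxx.xxx.xxx.com;
authentication {
    ...
}
traceoptions {
    file skyatp.log size 100m;
    flag all;
}
"""
def parse_junos(text):
    """Parse curly-brace show output into nested dicts: 'name {' opens a
    child dict, 'keyword value;' leaves accumulate into lists per keyword."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        if line.endswith("{"):
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        elif line == "}":
            node = stack.pop()
        else:
            key, _, value = line.rstrip(";").partition(" ")
            node.setdefault(key, []).append(value.strip())
    return root

def check_traceoptions(config, valid_flags=AAMW_FLAGS):
    """Findings for the traceoptions stanza: the text requires both a file and
    a flag; a size limit is assumed to render as 'size NNNm' on the file line."""
    trace = config.get("traceoptions", {})
    findings = []
    files = trace.get("file", [])
    if not files:
        findings.append("missing target file")
    elif not any(re.search(r"\bsize \d+", f) for f in files):
        findings.append("trace file has no size limit")
    flags = trace.get("flag", [])
    if not flags:
        findings.append("missing flag")
    findings += ["unknown flag: " + f for f in flags if f not in valid_flags]
    return findings
```

Pass the output of show security pki or show services ssl through the same parser with the appropriate flag set for that hierarchy to check those stanzas too.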