Configure traceoptions

In most cases, policy logging of the traffic being permitted and denied is sufficient to verify what Juniper ATP Cloud is doing with the SRX Series Firewall data. However, in some cases you may need more information. In these instances, you can use traceoptions to monitor traffic flow into and out of the SRX Series Firewall.

Using traceoptions is the equivalent of using debugging tools. To debug packets as they traverse the SRX Series Firewall, you need to configure traceoptions and flag basic-datapath. This traces packets from the point they enter the SRX Series Firewall until they exit, giving you details of the different actions the SRX Series Firewall takes along the way. Refer to Debugging the Data Path in the SRX Series documentation for details.

A minimum traceoptions configuration must include both a target file and a flag. The target file determines where the trace output is recorded. The flag defines what type of data is collected. For more information on using traceoptions, see the documentation for your SRX Series Firewall.

To set the trace output file, use the file filename option. The following example defines the trace output file as srx_aamw.log:

where flag defines what data to collect and can be one of the following values:

  • all—Trace everything.

  • connection—Trace connections to the server.

  • content—Trace the content buffer management.

  • daemon—Trace the Juniper ATP Cloud daemon.

  • identification—Trace file identification.

  • parser—Trace the protocol context parser.

  • plugin—Trace the advanced anti-malware plugin.

  • policy—Trace the advanced anti-malware policy.

The following example traces connections to the SRX Series Firewall and the advanced anti-malware policy:

Before committing your traceoptions configuration, use the show services advanced-anti-malware command to review your settings.
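A pre-commit check for the rule stated above, that a traceoptions configuration needs both a target file and a flag, with advanced-anti-malware flags validated against the list on this page. This is an added example, not Juniper tooling: it assumes the candidate configuration is available in set format, and the `check_traceoptions` name and both sample configurations are constructed for illustration. It goes slightly beyond the advanced-anti-malware case by applying the file-and-flag rule to any traceoptions hierarchy.

```python
import re
from collections import defaultdict

# Flag values for advanced-anti-malware traceoptions, as listed on this page.
AAMW_PATH = "services advanced-anti-malware"
AAMW_FLAGS = set("all connection content daemon identification parser plugin policy".split())
# Junos keywords that can follow "file" in place of a filename.
FILE_OPTIONS = {"size", "files", "match", "world-readable", "no-world-readable"}

LINE_RE = re.compile(r"^set\s+(?P<path>.+?)\s+traceoptions\s+(?P<kind>\S+)(?:\s+(?P<value>\S+))?")

def check_traceoptions(config_text):
    """Return sorted problems; an empty list means every stanza has a file and a flag."""
    stanzas = defaultdict(lambda: {"file": [], "flag": []})
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stanza = stanzas[m["path"]]  # any traceoptions line registers the stanza
        if m["kind"] == "flag" and m["value"]:
            stanza["flag"].append(m["value"])
        elif m["kind"] == "file" and m["value"] and m["value"] not in FILE_OPTIONS:
            stanza["file"].append(m["value"])
    problems = []
    for path, opts in stanzas.items():
        if not opts["file"]:
            problems.append(f"{path}: no target file")
        if not opts["flag"]:
            problems.append(f"{path}: no flag")
        if path == AAMW_PATH:
            problems += [f"{path}: unknown flag '{f}'"
                         for f in opts["flag"] if f not in AAMW_FLAGS]
    return sorted(problems)

# Constructed sample input (not from the page): the file and flags described above.
CANDIDATE_OK = """
set services advanced-anti-malware traceoptions file srx_aamw.log
set services advanced-anti-malware traceoptions flag connection
set services advanced-anti-malware traceoptions flag policy
"""
# Constructed sample input: size without a filename, a misspelled flag, flow with no file.
CANDIDATE_BAD = """
set services advanced-anti-malware traceoptions file size 100m
set services advanced-anti-malware traceoptions flag conection
set security flow traceoptions flag basic-datapath
"""

if __name__ == "__main__":
    print(check_traceoptions(CANDIDATE_OK), check_traceoptions(CANDIDATE_BAD))
```

A stanza that sets only a file size or a level still counts as incomplete, because neither names a target file nor selects what to trace.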

You can also configure public key infrastructure (PKI) trace options. For example:

Debug tracing on both the Routing Engine and the Packet Forwarding Engine can be enabled for SSL proxy by setting the following configuration:

You can enable logs in the SSL proxy profile to find the root cause of a drop. The following errors are some of the most common:

  • Server certification validation error.

  • The trusted CA configuration does not match your configuration.

  • System failures such as memory allocation failures.

  • Ciphers do not match.

  • SSL versions do not match.

  • SSL options are not supported.

  • Root CA has expired. You need to load a new root CA.

Set flow trace options to troubleshoot traffic flowing through your SRX Series Firewall: