Sample Code Audits of Configuration Changes

This sample code audits all changes to the configuration secret data and sends the logs to a file named Audit-File:

This sample code expands the scope of the minimum audit to audit all changes to the configuration, not just secret data, and sends the logs to a file named Audit-File:
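Once Audit-File (or any other syslog destination) is collecting these records, the next thing a practitioner needs is a way to pick the Table 1 events back out of them. The following Python is an added example, not code from this page or from Junos OS. It parses the RFC 5424 lines Junos emits (the `<PRI>1 TIMESTAMP HOST APP PROCID MSGID [junos@... name="value"] message` shape seen throughout Table 1 below), decodes the PRI into facility and severity, unescapes the structured-data values (Junos escapes a `]` inside a pathname value as `\]`, which a naive split on `]` gets wrong), maps the MSGID tags to the auditable-event classes, and implements the FIA_AFL.1 check of counting failed logins per user and origin. The sample lines are copied from Table 1, except for two additional SSHD_LOGIN_FAILED lines, which are constructed so that the threshold of three is actually reached; the class names are this example's own labels.

```python
import re
from collections import Counter

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then "-" or one
# [SD-ELEMENT], then the free-text MSG. Junos writes "-" for fields it omits.
HDR_RE = re.compile(r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
                    r'(?P<pid>\S+) (?P<msgid>\S+) (?P<rest>.*)$')
# SD-ELEMENT: [SD-ID NAME="VALUE" ...]. Inside VALUE the characters " \ and ] are
# backslash-escaped, which is why pathname="[... any\]" does not close the element.
SD_RE = re.compile(r'^\[(?P<sdid>[^ \]]+)(?P<params>(?: [^= ]+="(?:[^"\\]|\\.)*")*)\] ?')
PARAM_RE = re.compile(r'(?P<name>[^= ]+)="(?P<value>(?:[^"\\]|\\.)*)"')
FACILITIES = ['kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news', 'uucp',
              'cron', 'authpriv', 'ftp', 'ntp', 'audit', 'alert', 'clock'] + \
             ['local%d' % i for i in range(8)]
SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']
# Junos MSGID tags seen in Table 1 -> auditable-event class (labels are this example's own).
MSGID_CLASS = {
    'UI_LOGIN_EVENT': 'admin_login', 'UI_LOGOUT_EVENT': 'admin_logout',
    'UI_CFG_AUDIT_SET': 'config_change', 'UI_CFG_AUDIT_OTHER': 'config_change',
    'UI_CMDLINE_READ_LINE': 'admin_command', 'SSHD_LOGIN_ATTEMPTS_THRESHOLD': 'lockout_threshold',
    'PKID_PV_KEYPAIR_GEN': 'key_management', 'PKID_PV_KEYPAIR_DEL_SUCCESS': 'key_management',
    'PKID_PV_CERT_LOAD': 'trust_anchor_change', 'PKID_PV_CERT_DEL': 'trust_anchor_change',
    'SSHD_LOGIN_FAILED': 'auth_failure', 'LOGIN_FAILED': 'auth_failure',
    'LIBJNX_LOGIN_ACCOUNT_UNLOCKED': 'account_unlocked',
}

def _unescape(value):
    return re.sub(r'\\([\]"\\])', r'\1', value)

def parse_line(line):
    """Split one line into header fields, decoded PRI, SD params and MSG."""
    m = HDR_RE.match(line.strip())
    if not m:
        raise ValueError('not an RFC 5424 line: %r' % line)
    ev = m.groupdict()
    pri = int(ev.pop('pri'))
    ev['facility'], ev['severity'] = FACILITIES[pri // 8], SEVERITIES[pri % 8]
    rest, ev['sd'] = ev.pop('rest'), {}
    if rest.startswith('-'):            # NILVALUE: no structured data
        rest = rest[1:].lstrip()
    else:
        sd = SD_RE.match(rest)
        if not sd:
            raise ValueError('malformed structured data: %r' % rest)
        ev['sd_id'] = sd.group('sdid')
        ev['sd'] = {p.group('name'): _unescape(p.group('value'))
                    for p in PARAM_RE.finditer(sd.group('params'))}
        rest = rest[sd.end():]
    ev['msg'] = rest
    return ev

def parse_lines(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def classify(ev):
    """sshd's OpenSSH-style lines carry no MSGID, so they are classified on text."""
    if ev['msgid'] in MSGID_CLASS:
        return MSGID_CLASS[ev['msgid']]
    msg = ev['msg']
    if ev['app'] == 'sshd':
        if msg.startswith('Accepted '):
            return 'ssh_established'
        if msg.startswith('Unable to negotiate') or 'Too many password failures' in msg:
            return 'ssh_failure'
        if msg.startswith(('Received disconnect', 'Disconnected from')):
            return 'ssh_terminated'
    return 'other'

def summarize(events):
    return Counter(classify(e) for e in events)

def lockout_candidates(events, limit=3):
    """FIA_AFL.1: (user, origin) pairs whose failed-login count reached the limit."""
    hits = Counter()
    for e in events:
        if classify(e) == 'auth_failure':
            hits[(e['sd'].get('username'), e['sd'].get('source-address'))] += 1
    return {k: n for k, n in hits.items() if n >= limit}

# Sample input copied from Table 1, plus two constructed SSHD_LOGIN_FAILED lines
# (10:19:47 and 10:19:52) so that the configured threshold of 3 is reached.
SAMPLE_LOG = r'''
<38>1 2024-07-18T11:34:28.205Z NFX150 sshd 5531 - - Accepted keyboard-interactive/pam for acumensec from 10.1.2.146 port 54420 ssh2
<190>1 2024-07-18T11:34:28.364Z NFX150 mgd 5541 UI_LOGIN_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec" class-name="j-security-admin" local-peer="" pid="5541" ssh-connection="10.1.2.146 54420 10.1.2.6 22" client-mode="cli"] User 'acumensec' login, class 'j-security-admin' [5541], ssh-connection '10.1.2.146 54420 10.1.2.6 22', client-mode 'cli'
<182>1 2024-07-17T10:32:00.654Z NFX150 mgd 26982 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system syslog file TOElogs_file any\]" delimiter="" data="unconfigured" value="any"] User 'admin' set: [system syslog file TOElogs_file any] unconfigured -- "any"
<190>1 2024-07-30T13:24:40.593Z NFX150 mgd 21913 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set system login message \"This is a LOGIN message.\\nAuthorized users only !!!\" "] User 'admin', command 'set system login message "This is a LOGIN message.\nAuthorized users only !!!" '
<29>1 2024-10-16T05:39:06.575Z NFX150 pkid 24852 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.4.138.9 argument1="2048" argument2="RSA" argument3="NFX150TOE"] A 2048 bit RSA key-Pair has been generated for NFX150TOE
<38>1 2024-08-05T12:54:03.488Z NFX150 sshd 37258 - - Unable to negotiate with 10.1.3.92 port 37664: no matching cipher found. Their offer: aes192-ctr [preauth]
<37>1 2024-07-18T10:19:42.582Z NFX150 sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.4.138.9 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'
<37>1 2024-07-18T10:19:47.101Z NFX150 sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.4.138.9 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'
<37>1 2024-07-18T10:19:52.377Z NFX150 sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.4.138.9 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'
<37>1 2024-07-18T10:19:57.592Z NFX150 sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD [junos@2636.1.1.1.4.138.9 limit="3" username="acumensec"] Threshold for unsuccessful authentication attempts (3) reached by user 'acumensec'
<38>1 2024-07-18T10:19:57.595Z NFX150 sshd 448 - - Disconnecting authenticating user acumensec 10.1.2.146 port 34858: Too many password failures for acumensec [preauth]
<190>1 2024-08-05T09:42:11.997Z NFX150 mgd 25709 UI_LOGOUT_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec"] User 'acumensec' logout
<38>1 2024-08-05T09:42:12.013Z NFX150 sshd 25707 - - Disconnected from user acumensec 10.1.3.92 port 50968
'''

if __name__ == '__main__':
    events = parse_lines(SAMPLE_LOG)
    for cls, n in sorted(summarize(events).items()):
        print('%-20s %d' % (cls, n))
    print('lockout candidates:', lockout_candidates(events))
```

Run directly, it prints a count per class and the (user, origin) pairs that reached the limit. Note that the sshd lines with a free-text message and no MSGID (`Accepted ...`, `Unable to negotiate ...`, `Disconnected from ...`) have to be classified on their text, so a detection rule that keys only on the junos MSGID tags misses exactly the SSH establishment, failure and termination events that FCS_SSH_EXT.1 requires.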

Example: System Logging of Configuration Changes

This example shows a sample configuration and makes changes to users and secret data.

The new configuration changes the secret data configuration statements and adds a new user.

The following table provides details about the auditable events.

Table 1: Auditable Events
Columns: Requirement | Auditable Events | Additional Audit Record Contents | Audit Records

Requirement: FAU_GEN.1
Additional audit record contents: None
Auditable events, each followed by its audit records:
  • Start-up and shut-down of the audit functions;

Note: There is no manual start-up or shutdown of the local audit function; it is tied to start-up and shutdown of the TOE itself, so the TOE's own shutdown and start-up logs implicitly record the audit function stopping and starting.

TOE Shutdown:

<45>1 2024-11-13T11:27:56.011Z NFX150 eventd 24288 SYSTEM_SHUTDOWN [junos@2636.1.1.1.4.138.9 type="<unknown>" username="<unknown>" time="<unknown>" message="no message"] System <unknown> by <unknown> at <unknown>: no message

TOE Startup:

<45>1 2024-11-13T11:27:56.013Z NFX150 eventd 24288 SYSTEM_OPERATIONAL - System is operational

<38>1 2024-11-13T11:28:05.813Z NFX150 jlaunchd 24296 - - Registered PID 24289(event-processing): new process

  • All auditable events for the not specified level of audit; and
  • All administrative actions comprising:
    • Administrative login and logout (name of user account shall be logged if individual user accounts are required for Administrators).

Login:

<38>1 2024-07-18T11:34:28.205Z NFX150 sshd 5531 - - Accepted keyboard-interactive/pam for acumensec from 10.1.2.146 port 54420 ssh2

<190>1 2024-07-18T11:34:28.364Z NFX150 mgd 5541 UI_AUTH_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec" authentication-level="j-security-admin"] Authenticated user 'acumensec' assigned to class 'j-security-admin'

<190>1 2024-07-18T11:34:28.364Z NFX150 mgd 5541 UI_LOGIN_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec" class-name="j-security-admin" local-peer="" pid="5541" ssh-connection="10.1.2.146 54420 10.1.2.6 22" client-mode="cli"] User 'acumensec' login, class 'j-security-admin' [5541], ssh-connection '10.1.2.146 54420 10.1.2.6 22', client-mode 'cli'

Logout:

<38>1 2024-07-17T10:40:57.779Z NFX150 sshd 29357 - - Received disconnect from 10.1.3.92 port 34182:11: disconnected by user

<38>1 2024-07-17T10:40:57.779Z NFX150 sshd 29357 - - Disconnected from user acumensec 10.1.3.92 port 34182

  • Changes to TSF data related to configuration changes (in addition to the information that a change occurred it shall be logged what has been changed).

<182>1 2024-07-17T10:32:00.654Z NFX150 mgd 26982 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system syslog file TOElogs_file any\]" delimiter="" data="unconfigured" value="any"] User 'admin' set: [system syslog file TOElogs_file any] unconfigured -- "any"

<190>1 2024-07-17T10:32:00.655Z NFX150 mgd 26982 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set system syslog file TOElogs_file any any "] User 'admin', command 'set system syslog file TOElogs_file any any '

  • Generating/import of, changing, or deleting of cryptographic keys (in addition to the action itself a unique key name or key reference shall be logged).

Generation of cryptographic keys (IPsec):

Note: The unique identifier for the keys is the certificate ID of the associated certificate configured on the TOE.

<190>1 2024-10-16T05:39:01.730Z NFX150 mgd 64571 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="request security pki generate-key-pair size 2048 type rsa certificate-id NFX150TOE "] User 'admin', command 'request security pki generate-key-pair size 2048 type rsa certificate-id NFX150TOE '

<29>1 2024-10-16T05:39:06.575Z NFX150 pkid 24852 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.4.138.9 argument1="2048" argument2="RSA" argument3="NFX150TOE"] A 2048 bit RSA key-Pair has been generated for NFX150TOE

Deletion of cryptographic keys (IPsec):

<190>1 2024-10-16T05:35:25.593Z NFX150 mgd 64571 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="clear security pki key-pair certificate-id NFX150TOE "] User 'admin', command 'clear security pki key-pair certificate-id NFX150TOE '

<29>1 2024-10-16T05:35:25.608Z NFX150 pkid 24852 PKID_PV_KEYPAIR_DEL_SUCCESS [junos@2636.1.1.1.4.138.9 type-string="NFX150TOE"] Key pair deleted successfully for NFX150TOE

Import of cryptographic keys (SSH):

Note: The unique identifier of the keys is the username associated with those keys.

<182>1 2025-03-24T12:53:11.580Z NFX150 mgd 1089 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system login user cctester authentication ssh-rsa /* SECRET-DATA */\]" delimiter="" value=""] User 'admin' set: [system login user cctester authentication ssh-rsa /* SECRET-DATA */]

<190>1 2025-03-24T12:53:11.581Z NFX150 mgd 1089 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set system login user cctester authentication ssh-rsa /* SECRET-DATA */ "] User 'admin', command 'set system login user cctester authentication ssh-rsa /* SECRET-DATA */ '

Deletion of cryptographic keys (SSH):

<190>1 2025-03-24T12:40:00.188Z NFX150 mgd 1089 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="delete system login user cctester authentication ssh-rsa /* SECRET-DATA */ "] User 'admin', command 'delete system login user cctester authentication ssh-rsa /* SECRET-DATA */ '

<182>1 2025-03-24T12:40:00.189Z NFX150 mgd 1089 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.9 username="admin" action="delete" pathname="[system login user cctester authentication ssh-rsa /* SECRET-DATA */\]" delimiter="" value=""] User 'admin' delete: [system login user cctester authentication ssh-rsa /* SECRET-DATA */]

  • Resetting passwords (name of related user account shall be logged);

Note: The logs show data="unconfigured" as the old value even when an existing password is reset, so that the sensitive information is masked.

<182>1 2024-07-23T13:26:45.830Z NFX150 mgd 43275 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system login user good008 authentication\]" delimiter="" data="unconfigured" value="plain-text-password"] User 'admin' set: [system login user good008 authentication] unconfigured -- "plain-text-password"

<190>1 2024-07-23T13:26:53.093Z NFX150 mgd 43275 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set system login user good008 class users authentication plain-text-password "] User 'admin', command 'set system login user good008 class users authentication plain-text-password '

  • Starting and stopping services.

Starting services

<182>1 2024-07-24T11:49:39.001Z NFX150 mgd 23797 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system services netconf ssh\]" delimiter="" value=""] User 'admin' set: [system services netconf ssh]

<190>1 2024-07-24T11:49:39.001Z NFX150 mgd 23797 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set system services netconf ssh "] User 'admin', command 'set system services netconf ssh '

Stopping services

<190>1 2024-07-24T10:50:18.789Z NFX150 mgd 23797 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="delete system services netconf ssh "] User 'admin', command 'delete system services netconf ssh '

<182>1 2024-07-24T10:50:18.790Z NFX150 mgd 23797 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.9 username="admin" action="delete" pathname="[system services netconf ssh\]" delimiter="" value=""] User 'admin' delete: [system services netconf ssh]

Requirements with no auditable events: FAU_GEN.2

Requirement: FAU_STG_EXT.1
Auditable events: Configuration of local audit settings.
Additional audit record contents: Identity of the account making changes to the audit configuration.
Audit records:

Configuration of local audit settings.

<182>1 2024-07-17T10:32:00.654Z NFX150 mgd 26982 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system syslog file TOElogs_file any\]" delimiter="" data="unconfigured" value="any"] User 'admin' set: [system syslog file TOElogs_file any] unconfigured -- "any"

<190>1 2024-07-17T10:32:00.655Z NFX150 mgd 26982 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set system syslog file TOElogs_file any any "] User 'admin', command 'set system syslog file TOElogs_file any any '

Requirements with no auditable events: FCS_CKM.1, FCS_CKM.2, FCS_CKM.4, FCS_COP.1/DataEncryption, FCS_COP.1/Hash, FCS_COP.1/KeyedHash, FCS_COP.1/SigGen

Requirement: FCS_IPSEC_EXT.1
Auditable events: Failure to establish an IPsec SA.
Additional audit record contents: Reason for failure.
Audit records:

Failure to establish an IPsec SA.

<27>1 2024-09-02T14:58:32.611Z NFX150 kmd 16398 - - IKE negotiation failed with error: Peer proposed phase1 negotiation mode (main/aggressive) does not match with configuration. IKE Version: 1, VPN: vpn1 Gateway: gw1, Local: 10.1.5.7/500, Remote: 10.1.5.8/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

Requirements with no auditable events: FCS_RBG_EXT.1, FDP_RIP.2

Requirement: FCS_SSH_EXT.1
Auditable events:
  • Failure to establish an SSH session
  • Establishment of SSH connection
  • Termination of SSH connection session
  • Dropping of packet(s) outside defined size limits
Additional audit record contents (in the same order):
  • Reason for failure and non-TOE endpoint of attempted connection (IP address)
  • Non-TOE endpoint of connection (IP address)
  • Non-TOE endpoint of connection (IP address)
  • Packet size
Audit records:

  • Failure to establish an SSH session

<38>1 2024-08-05T12:54:03.488Z NFX150 sshd 37258 - - Unable to negotiate with 10.1.3.92 port 37664: no matching cipher found. Their offer: aes192-ctr [preauth]

<38>1 2024-08-05T12:54:03.488Z NFX150 sshd 37259 - - Unable to negotiate with 10.1.3.92 port 37664: no matching cipher found. Their offer: aes192-ctr

  • Establishment of SSH connection

<38>1 2024-08-05T09:41:01.960Z NFX150 sshd 25691 - - Accepted keyboard-interactive/pam for acumensec from 10.1.3.92 port 50968 ssh2

<190>1 2024-08-05T09:41:02.057Z NFX150 mgd 25709 UI_AUTH_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec" authentication-level="j-security-admin"] Authenticated user 'acumensec' assigned to class 'j-security-admin'

<190>1 2024-08-05T09:41:02.058Z NFX150 mgd 25709 UI_LOGIN_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec" class-name="j-security-admin" local-peer="" pid="25709" ssh-connection="10.1.3.92 50968 10.1.2.6 22" client-mode="cli"] User 'acumensec' login, class 'j-security-admin' [25709], ssh-connection '10.1.3.92 50968 10.1.2.6 22', client-mode 'cli'

  • Termination of SSH connection session

<190>1 2024-08-05T09:42:11.987Z NFX150 mgd 25709 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="exit "] User 'acumensec', command 'exit '

<190>1 2024-08-05T09:42:11.997Z NFX150 mgd 25709 UI_LOGOUT_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec"] User 'acumensec' logout

<38>1 2024-08-05T09:42:12.013Z NFX150 sshd 25707 - - Received disconnect from 10.1.3.92 port 50968:11: disconnected by user

<38>1 2024-08-05T09:42:12.013Z NFX150 sshd 25707 - - Disconnected from user acumensec 10.1.3.92 port 50968

  • Dropping of packet(s) outside defined size limits

<38>1 2024-08-06T11:19:03.492Z NFX150 sshd 17786 - - Potential replay attack detected on SSH connection initiated from 10.1.3.92:58422

<37>1 2024-08-06T11:19:03.493Z NFX150 sshd - SSH_MSG_REPLAY_DETECT [junos@2636.1.1.1.4.138.9 source-address="10.1.3.92" source-port="58422"] Potential replay attack detected on SSH connection initiated from 10.1.3.92:58422

<38>1 2024-08-06T11:19:03.494Z NFX150 sshd 17786 - - Bad packet length 262156.

<38>1 2024-08-06T11:19:03.494Z NFX150 sshd 17786 - - ssh_dispatch_run_fatal: Connection from user acumensec 10.1.3.92 port 58422: message authentication code incorrect

Requirement: FCS_SSHS_EXT.1 (no events specified; no additional audit record contents; no audit records)

Requirement: FFW_RUL_EXT.1
Auditable events: Application of rules configured with the 'log' operation
Additional audit record contents:
  • Source and destination addresses
  • Source and destination ports
  • Transport Layer Protocol
  • TOE Interface

Application of rules configured with the ‘log’ operation:

Time of Log: 2025-01-21 11:03:38 UTC, Filter: pfe, Filter action: accept, Name of interface: ge-1/0/1.0

Name of protocol: TCP, Packet Length: 52, Source address: 10.1.9.40:60514, Destination address: 10.1.3.108:1234

Requirement: FFW_RUL_EXT.2
Auditable events:
  • Dynamical definition of rule
  • Establishment of a session
Additional audit record contents: None
Audit records:

Dynamical definition of rule

<182>1 2025-03-24T11:40:20.867Z NFX250_TOE mgd 10011 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[firewall family inet filter TCP-port term allow from protocol tcp\]" delimiter="" value=""] User 'admin' set: [firewall family inet filter TCP-port term allow from protocol tcp]

<190>1 2025-03-24T11:40:20.868Z NFX250_TOE mgd 10011 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter TCP-port term allow from protocol tcp "] User 'admin', command 'set firewall family inet filter TCP-port term allow from protocol tcp '

<182>1 2025-03-24T11:40:43.831Z NFX250_TOE mgd 10011 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[firewall family inet filter TCP-port term allow from port 0-1024\]" delimiter="" value=""] User 'admin' set: [firewall family inet filter TCP-port term allow from port 0-1024]

<190>1 2025-03-24T11:40:43.832Z NFX250_TOE mgd 10011 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter TCP-port term allow from port 0-1024"] User 'admin', command 'set firewall family inet filter TCP-port term allow from port 0-1024 '

<182>1 2025-03-24T11:41:15.020Z NFX250_TOE mgd 10011 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[firewall family inet filter TCP-port term allow then\]" delimiter="" data="unconfigured" value="log"] User 'admin' set: [firewall family inet filter TCP-port term allow then] unconfigured -- "log"

<190>1 2025-03-24T11:41:15.021Z NFX250_TOE mgd 10011 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter TCP-port term allow then log "] User 'admin', command 'set firewall family inet filter TCP-port term allow then log '

<182>1 2025-03-24T11:41:26.074Z NFX250_TOE mgd 10011 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[firewall family inet filter TCP-port term allow then\]" delimiter="" data="unconfigured" value="accept"] User 'admin' set: [firewall family inet filter TCP-port term allow then] unconfigured -- "accept"

<190>1 2025-03-24T11:41:26.074Z NFX250_TOE mgd 10011 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter TCP-port term allow then accept "] User 'admin', command 'set firewall family inet filter TCP-port term allow then accept '

<182>1 2025-03-24T11:41:50.936Z NFX250_TOE mgd 10011 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[firewall family inet filter TCP-port term deny from protocol tcp\]" delimiter="" value=""] User 'admin' set: [firewall family inet filter TCP-port term deny from protocol tcp]

<190>1 2025-03-24T11:41:50.936Z NFX250_TOE mgd 10011 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter TCP-port term deny from protocol tcp"] User 'admin', command 'set firewall family inet filter TCP-port term deny from protocol tcp '

<182>1 2025-03-24T11:42:04.615Z NFX250_TOE mgd 10011 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[firewall family inet filter TCP-port term deny from port 1025-65535\]" delimiter="" value=""] User 'admin' set: [firewall family inet filter TCP-port term deny from port 1025-65535]

<190>1 2025-03-24T11:42:04.615Z NFX250_TOE mgd 10011 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter TCP-port term deny from port 1025-65535 "] User 'admin', command 'set firewall family inet filter TCP-port term deny from port 1025-65535 '

<182>1 2025-03-24T11:42:19.132Z NFX250_TOE mgd 10011 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[firewall family inet filter TCP-port term deny then\]" delimiter="" data="unconfigured" value="log"] User 'admin' set: [firewall family inet filter TCP-port term deny then] unconfigured -- "log"

<190>1 2025-03-24T11:42:19.133Z NFX250_TOE mgd 10011 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter TCP-port term deny then log "] User 'admin', command 'set firewall family inet filter TCP-port term deny then log '

<182>1 2025-03-24T11:42:30.592Z NFX250_TOE mgd 10011 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[firewall family inet filter TCP-port term deny then discard\]" delimiter="" value=""] User 'admin' set: [firewall family inet filter TCP-port term deny then discard]

<190>1 2025-03-24T11:42:30.592Z NFX250_TOE mgd 10011 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter TCP-port term deny then discard "] User 'admin', command 'set firewall family inet filter TCP-port term deny then discard '

Establishment of a session

Time of Log: 2024-09-19 12:48:44 UTC, Filter: pfe, Filter action: accept, Name of interface: ge-1/0/1.0

Name of protocol: TCP, Packet Length: 52, Source address: 10.1.9.40:1234, Destination address: 10.1.3.108:4321

Requirement: FIA_AFL.1
Auditable events: Unsuccessful login attempts limit is met or exceeded
Additional audit record contents: Origin of the attempt (e.g., IP address)
Audit records:

Unsuccessful login attempts limit is met or exceeded

<37>1 2024-07-18T10:19:42.582Z NFX150 sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.4.138.9 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'

<37>1 2024-07-18T10:19:57.592Z NFX150 sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD [junos@2636.1.1.1.4.138.9 limit="3" username="acumensec"] Threshold for unsuccessful authentication attempts (3) reached by user 'acumensec'

<38>1 2024-07-18T10:19:57.595Z NFX150 sshd 448 - - Disconnecting authenticating user acumensec 10.1.2.146 port 34858: Too many password failures for acumensec [preauth]

Requirements with no auditable events: FIA_PMG_EXT.1, FIA_UAU.7

Requirement: FIA_UIA_EXT.1
Auditable events: All use of the identification and authentication mechanism
Additional audit record contents: Origin of the attempt (e.g., IP address)
Audit records:

All use of identification and authentication mechanism

Local Successful Login

<37>1 2024-07-19T12:25:05.484Z NFX150 login 95439 - - Login attempt for user acumensec from host [unknown]

<38>1 2024-07-19T12:25:10.272Z NFX150 login 95439 LOGIN_INFORMATION [junos@2636.1.1.1.4.138.9 username="acumensec" hostname="[unknown\]" tty-name="ttyu0"] User acumensec logged in from host [unknown] on device ttyu0

<190>1 2024-07-19T12:25:10.388Z NFX150 mgd 96096 UI_AUTH_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec" authentication-level="j-security-admin"] Authenticated user 'acumensec' assigned to class 'j-security-admin'

<190>1 2024-07-19T12:25:10.389Z NFX150 mgd 96096 UI_LOGIN_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec" class-name="j-security-admin" local-peer="" pid="96096" ssh-connection="" client-mode="cli"] User 'acumensec' login, class 'j-security-admin' [96096], ssh-connection '', client-mode 'cli'

Local Unsuccessful Login

<37>1 2024-07-19T12:12:21.876Z NFX150 login 95284 - - Login attempt for user acumensec from host [unknown]

<35>1 2024-07-19T12:12:28.163Z NFX150 login 95284 LOGIN_PAM_AUTHENTICATION_ERROR [junos@2636.1.1.1.4.138.9 username="acumensec"] Failed password for user acumensec

<37>1 2024-07-19T12:12:28.165Z NFX150 login 95284 LOGIN_FAILED [junos@2636.1.1.1.4.138.9 username="acumensec" source-address="ttyu0"] Login failed for user acumensec from host ttyu0

Remote Successful Password-Based Login

<38>1 2024-07-19T12:46:25.042Z NFX150 sshd 97371 - - Accepted keyboard-interactive/pam for acumensec from 10.1.2.146 port 53940 ssh2

<190>1 2024-07-19T12:46:25.191Z NFX150 mgd 97382 UI_AUTH_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec" authentication-level="j-security-admin"] Authenticated user 'acumensec' assigned to class 'j-security-admin'

<190>1 2024-07-19T12:46:25.192Z NFX150 mgd 97382 UI_LOGIN_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec" class-name="j-security-admin" local-peer="" pid="97382" ssh-connection="10.1.2.146 53940 10.1.2.6 22" client-mode="cli"] User 'acumensec' login, class 'j-security-admin' [97382], ssh-connection '10.1.2.146 53940 10.1.2.6 22', client-mode 'cli'

Remote Unsuccessful Password-Based Login

<35>1 2024-07-19T12:41:04.793Z NFX150 sshd 97034 - - error: PAM: Authentication error for acumensec from 10.1.2.146

<37>1 2024-07-19T12:41:04.794Z NFX150 sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.4.138.9 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'

Remote Successful Public Key-Based Login

<38>1 2024-07-19T13:52:39.678Z NFX150 sshd 2012 - - Accepted publickey for cctester from 10.1.2.146 port 58938 ssh2: RSA SHA256:+f9kJurfOpuewLZu7tEdnsexbIGJHmU5a7l0AEXhffU

<190>1 2024-07-19T13:52:39.858Z NFX150 mgd 2016 UI_AUTH_EVENT [junos@2636.1.1.1.4.138.9 username="cctester" authentication-level="j-users"] Authenticated user 'cctester' assigned to class 'j-users'

<190>1 2024-07-19T13:52:39.859Z NFX150 mgd 2016 UI_LOGIN_EVENT [junos@2636.1.1.1.4.138.9 username="cctester" class-name="j-users" local-peer="" pid="2016" ssh-connection="10.1.2.146 58938 10.1.2.6 22" client-mode="cli"] User 'cctester' login, class 'j-users' [2016], ssh-connection '10.1.2.146 58938 10.1.2.6 22', client-mode 'cli'

Remote Unsuccessful Public Key-Based Login

<38>1 2024-08-01T10:37:46.145Z NFX150 sshd 84319 - - Connection closed by authenticating user cctester 10.1.2.146 port 36438 [preauth]

<38>1 2024-08-01T10:37:46.145Z NFX150 sshd 84323 - - Connection closed by authenticating user cctester 10.1.2.146 port 36438

Requirement: FIA_X509_EXT.1/Rev
Auditable events:
  • Unsuccessful attempt to validate a certificate
  • Any addition, replacement or removal of trust anchors in the TOE's trust store
Additional audit record contents (in the same order):
  • Reason for failure of certificate validation
  • Identification of certificates added, replaced or removed as trust anchor in the TOE's trust store
Audit records:

  • Unsuccessful attempt to validate a certificate

<27>1 2024-10-17T15:59:19.632Z NFX150 pkid 24852 PKID_CRL_CERTIFICATE_REVOKED [junos@2636.1.1.1.4.138.9 argument1="/C=US/O=Acumen/OU=CC/CN=AcumenICA" argument2="757035d2e563b6a5"] Certificate /C=US/O=Acumen/OU=CC/CN=AcumenICA with serial number 0x757035d2e563b6a5 is revoked

  • Any addition, replacement or removal of trust anchors in the TOE's trust store

Addition of trust anchor:

<190>1 2024-10-16T05:47:32.960Z NFX150 mgd 67658 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="request security pki ca-certificate load ca-profile AcumenROOT filename /var/tmp/Cert_R2/AcumenROOT.crt "] User 'admin', command 'request security pki ca-certificate load ca-profile AcumenROOT filename /var/tmp/Cert_R2/AcumenROOT.crt '

<29>1 2024-10-16T05:47:32.975Z NFX150 pkid 24852 PKID_PV_CERT_LOAD [junos@2636.1.1.1.4.138.9 type-string="AcumenROOT"] Certificate AcumenROOT has been successfully loaded

Removal of trust anchor:

<190>1 2024-10-16T09:49:45.340Z NFX150 mgd 64571 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="clear security pki ca-certificate ca-profile AcumenROOT "] User 'admin', command 'clear security pki ca-certificate ca-profile AcumenROOT '

<29>1 2024-10-16T09:49:45.354Z NFX150 pkid 24852 PKID_PV_CERT_DEL [junos@2636.1.1.1.4.138.9 type-string="AcumenROOT"] Certificate deletion has occurred for AcumenROOT

Requirements with no auditable events: FIA_X509_EXT.2, FIA_X509_EXT.3, FMT_MOF.1/Functions

Requirement: FMT_MOF.1/ManualUpdate
Auditable events: Any attempt to initiate a manual update
Additional audit record contents: None
Audit records:

Any attempt to initiate a manual update

<190>1 2025-01-02T09:38:31.558Z NFX150 mgd 88689 UI_CHILD_START [junos@2636.1.1.1.4.138.9 command="/usr/libexec/ui/package"] Starting child '/usr/libexec/ui/package'

<29>1 2025-01-02T09:38:31.563Z NFX150 mgd 88689 - - - /usr/libexec/ui/package -X update /var/public/jinstall-host-nfx-3-x86-64-23.4R1.10-secure-signed.tgz

Requirements with no auditable events: FMT_MOF.1/Services, FMT_MTD.1/CoreData, FMT_MTD.1/CryptoKeys

Requirement: FMT_SMF.1
Auditable events: All management activities of TSF data
Additional audit record contents: None
Audit records:

  • Ability to administer the TOE remotely;

<38>1 2024-07-26T08:10:33.345Z NFX150 sshd 94458 - - Accepted keyboard-interactive/pam for acumensec from 10.1.3.92 port 50990 ssh2

<190>1 2024-07-26T08:10:33.512Z NFX150 mgd 94466 UI_AUTH_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec" authentication-level="j-security-admin"] Authenticated user 'acumensec' assigned to class 'j-security-admin'

<190>1 2024-07-26T08:10:33.513Z NFX150 mgd 94466 UI_LOGIN_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec" class-name="j-security-admin" local-peer="" pid="94466" ssh-connection="10.1.3.92 50990 10.1.2.6 22" client-mode="cli"] User 'acumensec' login, class 'j-security-admin' [94466], ssh-connection '10.1.3.92 50990 10.1.2.6 22', client-mode 'cli'

  • Ability to configure the access banner;

<182>1 2024-07-30T13:24:40.593Z NFX150 mgd 21913 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system login message\]" delimiter="" data="unconfigured" value="This is a LOGIN message.\\nAuthorized users only !!!"] User 'admin' set: [system login message] unconfigured -- "This is a LOGIN message.\nAuthorized users only !!!"

<190>1 2024-07-30T13:24:40.593Z NFX150 mgd 21913 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set system login message \"This is a LOGIN message.\\nAuthorized users only !!!\" "] User 'admin', command 'set system login message "This is a LOGIN message.\nAuthorized users only !!!" '

  • Ability to configure the remote session inactivity time before session termination;

<182>1 2024-07-26T09:03:43.831Z NFX150 mgd 87372 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system login class security-admin idle-timeout\]" delimiter="" data="unconfigured" value="1"] User 'admin' set: [system login class security-admin idle-timeout] unconfigured -- "1"

<190>1 2024-07-26T09:03:43.831Z NFX150 mgd 87372 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set system login class security-admin idle-timeout 1 "] User 'admin', command 'set system login class security-admin idle-timeout 1 '

  • Ability to update the TOE, and to verify the updates using digital signature capability prior to installing those updates;

<190>1 2025-03-11T08:46:25.869Z NFX150 mgd 67883 UI_CHILD_START [junos@2636.1.1.1.4.138.9 command="/usr/libexec/ui/package"] Starting child '/usr/libexec/ui/package'

<29>1 2025-03-11T08:46:25.876Z NFX150 mgd 67883 - - /usr/libexec/ui/package -X update /var/public/jinstall-host-nfx-3-x86-64-23.4R1.10-secure-signed.tgz

<190>1 2025-03-11T09:06:03.372Z NFX150 mgd 67883 UI_CHILD_STATUS [junos@2636.1.1.1.4.138.9 command="/usr/libexec/ui/package" pid="68411" status-code="0"] Cleanup child '/usr/libexec/ui/package', PID 68411, status 0

<2>1 2025-03-11T09:50:23.500Z NFX150 kernel - - - md0: Preloaded image </packages/sets/active/boot/os-kernel/contents.izo> 11084800 bytes at 0xffffffff828aeab8

<118>1 2025-03-11T09:50:23.501Z NFX150 kernel - - - Verified os-kernel-prd-x86-64-20231122 signed by PackageProductionECP256_2023 method ECDSA256+SHA256

<118>1 2025-03-11T09:50:23.501Z NFX150 kernel - - - Verified os-libs-12-x86-64-20231122 signed by PackageProductionECP256_2023 method ECDSA256+SHA256

<118>1 2025-03-11T09:50:23.501Z NFX150 kernel - - - Verified os-runtime-x86-64-20231122 signed by PackageProductionECP256_2023 method ECDSA256+SHA256

<118>1 2025-03-11T09:50:23.501Z NFX150 kernel - - - Verified os-package-20231117 signed by PackageProductionECP256_2023 method ECDSA256+SHA256

  • Ability to start and stop services;

Starting services

<182>1 2024-07-24T11:49:39.001Z NFX150 mgd 23797 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system services netconf ssh\]" delimiter="" value=""] User 'admin' set: [system services netconf ssh]

<190>1 2024-07-24T11:49:39.001Z NFX150 mgd 23797 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set system services netconf ssh "] User 'admin', command 'set system services netconf ssh '

Stopping services

<190>1 2024-07-24T10:50:18.789Z NFX150 mgd 23797 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="delete system services netconf ssh "] User 'admin', command 'delete system services netconf ssh '

<182>1 2024-07-24T10:50:18.790Z NFX150 mgd 23797 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.9 username="admin" action="delete" pathname="[system services netconf ssh\]" delimiter="" value=""] User 'admin' delete: [system services netconf ssh]

  • Ability to configure local audit behavior (e.g. changes to storage locations for audit; changes to behavior when local audit storage space is full; changes to local audit storage size)

<182>1 2024-07-23T12:29:46.831Z NFX150 mgd 43275 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system syslog file syslog archive size\]" delimiter="\"" data="10m" value="11m"] User 'admin' set: [system syslog file syslog archive size] "10m "11m"

<190>1 2024-07-23T12:29:46.832Z NFX150 mgd 43275 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set system syslog file syslog archive size 11m "] User 'admin', command 'set system syslog file syslog archive size 11m'

  • Ability to modify the behavior of the transmission of audit data to an external IT entity;

<182>1 2024-07-24T11:49:39.001Z NFX150 mgd 23797 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system services netconf ssh\]" delimiter="" value=""] User 'admin' set: [system services netconf ssh]

<190>1 2024-07-24T11:49:39.001Z NFX150 mgd 23797 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set system services netconf ssh "] User 'admin', command 'set system services netconf ssh '

  • Ability to manage the cryptographic keys;

<190>1 2024-09-23T13:05:08.962Z NFX150 mgd 83997 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="request security pki generate-key-pair size 2048 type rsa certificate-id NFX150TOE "] User 'admin', command 'request security pki generate-key-pair size 2048 type rsa certificate-id NFX150TOE '

<29>1 2024-09-23T13:05:29.177Z NFX150 pkid 16663 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.4.138.9 argument1="2048" argument2="RSA" argument3="NFX150TOE"] A 2048 bit RSA key-Pair has been generated for NFX150TOE

  • Ability to manage the cryptographic functionality;

<190>1 2024-09-23T13:30:38.193Z NFX150 mgd 83997 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="request security pki generate-certificate-request certificate-id NFX150TOE subject CN=NFX150TOE,OU=CC,O=Acumen,C=US ip-address 10.1.5.7 "] User 'admin', command 'request security pki generate-certificate-request certificate-id NFX150TOE subject CN=NFX150TOE,OU=CC,O=Acumen,C=US ip-address 10.1.5.7 '

  • Ability to configure thresholds for SSH rekeying;

<182>1 2024-08-14T05:59:19.113Z NFX150 mgd 92318 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system services ssh rekey time-limit\]" delimiter="" data="unconfigured" value="60"] User 'admin' set: [system services ssh rekey time-limit] unconfigured -- "60"

<190>1 2024-08-14T05:59:19.114Z NFX150 mgd 92318 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set system services ssh rekey time-limit 60 "] User 'admin', command 'set system services ssh rekey time-limit 60 '

<182>1 2024-08-20T11:10:08.058Z NFX150 mgd 16869 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system services ssh rekey data-limit\]" delimiter="" data="unconfigured" value="10m"] User 'admin' set: [system services ssh rekey data-limit] unconfigured -- "10m"

<190>1 2024-08-20T11:10:08.059Z NFX150 mgd 16869 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set system services ssh rekey data-limit 10m "] User 'admin', command 'set system services ssh rekey data-limit 10m '

  • Ability to configure the lifetime for IPsec SAs;

<182>1 2024-08-23T12:05:35.101Z NFX150 mgd 99316 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[security ipsec proposal ipsec-proposal1 lifetime-seconds\]" delimiter="\"" data="86400" value="86400"] User 'admin' set: [security ipsec proposal ipsec-proposal1 lifetime-seconds] "86400 -- "86400"

<190>1 2024-08-23T12:05:35.102Z NFX150 mgd 99316 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set security ipsec proposal ipsec-proposal1 lifetime-seconds 86400 "] User 'admin', command 'set security ipsec proposal ipsec-proposal1 lifetime-seconds 86400 '

  • Ability to re-enable an Administrator account;

<190>1 2024-07-18T11:33:45.867Z NFX150 mgd 89675 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="clear system login lockout user acumensec "] User 'admin', command 'clear system login lockout user acumensec '

<37>1 2024-07-18T11:33:45.880Z NFX150 mgd 89675 LIBJNX_LOGIN_ACCOUNT_UNLOCKED [junos@2636.1.1.1.4.138.9 username="acumensec"] Account for user 'acumensec' has been unlocked for logins

  • Ability to set the time which is used for time-stamps;

<190>1 2024-07-17T05:22:26.318Z NFX150 mgd 86428 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set date 202401010808.08 "] User 'admin', command 'set date 202401010808.08 '

<190>1 2024-07-17T05:22:26.355Z NFX150 mgd 86428 UI_CHILD_START [junos@2636.1.1.1.4.138.9 command="/bin/date"] Starting child '/bin/date'

<37>1 2024-01-01T08:08:08.001Z NFX150 date 86525 - - date set by root

<190>1 2024-01-01T08:08:08.003Z NFX150 mgd 86428 UI_CHILD_STATUS [junos@2636.1.1.1.4.138.9 command="/bin/date" pid="86525" status-code="512"] Cleanup child '/bin/date', PID 86525, status 0x200

<29>1 2024-01-01T08:08:08.004Z NFX150 mgd 86428 UI_CHILD_EXITED [junos@2636.1.1.1.4.138.9 pid="86525" return-value="2" core-dump-status="" command="/bin/date"] Child exited: PID 86525, status 2, command '/bin/date'

<190>1 2024-01-01T08:08:08.004Z NFX150 mgd 86428 UI_COMMIT_PROGRESS [junos@2636.1.1.1.4.138.9 message="signaling 'Network security daemon', pid 16533, signal 31, status with notification errors enabled"] Commit operation in progress: signaling 'Network security daemon', pid 16533, signal 31, status 0 with notification errors enabled

<30>1 2024-01-01T08:08:08.005Z NFX150 nsd 16533 NSD_SYS_TIME_CHANGE - System time has changed.

  • Ability to configure the reference identifier for the peer;

<182>1 2024-10-16T10:10:27.659Z NFX150 mgd 67658 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[security ike gateway gw1 remote-identity inet\]" delimiter="" data="unconfigured" value="10.1.9.21"] User 'admin' set: [security ike gateway gw1 remote-identity inet] unconfigured -- "10.1.9.21"

  • Ability to manage the TOE’s trust store and designate X.509v3 certificates as trust anchors;

**NOTE: By default the TOE treats only the root CA as a trust anchor; there is no provision to designate intermediate CAs as trust anchors.**

<190>1 2024-10-16T05:47:32.960Z NFX150 mgd 67658 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="request security pki ca-certificate load ca-profile AcumenROOT filename /var/tmp/Cert_R2/AcumenROOT.crt "] User 'admin', command 'request security pki ca-certificate load ca-profile AcumenROOT filename /var/tmp/Cert_R2/AcumenROOT.crt '

<29>1 2024-10-16T05:47:32.975Z NFX150 pkid 24852 PKID_PV_CERT_LOAD [junos@2636.1.1.1.4.138.9 type-string="AcumenROOT"] Certificate AcumenROOT has been successfully loaded

  • Ability to administer the TOE locally;

<37>1 2024-07-19T12:25:05.484Z NFX150 login 95439 - - Login attempt for user acumensec from host [unknown]

<38>1 2024-07-19T12:25:10.272Z NFX150 login 95439 LOGIN_INFORMATION [junos@2636.1.1.1.4.138.9 username="acumensec" hostname="[unknown\]" tty-name="ttyu0"] User acumensec logged in from host [unknown] on device ttyu0

<190>1 2024-07-19T12:25:10.388Z NFX150 mgd 96096 UI_AUTH_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec" authentication-level="j-security-admin"] Authenticated user 'acumensec' assigned to class 'j-security-admin'

<190>1 2024-07-19T12:25:10.389Z NFX150 mgd 96096 UI_LOGIN_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec" class-name="j-security-admin" local-peer="" pid="96096" ssh-connection="" client-mode="cli"] User 'acumensec' login, class 'j-security-admin' [96096], ssh-connection '', client-mode 'cli'

  • Ability to configure the local session inactivity time before session termination or locking;

<182>1 2024-07-26T09:03:43.831Z NFX150 mgd 87372 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system login class security-admin idle-timeout\]" delimiter="" data="unconfigured" value="1"] User 'admin' set: [system login class security-admin idle-timeout] unconfigured -- "1"

<190>1 2024-07-26T09:03:43.831Z NFX150 mgd 87372 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set system login class security-admin idle-timeout 1 "] User 'admin', command 'set system login class security-admin idle-timeout 1 '

  • Ability to configure the authentication failure parameters for FIA_AFL.1;

<182>1 2024-07-29T10:24:51.556Z NFX150 mgd 18948 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system login retry-options tries-before-disconnect\]" delimiter="" data="unconfigured" value="3"] User 'admin' set: [system login retry-options tries-before-disconnect] unconfigured -- "3"

<190>1 2024-07-29T10:24:51.557Z NFX150 mgd 18948 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set system login retry-options tries-before-disconnect 3 "] User 'admin', command 'set system login retry-options tries-before-disconnect 3 '

<182>1 2024-07-29T10:25:05.074Z NFX150 mgd 18948 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system login retry-options lockout-period\]" delimiter="" data="unconfigured" value="5"] User 'admin' set: [system login retry-options lockout-period] unconfigured -- "5"

<190>1 2024-07-29T10:25:05.074Z NFX150 mgd 18948 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set system login retry-options lockout-period 5 "] User 'admin', command 'set system login retry-options lockout-period 5 '

  • Ability to manage the trusted public keys database;

<182>1 2024-09-04T07:09:06.302Z NFX150 mgd 89519 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.9 username="admin" action="set" pathname="[system login user cctester authentication ssh-rsa /* SECRET-DATA */\]" delimiter="" value=""] User 'admin' set: [system login user cctester authentication ssh-rsa /* SECRET-DATA */]

FMT_SMF.1/FFW All management activities of TSF data (including creation, modification and deletion of firewall rules). None

Ability to configure firewall rules;

  • creation of firewall rules.

<182>1 2024-10-15T12:58:48.805Z NFX250_TOE mgd 8717 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[firewall family inet6 filter UDP-filter-IPv6 term allow then\]" delimiter="" data="unconfigured" value="log"] User 'admin' set: [firewall family inet6 filter UDP-filter-IPv6 term allow then] unconfigured -- "log"

<190>1 2024-10-15T12:58:48.805Z NFX250_TOE mgd 8717 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet6 filter UDP-filter-IPv6 term allow then log "] User 'admin', command 'set firewall family inet6 filter UDP-filter-IPv6 term allow then log '

  • modification of firewall rules.

<182>1 2025-02-21T10:41:17.658Z NFX250_TOE mgd 2118 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[firewall family inet filter DST_Allow term allow then discard\]" delimiter="" value=""] User 'admin' set: [firewall family inet filter DST_Allow term allow then discard]

<190>1 2025-02-21T10:41:17.659Z NFX250_TOE mgd 2118 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter DST_Allow term allow then discard "] User 'admin', command 'set firewall family inet filter DST_Allow term allow then discard '

  • deletion of firewall rules.

<190>1 2025-02-21T10:42:34.958Z NFX250_TOE mgd 2118 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="delete firewall family inet filter DST_Allow term deny then discard "] User 'admin', command 'delete firewall family inet filter DST_Allow term deny then discard '

<182>1 2025-02-21T10:42:34.959Z NFX250_TOE mgd 2118 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.5 username="admin" action="delete" pathname="[firewall family inet filter DST_Allow term deny then discard\]" delimiter="" value=""] User 'admin' delete: [firewall family inet filter DST_Allow term deny then discard]

FMT_SMR.2 None None None
FPT_APW_EXT.1 None None None
FPT_SKP_EXT.1 None None None
FPT_STM_EXT.1

Discontinuous changes to time - either Administrator actuated or changed via an automated process

(Note that no continuous changes to time need to be logged. See also application note on FPT_STM_EXT.1)

For discontinuous changes to time: The old and new values for the time. Origin of the attempt to change time for success and failure (e.g., IP address).

Discontinuous changes to time - either Administrator actuated or changed via an automated process (Note that no continuous changes to time need to be logged. See also application note on FPT_STM_EXT.1)

<190>1 2024-07-17T05:22:26.318Z NFX150 mgd 86428 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set date 202401010808.08 "] User 'admin', command 'set date 202401010808.08 '

<190>1 2024-07-17T05:22:26.355Z NFX150 mgd 86428 UI_CHILD_START [junos@2636.1.1.1.4.138.9 command="/bin/date"] Starting child '/bin/date'

<37>1 2024-01-01T08:08:08.001Z NFX150 date 86525 - - date set by root

<190>1 2024-01-01T08:08:08.003Z NFX150 mgd 86428 UI_CHILD_STATUS [junos@2636.1.1.1.4.138.9 command="/bin/date" pid="86525" status-code="512"] Cleanup child '/bin/date', PID 86525, status 0x200

<29>1 2024-01-01T08:08:08.004Z NFX150 mgd 86428 UI_CHILD_EXITED [junos@2636.1.1.1.4.138.9 pid="86525" return-value="2" core-dump-status="" command="/bin/date"] Child exited: PID 86525, status 2, command '/bin/date'

<190>1 2024-01-01T08:08:08.004Z NFX150 mgd 86428 UI_COMMIT_PROGRESS [junos@2636.1.1.1.4.138.9 message="signaling 'Network security daemon', pid 16533, signal 31, status with notification errors enabled"] Commit operation in progress: signaling 'Network security daemon', pid 16533, signal 31, status 0 with notification errors enabled

<30>1 2024-01-01T08:08:08.005Z NFX150 nsd 16533 NSD_SYS_TIME_CHANGE - System time has changed.

FPT_TST_EXT.1 None None None
FPT_TUD_EXT.1 Initiation of update; result of the update attempt (success or failure) None

Initiation of update;

<190>1 2025-03-11T08:46:25.869Z NFX150 mgd 67883 UI_CHILD_START [junos@2636.1.1.1.4.138.9 command="/usr/libexec/ui/package"] Starting child '/usr/libexec/ui/package'

<29>1 2025-03-11T08:46:25.876Z NFX150 mgd 67883 - - /usr/libexec/ui/package -X update /var/public/jinstall-host-nfx-3-x86-64-23.4R1.10-secure-signed.tgz

result of the update attempt (success or failure)

  • success

**NOTE: A status-code of "0" in the UI_CHILD_STATUS record for /usr/libexec/ui/package indicates that the upgrade succeeded.**

<190>1 2025-03-11T08:46:25.869Z NFX150 mgd 67883 UI_CHILD_START [junos@2636.1.1.1.4.138.9 command="/usr/libexec/ui/package"] Starting child '/usr/libexec/ui/package'

<29>1 2025-03-11T08:46:25.876Z NFX150 mgd 67883 - - /usr/libexec/ui/package -X update /var/public/jinstall-host-nfx-3-x86-64-23.4R1.10-secure-signed.tgz

<190>1 2025-03-11T09:06:03.372Z NFX150 mgd 67883 UI_CHILD_STATUS [junos@2636.1.1.1.4.138.9 command="/usr/libexec/ui/package" pid="68411" status-code="0"] Cleanup child '/usr/libexec/ui/package', PID 68411, status 0

  • failure

**NOTE: Any status-code other than "0" indicates that the upgrade failed. The status-code is the raw process wait status, so the exit code that UI_CHILD_EXITED reports as return-value is the status-code divided by 256 (0x100 here, that is, exit status 1).**

<190>1 2024-12-31T12:57:30.289Z NFX150 mgd 92511 UI_CHILD_STATUS [junos@2636.1.1.1.4.138.9 command="/usr/libexec/ui/package" pid="17247" status-code="256"] Cleanup child '/usr/libexec/ui/package', PID 17247, status 0x100

<29>1 2024-12-31T12:57:30.289Z NFX150 mgd 92511 UI_CHILD_EXITED [junos@2636.1.1.1.4.138.9 pid="17247" return-value="1" core-dump-status="" command="/usr/libexec/ui/package"] Child exited: PID 17247, status 1, command '/usr/libexec/ui/package'
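The FPT_STM_EXT.1 and FPT_TUD_EXT.1 rows above leave two things to the reader. The old and new time are not fields of any record: the 'set date' command record is stamped with the old clock and the 'date set by root' record with the new one. The update result is a raw wait status in UI_CHILD_STATUS that has to be matched to the UI_CHILD_START emitted by the same mgd process. The following Python is an added example written for this page, not Juniper code: it parses the RFC 5424 records shown above, correlates child-process start and status by mgd PROCID, decodes the status-code, and reports both the update outcome and the time change. The sample records are copied from the page's rows; their order is constructed, and the failed-update record has no matching start record on the page, which the code tolerates.

```python
"""Correlate Junos RFC 5424 audit records by mgd PID (added example, not Juniper code)."""
import re
from datetime import datetime, timezone

PACKAGE = '/usr/libexec/ui/package'
TS_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ'

# <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG, where SD is "-" or
# [junos@... name="value" ...]; a value may hold an escaped "]" as in pathname="[...\]".
_HEADER = re.compile(
    r'^<\d+>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
    r'(?:-|\[(?P<sd>(?:[^\]\\]|\\.)*)\]) (?P<msg>.*)$')
_PARAM = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')


def parse(line):
    """Header fields plus a dict of SD-PARAMs (empty when SD is '-'); None if not a record."""
    m = _HEADER.match(line)
    if not m:
        return None
    rec = m.groupdict()
    body = rec['sd'].partition(' ')[2] if rec['sd'] else ''   # drop the junos@... SD-ID
    rec['params'] = dict(_PARAM.findall(body))
    rec['time'] = datetime.strptime(rec['ts'], TS_FORMAT).replace(tzinfo=timezone.utc)
    return rec


def decode_status(status_code):
    """UI_CHILD_STATUS status-code is the raw wait(2) status: exit code in bits 8-15,
    terminating signal in bits 0-6. The page's records agree: 0x200 -> exit 2,
    0x100 -> exit 1, 0 -> success."""
    signal = status_code & 0x7f
    if signal:
        return ('signal', signal)
    return ('exit', (status_code >> 8) & 0xff)


def update_outcomes(lines):
    """FPT_TUD_EXT.1: pair UI_CHILD_START of the package tool with the UI_CHILD_STATUS
    from the same mgd process and classify the result."""
    pending = {}    # mgd PROCID -> {'started': datetime, 'image': str or None}
    outcomes = []
    for rec in filter(None, map(parse, lines)):
        p, pid = rec['params'], rec['procid']
        if rec['msgid'] == 'UI_CHILD_START' and p.get('command') == PACKAGE:
            pending[pid] = {'started': rec['time'], 'image': None}
        elif rec['msgid'] == '-' and rec['msg'].startswith(PACKAGE) and pid in pending:
            pending[pid]['image'] = rec['msg'].split()[-1]   # the unstructured mgd line names the image
        elif rec['msgid'] == 'UI_CHILD_STATUS' and p.get('command') == PACKAGE:
            start = pending.pop(pid, {'started': None, 'image': None})  # tolerate a missing start
            kind, code = decode_status(int(p['status-code']))
            outcomes.append({'mgd_pid': pid, 'child_pid': p.get('pid'),
                             'started': start['started'], 'finished': rec['time'],
                             'image': start['image'], 'ok': kind == 'exit' and code == 0,
                             'detail': f'{kind} {code}'})
    return outcomes


def time_changes(lines):
    """FPT_STM_EXT.1: the old time is the timestamp of the 'set date' command record,
    the new time is the timestamp of the 'date set by root' record that follows it."""
    changes, pending = [], None
    for rec in filter(None, map(parse, lines)):
        cmd = rec['params'].get('command', '')
        if rec['msgid'] == 'UI_CMDLINE_READ_LINE' and cmd.startswith('set date '):
            pending = rec
        elif pending and rec['app'] == 'date' and rec['msg'] == 'date set by root':
            changes.append({'user': pending['params'].get('username'),
                            'requested': pending['params']['command'].split()[2],
                            'old': pending['time'], 'new': rec['time']})
            pending = None
    return changes


# Records copied from the page's FPT_STM_EXT.1 and FPT_TUD_EXT.1 rows; the order is constructed.
SAMPLE = r'''
<190>1 2024-07-17T05:22:26.318Z NFX150 mgd 86428 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="set date 202401010808.08 "] User 'admin', command 'set date 202401010808.08 '
<190>1 2024-07-17T05:22:26.355Z NFX150 mgd 86428 UI_CHILD_START [junos@2636.1.1.1.4.138.9 command="/bin/date"] Starting child '/bin/date'
<37>1 2024-01-01T08:08:08.001Z NFX150 date 86525 - - date set by root
<190>1 2024-01-01T08:08:08.003Z NFX150 mgd 86428 UI_CHILD_STATUS [junos@2636.1.1.1.4.138.9 command="/bin/date" pid="86525" status-code="512"] Cleanup child '/bin/date', PID 86525, status 0x200
<190>1 2024-12-31T12:57:30.289Z NFX150 mgd 92511 UI_CHILD_STATUS [junos@2636.1.1.1.4.138.9 command="/usr/libexec/ui/package" pid="17247" status-code="256"] Cleanup child '/usr/libexec/ui/package', PID 17247, status 0x100
<190>1 2025-03-11T08:46:25.869Z NFX150 mgd 67883 UI_CHILD_START [junos@2636.1.1.1.4.138.9 command="/usr/libexec/ui/package"] Starting child '/usr/libexec/ui/package'
<29>1 2025-03-11T08:46:25.876Z NFX150 mgd 67883 - - /usr/libexec/ui/package -X update /var/public/jinstall-host-nfx-3-x86-64-23.4R1.10-secure-signed.tgz
<190>1 2025-03-11T09:06:03.372Z NFX150 mgd 67883 UI_CHILD_STATUS [junos@2636.1.1.1.4.138.9 command="/usr/libexec/ui/package" pid="68411" status-code="0"] Cleanup child '/usr/libexec/ui/package', PID 68411, status 0
'''.strip().splitlines()

if __name__ == '__main__':
    for o in update_outcomes(SAMPLE):
        print('update', o['image'], 'ok' if o['ok'] else 'FAILED', o['detail'])
    for c in time_changes(SAMPLE):
        print('time change by', c['user'], c['old'].isoformat(), '->', c['new'].isoformat())
```

Matching on the mgd PROCID rather than on the child PID is deliberate: the UI_CHILD_START record carries no child PID, and the unstructured line naming the image has no MSGID at all, so the mgd process that ran the command is the only field all three records share.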

FTA_SSL.3 The termination of a remote session by the session locking mechanism None

The termination of a remote session by the session locking mechanism

<14>1 2024-07-26T08:11:35.478Z NFX150 -cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.4.138.9 username="acumensec"] Idle timeout for user 'acumensec' exceeded and session terminated

<190>1 2024-07-26T08:11:35.480Z NFX150 mgd 94466 UI_LOGOUT_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec"] User 'acumensec' logout

FTA_SSL.4 The termination of an interactive session None

The termination of an interactive session

<190>1 2024-07-26T05:42:38.870Z NFX150 mgd 85083 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="exit "] User 'acumensec', command 'exit '

<190>1 2024-07-26T05:42:38.886Z NFX150 mgd 85083 UI_LOGOUT_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec"] User 'acumensec' logout

FTA_SSL_EXT.1 (if “terminate the session” is selected) The termination of a local session by the session locking mechanism None

The termination of a local session by the session locking mechanism

<14>1 2024-07-29T10:30:05.398Z NFX150 -cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.4.138.9 username="admin"] Idle timeout for user 'admin' exceeded and session terminated

<190>1 2024-07-29T10:30:05.401Z NFX150 mgd 18948 UI_LOGOUT_EVENT [junos@2636.1.1.1.4.138.9 username="admin"] User 'admin' logout

FTA_TAB.1 None None None
FTP_ITC.1
Auditable events:
  • Initiation of the trusted channel
  • Termination of the trusted channel
  • Failure of the trusted channel functions
Additional audit record contents:
  • None
  • None
  • Reason for failure

Initiation

<38>1 2024-07-24T14:14:32.054Z NFX150 sshd 39582 - - Accepted publickey for syslog-mon from 10.1.3.92 port 51482 ssh2: ECDSA SHA256:met/KQpWvwb2DiFQbqr5UnWKRr60iya1CZkX+G8q0kQ

<190>1 2024-07-24T14:14:32.221Z NFX150 mgd 39586 UI_AUTH_EVENT [junos@2636.1.1.1.4.138.9 username="syslog-mon" authentication-level="j-monitor"] Authenticated user 'syslog-mon' assigned to class 'j-monitor'

<190>1 2024-07-24T14:14:32.221Z NFX150 mgd 39586 UI_LOGIN_EVENT [junos@2636.1.1.1.4.138.9 username="syslog-mon" class-name="j-monitor" local-peer="" pid="39586" ssh-connection="10.1.3.92 51482 10.1.2.6 22" client-mode="cli"] User 'syslog-mon' login, class 'j-monitor' [39586], ssh-connection '10.1.3.92 51482 10.1.2.6 22', client-mode 'cli'

Failure

<38>1 2025-06-20T10:26:37.308Z NFX150 sshd 65276 - - Unable to negotiate with 10.1.2.53 port 40560: no matching MAC found. Their offer: hmac-md5 [preauth]

<38>1 2025-06-20T10:26:37.309Z NFX150 sshd 65277 - - Unable to negotiate with 10.1.2.53 port 40560: no matching MAC found. Their offer: hmac-md5

Termination

<30>1 2024-07-24T14:16:48.694Z NFX150 mgd 39585 UI_NETCONF_MONITORING_DELETE [junos@2636.1.1.1.4.138.9 message="39585"] Netconf session with pid '39585' is being deleted

<190>1 2024-07-24T14:16:48.695Z NFX150 mgd 39585 UI_LOGOUT_EVENT [junos@2636.1.1.1.4.138.9 username="syslog-mon"] User 'syslog-mon' logout

FTP_TRP.1/Admin
Auditable events:
  • Initiation of the trusted path
  • Termination of the trusted path.
  • Failure of the trusted path functions.
Additional audit record contents:
  • None
  • None
  • Reason for failure

  • Initiation of the trusted path

<38>1 2024-07-19T12:46:25.042Z NFX150 sshd 97371 - - Accepted keyboard-interactive/pam for acumensec from 10.1.2.146 port 53940 ssh2

<190>1 2024-07-19T12:46:25.191Z NFX150 mgd 97382 UI_AUTH_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec" authentication-level="j-security-admin"] Authenticated user 'acumensec' assigned to class 'j-security-admin'

<190>1 2024-07-19T12:46:25.192Z NFX150 mgd 97382 UI_LOGIN_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec" class-name="j-security-admin" local-peer="" pid="97382" ssh-connection="10.1.2.146 53940 10.1.2.6 22" client-mode="cli"] User 'acumensec' login, class 'j-security-admin' [97382], ssh-connection '10.1.2.146 53940 10.1.2.6 22', client-mode 'cli'

  • Termination of the trusted path.

<190>1 2024-08-05T09:42:11.987Z NFX150 mgd 25709 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="exit "] User 'acumensec', command 'exit '

<190>1 2024-08-05T09:42:11.997Z NFX150 mgd 25709 UI_LOGOUT_EVENT [junos@2636.1.1.1.4.138.9 username="acumensec"] User 'acumensec' logout

<38>1 2024-08-05T09:42:12.013Z NFX150 sshd 25707 - - Received disconnect from 10.1.3.92 port 50968:11: disconnected by user

<38>1 2024-08-05T09:42:12.013Z NFX150 sshd 25707 - - Disconnected from user acumensec 10.1.3.92 port 50968

  • Failure of the trusted path functions.

<35>1 2024-07-19T12:41:04.793Z NFX150 sshd 97034 - - error: PAM: Authentication error for acumensec from 10.1.2.146

<37>1 2024-07-19T12:41:04.794Z NFX150 sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.4.138.9 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'
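The FIA_AFL.1 row configures tries-before-disconnect 3 and lockout-period 5, the re-enable row shows LIBJNX_LOGIN_ACCOUNT_UNLOCKED, and the FTP_ITC.1 and FTP_TRP.1 failure records show SSHD_LOGIN_FAILED and sshd's "Unable to negotiate" message. The Python below is an added example, not Juniper code: it watches those records, raises an alert when a user accumulates tries-before-disconnect consecutive SSHD_LOGIN_FAILED records (treating that count as the FIA_AFL.1 lockout trigger is an assumption of the example; the page shows only the configuration and the unlock record), resets the count on a successful login or an unlock, and reports each failed algorithm negotiation once per peer and port, because the page's sample logs the same failure twice, once with [preauth]. Records marked constructed are invented to exercise the counter; the rest are the page's.

```python
"""Login-failure and trusted-path checks over Junos sshd/mgd records (added example, not Juniper code)."""
import re

# Targeted patterns for the record shapes shown on the page.
_TS = re.compile(r'^<\d+>1 (\S+) ')
_FAILED = re.compile(r' SSHD_LOGIN_FAILED \[junos@\S+ username="([^"]*)" source-address="([^"]*)"\]')
_ACCEPTED = re.compile(r' sshd \S+ - - Accepted \S+ for (\S+) from (\S+) port \d+')
_UNLOCKED = re.compile(r' LIBJNX_LOGIN_ACCOUNT_UNLOCKED \[junos@\S+ username="([^"]*)"\]')
_NEGOTIATE = re.compile(r' sshd \S+ - - Unable to negotiate with (\S+) port (\d+): (.+?)\. Their offer: (\S+)')


def review_logins(lines, tries_before_disconnect=3):
    """Return alerts in record order. Assumption: tries_before_disconnect consecutive
    SSHD_LOGIN_FAILED records for one user are what trigger the FIA_AFL.1 lockout."""
    failures = {}        # username -> consecutive SSHD_LOGIN_FAILED count
    reported = set()     # (peer, port) of negotiation failures already reported
    alerts = []
    for line in lines:
        ts = _TS.match(line)
        ts = ts.group(1) if ts else None
        if m := _FAILED.search(line):
            user, source = m.groups()
            failures[user] = failures.get(user, 0) + 1
            if failures[user] >= tries_before_disconnect:
                alerts.append({'time': ts, 'kind': 'lockout-expected', 'user': user,
                               'source': source, 'failures': failures[user]})
        elif m := _ACCEPTED.search(line):
            failures[m.group(1)] = 0          # successful login resets the counter
        elif m := _UNLOCKED.search(line):
            failures[m.group(1)] = 0          # administrator re-enabled the account
            alerts.append({'time': ts, 'kind': 'account-unlocked', 'user': m.group(1)})
        elif m := _NEGOTIATE.search(line):
            peer, port, reason, offer = m.groups()
            if (peer, port) not in reported:  # the page's sample logs one failure twice ([preauth] and parent)
                reported.add((peer, port))
                alerts.append({'time': ts, 'kind': 'negotiation-failure', 'peer': peer,
                               'port': port, 'reason': reason, 'offer': offer})
    return alerts


# Lines 1-4 and 7-8 are constructed to exercise the counter; the others are the page's records.
SAMPLE = r'''
<35>1 2024-07-19T12:39:50.101Z NFX150 sshd 96990 - - error: PAM: Authentication error for acumensec from 10.1.2.146
<37>1 2024-07-19T12:39:50.102Z NFX150 sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.4.138.9 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'
<35>1 2024-07-19T12:40:27.410Z NFX150 sshd 97011 - - error: PAM: Authentication error for acumensec from 10.1.2.146
<37>1 2024-07-19T12:40:27.411Z NFX150 sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.4.138.9 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'
<35>1 2024-07-19T12:41:04.793Z NFX150 sshd 97034 - - error: PAM: Authentication error for acumensec from 10.1.2.146
<37>1 2024-07-19T12:41:04.794Z NFX150 sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.4.138.9 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'
<190>1 2024-07-19T12:44:10.512Z NFX150 mgd 97200 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="admin" command="clear system login lockout user acumensec "] User 'admin', command 'clear system login lockout user acumensec '
<37>1 2024-07-19T12:44:10.530Z NFX150 mgd 97200 LIBJNX_LOGIN_ACCOUNT_UNLOCKED [junos@2636.1.1.1.4.138.9 username="acumensec"] Account for user 'acumensec' has been unlocked for logins
<38>1 2024-07-19T12:46:25.042Z NFX150 sshd 97371 - - Accepted keyboard-interactive/pam for acumensec from 10.1.2.146 port 53940 ssh2
<38>1 2025-06-20T10:26:37.308Z NFX150 sshd 65276 - - Unable to negotiate with 10.1.2.53 port 40560: no matching MAC found. Their offer: hmac-md5 [preauth]
<38>1 2025-06-20T10:26:37.309Z NFX150 sshd 65277 - - Unable to negotiate with 10.1.2.53 port 40560: no matching MAC found. Their offer: hmac-md5
'''.strip().splitlines()

if __name__ == '__main__':
    for alert in review_logins(SAMPLE):
        print(alert)
```

The counter keys on SSHD_LOGIN_FAILED rather than on the preceding PAM "Authentication error" line because only the Junos structured record carries username and source-address as fields; the PAM line is free text and is the one sshd emits regardless of how the TOE was configured.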

FAU_GEN.1/IPS
Auditable events:
  • Start-up and shut-down of the IPS functions;
  • All IPS auditable events for the [not specified] level of audit; and
  • [All dissimilar IPS events;
    All dissimilar IPS reactions;
    Totals of similar events occurring within a specified time period; and
    Totals of similar reactions occurring within a specified time period.]
Additional audit record contents: None
  • Start-up and shut-down of the IPS functions;

Note: There is no manual startup/shutdown of the IPS functions, which is tied to startup/shutdown of the TOE itself, logs for which implicitly indicate the IPS functions stopping and starting as well.

TOE Shutdown:

<45>1 2024-11-13T11:27:56.011Z NFX150 eventd 24288 SYSTEM_SHUTDOWN [junos@2636.1.1.1.4.138.9 type="<unknown>" username="<unknown>" time="<unknown>" message="no message"] System <unknown> by <unknown> at <unknown>: no message

TOE Startup:

<45>1 2024-11-13T11:27:56.013Z NFX150 eventd 24288 SYSTEM_OPERATIONAL - System is operational

<38>1 2024-11-13T11:28:05.813Z NFX150 jlaunchd 24296 - - Registered PID 24289(event-processing): new process

  • All IPS auditable events for the [not specified] level of audit; and

[All dissimilar IPS events; All dissimilar IPS reactions;

<14>1 2024-12-16T10:53:22.087Z NFX150 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.4.138.9 epoch-time="1734346402" message-type="SIG" source-address="10.1.9.21" source-port="1" destination-address="10.1.3.92" destination-port="1" protocol-name="IPIP" service-name="SERVICE_IDP" application-name="NONE" rule-name="rule1" rulebase-name="IPS" policy-name="IDP_Deny_Policy" export-id="1048584" repeat-count="0" action="DROP" threat-severity="INFO" attack-name="ipv4-version" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="0.0.0.0" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="trust" source-interface-name="ge-1/0/1.0" destination-zone-name="untrust" destination-interface-name="ge-1/0/2.0" packet-log-id="0" alert="yes" username="N/A" roles="N/A" xff-header="N/A" cve-id="N/A" session-id="236223227232" message="-"] IDP: at 1734346402, SIG Attack log <10.1.9.21/1->10.1.3.92/1> for IPIP protocol and service SERVICE_IDP application NONE by rule rule1 of rulebase IPS in policy IDP_Deny_Policy. attack: id=1048584, repeat=0, action=DROP, threat-severity=INFO, name=ipv4-version, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:ge-1/0/1.0->untrust:ge-1/0/2.0, packet-log-id: 0, alert=yes, username=N/A, roles=N/A, xff-header=N/A, cve-id=N/A, session-id=236223227232 and misc-message -

  • Totals of similar events occurring within a specified time period; and

Totals of similar reactions occurring within a specified time period.

<11>1 2024-12-10T10:19:33.670Z NFX150 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.4.138.9 attack-name="SYN flood Src-IP based!" source-address="10.1.9.21" source-port="5858" destination-address="10.1.3.92" destination-port="1001" source-zone-name="trust" interface-name="ge-1/0/1.0" action="drop"] SYN flood Src-IP based! source: 10.1.9.21:5858, destination: 10.1.3.92:1001, zone name: trust, interface name: ge-1/0/1.0, action: drop
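The FAU_GEN.1/IPS row asks for dissimilar events and reactions to be recorded individually and for totals of similar events and reactions within a time period, but shows a single RT_SCREEN_TCP record. The Python below is an added example, not Juniper code: it reads IDP_ATTACK_LOG_EVENT and RT_SCREEN_TCP records, keys them on message, attack name, endpoints and action, records the first occurrence of each distinct key, and counts every record in fixed windows. The window length and the choice of key fields are assumptions of the example, the extra RT_SCREEN_TCP records are constructed, and the IDP record is abridged from the page's IPS_SBD_EXT.1 row.

```python
"""Dissimilar IPS events and windowed totals of similar ones (added example, not Juniper code)."""
import re
from datetime import datetime, timezone

IPS_MSGIDS = {'IDP_ATTACK_LOG_EVENT', 'RT_SCREEN_TCP'}
TS_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ'
_HDR = re.compile(r'^<\d+>1 (\S+) \S+ (\S+) \S+ (\S+) ')   # timestamp, app, msgid
_KV = re.compile(r'(\S+?)="([^"]*)"')                         # SD-PARAM name="value"


def event_key(msgid, fields):
    """Two records are 'similar' when message, attack, endpoints and reaction match.
    Which fields define similarity is an assumption of this example."""
    return (msgid, fields.get('attack-name', ''), fields.get('source-address', ''),
            fields.get('destination-address', ''), fields.get('action', ''))


def window_start(ts, window_seconds):
    """Start of the fixed window containing ts, as a syslog-style UTC string."""
    epoch = int(datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc).timestamp())
    start = datetime.fromtimestamp(epoch - epoch % window_seconds, tz=timezone.utc)
    return start.strftime('%Y-%m-%dT%H:%M:%SZ')


def ips_report(lines, window_seconds=60):
    """Return (dissimilar, totals): dissimilar maps each distinct key to the timestamp of its
    first record; totals maps (window start, key) to the number of records in that window."""
    dissimilar, totals = {}, {}
    for line in lines:
        h = _HDR.match(line)
        if not h or h.group(3) not in IPS_MSGIDS:
            continue                     # not an IPS event (UI_*, RT_FLOW_* and friends are skipped)
        ts, msgid = h.group(1), h.group(3)
        key = event_key(msgid, dict(_KV.findall(line)))
        dissimilar.setdefault(key, ts)
        slot = (window_start(ts, window_seconds), key)
        totals[slot] = totals.get(slot, 0) + 1
    return dissimilar, totals


# The first RT_SCREEN_TCP record and the (abridged) IDP record are the page's; the other
# RT_SCREEN_TCP records are constructed repeats with new timestamps and source ports.
SAMPLE = r'''
<14>1 2024-12-03T10:24:41.064Z NFX150 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.4.138.9 epoch-time="1733221481" message-type="SIG" source-address="10.1.9.21" source-port="34688" destination-address="10.1.3.92" destination-port="25" protocol-name="TCP" rule-name="rule1" rulebase-name="IPS" policy-name="IDP_Deny_Policy" action="DROP" threat-severity="INFO" attack-name="check-string" source-interface-name="ge-1/0/1.0" session-id="111669162905" message="-"] IDP: at 1733221481, SIG Attack log <10.1.9.21/34688->10.1.3.92/25> for TCP protocol
<11>1 2024-12-10T10:19:33.670Z NFX150 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.4.138.9 attack-name="SYN flood Src-IP based!" source-address="10.1.9.21" source-port="5858" destination-address="10.1.3.92" destination-port="1001" source-zone-name="trust" interface-name="ge-1/0/1.0" action="drop"] SYN flood Src-IP based! source: 10.1.9.21:5858, destination: 10.1.3.92:1001, zone name: trust, interface name: ge-1/0/1.0, action: drop
<11>1 2024-12-10T10:19:41.102Z NFX150 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.4.138.9 attack-name="SYN flood Src-IP based!" source-address="10.1.9.21" source-port="5859" destination-address="10.1.3.92" destination-port="1001" source-zone-name="trust" interface-name="ge-1/0/1.0" action="drop"] SYN flood Src-IP based! source: 10.1.9.21:5859, destination: 10.1.3.92:1001, zone name: trust, interface name: ge-1/0/1.0, action: drop
<11>1 2024-12-10T10:19:47.331Z NFX150 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.4.138.9 attack-name="SYN flood Src-IP based!" source-address="10.1.9.22" source-port="4411" destination-address="10.1.3.92" destination-port="1001" source-zone-name="trust" interface-name="ge-1/0/1.0" action="drop"] SYN flood Src-IP based! source: 10.1.9.22:4411, destination: 10.1.3.92:1001, zone name: trust, interface name: ge-1/0/1.0, action: drop
<11>1 2024-12-10T10:19:55.518Z NFX150 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.4.138.9 attack-name="SYN flood Src-IP based!" source-address="10.1.9.21" source-port="5860" destination-address="10.1.3.92" destination-port="1001" source-zone-name="trust" interface-name="ge-1/0/1.0" action="drop"] SYN flood Src-IP based! source: 10.1.9.21:5860, destination: 10.1.3.92:1001, zone name: trust, interface name: ge-1/0/1.0, action: drop
<11>1 2024-12-10T10:21:10.004Z NFX150 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.4.138.9 attack-name="SYN flood Src-IP based!" source-address="10.1.9.21" source-port="5861" destination-address="10.1.3.92" destination-port="1001" source-zone-name="trust" interface-name="ge-1/0/1.0" action="drop"] SYN flood Src-IP based! source: 10.1.9.21:5861, destination: 10.1.3.92:1001, zone name: trust, interface name: ge-1/0/1.0, action: drop
'''.strip().splitlines()

if __name__ == '__main__':
    dissimilar, totals = ips_report(SAMPLE)
    for key, first in dissimilar.items():
        print('first seen', first, key)
    for (window, key), count in sorted(totals.items()):
        print(window, count, key[0], key[1], key[2], '->', key[3], key[4])
```

Source port is deliberately left out of the key: the page's SYN-flood screen fires per source IP, so counting by source port would turn one flood into many "dissimilar" events and defeat the totals the requirement asks for.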

FMT_SMF.1/IPS Modification of an IPS policy element. Identifier or name of the modified IPS policy element (e.g. which signature, baseline, or known-good/known-bad list was modified).

Modification of an IPS policy element:

<190>1 2024-11-28T12:23:35.702Z NFX150 mgd 8995 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="set security idp custom-attack IPv4_source severity info "] User 'acumensec', command 'set security idp custom-attack IPv4_source severity info '

<190>1 2024-11-28T12:23:35.930Z NFX150 mgd 8995 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="set security idp custom-attack IPv4_source attack-type signature context packet "] User 'acumensec', command 'set security idp custom-attack IPv4_source attack-type signature context packet '

<190>1 2024-11-28T12:23:36.019Z NFX150 mgd 8995 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="set security idp custom-attack IPv4_source attack-type signature direction any "] User 'acumensec', command 'set security idp custom-attack IPv4_source attack-type signature direction any '

<190>1 2024-11-28T12:23:36.107Z NFX150 mgd 8995 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="set security idp custom-attack IPv4_source attack-type signature protocol ipv4 source match equal "] User 'acumensec', command 'set security idp custom-attack IPv4_source attack-type signature protocol ipv4 source match equal '

<190>1 2024-11-28T12:23:36.177Z NFX150 mgd 8995 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="set security idp custom-attack IPv4_source attack-type signature protocol ipv4 source value 10.1.9.21 "] User 'acumensec', command 'set security idp custom-attack IPv4_source attack-type signature protocol ipv4 source value 10.1.9.21 '

<190>1 2024-11-28T12:29:01.408Z NFX150 mgd 8995 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="set security idp idp-policy IDP_Source rulebase-ips rule rule1 match from-zone any "] User 'acumensec', command 'set security idp idp-policy IDP_Source rulebase-ips rule rule1 match from-zone any '

<190>1 2024-11-28T12:29:01.469Z NFX150 mgd 8995 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="set security idp idp-policy IDP_Source rulebase-ips rule rule1 match source-address any "] User 'acumensec', command 'set security idp idp-policy IDP_Source rulebase-ips rule rule1 match source-address any '

<190>1 2024-11-28T12:29:01.565Z NFX150 mgd 8995 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="set security idp idp-policy IDP_Source rulebase-ips rule rule1 match to-zone any "] User 'acumensec', command 'set security idp idp-policy IDP_Source rulebase-ips rule rule1 match to-zone any '

<190>1 2024-11-28T12:29:01.647Z NFX150 mgd 8995 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="set security idp idp-policy IDP_Source rulebase-ips rule rule1 match destination-address any "] User 'acumensec', command 'set security idp idp-policy IDP_Source rulebase-ips rule rule1 match destination-address any '

<190>1 2024-11-28T12:29:01.735Z NFX150 mgd 8995 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="set security idp idp-policy IDP_Source rulebase-ips rule rule1 match application default "] User 'acumensec', command 'set security idp idp-policy IDP_Source rulebase-ips rule rule1 match application default '

<190>1 2024-11-28T12:29:01.824Z NFX150 mgd 8995 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="set security idp idp-policy IDP_Source rulebase-ips rule rule1 match attacks custom-attacks IPv4_source "] User 'acumensec', command 'set security idp idp-policy IDP_Source rulebase-ips rule rule1 match attacks custom-attacks IPv4_source '

<190>1 2024-11-28T12:29:01.896Z NFX150 mgd 8995 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="set security idp idp-policy IDP_Source rulebase-ips rule rule1 then action drop-connection "] User 'acumensec', command 'set security idp idp-policy IDP_Source rulebase-ips rule rule1 then action drop-connection '

<190>1 2024-11-28T12:29:02.840Z NFX150 mgd 8995 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="set security idp idp-policy IDP_Source rulebase-ips rule rule1 then notification log-attacks alert "] User 'acumensec', command 'set security idp idp-policy IDP_Source rulebase-ips rule rule1 then notification log-attacks alert '

IPS_ABD_EXT.1 Inspected traffic matches an anomaly-based IPS policy.
  • Source and destination IP addresses.
  • The content of the header fields that were determined to match the policy.
  • TOE interface that received the packet.
  • Aspect of the anomaly-based IPS policy rule that triggered the event (e.g. throughput, time of day, frequency, etc.).
  • Network-based action by the TOE (e.g. allowed, blocked, sent reset to source IP, sent blocking notification to firewall).

<14>1 2024-12-04T10:34:55.417Z NFX150 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.4.138.9 source-address="2001:10:1:9:0:0:0:21" source-port="11" destination-address="2001:10:1:3:0:0:0:92" destination-port="1" connection-tag="0" service-name="icmpv6" protocol-id="58" icmp-type="128" policy-name="schedule" source-zone-name="trust" destination-zone-name="untrust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-1/0/1.0" encrypted="No" reason="Denied by policy" session-id="171798719630" application-category="N/A" source-tenant="N/A" destination-service="N/A" user-type="N/A" dst-identity-context-name="N/A" dst-identity-context-roles="NA"] session denied 2001:10:1:9:0:0:0:21/11->2001:10:1:3:0:0:0:92/1 0x0 icmpv6 58(128) schedule trust untrust UNKNOWN UNKNOWN N/A(N/A) ge-1/0/1.0 No Denied by policy 171798719630 N/A N/A -1 N/A N/A N/A N/A N/A N/A N/A N/A
IPS_IPB_EXT.1 Inspected traffic matches a list of known-good or known-bad addresses applied to an IPS policy.
  • Source and destination IP addresses (and, if applicable, indication of whether the source and/or destination address matched the list).
  • TOE interface that received the packet.
  • Network-based action by the TOE (e.g. allowed, blocked, sent reset).

<14>1 2024-11-29T14:40:28.566Z NFX150 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.4.138.9 source-address="10.1.9.21" source-port="0" destination-address="10.1.3.92" destination-port="0" connection-tag="0" service-name="icmp" protocol-id="1" icmp-type="8" policy-name="known-bad-policy" source-zone-name="trust" destination-zone-name="untrust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-1/0/1.0" encrypted="No" reason="Denied by policy" session-id="253403074689" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" source-tenant="N/A" destination-service="N/A" user-type="N/A" dst-identity-context-name="N/A" dst-identity-context-roles="N/A"] session denied 10.1.9.21/0->10.1.3.92/0 0x0 icmp 1(8) known-bad-policy trust untrust UNKNOWN UNKNOWN N/A(N/A) ge-1/0/1.0 No Denied by policy 253403074689 N/A N/A -1 N/A N/A N/A N/A N/A N/A N/A N/A
IPS_NTA_EXT.1
Auditable events:
  • Modification of which IPS policies are active on a TOE interface.
  • Enabling/disabling a TOE interface with IPS policies applied.
  • Modification of which mode(s) is/are active on a TOE interface.
Additional audit record contents:
  • Identification of the TOE interface.
  • The IPS policy and interface mode (if applicable).

  • Modification of which IPS policies are active on a TOE interface:

<190>1 2025-01-02T13:18:07.424Z NFX150 mgd 19252 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="set security zones security-zone trust interfaces ge-1/0/1.0 host-inbound-traffic system-services all "] User 'acumensec', command 'set security zones security-zone trust interfaces ge-1/0/1.0 host-inbound-traffic system-services all '

<190>1 2025-01-02T13:18:07.561Z NFX150 mgd 19252 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.9 username="acumensec" command="set security policies from-zone trust to-zone untrust policy vpn-bypass then permit application-services idp-policy IDP_Source "] User 'acumensec', command 'set security policies from-zone trust to-zone untrust policy vpn-bypass then permit application-services idp-policy IDP_Source '

  • Enabling/disabling a TOE interface with IPS policies applied:

<182>1 2025-01-02T13:18:07.718Z NFX150 mgd 19252 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="acumensec" action="set" pathname="[interfaces ge-1/0/1 unit 0\]" delimiter="\"" data="disable" value="disable"] User 'acumensec' set: [interfaces ge-1/0/1 unit 0] "disable -- "disable"

  • Modification of which mode(s) is/are active on a TOE interface:

<182>1 2025-01-02T13:18:08.967Z NFX150 mgd 19252 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="acumensec" action="set" pathname="[interfaces ge-1/0/1\]" delimiter="\"" data="promiscuous-mode" value="promiscuous-mode"] User 'acumensec' set: [interfaces ge-1/0/1] "promiscuous-mode -- "promiscuous-mode"

IPS_SBD_EXT.1 Inspected traffic matches a signature-based IPS rule with logging enabled.
  • Name or identifier of the matched signature.
  • Source and destination IP addresses.
  • The content of the header fields that were determined to match the signature.
  • TOE interface that received the packet.
  • Network-based action by the TOE (e.g. allowed, blocked, sent reset).
<14>1 2024-12-03T10:24:41.064Z NFX150 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.4.138.9 epoch-time="1733221481" message-type="SIG" source-address="10.1.9.21" source-port="34688" destination-address="10.1.3.92" destination-port="25" protocol-name="TCP" service-name="SERVICE_IDP" application-name="NONE" rule-name="rule1" rulebase-name="IPS" policy-name="IDP_Deny_Policy" export-id="1048577" repeat-count="0" action="DROP" threat-severity="INFO" attack-name="check-string" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="0.0.0.0" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="trust" source-interface-name="ge-1/0/1.0" destination-zone-name="untrust" destination-interface-name="ge-1/0/2.0" packet-log-id="0" alert="yes" username="N/A" roles="N/A" xff-header="N/A" cve-id="N/A" session-id="111669162905" message="-"] IDP: at 1733221481, SIG Attack log <10.1.9.21/34688->10.1.3.92/25> for TCP protocol and service SERVICE_IDP application NONE by rule rule1 of rulebase IPS in policy IDP_Deny_Policy. attack: id=1048577, repeat=0, action=DROP, threat-severity=INFO, name=check-string, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:ge-1/0/1.0->untrust:ge-1/0/2.0, packet-log-id: 0, alert=yes, username=N/A, roles=N/A, xff-header=N/A, cve-id=N/A, session-id=111669162905 and misc-message -
FAU_GEN.1/VPN No events specified N/A None
FCS_CKM.1/IKE No events specified N/A None
FMT_SMF.1/VPN
Auditable events: All administrative actions
Additional audit record contents: No additional information.
Audit records:
  • Definition of packet filtering rules

<182>1 2024-11-05T13:12:28.637Z NFX250_TOE mgd 6601 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[firewall family inet filter SRC_DENY term drop from source-address 10.1.3.108/32\]" delimiter="" value=""] User 'admin' set: [firewall family inet filter SRC_DENY term drop from source-address 10.1.3.108/32]

<190>1 2024-11-05T13:12:28.638Z NFX250_TOE mgd 6601 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter SRC_DENY term drop from source-address 10.1.3.108/32 "] User 'admin', command 'set firewall family inet filter SRC_DENY term drop from source-address 10.1.3.108/32 '

<182>1 2024-11-05T13:12:28.720Z NFX250_TOE mgd 6601 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[firewall family inet filter SRC_DENY term drop then\]" delimiter="" data="unconfigured" value="log"] User 'admin' set: [firewall family inet filter SRC_DENY term drop then] unconfigured -- "log"

<190>1 2024-11-05T13:12:28.721Z NFX250_TOE mgd 6601 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter SRC_DENY term drop then log "] User 'admin', command 'set firewall family inet filter SRC_DENY term drop then log '

<182>1 2024-11-05T13:12:28.758Z NFX250_TOE mgd 6601 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[firewall family inet filter SRC_DENY term drop then discard\]" delimiter="" value=""] User 'admin' set: [firewall family inet filter SRC_DENY term drop then discard]

<190>1 2024-11-05T13:12:28.759Z NFX250_TOE mgd 6601 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter SRC_DENY term drop then discard "] User 'admin', command 'set firewall family inet filter SRC_DENY term drop then discard '

  • Association of packet filtering rules to network interfaces

<182>1 2024-11-05T13:12:28.791Z NFX250_TOE mgd 6601 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[interfaces st0 unit 0 family inet filter input\]" delimiter="" data="unconfigured" value="SRC_DENY"] User 'admin' set: [interfaces st0 unit 0 family inet filter input] unconfigured -- "SRC_DENY"

<190>1 2024-11-05T13:12:28.792Z NFX250_TOE mgd 6601 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set interfaces st0 unit 0 family inet filter input SRC_DENY "] User 'admin', command 'set interfaces st0 unit 0 family inet filter input SRC_DENY '

  • Ordering of packet filtering rules by priority

<190>1 2024-11-26T12:40:19.072Z NFX250_TOE mgd 84311 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter DST_Allow term allow from destination-address 10.1.9.40/32 "] User 'admin', command 'set firewall family inet filter DST_Allow term allow from destination-address 10.1.9.40/32 '

<182>1 2024-11-26T12:40:19.156Z NFX250_TOE mgd 84311 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[firewall family inet filter DST_Allow term allow then\]" delimiter="\"" data="log" value="log"] User 'admin' set: [firewall family inet filter DST_Allow term allow then] "log -- "log"

<190>1 2024-11-26T12:40:19.157Z NFX250_TOE mgd 84311 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter DST_Allow term allow then log "] User 'admin', command 'set firewall family inet filter DST_Allow term allow then log '

<182>1 2024-11-26T12:40:19.219Z NFX250_TOE mgd 84311 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[firewall family inet filter DST_Allow term allow then\]" delimiter="\"" data="accept" value="accept"] User 'admin' set: [firewall family inet filter DST_Allow term allow then] "accept -- "accept"

<190>1 2024-11-26T12:40:19.219Z NFX250_TOE mgd 84311 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter DST_Allow term allow then accept "] User 'admin', command 'set firewall family inet filter DST_Allow term allow then accept '

<190>1 2024-11-26T12:40:19.280Z NFX250_TOE mgd 84311 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter DST_Allow term deny from destination-address 10.1.9.40/32 "] User 'admin', command 'set firewall family inet filter DST_Allow term deny from destination-address 10.1.9.40/32 '

<182>1 2024-11-26T12:40:19.361Z NFX250_TOE mgd 84311 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.5 username="admin" action="set" pathname="[firewall family inet filter DST_Allow term deny then\]" delimiter="\"" data="log" value="log"] User 'admin' set: [firewall family inet filter DST_Allow term deny then] "log -- "log"

<190>1 2024-11-26T12:40:19.362Z NFX250_TOE mgd 84311 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter DST_Allow term deny then log "] User 'admin', command 'set firewall family inet filter DST_Allow term deny then log '

<190>1 2024-11-26T12:40:19.409Z NFX250_TOE mgd 84311 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.5 username="admin" command="set firewall family inet filter DST_Allow term deny then discard "] User 'admin', command 'set firewall family inet filter DST_Allow term deny then discard '

FPF_RUL_EXT.1
Auditable events: Application of rules configured with the ‘log’ operation
Additional audit record contents:
  • Source and destination addresses
  • Source and destination ports
  • Transport Layer Protocol
Audit records:
  • Application of rules configured with the ‘log’ operation

Time of Log: 2024-11-05 15:31:40 UTC, Filter: pfe, Filter action: discard, Name of interface: st0.0

Name of protocol: ICMP, Packet Length: 84, Source address: 10.1.3.108, Destination address: 10.1.9.40

ICMP type: 8, ICMP code: 0

Time of Log: 2024-11-05 15:31:30 UTC, Filter: pfe, Filter action: discard, Name of interface: st0.0

Name of protocol: ICMP, Packet Length: 84, Source address: 10.1.3.108, Destination address: 10.1.9.40

ICMP type: 8, ICMP code: 0

FPT_FLS.1/SelfTest No events specified N/A None
FPT_TST_EXT.3 No events specified N/A None
FTP_ITC.1/VPN
Auditable events:
  • Initiation of the trusted channel
  • Termination of the trusted channel
  • Failure of the trusted channel functions
Additional audit record contents:
  • No additional information.
  • No additional information.
  • Identification of the initiator and target of failed trusted channel establishment attempt
Audit records:
  • Initiation of the trusted channel

<30>1 2025-03-11T18:42:08.470Z NFX250_TOE kmd 17722 KMD_PM_SA_ESTABLISHED [junos@2636.1.1.1.4.138.5 local-address="10.1.5.11" remote-address="10.1.5.12" local-initiator="ipv4_subnet(any:0,[0..7\]=0.0.0.0/0)" remote-responder="ipv4_subnet(any:0,[0..7\]=0.0.0.0/0)" argument1="inbound" index1="2248954829" index2="0" mode="Tunnel" type="dynamic" traffic-selector-name="" first-forwarding-class=""] Local gateway: 10.1.5.11, Remote gateway: 10.1.5.12, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x860c53cd, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: FC Name:

<30>1 2025-03-11T18:42:08.470Z NFX250_TOE kmd 17722 KMD_PM_SA_ESTABLISHED [junos@2636.1.1.1.4.138.5 local-address="10.1.5.11" remote-address="10.1.5.12" local-initiator="ipv4_subnet(any:0,[0..7\]=0.0.0.0/0)" remote-responder="ipv4_subnet(any:0,[0..7\]=0.0.0.0/0)" argument1="outbound" index1="1690467735" index2="0" mode="Tunnel" type="dynamic" traffic-selector-name="" first-forwarding-class=""] Local gateway: 10.1.5.11, Remote gateway: 10.1.5.12, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x64c27d97, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: FC Name:

<30>1 2025-03-11T18:42:08.471Z NFX250_TOE kmd 17722 KMD_VPN_UP_ALARM_USER [junos@2636.1.1.1.4.138.5 vpn-name="vpn1" remote-address="10.1.5.12" local-address="10.1.5.11" gateway-name="gw1" group-name="vpn1" tunnel-id="131073" interface-name="st0.0" internal-ip="Not-Available" name=" ^A^E^K" peer-name="10.1.5.12" client-name="Not-Applicable" vrrp-group-id="0" traffic-selector-name="" traffic-selector-cfg-local-id="ipv4_subnet(any:0,[0..7\]=0.0.0.0/0)" traffic-selector-cfg-remote-id="ipv4_subnet(any:0,[0..7\]=0.0.0.0/0)" argument1="Static"] VPN vpn1 from 10.1.5.12 is up. Local-ip: 10.1.5.11, gateway name: gw1, vpn name: vpn1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: ^A^E^K, Remote IKE-ID: 10.1.5.12, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static

<30>1 2025-03-11T18:42:08.471Z NFX250_TOE kmd 17722 - - IKE negotiation successfully completed. IKE Version: 2, VPN: vpn1 Gateway: gw1, Local: 10.1.5.11/500, Remote: 10.1.5.12/500, Local IKE-ID: 10.1.5.11, Remote IKE-ID: 10.1.5.12, VR-ID: 0, Role: Initiator

  • Termination of the trusted channel

<27>1 2025-03-12T05:33:38.925Z NFX250_TOE kmd 17722 KMD_VPN_DOWN_ALARM_USER [junos@2636.1.1.1.4.138.5 vpn-name="vpn1" remote-address="10.1.5.12" local-address="10.1.5.11" gateway-name="gw1" group-name="vpn1" tunnel-id="131073" interface-name="st0.0" internal-ip="Not-Available" name=" ^A^E^K" peer-name="10.1.5.12" client-name="Not-Applicable" vrrp-group-id="0" traffic-selector-name="" traffic-selector-cfg-local-id="ipv4_subnet(any:0,[0..7\]=0.0.0.0/0)" traffic-selector-cfg-remote-id="ipv4_subnet(any:0,[0..7\]=0.0.0.0/0)" argument1="Static" tunnel-down-reason="User cleared IKE SA from CLI, corresponding IPSec SAs cleared"] VPN vpn1 from 10.1.5.12 is down. Local-ip: 10.1.5.11, gateway name: gw1, vpn name: vpn1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: ^A^E^K, Remote IKE-ID: 10.1.5.12, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static, Reason: User cleared IKE SA from CLI, corresponding IPSec SAs cleared

  • Failure of the trusted channel functions

<27>1 2024-07-30T14:15:13.659Z NFX250_TOE kmd 25443 - - IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn1 Gateway: gw1, Local: 10.1.5.11/500, Remote: 10.1.5.12/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
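The records in this table are RFC 5424 syslog messages: the fields a collector needs (username, pathname, source-address, attack-name, action, and so on) sit in one structured-data element `[junos@… key="value" …]`, and a literal `]` or `"` inside a value is escaped as `\]` or `\"`, as in the UI_CFG_AUDIT_SET record with `pathname="[interfaces ge-1/0/1\]"` and `delimiter="\""`. A collector that splits on the first `]` or `"` truncates exactly those values. The parser below is an added example, not Juniper's code or part of this page: it scans the structured data character by character, treats `-` as the RFC 5424 nil value (the IKE failure record has no structured data and no message ID), maps the message IDs shown in this table to the requirement rows under which they appear, and extracts the IPS_SBD_EXT.1 contents. The category names and the `Record`, `parse_record`, `classify` and `ips_fields` names are this example's own. The first two sample records are copied from this table; the IDP record is a constructed abbreviation of the page's IDP_ATTACK_LOG_EVENT record with fewer parameters.

```python
"""RFC 5424 structured-syslog parser for the Junos audit records in this table.

Added example, not Juniper's code. RFC 5424 escapes ']' as '\\]' and '"' as
'\\"' inside a PARAM-VALUE, so values are scanned one character at a time.
"""
import re
from dataclasses import dataclass
from typing import Optional

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then an SD-ELEMENT or "-"
_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.DOTALL)
_SD_ID = re.compile(r'[^ \]]+')
_PARAM_NAME = re.compile(r'([^= \]]+)="')


@dataclass
class Record:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    procid: str
    msgid: str
    sd_id: Optional[str]
    params: dict
    msg: str


def _parse_sd_element(text: str, pos: int):
    """Parse one SD-ELEMENT starting at text[pos] == '['; return (sd_id, params, end)."""
    m = _SD_ID.match(text, pos + 1) if text[pos] == '[' else None
    if not m:
        raise ValueError('expected SD-ELEMENT')
    sd_id, pos, params = m.group(0), m.end(), {}
    while pos < len(text):
        if text[pos] == ']':
            return sd_id, params, pos + 1
        if text[pos] == ' ':
            pos += 1
            continue
        m = _PARAM_NAME.match(text, pos)
        if not m:
            raise ValueError(f'malformed SD-PARAM at offset {pos}')
        name, pos, buf = m.group(1), m.end(), []
        while pos < len(text) and text[pos] != '"':
            if text[pos] == '\\' and pos + 1 < len(text) and text[pos + 1] in '"\\]':
                buf.append(text[pos + 1])      # unescape \" \\ \]
                pos += 2
            else:
                buf.append(text[pos])
                pos += 1
        if pos >= len(text):
            raise ValueError(f'unterminated value for {name}')
        params[name] = ''.join(buf)
        pos += 1                               # skip the closing quote
    raise ValueError('unterminated SD-ELEMENT')


def parse_record(line: str) -> Record:
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError('not an RFC 5424 record')
    rest = m['rest']
    if rest == '-' or rest.startswith('- '):   # NILVALUE: no structured data
        sd_id, params, end = None, {}, 1
    else:
        sd_id, params, end = _parse_sd_element(rest, 0)
    pri = int(m['pri'])
    return Record(pri // 8, pri % 8, m['ts'], m['host'], m['app'], m['procid'],
                  m['msgid'], sd_id, params, rest[end:].lstrip())


# Message IDs mapped to the requirement rows of this table under which they are shown.
_BY_MSGID = {
    'UI_CFG_AUDIT_SET': 'administrative action: configuration change',
    'UI_CFG_AUDIT_OTHER': 'administrative action: configuration change',
    'UI_CMDLINE_READ_LINE': 'administrative action: CLI command',
    'IDP_ATTACK_LOG_EVENT': 'IPS_SBD_EXT.1: signature match',
    'KMD_PM_SA_ESTABLISHED': 'FTP_ITC.1/VPN: initiation of the trusted channel',
    'KMD_VPN_UP_ALARM_USER': 'FTP_ITC.1/VPN: initiation of the trusted channel',
    'KMD_VPN_DOWN_ALARM_USER': 'FTP_ITC.1/VPN: termination of the trusted channel',
}


def classify(rec: Record) -> str:
    """Name the audit row a record belongs to; the IKE failure has no MSGID, so match its text."""
    if rec.msgid in _BY_MSGID:
        return _BY_MSGID[rec.msgid]
    if rec.app == 'kmd' and rec.msg.startswith('IKE negotiation failed'):
        return 'FTP_ITC.1/VPN: failure of the trusted channel'
    return 'unclassified'


def ips_fields(rec: Record) -> dict:
    """The IPS_SBD_EXT.1 contents: signature, addresses, receiving interface, action taken."""
    p = rec.params
    return {'signature': p.get('attack-name'), 'src': p.get('source-address'),
            'dst': p.get('destination-address'), 'ingress': p.get('source-interface-name'),
            'action': p.get('action')}


# Samples: the first two are copied from this table; the third is a constructed abbreviation.
SAMPLES = [
    r'''<182>1 2025-01-02T13:18:08.967Z NFX150 mgd 19252 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.9 username="acumensec" action="set" pathname="[interfaces ge-1/0/1\]" delimiter="\"" data="promiscuous-mode" value="promiscuous-mode"] User 'acumensec' set: [interfaces ge-1/0/1] "promiscuous-mode -- "promiscuous-mode"''',
    r'''<27>1 2024-07-30T14:15:13.659Z NFX250_TOE kmd 25443 - - IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn1 Gateway: gw1, Local: 10.1.5.11/500, Remote: 10.1.5.12/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator''',
    r'''<14>1 2024-12-03T10:24:41.064Z NFX150 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.4.138.9 source-address="10.1.9.21" destination-address="10.1.3.92" action="DROP" attack-name="check-string" source-interface-name="ge-1/0/1.0"] IDP: SIG Attack log (abbreviated sample)''',
]

if __name__ == '__main__':
    for rec in map(parse_record, SAMPLES):
        print(rec.timestamp, rec.msgid, classify(rec), rec.params or rec.msg[:60])
```

The facility and severity come from PRI (`PRI // 8` and `PRI % 8`): the configuration record's `<182>` is local6.info, the IKE failure's `<27>` is daemon.err, which is the field a collector would alert on before it has parsed anything else.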