traceoptions (Security Flow)

Syntax

Hierarchy Level

Description

CAUTION:

Enabling tracing can adversely impact scale and performance and may increase security risk. We strongly recommend using the trace, tracing, or traceoptions commands only under the guidance of a JTAC support engineer. After collecting the debug information, immediately disable tracing to minimize risk and restore normal system performance.

Configure flow tracing options.

Starting in Junos OS Release 24.2R1, we support local-debug-buf option to configure number of lines for the flow local trace buffer, and the maximum lines allowed is 40,000. A new flag packet-track has been introduced to get information about the packet being handled in SRX data path, The flag packet-track should be configured in root logical system. To track information about the packets in non root logical system use the option root-override along with flag packet-track.

Options

file

Configure the trace file options.

filename	Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory `/var/log`. By default, the name of the file is the name of the process being traced.
files `number`	Maximum number of trace files. When a trace file named `trace-file` reaches its maximum size, it is renamed to `trace-file.0`, then `trace-file.1`, and so on, until the maximum number of trace files is reached. The oldest archived file is overwritten. If you specify a maximum number of files, you also must specify a maximum file size with the `size` option and a filename. Range: 2 through 1000 files Default: 10 files
match `regular-expression`	Refine the output to include lines that contain the regular expression.
size `maximum-file-size`	Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named `trace-file` reaches this size, it is renamed `trace-file.0`. When the `trace-file` again reaches its maximum size, `trace-file.0` is renamed `trace-file.1` and `trace-file` is renamed `trace-file.0`. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten. If you specify a maximum file size, you also must specify a maximum number of trace files with the `files` option and a filename. Syntax: `x K` to specify KB, `x m` to specify MB, or `x g` to specify GB Range: 0 KB through 1 GB Default: 128 KB
world-readable \| no-world-readable	By default, log files can be accessed only by the user who configures the tracing operation. The `world-readable` option enables any user to read the file. To explicitly set the default behavior, use the `no-world-readable` option.

flag

Trace operation to perform. To specify more than one trace operation, include multiple flag statements.

all	Trace with all flags enabled
basic-datapath	Trace basic packet flow activity
fragmentation	Trace IP fragmentation and reassembly events
high-availability	Trace flow high-availability information
host-traffic	Trace flow host traffic information
jexec	Trace packet footprints
multicast	Trace multicast flow information
route	Trace route lookup information
session	Trace session creation and deletion events
session-scan	Trace session scan information
tcp-basic	Trace TCP packet flow information
tunnel	Trace tunnel information

local-debug-buf Configure number of lines for the flow local trace buffer. Maximum lines allowed is 40,000.

no-remote-trace

Set remote tracing as disabled.

packet-filter filter-name

Packet filter to enable during the tracing operation. Configure the filtering options.

destination-port `port-identifier`	Match TCP/UDP destination port
destination-prefix `address`	Destination IP address prefix
interface `interface-name`	Logical interface
protocol `protocol-identifier`	Match IP protocol type
source-port `port-identifier`	Match TCP/UDP source port
source-prefix `address`	Source IP address prefix

rate-limit messages-per-second

Limit the incoming rate of trace messages.

root-override

Root administrator can debug the packets flow traces from all the logical systems and tenant systems for debug by enabling the root-override option.

trace-level

Set the level for trace logging. This option is available only when the flag is set.

brief	Trace key flow information, such as message types sent between SPU and central point, policy match, and packet drop reasons.
detail	Trace extensive flow information, such as detailed information about sessions and fragments. Detail is the default level.
minimal	Trace messages including notice, warning, error, criticality, alert, and emergency.

Table 1 describes tracing of packet footprints with and without root override options.

Table 1: Logical System or Tenant System Tracing of Packet Footprints With and Without Root Override Options
Trace Configuration	With Root Override	Without Root Override
Logical systems and tenant systems with own flow trace configuration	The flow trace of logical systems and tenant systems are recorded to the root.	The flow trace of logical systems and tenant systems are recorded to the configured logical systems and tenant systems.
Logical systems and tenant systems without own flow trace configuration	The flow trace of logical systems and tenant systems are recorded to root.	The flow trace of logical systems and tenant systems are not recorded anywhere

When the packets are switched by the VPLS switch in root logical system, the jexec trace packet footprints might not be complete in logical systems and tenant systems.

If a logical system or tenant system does not configure the security flow traceoptions, and there is no root-override configured under root either, the packet traces will not be recorded.

To get complete packet footprints for logical systems and tenant systems related flow and jexec trace packet footprints, we recommend that you configure the required flow trace with root-override.

Required Privilege Level

trace—To view this in the configuration.

trace-control—To add this to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5.

Statement updated in Junos OS Release 12.1X46-D10 with the trace-level option and additional flags.

Statement updated in Junos OS Release 15.1X49-D70 with the addition of the conn-tag filter parameter.

Support at the following hierarchy levels introduced in Junos OS Release 19.4R1: [edit logical-systems logical-system-name security flow], and [edit tenants tenant-name security flow].

Statement jexec, minimal, and root-override options are introduced in Junos OS Release 20.4R1. The option error is now changed to minimal.

ON THIS PAGE