Example: Configuring Logging for a Stateless Firewall Filter Term
This example shows how to configure a standard stateless firewall filter to log packet headers.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you use a stateless firewall filter that logs and counts ICMP packets that have 192.168.207.222 as either their source or destination.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configure the Syslog Messages File for the Firewall Facility
- Configure the Stateless Firewall Filter
- Apply the Stateless Firewall Filter to a Logical Interface
- Confirm and Commit Your Candidate Configuration
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
set system syslog file ICMP_filter firewall info
set system syslog file ICMP_filter archive no-world-readable
set firewall family inet filter icmp_syslog term icmp_match from address 192.168.207.222/32
set firewall family inet filter icmp_syslog term icmp_match from protocol icmp
set firewall family inet filter icmp_syslog term icmp_match then count packets
set firewall family inet filter icmp_syslog term icmp_match then syslog
set firewall family inet filter icmp_syslog term icmp_match then accept
set firewall family inet filter icmp_syslog term default_term then accept
set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.3/30
set interfaces ge-0/0/1 unit 0 family inet filter input icmp_syslog
Configure the Syslog Messages File for the Firewall Facility
Step-by-Step Procedure
To configure a syslog messages file for the firewall facility:
Configure a messages file for all syslog messages generated for the firewall facility.
user@host# set system syslog file ICMP_filter firewall info
Restrict permission to the archived firewall facility syslog files to the root user and users who have the Junos OS maintenance permission.
user@host# set system syslog file ICMP_filter archive no-world-readable
Configure the Stateless Firewall Filter
Step-by-Step Procedure
To configure the stateless firewall filter icmp_syslog that logs and counts ICMP packets that have 192.168.207.222 as either their source or destination:
Create the stateless firewall filter icmp_syslog.
[edit]
user@host# edit firewall family inet filter icmp_syslog
Configure matching on the ICMP protocol and an address.
[edit firewall family inet filter icmp_syslog]
user@host# set term icmp_match from address 192.168.207.222/32
user@host# set term icmp_match from protocol icmp
Count, log, and accept matching packets. The syslog action sends a message for each matching packet to the firewall syslog facility, which the ICMP_filter file configured above collects.
[edit firewall family inet filter icmp_syslog]
user@host# set term icmp_match then count packets
user@host# set term icmp_match then syslog
user@host# set term icmp_match then accept
Accept all other packets.
[edit firewall family inet filter icmp_syslog]
user@host# set term default_term then accept
Apply the Stateless Firewall Filter to a Logical Interface
Step-by-Step Procedure
To apply the stateless firewall filter to a logical interface:
Configure the logical interface to which you will apply the stateless firewall filter.
[edit]
user@host# edit interfaces ge-0/0/1 unit 0 family inet
Configure the interface address for the logical interface.
[edit interfaces ge-0/0/1 unit 0 family inet]
user@host# set address 10.1.2.3/30
Apply the stateless firewall filter to the logical interface.
[edit interfaces ge-0/0/1 unit 0 family inet]
user@host# set filter input icmp_syslog
Confirm and Commit Your Candidate Configuration
Step-by-Step Procedure
To confirm and then commit your candidate configuration:
Confirm the configuration of the syslog message file for the firewall facility by entering the show system configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show system
syslog {
    file ICMP_filter {
        firewall info;
        archive no-world-readable;
    }
}
Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration. In particular, the action must be syslog, not log: the log action writes to the local firewall log buffer (displayed with show firewall log), not to the syslog file this example verifies.
[edit]
user@host# show firewall
family inet {
    filter icmp_syslog {
        term icmp_match {
            from {
                address {
                    192.168.207.222/32;
                }
                protocol icmp;
            }
            then {
                count packets;
                syslog;
                accept;
            }
        }
        term default_term {
            then accept;
        }
    }
}
Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show interfaces
ge-0/0/1 {
    unit 0 {
        family inet {
            filter {
                input icmp_syslog;
            }
            address 10.1.2.3/30;
        }
    }
}
If you are done configuring the device, commit your candidate configuration.
[edit]
user@host# commit
Verification
To confirm that the configuration is working properly, send ICMP traffic to or from 192.168.207.222 through ge-0/0/1.0 and then display the syslog file configured for the firewall facility with the show log ICMP_filter operational mode command:
user@host> show log ICMP_filter
Mar 20 08:03:11 hostname feb FW: ge-0/0/1.0 A icmp 192.168.207.222 192.168.207.223 0 0 (1 packets)
This output file contains the following fields:
Date and Time—Date and time at which the packet was received.
Filter action:
A—Accept (or next term)
D—Discard
R—Reject
Protocol—Packet’s protocol name or number.
Source address—Source IP address in the packet.
Destination address—Destination IP address in the packet.
Note: If the protocol is ICMP, the ICMP type and code are displayed in the two numeric fields that follow the addresses. For all other protocols, the source and destination ports are displayed in those positions.
In the message above the protocol is icmp, so the last two fields (both zero) are the ICMP type and code, not ports; for a TCP or UDP packet the same two fields would carry the source and destination ports, respectively. The trailing count shows that only one packet for this match was detected in about a one second interval. If packets arrive faster, the system log function compresses the information so that less output is generated: matching packets seen within that interval are folded into one message whose count reflects the total, similar to the following:
user@host> show log ICMP_filter
Mar 20 08:18:45 hostname feb FW: ge-0/0/1.0 A icmp 192.168.207.222 192.168.207.223 0 0 (515 packets)
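Because the firewall facility folds a burst of matching packets into a single message, anything that consumes these lines must read the trailing "(N packets)" count rather than treating each line as one packet, and must interpret the two numeric fields according to the protocol. The following parser is an added example written for this page, not Juniper code; it uses constructed log lines that follow the FW: format shown above (the "D tcp" line is included only to exercise the port fields and would not be produced by the accept-only filter in this example), sums packets per flow, and flags messages whose folded count indicates a burst.

```python
"""Parse Junos 'FW:' syslog lines written by a firewall filter term with the
syslog action to the file configured with
'set system syslog file ICMP_filter firewall info'.

Added example for this page; not Juniper code. SAMPLE_LOG is constructed to
match the message format shown in the Verification section.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input. The 'D tcp' line is not something the page's
# accept-only filter would emit; it is here to exercise the port fields.
SAMPLE_LOG = """\
Mar 20 08:03:11 hostname feb FW: ge-0/0/1.0 A icmp 192.168.207.222 192.168.207.223 0 0 (1 packets)
Mar 20 08:18:45 hostname feb FW: ge-0/0/1.0 A icmp 192.168.207.222 192.168.207.223 0 0 (515 packets)
Mar 20 08:18:46 hostname feb FW: ge-0/0/1.0 A icmp 192.168.207.223 192.168.207.222 8 0 (3 packets)
Mar 20 08:19:02 hostname feb FW: ge-0/0/1.0 D tcp 10.1.2.2 192.168.207.222 51234 22 (1 packets)
Mar 20 08:19:03 hostname feb PFE: unrelated message that must be ignored
"""

# Filter action letters as documented on the page.
ACTIONS = {"A": "accept", "D": "discard", "R": "reject"}

FW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<src_proc>\S+) FW: "
    r"(?P<ifl>\S+) (?P<action>[ADR]) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<f1>\d+) (?P<f2>\d+) \((?P<count>\d+) packets?\)$"
)


@dataclass
class FwLogEntry:
    timestamp: str
    host: str
    interface: str
    action: str          # accept / discard / reject
    proto: str
    src: str
    dst: str
    count: int           # packets folded into this one message
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_line(line: str) -> Optional[FwLogEntry]:
    """Return an FwLogEntry for an FW: line, or None for any other syslog line."""
    m = FW_RE.match(line.strip())
    if not m:
        return None
    f1, f2 = int(m["f1"]), int(m["f2"])
    entry = FwLogEntry(
        timestamp=m["ts"], host=m["host"], interface=m["ifl"],
        action=ACTIONS[m["action"]], proto=m["proto"].lower(),
        src=m["src"], dst=m["dst"], count=int(m["count"]),
    )
    # The two numeric fields are overloaded: ICMP type and code for ICMP,
    # source and destination port for every other protocol (per the page's note).
    if entry.proto == "icmp":
        entry.icmp_type, entry.icmp_code = f1, f2
    else:
        entry.sport, entry.dport = f1, f2
    return entry


def parse_log(text: str) -> List[FwLogEntry]:
    """Parse every FW: line in a show log dump, skipping unrelated messages."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def packets_per_flow(entries: List[FwLogEntry]) -> Dict[Tuple[str, str, str], int]:
    """Sum the '(N packets)' counts per (src, dst, proto), so a folded message
    is credited with all the packets it represents rather than one."""
    totals: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for e in entries:
        totals[(e.src, e.dst, e.proto)] += e.count
    return dict(totals)


def bursts(entries: List[FwLogEntry], threshold: int) -> List[FwLogEntry]:
    """Messages whose folded count reaches the threshold: that many matching
    packets arrived within roughly one second of each other."""
    return [e for e in entries if e.count >= threshold]


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for flow, n in packets_per_flow(ents).items():
        print(flow, n)
    for e in bursts(ents, 100):
        print("burst:", e.timestamp, e.interface, e.src, "->", e.dst, e.count, "packets")
```

Run it against a real file by replacing SAMPLE_LOG with the contents of the syslog file (or the output of show log ICMP_filter); the burst threshold is a tuning choice, not a Junos setting.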