Example: Configuring Logging for a Firewall Filter Term
This example shows how to configure a firewall filter to log packet headers.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you use a firewall filter that logs and counts ICMP packets that have 192.168.207.222 as either their source or destination.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configure the Syslog Messages File for the Firewall Facility
- Configure the Firewall Filter
- Apply the Firewall Filter to a Logical Interface
- Confirm and Commit Your Candidate Configuration
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
set system syslog file messages_firewall_any firewall any
set system syslog file messages_firewall_any archive no-world-readable
set firewall family inet filter icmp_syslog term icmp_match from address 192.168.207.222/32
set firewall family inet filter icmp_syslog term icmp_match from protocol icmp
set firewall family inet filter icmp_syslog term icmp_match then count packets
set firewall family inet filter icmp_syslog term icmp_match then syslog
set firewall family inet filter icmp_syslog term icmp_match then accept
set firewall family inet filter icmp_syslog term default_term then accept
set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.3/30
set interfaces ge-0/0/1 unit 0 family inet filter input icmp_syslog
Configure the Syslog Messages File for the Firewall Facility
Step-by-Step Procedure
To configure a syslog messages file for the firewall facility:
1. Configure a messages file for all syslog messages generated for the firewall facility.
   user@host# set system syslog file messages_firewall_any firewall any
2. Restrict permission to the archived firewall facility syslog files to the root user and users who have the Junos OS maintenance permission.
   user@host# set system syslog file messages_firewall_any archive no-world-readable
Configure the Firewall Filter
Step-by-Step Procedure
To configure the firewall filter icmp_syslog that logs and counts ICMP packets that have 192.168.207.222 as either their source or destination:
1. Create the firewall filter icmp_syslog.
   [edit]
   user@host# edit firewall family inet filter icmp_syslog
2. Configure matching on the ICMP protocol and an address.
   [edit firewall family inet filter icmp_syslog]
   user@host# set term icmp_match from address 192.168.207.222/32
   user@host# set term icmp_match from protocol icmp
3. Count, log, and accept matching packets.
   [edit firewall family inet filter icmp_syslog]
   user@host# set term icmp_match then count packets
   user@host# set term icmp_match then syslog
   user@host# set term icmp_match then accept
4. Accept all other packets.
   [edit firewall family inet filter icmp_syslog]
   user@host# set term default_term then accept
Apply the Firewall Filter to a Logical Interface
Step-by-Step Procedure
To apply the firewall filter to a logical interface:
1. Configure the logical interface to which you will apply the firewall filter.
   [edit]
   user@host# edit interfaces ge-0/0/1 unit 0 family inet
2. Configure the interface address for the logical interface.
   [edit interfaces ge-0/0/1 unit 0 family inet]
   user@host# set address 10.1.2.3/30
3. Apply the firewall filter to the logical interface.
   [edit interfaces ge-0/0/1 unit 0 family inet]
   user@host# set filter input icmp_syslog
Confirm and Commit Your Candidate Configuration
Step-by-Step Procedure
To confirm and then commit your candidate configuration:
1. Confirm the configuration of the syslog message file for the firewall facility by entering the show system configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
   [edit]
   user@host# show system
   syslog {
       file messages_firewall_any {
           firewall any;
           archive no-world-readable;
       }
   }
2. Confirm the configuration of the firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
   [edit]
   user@host# show firewall
   family inet {
       filter icmp_syslog {
           term icmp_match {
               from {
                   address {
                       192.168.207.222/32;
                   }
                   protocol icmp;
               }
               then {
                   count packets;
                   syslog;
                   accept;
               }
           }
           term default_term {
               then accept;
           }
       }
   }
3. Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
   [edit]
   user@host# show interfaces
   ge-0/0/1 {
       unit 0 {
           family inet {
               filter {
                   input icmp_syslog;
               }
               address 10.1.2.3/30;
           }
       }
   }
4. If you are done configuring the device, commit your candidate configuration.
   [edit]
   user@host# commit
Verification
To confirm that the configuration is working properly, enter the show log messages_firewall_any operational mode command:
user@host> show log messages_firewall_any
Mar 20 08:03:11 hostname feb FW: so-0/1/0.0 A icmp 192.168.207.222 192.168.207.223 0 0 (1 packets)
This output file contains the following fields:
- Date and Time: Date and time at which the packet was received (not shown in the default).
- Filter action:
  - A: Accept (or next term)
  - D: Discard
  - R: Reject
- Protocol: Packet's protocol name or number.
- Source address: Source IP address in the packet.
- Destination address: Destination IP address in the packet.
Note: If the protocol is ICMP, the ICMP type and code are displayed. For all other protocols, the source and destination ports are displayed.
The last two fields (both zero) are the source and destination TCP/UDP ports, respectively, and are shown for TCP or UDP packets only. This log message indicates that only one packet for this match has been detected in about a 1-second interval. If packets arrive faster, the system log function compresses the information so that less output is generated, and displays an output similar to the following:
user@host> show log messages_firewall_any
Mar 20 08:08:45 hostname feb FW: so-0/1/0.0 A icmp 192.168.207.222 192.168.207.223 0 0 (515 packets)
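The FW: log format described above is easy to consume off-box. The following Python script is an added example (not part of the Junos documentation) that parses lines in that format, applies the field rule from the note (ICMP type/code versus TCP/UDP ports), and sums the compressed packet counts per flow; the sample lines are constructed from the two shown on this page plus one hypothetical discarded TCP line.

```python
import re
from collections import defaultdict

# Pattern for the firewall syslog line shown in this example:
# <timestamp> <host> <process> FW: <interface> <action> <proto> <src> <dst> <f1> <f2> (<n> packets)
FW_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\S+) FW: "
    r"(?P<ifl>\S+) (?P<action>[ADR]) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<f1>\d+) (?P<f2>\d+) \((?P<count>\d+) packets?\)$"
)
# Filter action codes as documented on this page.
ACTIONS = {"A": "accept", "D": "discard", "R": "reject"}


def parse_fw_line(line):
    """Parse one FW: log line into a dict, or return None if the line is not a filter log."""
    m = FW_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["action"] = ACTIONS[rec["action"]]
    rec["count"] = int(rec["count"])
    f1, f2 = int(rec.pop("f1")), int(rec.pop("f2"))
    # Per the field description: ICMP lines carry type/code, other protocols carry ports.
    if rec["proto"] == "icmp":
        rec["icmp_type"], rec["icmp_code"] = f1, f2
    else:
        rec["src_port"], rec["dst_port"] = f1, f2
    return rec


def packets_by_flow(lines):
    """Sum the (possibly compressed) packet counts per (action, proto, src, dst)."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_fw_line(line)
        if rec:
            totals[(rec["action"], rec["proto"], rec["src"], rec["dst"])] += rec["count"]
    return dict(totals)


# Constructed sample: the two lines from this example, a hypothetical discarded TCP line,
# and one unrelated syslog line that the parser must skip.
SAMPLE_LOG = [
    "Mar 20 08:03:11 hostname feb FW: so-0/1/0.0 A icmp 192.168.207.222 192.168.207.223 0 0 (1 packets)",
    "Mar 20 08:08:45 hostname feb FW: so-0/1/0.0 A icmp 192.168.207.222 192.168.207.223 0 0 (515 packets)",
    "Mar 20 08:09:02 hostname feb FW: so-0/1/0.0 D tcp 10.1.2.4 192.168.207.222 41234 80 (3 packets)",
    "Mar 20 08:09:03 hostname sshd[123]: unrelated message",
]

if __name__ == "__main__":
    for flow, n in packets_by_flow(SAMPLE_LOG).items():
        print(flow, n)
```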