Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Example: Configuring Logging for a Firewall Filter Term

This example shows how to configure a firewall filter to log packet headers.

Requirements

No special configuration beyond device initialization is required before configuring this example.

Overview

In this example, you use a firewall filter that logs and counts ICMP packets that have 192.168.207.222 as either their source or destination.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

Configure the Syslog Messages File for the Firewall Facility

Step-by-Step Procedure

To configure a syslog messages file for the firewall facility:

  1. Configure a messages file for all syslog messages generated for the firewall facility.

  2. Restrict permission to the archived firewall facility syslog files to the root user and users who have the Junos OS maintenance permission.

Configure the Firewall Filter

Step-by-Step Procedure

To configure the firewall filter icmp_syslog that logs and counts ICMP packets that have 192.168.207.222 as either their source or destination:

  1. Create the firewall filter icmp_syslog.

  2. Configure matching on the ICMP protocol and an address.

  3. Count, log,, and accept matching packets.

  4. Accept all other packets.

Apply the Firewall Filter to a Logical Interface

Step-by-Step Procedure

To apply the firewall filter to a logical interface:

  1. Configure the logical interface to which you will apply the firewall filter.

  2. Configure the interface address for the logical interface.

  3. Apply the firewall filter to the logical interface.

Confirm and Commit Your Candidate Configuration

Step-by-Step Procedure

To confirm and then commit your candidate configuration:

  1. Confirm the configuration of the syslog message file for the firewall facility by entering the show system configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

  2. Confirm the configuration of the firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

  3. Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

  4. If you are done configuring the device, commit your candidate configuration.

Verification

To confirm that the configuration is working properly, enter the show log filter command:

This output file contains the following fields:

  • Date and Time—Date and time at which the packet was received (not shown in the default).

  • Filter action:

    • A—Accept (or next term)

    • D—Discard

    • R—Reject

  • Protocol—Packet’s protocol name or number.

  • Source address—Source IP address in the packet.

  • Destination address—Destination IP address in the packet.

    Note:

    If the protocol is ICMP, the ICMP type and code are displayed. For all other protocols, the source and destination ports are displayed.

The last two fields (both zero) are the source and destination TCP/UDP ports, respectively, and are shown for TCP or UDP packets only. This log message indicates that only one packet for this match has been detected in about a 1-second interval. If packets arrive faster, the system log function compresses the information so that less output is generated, and displays an output similar to the following: