Monitor Threats

You are here: Monitor > Logs > Threats.

Use the monitoring functionality to view security threats. A threat is any IPS, screen, security intelligence, antivirus, content filtering, or antispam event.

Note:

The Threats page is available on all SRX Series Firewalls except the SRX5000 line.

Table 1 describes the fields on the Threats page.

Table 1: Fields on the Threats Page

Field

Description

Last

Select a time range from the list to view the activity that you are most interested in. Once the time range is selected, all of the data presented in your view is refreshed automatically.

You can also use Customize to set a custom date and click Apply to view the specified threats.

Refresh

Click the refresh icon to get the latest threat information.

Show Hide Columns

This icon is represented by three vertical dots.

Enables you to show or hide a column in the grid.

Export to CSV

You can export the threats data to a comma-separated value (.csv) file.

Select the three vertical dots on the right side of the page and click Export to CSV. The CSV file is downloaded to your local machine. You can download data for a maximum of 100 sessions.

Filter Criteria

Use the filter text box above the table grid. The filter string can include logical operators.

Note:

Starting in Junos OS Release 23.1R1, J-Web supports the following operators:

  • = (equal to)

  • AND

  • != (not equal to)

  • >= (greater than or equal to)

  • <= (less than or equal to)

  • Nested and/or

J-Web also supports netmask notation when searching for IP addresses.

When you hover over the icon in the filter text box, an example filter condition is displayed. As you enter the search string, the icon indicates whether the filter string is valid.

The following filters are available:

  • Source IP

  • Destination IP

  • Session ID

  • Log type

  • User

  • Application

  • Source Zone

  • Destination Zone

  • Source Country

  • Destination Country

  • Source Port

  • Destination Port

  • Protocol
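The operator set and netmask matching described above, worked as an added example that is not J-Web code: a small evaluator that applies a filter to threat rows keyed by the Table 1 field names. It assumes the filter is given as nested tuples rather than the typed J-Web string, uses an assumed subset of the fields, and runs against constructed sample rows.

```python
import ipaddress

# Subset of the Table 1 filter fields, grouped by how their values compare.
IP_FIELDS = {"Source IP", "Destination IP"}
NUM_FIELDS = {"Source Port", "Destination Port", "Session ID"}
FIELDS = IP_FIELDS | NUM_FIELDS | {"Log Type", "Severity", "User", "Protocol"}
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def compile_filter(node):
    """Compile a filter tree into a predicate over records (dicts keyed by the
    Table 1 field names). A tree is ("AND"|"OR", sub, sub, ...) or a clause
    (field, operator, value); the tree form is this example's assumption, J-Web
    takes the same operators as typed text. Invalid input raises ValueError."""
    if node[0] in ("AND", "OR"):  # nested and/or, any depth
        subs = [compile_filter(sub) for sub in node[1:]]
        fn = all if node[0] == "AND" else any
        return lambda r: fn(sub(r) for sub in subs)
    field, op, value = node
    if field not in FIELDS or op not in OPS or (op[0] in "<>" and field not in NUM_FIELDS):
        raise ValueError(f"invalid clause: {field} {op} {value}")
    if field in IP_FIELDS:
        # Netmask support: "10.1.0.0/16" matches the whole prefix; a bare
        # address becomes a /32 network, so plain equality still works.
        net = ipaddress.ip_network(value, strict=False)
        return lambda r: OPS[op](ipaddress.ip_address(r[field]) in net, True)
    if field in NUM_FIELDS:
        num = int(value)  # a non-numeric port or session value is invalid
        return lambda r: OPS[op](int(r[field]), num)
    return lambda r: OPS[op](r[field], value)

def filter_threats(tree, records):
    """Return the records that satisfy the filter tree."""
    pred = compile_filter(tree)
    return [r for r in records if pred(r)]

# Constructed sample rows (not real device output), keyed like Table 1.
SAMPLE_THREATS = [
    {"Source IP": "10.1.5.20", "Destination Port": "443", "Log Type": "IPS", "Severity": "HIGH"},
    {"Source IP": "10.2.7.9", "Destination Port": "25", "Log Type": "ANTISPAM", "Severity": "LOW"},
    {"Source IP": "172.16.0.4", "Destination Port": "8080", "Log Type": "IPS", "Severity": "MEDIUM"},
]

if __name__ == "__main__":
    # IPS logs from the 10.0.0.0/8 range that hit a high port or are HIGH severity.
    tree = ("AND", ("Log Type", "=", "IPS"), ("Source IP", "=", "10.0.0.0/8"),
            ("OR", ("Destination Port", ">=", "1024"), ("Severity", "=", "HIGH")))
    for row in filter_threats(tree, SAMPLE_THREATS):
        print(row["Source IP"], row["Destination Port"], row["Severity"])
```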

X

Click X to clear your search filter.

Save Filter

Click Save Filter to save filters after you specify the filtering criteria.

To save a filter:

  1. Enter the filter criteria you are looking for in the advanced search box.

  2. Click Save Filter.

  3. Enter a name for the filter and click the tick icon to save it.

Load Filter

Displays the list of saved filters.

Hover over the saved filter name to view the query expression. You can delete the saved filter using the delete icon.

View Details

When you hover over the PCAP file, a Detailed View icon appears before the PCAP file. Click the icon to view the log details on the Detailed Log View page.

Click the download icon on the Detailed Log View page to download the packet capture file. If the file is not available, the download fails and you receive an error message.

Note:

The download icon is available only for IPS attack logs.

To view the packet capture data on the Threats page, ensure that attack logging notification is enabled. If not:

  1. Go to Security Services > IPS > Policy.

  2. Click the add icon (+) on the upper right side of the Policy page.

    The Add IDP Policy page appears.

  3. Enter the name of the IPS policy and then click +.

    The Add IPS Rule page appears.

  4. Click Advanced and select the check box to configure Enable Attack Logging under Notification.

PCAP

Click the download icon to download the packet capture (PCAP) file of IPS attacks.

Note:

The download icon appears only for IPS attack logs.

The PCAP file is downloaded to your system from the /var/log/pcap/ folder. If the file is not available, the download fails and you receive an error message.

Time

Displays the time when the threat log was received.

Log Type

Displays the threat log type, for example IPS, Antivirus, or Antispam.

Name

Displays the name of the event.

Severity

Displays the severity of the threat.

Source Zone

Displays the source zone of the threat.

Source IP

Displays the source IP address from which the threat originated.

Source Port

Displays the port number of the source.

User

Displays the user for whom the threat log was generated.

Destination Zone

Displays the destination zone of the threat.

Destination IP

Displays the destination IP address of the threat.

Destination Port

Displays the port number of the destination.

Application

Displays the application or nested application name from which the threat was generated.

Action

Displays the action taken on the threat.

Session ID

Displays the traffic session ID of the threat.

Closure Reason

Displays the reason for the session closure.

Profile

Displays the threat profile name.

Category

Displays the threat category.

URL

Displays the accessed URL name that triggered the event.

Object

Displays the object name of the threat.

Destination Interface

Displays the interface name of the destination.

Source Interface

Displays the interface name of the source.

Policy

Displays the name of the policy that triggered the threat log.

Rule

Displays the rule name of the threat log.

Protocol

Displays the protocol ID in the threats log.

CVE-ID

Displays the Common Vulnerabilities and Exposures (CVE) identifiers for the threat.

Elapsed Time

Displays the time elapsed since the last time interval began.

Packet Log ID

Displays the ID of the packets received before and after the attack, for further offline analysis of attacker behavior.

XFF

Displays the X-Forwarded-For (XFF) header, which a proxy server adds to carry the real IP address of the client making the request.

File Name

Displays the file name in the threat log.

Argument

Displays the arguments that are passed to an event when it is invoked from the threat log.

Source Name

Displays the name of the source from which the threat originated.

Feed Name

Displays the feed name of the threat detected.

Count

Displays the threat count.

Message Type

Displays the message type for the threat detected.

HTTP Host

Displays the host URL for the threat.