Logging the Traffic on an Interface

Problem

You want to keep a log of the traffic passing through an interface.

Solution

In the then clause, include the log option to capture information about filter activity:

	[edit firewall filter incoming-to-me]
	aviva@RouterF# set term final-accept then log
	aviva@RouterF# set term final-accept then accept

Use the show firewall log command to display the firewall logs:

	aviva@RouterF> show firewall log
	Log :
	Time Filter Action Interface Protocol Src Addr
	 Dest Addr
	04:59:13 pfe A t1-0/0/3.0 TCP 10.0.31.1
	 10.0.31.2
	04:59:11 pfe A t1-0/0/3.0 TCP 10.0.31.1
	 10.0.31.2
	04:58:43 pfe A t1-0/0/3.0 TCP 10.0.31.1
	 10.0.31.2
	04:58:41 pfe A t1-0/0/3.0 TCP 10.0.31.1
	 10.0.31.2

You can also save the activity records to a standard system logfile:

	[edit firewall filter incoming-to-me] 
	aviva@RouterF# set term final-accept then syslog 
	aviva@RouterF# set term final-accept then accept 

Then configure a system logfile to accept the log messages:

	[edit system syslog]
	aviva@RouterF# set file messages firewall any

 

Discussion

You can log the activity of a term in a firewall filter using the log facility that is built into the firewall filter software itself. Configure this with a set then log command. You can log accepted and rejected packets but not discarded ones. This configuration stores all the activity in real time on the router, not in a file, so use it when you want to actively watch traffic or debug a problem.

The show firewall log command displays the firewall logs. The detail option of this command shows an expanded version of the same information:

	aviva@RouterF> show firewall log detail
	Time of Log: 2005-09-07 05:00:13 UTC, Filter: pfe, Filter action: accept, Name of
	interface: t1-0/0/3.0
	Name of protocol: TCP, Packet Length: 71, Source address: 10.0.31.1:1390, Destination
	address: 10.0.31.2:179
	Time of Log: 2005-09-07 05:00:11 UTC, Filter: pfe, Filter action: accept, Name of
	interface: t1-0/0/3.0
	Name of protocol: TCP, Packet Length: 52, Source address: 10.0.31.1:1390, Destination
	address: 10.0.31.2:179
	Time of Log: 2005-09-07 04:59:43 UTC, Filter: pfe, Filter action: accept, Name of
	interface: t1-0/0/3.0
	Name of protocol: TCP, Packet Length: 71, Source address: 10.0.31.1:1390, Destination
	address: 10.0.31.2:179
	Time of Log: 2005-09-07 04:59:41 UTC, Filter: pfe, Filter action: accept, Name of
	interface: t1-0/0/3.0
	Name of protocol: TCP, Packet Length: 52, Source address: 10.0.31.1:1390, Destination
	address: 10.0.31.2:179

In the output, the first field shows when the packet was received. Looking at the times in this output, you see that the firewall log facility places the latest messages at the beginning of the output. This is the opposite of system logfiles, which have the newest entries at the end. The Filter field shows pfe, which means that the packet was handled by the JUNOS PFE. The Action and Filter action fields show the fate of the packet. In this output, all packets were accepted (in the standard output, this shows as an A). Packets can also be Discard (D) or Reject (R).

The next two files show the interface on which the filter is configured and the protocol type of the packet. The last two fields show the packet's source and destination addresses. In the detail output, the address also includes the port number being used.

You can also save the activity records to a standard system logfile with a set then syslog command. Then configure a system logfile to accept the log messages. This recipe places all firewall logging messages in the messages file. The firewall facility captures firewall-related messages. Use the show log command to view the messages:

	aviva@RouterF> show log messages
	Sep 7 04:59:13 RouterF 
fwdd[2498]: 
PFE_FW_SYSLOG_IP: FW: t1-0/0/3.0 A tcp
	 172.19.121.114 172.17.28.108 5888 18695 (1 packets)
	Sep 7 04:59:13 RouterF last message repeated 5 times
	Sep 7 04:59:13 RouterF fwdd[2498]: PFE_FW_SYSLOG_IP: FW: t1-0/0/3.0 A tcp
	 192.168.14.1 192.168.18.1 54532 45824 (1 packets)

The fwdd after the router name means that the message was generated by the JUNOS forwarding process (daemon). The message code for firewall logs is PFE_FW_SYSLOG_IP, and the FW: indicates that the message is present in the logs as the result of a firewall configuration. Some of the remaining information in the system log message is similar to what is displayed by the show firewall log command. First is the interface name, followed by an A to report that the packet was accepted, and tcp, which is the type of packet. The two IP addresses are the packet's source and destination addresses, respectively, and the last two numbers are the source and destination ports.

See Also

Recipe 5.1


Router Configuration and File Management

Basic Router Security and Access Control

IPSec

SNMP

Logging

NTP

Router Interfaces

IP Routing

Routing Policy and Firewall Filters

RIP

IS-IS

OSPF

BGP

MPLS

VPNs

IP Multicast



JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
EAN: 2147483647
Year: 2007
Pages: 290
Authors: Aviva Garrett

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net