Configure Logging in Juniper Firewall Filter

Juniper firewall filters are made up of terms and match conditions. A filter can contain numerous terms, and each term can contain various match conditions and actions. An example of a firewall filter is shown below. The filter has two terms, T1 and T2. T1 matches traffic from any source address to destination port 22 or 443 and has the action accept. T2 has the action reject. So only traffic matching destination port 22 or 443 will be accepted on interface fe-0/0/2; all other traffic will be rejected. Both terms also have the syslog action, which logs every packet that matches the corresponding term.
[edit firewall]
root@SRX240# show
filter TEST {
    term T1 {
        from {
            source-address {
                192.168.1.1/32;
            }
            destination-port [ 22 443 ];
        }
        then {
            syslog;
            accept;
        }
    }
    term T2 {
        then {
            syslog;
            reject;
        }
    }
}
The filter is then applied to the interface:
[edit interfaces fe-0/0/2]
root@SRX240# show
description "CONNECTED TO INTERNET";
unit 0 {
    family inet {
        filter {
            input TEST;
        }
        address 2.2.2.2/30;
    }
}
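Once the filter is applied, every packet matched by T1 or T2 produces a firewall-facility syslog message. The following added example (not part of the original post) parses such messages and summarizes packets per action and rejected packets per source and destination port, which is the quickest way to spot probing against the interface. The field order assumed is the PFE_FW_SYSLOG_IP layout (interface, action letter, protocol, source, destination, source port, destination port, packet count); the log lines themselves are constructed to match filter TEST above.

```python
import re
from collections import Counter

# Assumed PFE_FW_SYSLOG_IP layout written by the "syslog" action:
#   FW: <ifl> <action> <proto> <src> <dst> <sport> <dport> (<n> packets)
# Action letter: A = accept, D = discard, R = reject.
FW_LINE = re.compile(
    r"PFE_FW_SYSLOG_IP: FW: (?P<ifl>\S+)\s+(?P<action>[ADR])\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"\((?P<pkts>\d+) packets\)"
)
ACTIONS = {"A": "accept", "D": "discard", "R": "reject"}

# Constructed sample: only 192.168.1.1 to port 22/443 hits T1; everything else hits T2.
SAMPLE_LOG = """\
Jun 27 00:20:30 SRX240 fpc0 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   A tcp 192.168.1.1 2.2.2.2 51022 22 (1 packets)
Jun 27 00:20:31 SRX240 fpc0 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   A tcp 192.168.1.1 2.2.2.2 51023 443 (3 packets)
Jun 27 00:20:32 SRX240 fpc0 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   R tcp 203.0.113.7 2.2.2.2 40001 23 (1 packets)
Jun 27 00:20:33 SRX240 fpc0 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   R tcp 203.0.113.7 2.2.2.2 40002 3389 (1 packets)
Jun 27 00:20:34 SRX240 fpc0 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   R udp 198.51.100.9 2.2.2.2 53 161 (2 packets)
Jun 27 00:20:35 SRX240 fpc0 PFE_FW_SYSLOG_IP: FW: fe-0/0/2.0   R tcp 10.0.0.5 2.2.2.2 40003 22 (1 packets)
"""


def parse_fw_log(text):
    """Return one dict of named fields per firewall syslog line; other lines are skipped."""
    return [m.groupdict() for m in map(FW_LINE.search, text.splitlines()) if m]


def summarize(records):
    """Packets per action, plus rejected/discarded packets keyed by (src, proto, dport)."""
    per_action = Counter()
    denied = Counter()
    for r in records:
        pkts = int(r["pkts"])
        per_action[ACTIONS[r["action"]]] += pkts
        if r["action"] in ("D", "R"):
            denied[(r["src"], r["proto"], int(r["dport"]))] += pkts
    return per_action, denied


if __name__ == "__main__":
    actions, denied = summarize(parse_fw_log(SAMPLE_LOG))
    print(dict(actions))
    for (src, proto, dport), n in denied.most_common():
        print(f"{src:>15} {proto}/{dport:<5} {n} packets denied")
```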
There are also other match conditions and actions. You can match traffic based on source and destination IP address, MAC address, port numbers, protocol numbers, DSCP value, dot1q tag, ICMP type, and many others. Remember, Juniper firewall filters are stateless and unidirectional. A filter does not track connection state and does not automatically permit return traffic, so you have the option to apply firewall filters to both inbound (input) and outbound (output) traffic on an interface. To permit or deny transit traffic, apply firewall filters on transit interfaces. Likewise, to permit or deny traffic destined to the Juniper device's routing engine, apply the firewall filter on the lo0 (loopback) interface. For example, to block SSH login attacks against the device itself, you can create a firewall filter and apply it on the loopback interface.
To view the firewall filter log, create a custom syslog file for the firewall facility. Here is how you do that: