Page Comparison

The tags beginning with firewall.juniper juniper identify log events generated by the following Juniper technologies:

...

The full tag must have at least three levels. The first two are fixed as firewall.juniper. The third level identifies the technology type and must be one of isg, nsm, srx, ssg, system or traffic. The fourth element is usually required and you are free to define it as you like. 

Therefore, the valid tags include:

...

...

...

...

...

...

...

...

...

...

...

...

...

For more information, read more about Devo tags.

Firewall Juniper ISG / SSG

It is not possible to send system and traffic events to different ports on the same remote machine, in this case the Devo Relay. Therefore, we need to set up two relay rules to process and tag the different events received on the same port.

1. In the first rule, we use regex in the Source Message field to identify events that should be tagged firewall.juniper.isg.traffic. In this rule we mark Stop Processing so that when an event meets the conditions of the rule and the tag is applied, the event is not subjected to any further relay rules and is forwarded directly to the Devo Cloud. 

2. The second rule simply applies the firewall.juniper.isg.system tag to all other events received on the same port.

It is important that the first rule come before the second rule in the order of rule processing on the relay. 

Rule 1: Identify "traffic" type events

• Source Port → 514

• Source Message → "\\[Root]system-[^][0-9](traffic):"

• Target Tag → firewall.juniper.isg.traffic                                                                                                        

• Check the Stop Processing checkbox

...

Rule 2: Tag all other events received from the Juniper IP as "system"

• IP → <Juniper IP address>

• Source Port → 514

• Target Tag → all the rest as firewall.juniper.isg.system

  Image Removed

Firewall Juniper SRX Series

Below find instructions for setting up the Devo Relay rules to correctly process the SRX events, and also a note about logging dropped packets in SRX.

Devo Relay rules - SRX logging in syslog format

...

Essentially, these rules identify the syslog tag contained in the inbound event so that when there's a match, the correct tag is applied to the event and the event is forwarded to the Devo Cloud without further processing on the relay. 

Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"

• Source Port → 514

• Source Tag → RT_FLOW    

• Target Tag → firewall.juniper.srx.traffic (or firewall.juniper.srx.traffic.vXX)

• Check the Stop Processing checkbox

• Image Removed

Rule 2: Tag events containing the syslog tag RT_UTM as "utm"

• Source Port → 514

• Source Tag → RT_UTM    

• Target Tag → firewall.juniper.srx.utm

• Check the Stop Processing checkbox

          Image Removed

Rule 3: Tag events containing the syslog tag RT_IDP as "idp"

• Source Port → 514

• Source Tag → RT_IDP

• Target Tag → firewall.juniper.srx.idp

• Check the Stop Processing checkbox

...

Rule 4: Tag all other events received on port 514 as "system"

• Source Port → 514

• Target Tag → firewall.juniper.srx.system

• Check the Sent without syslog tag checkbox

...

Devo Relay rules - SRX logging in structured-data format

If SRX is logging in structured-data format, the Devo Relay rules need to be defined in a different way. 

...

For more information, read more about Devo tags.

Firewall Juniper ISG / SSG

It is not possible to send system and traffic events to different ports on the same remote machine, in this case the Devo Relay. Therefore, we need to set up two relay rules to process and tag the different events received on the same port.

1. In the first rule, we use regex in the Source Message field to identify events that should be tagged firewall.juniper.isg.traffic. In this rule we mark Stop Processing so that when an event meets the conditions of the rule and the tag is applied, the event is not subjected to any further relay rules and is forwarded directly to the Devo Cloud. 

2. The second rule simply applies the firewall.juniper.isg.system tag to all other events received on the same port.

It is important that the first rule come before the second rule in the order of rule processing on the relay. 

Rule 1: Identify "traffic" type events

• Source port → 514

• Source message → "\\[Root]system-[^][0-9](traffic):"

• Target tag → firewall.juniper.isg.traffic                                                                                            

• Check the Stop processing checkbox

Rule 2: Tag all other events received from the Juniper IP as "system"

• IP → <Juniper IP address>

• Source Port → 514

• Target tag → all the rest as firewall.juniper.isg.system

Firewall Juniper SRX Series

Below find instructions for setting up the Devo Relay rules to correctly process the SRX events, and also a note about logging dropped packets in SRX.

Devo Relay rules - SRX logging in syslog format

You need to set up new relay rules to handle the SRX events received on port 514 and tag them correctly as firewall.juniper.srx.<subtype>

Essentially, these rules identify the syslog tag contained in the inbound event so that when there's a match, the correct tag is applied to the event and the event is forwarded to the Devo Cloud without further processing on the relay. 

Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"

• Source Port → 13003 port → 514

• Source Data → ^.*? tag → RT_FLOW - .*$    

• Target Tag → firewalltag → firewall.juniper.srx.traffic
  

• Check the Stop Processing and Sent without syslog tag checkboxes

...

• (or firewall.juniper.srx.traffic.vXX)

• Check the Stop processing checkbox

Rule 2:

...

Tag events containing the syslog tag RT_UTM as "utm"

• Source Port → 13003Source Data → ^.*? port → 514

• Source tag → RT_UTM - .*$    

• Target Tag → firewalltag → firewall.juniper.srx.utm

• Check the Stop Processing and Sent without syslog tag checkboxes

Image Removed 

•  checkbox

Rule 3:

...

 Tag events containing the syslog tag RT_IDP as "idp"

• Source Port → 13003Source Data → ^.*? port → 514

• Source tag → RT_IDP - .*$

• Target Tag → firewalltag → firewall.juniper.srx.idp

• Check the Stop Processing and Sent without syslog tag checkboxes

Image Removed 

• processing checkbox

Rule 4:

...

Tag all other events received on

...

port 514 as "system"

• IP → <Juniper IP>

• Source Port → 13003

• Target Tag → firewallSource port → 514

• Target tag → firewall.juniper.srx.system

• Check the the Sent without syslog tag checkbox checkbox

...

SRX Rule Base - Add rule to log dropped packets

The SRX does not log packets dropped by default. A rule needs to be defined at the end of the rule base to drop all and to activate the logging.

Configuration for Junos release 11.4 and earlier

Create a template group. Note that  <*> is a wild card character to match any security zone.

...

Devo Relay rules - SRX logging in structured-data format

If SRX is logging in structured-data format, the Devo Relay rules need to be defined in a different way. 

Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"

• Source port → 13003

• Source data → ^.*? RT_FLOW - .*$

• Target tag → firewall.juniper.srx.traffic

• Check the Stop processing and Sent without syslog tag checkboxes

Rule 2:  Tag events containing the syslog tag RT_UTM as "utm"

• Source port → 13003

• Source data → ^.*? RT_UTM - .*$

• Target tag → firewall.juniper.srx.utm

• Check the Stop processing and Sent without syslog tag checkboxes 

Rule 3:  Tag events containing the syslog tag RT_IDP as "idp"

• Source port → 13003

• Source data → ^.*? RT_IDP - .*$

• Target tag → firewall.juniper.srx.idp

• Check the Stop processing and Sent without syslog tag checkboxes

Rule 4:  Tag all other events received on the same port as "system"

• IP → <Juniper IP>

• Source port → 13003

• Target tag → firewall.juniper.srx.system

• Check the Sent without syslog tag checkbox

SRX Rule Base - Add rule to log dropped packets

The SRX does not log packets dropped by default. A rule needs to be defined at the end of the rule base to drop all and to activate the logging.

Configuration for Junos release 11.4 and earlier

1. Create a template group. Note that  <*> is a wild card character to match any security zone.

   Code Block

   set groups default-deny-template security policies from-zone <*> to-zone policy default-deny match source-address any set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match destination-address any set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match application any set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then deny set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then log session-init

2. Apply the group. The following configuration statement applies the template groups between all zones that already have a policy context:

   Code Block
   set apply-groups default-deny-template

...

set security policies global policy default-deny match source-address any
set security policies global policy default-deny match destination-address any
set security policies global policy default-deny match application any
set security policies global policy default-deny then deny
set security policies global policy default-deny then log session-ini

Table structure

firewall.juniper.srx.idp

 firewall.juniper.srx.probe

firewall.juniper.srx.traffic 

Field

Type

Extra Label

eventdate

timestamp

-

machine

str

-

serverdate

str

-

hostname

str

-

process_name

str

-

pid

str

-

log_type

str

-

platform

str

-

username

str

-

authentication_level

str

-

client_ip

ip4

-

client_port

str

-

destination_ip

ip4

-

destination_port

str

-

message

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

 firewall.juniper.srx.utm

Field

Type

Extra Label

eventdate

timestamp

-

machine

str

-

srcIp

ip4

-

srcIp_str

str

-

srcPort

int4

-

dstIp

ip4

-

dstPort

int4

-

name

str

-

error_message

str

-

profile_name

str

-

object_name

str

-

pathname

str

-

username

str

-

roles

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

firewall.juniper.system

Field

Type

Extra Label

eventdate

timestamp

-

machine

str

-

product

str

-

devModel

str

-

devId0

str

-

severity

str

-

type

int4

-

message

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

firewall.juniper.traffic

Field

Type

Extra Label

eventdate

timestamp

-

machine

str

-

product

str

-

devModel

str

-

devId

str

-

severity

str

-

type

int4

-

startTime

timestamp

-

duration

int4

-

policyId

int8

-

service

str

-

protocol

int4

-

protoStr

str

-

srcZone

str

-

dstZone

str

-

action

str

-

cliPkts

int4

-

bytesSend

int8

-

srvPkts

int4

-

bytesRecv

int8

-

srcIp

ip4

-

srcIp_str

str

-

dstIp

ip4

-

srcPort

int4

-

dstPort

int4

-

icmpType

int4

-

icmpCode

int4

-

sessionId

int8

-

srcXIp

ip4

-

srcXPort

int4

-

dstXIp

ip4

-

dstXPort

int4

-

reason

str

-

version

str

-

pid

str

-

natConnetionTag

str

-

srcNatRuleType

str

-

srcNatRule

str

-

dstNatRuleType

str

-

dstNatRule

str

-

srcNatIp

ip4

-

dstNatIp

ip4

-

policy

str

-

user

str

-

roles

str

-

iface

str

-

app

str

-

app2

str

-

encrypted

str

-

structuredData

str

-

unknown

str

-

rawMessage

-ini

Table structure

These are the fields displayed in these tables:

isnotnull(duration_tmp) ? duration_tmp : duration_aux

isnotnull(service_tmp) ? service_tmp : service_aux

isnotnull(proto_tmp) ? proto_tmp : proto_aux

(protocol = 6) ? "TCP" : (protocol = 17) ? "UDP" : (protocol = 1) ? "ICMP" : null("")

isnotnull(srcZone_tmp) ? srcZone_tmp : srcZone_aux

isnotnull(dstZone_tmp) ? dstZone_tmp : dstZone_aux

isnotnull(cliBytes_tmp) ? cliBytes_tmp : cliBytes_aux

isnotnull(srvBytes_tmp) ? srvBytes_tmp : srvBytes_aux

isnotnull(srcIp_tmp) ? srcIp_tmp : srcIp_aux

isnotnull(srcIp_tmp_str) ? srcIp_tmp_str : srcIp_aux_str

isnotnull(dstIp_tmp) ? dstIp_tmp : dstIp_aux

isnotnull(dstIp_tmp_str) ? dstIp_tmp_str : dstIp_aux_str

isnotnull(srcPort_tmp) ? srcPort_tmp : srcPort_aux

isnotnull(dstPort_tmp) ? dstPort_tmp : dstPort_aux

isnotnull(icmpType_tmp) ? icmpType_tmp : icmpType_aux

isnotnull(session_tmp) ? session_tmp : session_aux

isnotnull(reason_tmp) ? reason_tmp : reason_aux

action_prefix + action

isnotnull(srcIp_tmp) ? srcIp_tmp : srcIp_aux

isnotnull(srcIp_tmp_str) ? srcIp_tmp_str : srcIp_aux_str

isnotnull(srcPort_tmp) ? srcPort_tmp : srcPort_aux

isnotnull(dstIp_tmp) ? dstIp_tmp : dstIp_aux

isnotnull(dstIp_tmp_str) ? dstIp_tmp_str : dstIp_aux_str

isnotnull(dstPort_tmp) ? dstPort_tmp : dstPort_aux

isnotnull(service_tmp) ? service_tmp : service_aux

isnotnull(srcNatRuleType_tmp) ? srcNatRuleType_tmp : srcNatRuleType_aux

isnotnull(srcNatRule_tmp) ? srcNatRule_tmp : srcNatRule_aux

isnotnull(dstNatRuleType_tmp) ? dstNatRuleType_tmp : dstNatRuleType_aux

isnotnull(dstNatRule_tmp) ? dstNatRule_tmp : dstNatRule_aux

isnotnull(proto_tmp) ? proto_tmp : proto_aux

(proto = 6) ? "TCP" : (proto = 17) ? "UDP" : (proto = 1) ? "ICMP" : null("")

isnotnull(policy_tmp) ? policy_tmp : policy_aux

isnotnull(srcZone_tmp) ? srcZone_tmp : srcZone_aux

isnotnull(dstZone_tmp) ? dstZone_tmp : dstZone_aux

isnotnull(session_tmp) ? session_tmp : session_aux

isnotnull(reason_tmp) ? reason_tmp : reason_aux

isnotnull(cliPkts_tmp) ? cliPkts_tmp : cliPkts_aux

isnotnull(cliBytes_tmp) ? cliBytes_tmp : cliBytes_aux

isnotnull(srvPkts_tmp) ? srvPkts_tmp : srvPkts_aux

isnotnull(srvBytes_tmp) ? srvBytes_tmp : srvBytes_aux

isnotnull(duration_tmp) ? duration_tmp : duration_aux

isnotnull(app_tmp) ? app_tmp : app_aux

isnotnull(app2_tmp) ? app2_tmp : app2_aux

isnotnull(user_tmp) ? user_tmp : user_aux

isnotnull(roles_tmp) ? roles_tmp : roles_aux

isnotnull(iface_tmp) ? iface_tmp : iface_aux

isnotnull(icmpType_tmp) ? icmpType_tmp : icmpType_aux

isnotnull(encrypted_tmp) ? encrypted_tmp : encrypted_aux