Document toolboxDocument toolbox

firewall.juniper

The tags beginning with firewall.juniper identify log events generated by the following Juniper technologies:

  • Juniper Integrated Services Gateway / Secure Services Gateway

  • Juniper SRX-series Firewalls

  • Juniper Network & Security Manager

Tag structure

The full tag must have at least three levels. The first two are fixed as firewall.juniper. The third level identifies the technology type and must be one of isgnsmsrxssgsystem or traffic. The fourth element is usually required and you are free to define it as you like. 

technology

brand

type

subtype

junos release

firewall

juniper

  • is
  • nsm
  • srx
  • ssg
  • system
  • traffic

usually required and fixed depending on type

appended to firewall.juniper.srx.traffic tag and must be one of:

  • v12 (Junos releases between 12.3 and 14)
  • v14 (Junos 14.x )
  • v15 (Junos releases between 14 and 15.1X49)
  • v16 (Junos 15.1X49-D80 and later)

Therefore, the valid tags include:

  • firewall.juniper.isg.system

  • firewall.juniper.isg.traffic

  • firewall.juniper.nsm.traffic

  • firewall.juniper.srx.idp

  • firewall.juniper.srx.probe

  • firewall.juniper.srx.system

  • firewall.juniper.srx.traffic.vXX

  • firewall.juniper.srx.utm

  • firewall.juniper.ssg.system

  • firewall.juniper.ssg.traffic

  • firewall.juniper.system

  • firewall.juniper.traffic

For more information, read more about Devo tags.

Firewall Juniper ISG / SSG

It is not possible to send system and traffic events to different ports on the same remote machine, in this case the Devo Relay. Therefore, we need to set up two relay rules to process and tag the different events received on the same port.

  1. In the first rule, we use regex in the Source Message field to identify events that should be tagged firewall.juniper.isg.traffic. In this rule we mark Stop Processing so that when an event meets the conditions of the rule and the tag is applied, the event is not subjected to any further relay rules and is forwarded directly to the Devo Cloud. 
  2. The second rule simply applies the firewall.juniper.isg.system tag to all other events received on the same port.

It is important that the first rule come before the second rule in the order of rule processing on the relay. 

Rule 1: Identify "traffic" type events

  • Source Port → 514
  • Source Message → "\\[Root]system-[^][0-9](traffic):"
  • Target Tag → firewall.juniper.isg.traffic                                                                                                        
  • Check the Stop Processing checkbox

Rule 2: Tag all other events received from the Juniper IP as "system"

    • IP → <Juniper IP address>
    • Source Port → 514
    • Target Tag → all the rest as firewall.juniper.isg.system

  

Firewall Juniper SRX Series

Below find instructions for setting up the Devo Relay rules to correctly process the SRX events, and also a note about logging dropped packets in SRX.

Devo Relay rules - SRX logging in syslog format

You need to set up new relay rules to handle the SRX events received on port 514 and tag them correctly as  firewall.juniper.srx.subtype .

Essentially, these rules identify the syslog tag contained in the inbound event so that when there's a match, the correct tag is applied to the event and the event is forwarded to the Devo Cloud without further processing on the relay. 

It is possible to change the port where the SRX log events are sent, but our examples below use the standard syslog UDP port 514.

Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"

  • Source Port  514
  • Source Tag RT_FLOW    
  • Target Tag  firewall.juniper.srx.traffic (or firewall.juniper.srx.traffic.vXX)
  • Check the Stop Processing checkbox

Rule 2: Tag events containing the syslog tag RT_UTM as "utm"

  • Source Port  514
  • Source Tag  RT_UTM    
  • Target Tag  firewall.juniper.srx.utm
  • Check the Stop Processing checkbox

          

Rule 3: Tag events containing the syslog tag RT_IDP as "idp"

  • Source Port  514
  • Source Tag  RT_IDP
  • Target Tag  firewall.juniper.srx.idp
  • Check the Stop Processing checkbox

Rule 4: Tag all other events received on port 514 as "system"

  • Source Port  514
  • Target Tag  firewall.juniper.srx.system
  • Check the Sent without syslog tag checkbox

The system log will show events from the *nix system. 

Devo Relay rules - SRX logging in structured-data format

If SRX is logging in structured-data format, the Devo Relay rules need to be defined in a different way. 

Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"

  • Source Port → 13003
  • Source Data → ^.*? RT_FLOW - .*$
  • Target Tag → firewall.juniper.srx.traffic
  • Check the Stop Processing and Sent without syslog tag checkboxes

Rule 2:  Tag events containing the syslog tag RT_UTM as "utm"

  • Source Port → 13003
  • Source Data → ^.*? RT_UTM - .*$
  • Target Tag → firewall.juniper.srx.utm
  • Check the Stop Processing and Sent without syslog tag checkboxes

 

Rule 3:  Tag events containing the syslog tag RT_IDP as "idp"

  • Source Port → 13003
  • Source Data → ^.*? RT_IDP - .*$
  • Target Tag → firewall.juniper.srx.idp
  • Check the Stop Processing and Sent without syslog tag checkboxes

 

Rule 4:  Tag all other events received on the same port as "system"

  • IP → <Juniper IP>
  • Source Port → 13003
  • Target Tag → firewall.juniper.srx.system
  • Check the Sent without syslog tag checkbox

SRX Rule Base - Add rule to log dropped packets

The SRX does not log packets dropped by default. A rule needs to be defined at the end of the rule base to drop all and to activate the logging.

Configuration for Junos release 11.4 and earlier

  1. Create a template group. Note that  <*> is a wild card character to match any security zone.

    set groups default-deny-template security policies from-zone <*> to-zone policy default-deny match source-address any
    set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match destination-address any
    set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match application any
    set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then deny
    set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then log session-init
  2. Apply the group. The following configuration statement applies the template groups between all zones that already have a policy context:

    set apply-groups default-deny-template

Configuration for Junos release 11.4 and later

set security policies global policy default-deny match source-address any
set security policies global policy default-deny match destination-address any
set security policies global policy default-deny match application any
set security policies global policy default-deny then deny
set security policies global policy default-deny then log session-ini