firewall.juniper
The tags beginning with firewall.juniper
identify log events generated by the following Juniper technologies:
Juniper Integrated Services Gateway / Secure Services Gateway
Juniper SRX-series Firewalls
Juniper Network & Security Manager
Tag structure
The full tag must have at least three levels. The first two are fixed as firewall.juniper
. The third level identifies the technology type and must be one of isg
, nsm
, srx
, ssg
, system
or traffic
. The fourth element is usually required and you are free to define it as you like.
technology | brand | type | subtype | junos release |
---|---|---|---|---|
|
|
| usually required and fixed depending on type | appended to
|
Therefore, the valid tags include:
Tags | Data tables |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
For more information, read more about Devo tags.
Firewall Juniper ISG / SSG
It is not possible to send system and traffic events to different ports on the same remote machine, in this case the Devo Relay. Therefore, we need to set up two relay rules to process and tag the different events received on the same port.
In the first rule, we use regex in the Source Message field to identify events that should be tagged firewall.juniper.isg.traffic. In this rule we mark Stop Processing so that when an event meets the conditions of the rule and the tag is applied, the event is not subjected to any further relay rules and is forwarded directly to the Devo Cloud.
The second rule simply applies the firewall.juniper.isg.system tag to all other events received on the same port.
It is important that the first rule come before the second rule in the order of rule processing on the relay.
Rule 1: Identify "traffic" type events
Source port →
514
Source message →
"\\[Root]system-[^][0-9](traffic):"
Target tag →
firewall.juniper.isg.traffic
Check the Stop processing checkbox
Rule 2: Tag all other events received from the Juniper IP as "system"
IP →
<Juniper IP address>
Source Port →
514
Target tag → all the rest as
firewall.juniper.isg.system
Firewall Juniper SRX Series
Below find instructions for setting up the Devo Relay rules to correctly process the SRX events, and also a note about logging dropped packets in SRX.
Devo Relay rules - SRX logging in syslog format
You need to set up new relay rules to handle the SRX events received on port 514 and tag them correctly as firewall.juniper.srx.<subtype>
Essentially, these rules identify the syslog tag contained in the inbound event so that when there's a match, the correct tag is applied to the event and the event is forwarded to the Devo Cloud without further processing on the relay.
It is possible to change the port where the SRX log events are sent, but our examples below use the standard syslog UDP port 514.
Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"
Source port →
514
Source tag →
RT_FLOW
Target tag →
firewall.juniper.srx.traffic
(orfirewall.juniper.srx.traffic.vXX
)Check the Stop processing checkbox
Rule 2: Tag events containing the syslog tag RT_UTM as "utm"
Source port →
514
Source tag →
RT_UTM
Target tag →
firewall.juniper.srx.utm
Check the Stop Processing checkbox
Rule 3: Tag events containing the syslog tag RT_IDP as "idp"
Source port →
514
Source tag →
RT_IDP
Target tag →
firewall.juniper.srx.idp
Check the Stop processing checkbox
Rule 4: Tag all other events received on port 514 as "system"
Source port →
514
Target tag →
firewall.juniper.srx.system
Check the Sent without syslog tag checkbox
The system log will show events from the *nix system.
Devo Relay rules - SRX logging in structured-data format
If SRX is logging in structured-data format, the Devo Relay rules need to be defined in a different way.
Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"
Source port →
13003
Source data →
^.*? RT_FLOW - .*$
Target tag →
firewall.juniper.srx.traffic
Check the Stop processing and Sent without syslog tag checkboxes
Rule 2: Tag events containing the syslog tag RT_UTM as "utm"
Source port →
13003
Source data →
^.*? RT_UTM - .*$
Target tag →
firewall.juniper.srx.utm
Check the Stop processing and Sent without syslog tag checkboxes
Rule 3: Tag events containing the syslog tag RT_IDP as "idp"
Source port →
13003
Source data →
^.*? RT_IDP - .*$
Target tag →
firewall.juniper.srx.idp
Check the Stop processing and Sent without syslog tag checkboxes
Rule 4: Tag all other events received on the same port as "system"
IP →
<Juniper IP>
Source port →
13003
Target tag →
firewall.juniper.srx.system
Check the Sent without syslog tag checkbox
SRX Rule Base - Add rule to log dropped packets
The SRX does not log packets dropped by default. A rule needs to be defined at the end of the rule base to drop all and to activate the logging.
Configuration for Junos release 11.4 and earlier
Create a template group. Note that <*> is a wild card character to match any security zone.
set groups default-deny-template security policies from-zone <*> to-zone policy default-deny match source-address any set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match destination-address any set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match application any set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then deny set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then log session-init
Apply the group. The following configuration statement applies the template groups between all zones that already have a policy context:
set apply-groups default-deny-template
Configuration for Junos release 11.4 and later
set security policies global policy default-deny match source-address any
set security policies global policy default-deny match destination-address any
set security policies global policy default-deny match application any
set security policies global policy default-deny then deny
set security policies global policy default-deny then log session-ini
Table structure
These are the fields displayed in these tables: