Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

The tags beginning with firewall.juniper identify log events generated by the following Juniper technologies:

  • Juniper Integrated Services Gateway / Secure Services Gateway

  • Juniper SRX-series Firewalls

  • Juniper Network & Security Manager

Tag structure

The full tag must have at least three levels. The first two are fixed as firewall.juniper. The third level identifies the technology type and must be one of isgnsmsrxssgsystem or traffic. The fourth element is usually required and you are free to define it as you like. 

technology

brand

type

subtype

junos release

firewall

juniper

  • is

  • nsm

  • srx

  • ssg

  • system

  • traffic

usually required and fixed depending on type

appended to firewall.juniper.srx.traffic tag and must be one of:

  • v12 (Junos releases between 12.3 and 14)

  • v14 (Junos 14.x )

  • v15 (Junos releases between 14 and 15.1X49)

  • v16 (Junos 15.1X49-D80 and later)

Therefore, the valid tags include:

  • firewall.juniper.isg.system

  • firewall.juniper.isg.traffic

  • firewall.juniper.nsm.traffic

  • firewall.juniper.srx.idp

  • firewall.juniper.srx.probe

  • firewall.juniper.srx.system

  • firewall.juniper.srx.traffic.vXX

  • firewall.juniper.srx.utm

  • firewall.juniper.ssg.system

  • firewall.juniper.ssg.traffic

  • firewall.juniper.system

  • firewall.juniper.traffic

For more information, read more about Devo tags.

Firewall Juniper ISG / SSG

It is not possible to send system and traffic events to different ports on the same remote machine, in this case the Devo Relay. Therefore, we need to set up two relay rules to process and tag the different events received on the same port.

  1. In the first rule, we use regex in the Source Message field to identify events that should be tagged firewall.juniper.isg.traffic. In this rule we mark Stop Processing so that when an event meets the conditions of the rule and the tag is applied, the event is not subjected to any further relay rules and is forwarded directly to the Devo Cloud. 

  2. The second rule simply applies the firewall.juniper.isg.system tag to all other events received on the same port.

It is important that the first rule come before the second rule in the order of rule processing on the relay. 

Rule 1: Identify "traffic" type events

  • Source Port → 514

  • Source Message → "\\[Root]system-[^][0-9](traffic):"

  • Target Tag → firewall.juniper.isg.traffic                                                                                                        

  • Check the Stop Processing checkbox

Rule 2: Tag all other events received from the Juniper IP as "system"

    • IP → <Juniper IP address>

    • Source Port → 514

    • Target Tag → all the rest as firewall.juniper.isg.system

  

Firewall Juniper SRX Series

Below find instructions for setting up the Devo Relay rules to correctly process the SRX events, and also a note about logging dropped packets in SRX.

Devo Relay rules - SRX logging in syslog format

You need to set up new relay rules to handle the SRX events received on port 514 and tag them correctly as  firewall.juniper.srx.subtype .

Essentially, these rules identify the syslog tag contained in the inbound event so that when there's a match, the correct tag is applied to the event and the event is forwarded to the Devo Cloud without further processing on the relay. 

It is possible to change the port where the SRX log events are sent, but our examples below use the standard syslog UDP port 514.

Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"

  • Source Port  514

  • Source Tag RT_FLOW    

  • Target Tag  firewall.juniper.srx.traffic (or firewall.juniper.srx.traffic.vXX)

  • Check the Stop Processing checkbox

Rule 2: Tag events containing the syslog tag RT_UTM as "utm"

  • Source Port  514

  • Source Tag  RT_UTM    

  • Target Tag  firewall.juniper.srx.utm

  • Check the Stop Processing checkbox

          

Rule 3: Tag events containing the syslog tag RT_IDP as "idp"

  • Source Port  514

  • Source Tag  RT_IDP

  • Target Tag  firewall.juniper.srx.idp

  • Check the Stop Processing checkbox

Rule 4: Tag all other events received on port 514 as "system"

  • Source Port  514

  • Target Tag  firewall.juniper.srx.system

  • Check the Sent without syslog tag checkbox

The system log will show events from the *nix system. 

Devo Relay rules - SRX logging in structured-data format

If SRX is logging in structured-data format, the Devo Relay rules need to be defined in a different way. 

Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"

  • Source Port → 13003

  • Source Data → ^.*? RT_FLOW - .*$

  • Target Tag → firewall.juniper.srx.traffic

  • Check the Stop Processing and Sent without syslog tag checkboxes

Rule 2:  Tag events containing the syslog tag RT_UTM as "utm"

  • Source Port → 13003

  • Source Data → ^.*? RT_UTM - .*$

  • Target Tag → firewall.juniper.srx.utm

  • Check the Stop Processing and Sent without syslog tag checkboxes

 

Rule 3:  Tag events containing the syslog tag RT_IDP as "idp"

  • Source Port → 13003

  • Source Data → ^.*? RT_IDP - .*$

  • Target Tag → firewall.juniper.srx.idp

  • Check the Stop Processing and Sent without syslog tag checkboxes

 

Rule 4:  Tag all other events received on the same port as "system"

  • IP → <Juniper IP>

  • Source Port → 13003

  • Target Tag → firewall.juniper.srx.system

  • Check the Sent without syslog tag checkbox

SRX Rule Base - Add rule to log dropped packets

The SRX does not log packets dropped by default. A rule needs to be defined at the end of the rule base to drop all and to activate the logging.

Configuration for Junos release 11.4 and earlier

  1. Create a template group. Note that  <*> is a wild card character to match any security zone.

    set groups default-deny-template security policies from-zone <*> to-zone policy default-deny match source-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match destination-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match application any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then deny
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then log session-init


  2. Apply the group. The following configuration statement applies the template groups between all zones that already have a policy context:

    set apply-groups default-deny-template


Configuration for Junos release 11.4 and later

set security policies global policy default-deny match source-address any
set security policies global policy default-deny match destination-address any
set security policies global policy default-deny match application any
set security policies global policy default-deny then deny
set security policies global policy default-deny then log session-ini

Table structure

firewall.juniper.nsm.traffic

Field

Type

Extra Label

eventdate

timestamp

-

machine

str

-

logDayId

str

-

logRecordId

str

-

timeReceived

timestamp

-

timeGenerated

timestamp

-

deviceDomain

str

-

deviceDomainVer

str

-

deviceName

str

-

deviceIp

ip4

-

category

str

-

subCategory

str

-

srcZone

str

-

srcIface

str

-

srcIp

ip4

-

srcIp_str

str

-

srcPort

int4

-

srcXIp

ip4

-

srcXPort

int4

-

dstZone

str

-

dstIface

str

-

dstIp

ip4

-

dstPort

int4

-

dstXIp

ip4

-

dstXPort

int4

-

proto

str

-

policyDomain

str

-

policyDomainVer

str

-

policyName

str

-

rulebase

str

-

ruleNumber

str

-

ruleNumber2

str

-

action

str

-

severity

str

-

isAlert

str

-

details

str

-

user

str

-

app

str

-

uri

str

-

elapsedSecs

int4

-

bytesIn

int8

-

bytesOut

int8

-

bytesTotal

int8

-

pktsIn

int4

-

pktsOut

int4

-

pktsTotal

int4

-

repeatCount

int4

-

hasData

str

-

data

str

-

appliService

str

-

deviceFamily

str

-

hostchain

str

tag

str

rawMessage

str

firewall.juniper.srx.idp

Field

Type

Extra Label

eventdate

timestamp

-

machine

str

-

type

str

-

attack_name

str

-

source_address

ip4

-

source_port

int4

-

destination_address

ip4

-

destination_port

int4

-

protocol_id

str

-

source_zone_name

str

-

interface_name

str

-

action

str

-

hostchain

str

tag

str

rawMessage

str

 firewall.juniper.srx.probe

Field

Type

Extra Label

eventdate

timestamp

-

machine

str

-

type

str

-

interfaceName

str

-

name

str

-

testOwner

str

-

snmpInterfaceIndex

str

-

testName

str

-

message

str

-

adminStatus

str

-

operationalStatus

str

-

hostchain

str

tag

str

rawMessage

str

firewall.juniper.srx.traffic 

Field

Type

Extra Label

eventdate

timestamp

-

machine

str

-

tag

str

version

str

-

action

str

-

srcIp

ip4

-

srcIp_str

str

-

srcPort

int4

-

dstIp

ip4

-

dstPort

int4

-

service

str

-

srcXIp

ip4

-

srcXPort

int4

-

dstXIp

ip4

-

dstXPort

int4

-

natConnetionTag

str

-

srcNatRuleType

str

-

srcNatRule

str

-

dstNatRuleType

str

-

dstNatRule

str

-

srcNatIp

ip4

-

dstNatIp

ip4

-

proto

int4

-

protoStr

str

-

policy

str

-

srcZone

str

-

dstZone

str

-

session

int4

-

reason

str

-

cliPkts

int4

-

cliBytes

int8

-

srvPkts

int4

-

srvBytes

int8

-

duration

int4

-

app

str

-

app2

str

-

user

str

-

roles

str

-

iface

str

-

icmpType

int4

-

structuredData

str

-

encrypted

str

-

connectionTag

str

-

unknown

str

-

rawMessage

str

hostchain

str

firewall.juniper.srx.system

Field

Type

Extra Label

eventdate

timestamp

-

machine

str

-

serverdate

str

-

hostname

str

-

process_name

str

-

pid

str

-

log_type

str

-

platform

str

-

username

str

-

authentication_level

str

-

client_ip

ip4

-

client_port

str

-

destination_ip

ip4

-

destination_port

str

-

message

str

-

hostchain

str

tag

str

rawMessage

str

 firewall.juniper.srx.utm

Field

Type

Extra Label

eventdate

timestamp

-

machine

str

-

srcIp

ip4

-

srcIp_str

str

-

srcPort

int4

-

dstIp

ip4

-

dstPort

int4

-

name

str

-

error_message

str

-

profile_name

str

-

object_name

str

-

pathname

str

-

username

str

-

roles

str

-

hostchain

str

tag

str

rawMessage

str

firewall.juniper.system

Field

Type

Extra Label

eventdate

timestamp

-

machine

str

-

product

str

-

devModel

str

-

devId0

str

-

severity

str

-

type

int4

-

message

str

-

hostchain

str

tag

str

rawMessage

str

firewall.juniper.traffic

Field

Type

Extra Label

eventdate

timestamp

-

machine

str

-

product

str

-

devModel

str

-

devId

str

-

severity

str

-

type

int4

-

startTime

timestamp

-

duration

int4

-

policyId

int8

-

service

str

-

protocol

int4

-

protoStr

str

-

srcZone

str

-

dstZone

str

-

action

str

-

cliPkts

int4

-

bytesSend

int8

-

srvPkts

int4

-

bytesRecv

int8

-

srcIp

ip4

-

srcIp_str

str

-

dstIp

ip4

-

srcPort

int4

-

dstPort

int4

-

icmpType

int4

-

icmpCode

int4

-

sessionId

int8

-

srcXIp

ip4

-

srcXPort

int4

-

dstXIp

ip4

-

dstXPort

int4

-

reason

str

-

version

str

-

pid

str

-

natConnetionTag

str

-

srcNatRuleType

str

-

srcNatRule

str

-

dstNatRuleType

str

-

dstNatRule

str

-

srcNatIp

ip4

-

dstNatIp

ip4

-

policy

str

-

user

str

-

roles

str

-

iface

str

-

app

str

-

app2

str

-

encrypted

str

-

structuredData

str

-

unknown

str

-

rawMessage

str

hostchain

str

tag

str


  • No labels