Configure Network Device - Juniper Firewall

This article will walk through the steps required to enable syslog forwarding on a Juniper Firewall

Enable syslog server reporting

  1. On the Juniper Firewall, ssh into configuration CLI.
  2. Enter the configure menu
         > configure
  3. Select security log hierarchy
        > edit security log
        > set mode stream
  4. Assign the address of remote syslog server (rocketagent server).
        For demonstration 10.5.5.100 is used.
        > set stream remote-logging host 10.5.5.100 any any
  5. Assign a location where a local syslog is stored.
        > set stream local-logging file name local-logs
  6. Configuration may be reviewed.
        > show
        mode stream:
        stream remote-logging {
                                          host{
                                                    10.5.5.100;
                                                   }
       }
       stream local-logging {
                                         file {
                                                 name local-logs;
                                          }
       }

Enable Logging of Events

Rocket Agent monitors the following event types; Internet Traffic, Intrusion Detection, and Failed Login authorization attempts. Each system policy must be defined, enabled, and configured to allow syslog reporting.

  1. Internet Traffic. (Inet-access policy)
    The firewall has a default Inet-access policy. To view and modify the policy:
    >edit security policies from-zone Users to-zone Internet policy Inet-access
    show
        match {
                      source-address any;
                     destination-address any;
                     application any;
        }
        then {
                   permit
       }

    Enable Inet-access events to syslog
        >set then log session-init
        >commit
  2. Intrusion Detection (IDP policy rule base)
    A default policy exists which allows an admin to customize by specifying which intrusion events will be detected. We recommend the following configuration of events:  
      >set security screen ids-option internet-screen-options icmp ip-sweep
      >set security screen ids-option internet-screen-options icmp ping-death
      >set security screen ids-option internet-screen-options ip bad-option
      >set security screen ids-option internet-screen-options ip spoofing
      >set security screen ids-option internet-screen-options ip tear-drop
      >set security screen ids-option internet-screen-options tcp syn-fin
      >set security screen ids-option internet-screen-options tcp tcp-no-flag
      >set security screen ids-option internet-screen-options tcp syn-frag
      >set security screen ids-option internet-screen-options tcp port-scan. 
      >set security screen ids-option internet-screen-options tcp syn-ack-ack-proxy
      >set security screen ids-option internet-screen-options tcp land
      >set security screen ids-option internet-screen-options tcp winnuke
      >set security screen ids-option internet-screen-options tcp tcp-sweep
      >set security screen ids-option internet-screen-options udp flood
      >set security screen ids-option internet-screen-options udp udp-sweep
      >set security screen ids-option internet-screen-options udp port-scan
      >set security screen ids-option internet-screen-options limit-session source-ip-based 1000
     >set security screen ids-option internet-screen-options limit-session destination-ip-based  1000

    The IDP policy can be reviewed using the following command.
        >show security idp active-policy
         active-policy Recommended;
         then {
                       action {
                             recommended;
                      }
                      notification {
                                    log-attacks;
                     }
       }

    Ensure IDP policy is enabled.
        >set security policy from-zone sec-zone-source to-zone sec-zone-destination policy name-of-sec-policy then permit application-services idp
    Form a routing rule to forward IDP/IDS events to syslog
      >set system syslog host 10.5.5.100 match "RT_IDP|RT_IDS"
      >commit
  3. Failed Login Authorization Attempts This is accomplished monitoring interactive commands interface. To route these
    messages to the syslog;
      >set system syslog host 10.5.5.100 interactive-commands any
      >commit

Syslog Log Formats

IDS Event: <19>Feb 3 03:30:05 SRX-2 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! ource:172.xxx.xxx.213, destination: 185.xxx.xx.76, zone name: manage, interface name: ge-0/0/0.0

IDP Event: <19>Dec 28 15:09:30 ankara RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1325084969, TRAFFIC Attack log <192.xxx.xxx.2/37731->212.xxx.xxx.78/443> for TCP protocol and service SERVICE_NONE application NONE by rule 1 of rulebase IPS in policy My_Policy. attack: repeat=0, action=TRAFFIC_IPACTION_DROP, threat-severity=INFO, name=_, NAT <172.xxx.xxx.219:42029->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:lan:fe-0/0/1.0->wan:fe-0/0/0.0, packet-log-id: 0 and misc-message -

IP Traffic Event: <19>Dec 17 08:04:45 srx-firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created xx.xx.xx.xx/53836->xx.xx.xx.xx/22 junos-ssh xx.xx.xx.xx/53836->10.10.10.1/22 None None 6 log-host-traffic untrust junos-host 5 N/A(N/A) ge-0/0/1.0

Authorization Event: <19>Jun 15 02:46:39 srx-firewall mgd[8265]: FWAUTH_TELNET_USER_AUTH_FAIL: User 'tsmith' at 'xx.xx.xx.123' is rejected.