
Configure Screen and send traffic logs from SRX to a remote syslog server



1. Configure Screen.
root@iLab.SRX# show security screen 
ids-option Test-01 {
    icmp {
        ip-sweep;
        fragment;
        large;
        flood;
        ping-death;
    }
    ip {
        bad-option;
        record-route-option;
        timestamp-option;
        security-option;
        stream-option;
        spoofing;
        source-route-option;
        loose-source-route-option;
        strict-source-route-option;
        unknown-protocol;
        block-frag;
        tear-drop;
    }
    tcp {
        syn-fin;
        fin-no-ack;
        tcp-no-flag;
        syn-frag;
        port-scan;
        syn-ack-ack-proxy;
        syn-flood; 
        land;
        winnuke;
        tcp-sweep;
    }
    udp {
        flood;
        udp-sweep;
        port-scan;
    }
}
- Bind the screen profile to the zone whose inbound traffic it should inspect. Screens are evaluated on ingress, so the profile must be attached to the zone the attacker's traffic arrives from (here the Internet zone):
root@iLab.SRX# set security zones security-zone Internet screen Test-01
Verify the binding with "show security screen ids-option Test-01" and, once test traffic has been sent, check the hit counters with "show security screen statistics zone Internet".

2. Configure sending security logs to a remote syslog server
In stream mode the SRX sends the logs directly from the forwarding plane, so the collector (192.168.221.135) must be reachable through a revenue interface in the routing table, not only via fxp0, and source-address should be an address on that interface (here ge-0/0/0). The stream is sent over UDP by default, so nothing confirms delivery; when logs do not show up, check the collector's listener and the path from the SRX, not just the SRX configuration.
root@iLab.SRX# show security log                          
mode stream;
format sd-syslog;
source-address 192.168.221.11;
stream ilab-logs {
    format sd-syslog;
    category all;
    host {
        192.168.221.135;
        port 5014;
    }
}


3. Test by generating attack traffic from Kali against the Internet-zone interface (for example a port scan, which the tcp port-scan screen above will log and drop) and capturing the resulting RT_SCREEN messages on the syslog server.
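To capture and make sense of what step 2 sends during the test, the following is an added example written for this post (Python, not code from the original page or from Juniper). It parses sd-syslog lines (RFC 5424 header plus one structured-data element), keeps only RT_SCREEN_* messages, counts them per attack name and source address, and provides a UDP listener on port 5014 that discards datagrams not sent from the stream's configured source-address 192.168.221.11. The sample log lines are constructed; the field names follow Juniper's RT_SCREEN structured-syslog messages, but the SD-ID (junos@2636...) and the exact field set vary by platform and release, so treat them as assumptions.

```python
"""Receive and parse Junos structured-syslog (sd-syslog) screen logs.

Added example, not from the original post or from Juniper. The SAMPLE_LINES
below are constructed; the SD-ID "junos@2636.1.1.1.2.129" and the field
names are modelled on RT_SCREEN_* messages and are assumptions.
"""
import re
import socket
from collections import Counter

# RFC 5424: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID [SD-ID name="value" ...]
# Values containing a literal "]" are not handled; Junos screen logs do not emit them.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s+(?P<timestamp>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+"
    r"\[(?P<sdid>[^\s\]]+)(?P<params>[^\]]*)\]"
)
PARAM_RE = re.compile(r'(?P<name>[\w\-.]+)="(?P<value>(?:[^"\\]|\\.)*)"')

# Constructed sample: two port-scan hits, one ICMP flood hit, one ordinary
# session log (category "all" delivers those too) and one junk line.
SAMPLE_LINES = [
    '<14>1 2024-03-10T08:15:02.101 iLab.SRX RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name="TCP port scan!" source-address="192.168.221.130" source-port="40123" destination-address="192.168.221.11" destination-port="445" source-zone-name="Internet" interface-name="ge-0/0/0.0" action="drop"]',
    '<14>1 2024-03-10T08:15:02.233 iLab.SRX RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name="TCP port scan!" source-address="192.168.221.130" source-port="40124" destination-address="192.168.221.11" destination-port="3389" source-zone-name="Internet" interface-name="ge-0/0/0.0" action="drop"]',
    '<14>1 2024-03-10T08:15:05.417 iLab.SRX RT_IDS - RT_SCREEN_ICMP [junos@2636.1.1.1.2.129 attack-name="ICMP flood!" source-address="192.168.221.130" destination-address="192.168.221.11" source-zone-name="Internet" interface-name="ge-0/0/0.0" action="drop"]',
    '<14>1 2024-03-10T08:15:06.002 iLab.SRX RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="192.168.221.130" source-port="51000" destination-address="192.168.221.11" destination-port="22" protocol-id="6"]',
    'not a syslog line',
]


def parse_sd_syslog(line):
    """Return a dict for one sd-syslog line, or None if it is not RFC 5424 shaped."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("pri", "timestamp", "host", "app", "msgid", "sdid")}
    # PRI = facility * 8 + severity
    rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8)
    rec["params"] = {
        p.group("name"): p.group("value").replace('\\"', '"')
        for p in PARAM_RE.finditer(m.group("params"))
    }
    return rec


def is_screen_event(rec):
    """Screen hits use MSGIDs RT_SCREEN_TCP / _UDP / _ICMP / _IP."""
    return rec is not None and rec["msgid"].startswith("RT_SCREEN_")


def summarize(lines):
    """Count screen events per (attack-name, source-address); track drops and junk."""
    counts, dropped, unparsed = Counter(), 0, 0
    for line in lines:
        rec = parse_sd_syslog(line)
        if rec is None:
            unparsed += 1
            continue
        if not is_screen_event(rec):
            continue  # session/policy logs are delivered too but are not screen hits
        p = rec["params"]
        counts[(p.get("attack-name"), p.get("source-address"))] += 1
        if p.get("action") == "drop":
            dropped += 1
    return {"counts": counts, "dropped": dropped, "unparsed": unparsed}


def serve(port=5014, expected_sender="192.168.221.11", bind_addr="0.0.0.0", max_events=None):
    """Yield parsed records arriving on UDP `port` (the stream's host port from step 2).

    UDP syslog is unauthenticated, so datagrams whose sender is not the stream's
    configured source-address are discarded. This catches misrouted or stray
    senders; it is not a defence against a spoofed source IP.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    seen = 0
    while max_events is None or seen < max_events:
        data, (sender, _) = sock.recvfrom(65535)
        if expected_sender is not None and sender != expected_sender:
            continue
        rec = parse_sd_syslog(data.decode("utf-8", errors="replace"))
        if rec is None:
            continue
        rec["sender"] = sender
        seen += 1
        yield rec


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for (attack, src), n in summary["counts"].most_common():
        print(f"{n:4d}  {attack:<20}  from {src}")
    print(f"dropped={summary['dropped']} unparsed={summary['unparsed']}")
```

Run it as-is to see the constructed sample summarised; to watch the lab live, replace the sample loop with `for rec in serve(): print(rec["msgid"], rec["params"])` on the host at 192.168.221.135 (binding 5014 needs no root, but the host firewall must allow the UDP port). The sender check in serve() is worth keeping even on a lab network: a wrong source-address on the SRX, or a second device pointed at the same collector, shows up as silently discarded datagrams rather than as confusing mixed logs.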



Reference: 
1. How to forward traffic logs from an SRX device to STRM (https://kb.juniper.net)
- Set the security log mode:
root@iLab.SRX# set security log mode stream

- Set the security log format to sd-syslog, which is the structured syslog format:
root@iLab.SRX# set security log format sd-syslog

- Set the security log source-address, which is the SRX IP address expected by the STRM device. Here we are using the IP address of the egress interface ge-0/0/0 on the SRX:
root@iLab.SRX# set security log source-address 192.168.221.11

- Give the security log stream a name and category. In this case, the name is 'securitylog', and the 'all' category is specified.
root@iLab.SRX# set security log stream securitylog category all

- Set the host IP address of the STRM or syslog server that will receive the traffic logs.
root@iLab.SRX# set security log stream securitylog host 192.168.221.135

- Also set the host port that the STRM or syslog server listens on. The standard syslog port is 514/UDP; the collector in this lab listens on 5014, so the port is set explicitly and must match the listener:
root@iLab.SRX# set security log stream securitylog host port 5014

2. Understanding Screen Options on SRX Series Devices (https://www.juniper.net/documentation/en_US/junos/topics/concept/understanding-screen-options-srx-series.html)

thudinh Network and Security
