1. Configure Screen.
root@iLab.SRX# show security screen
ids-option Test-01 {
icmp {
ip-sweep;
fragment;
large;
flood;
ping-death;
}
ip {
bad-option;
record-route-option;
timestamp-option;
security-option;
stream-option;
spoofing;
source-route-option;
loose-source-route-option;
strict-source-route-option;
unknown-protocol;
block-frag;
tear-drop;
}
tcp {
syn-fin;
fin-no-ack;
tcp-no-flag;
syn-frag;
port-scan;
syn-ack-ack-proxy;
syn-flood;
land;
winnuke;
tcp-sweep;
}
udp {
flood;
udp-sweep;
port-scan;
}
}
- Add Screen to Zones
root@iLab.SRX# set security zones security-zone Internet screen Test-01
2. Configure sending security logs to remote syslog server
root@iLab.SRX# show security log
mode stream;
format sd-syslog;
source-address 192.168.221.11;
stream ilab-logs {
format sd-syslog;
category all;
host {
192.168.221.135;
port 5014;
}
}
3. Test by using Kali to attack to capture logs
Reference:
1. How to forward traffic logs from an SRX device to STRM (https://kb.juniper.net)
- Set the security log mode:
root@iLab.SRX#
set security log mode stream
-
Set the security log format to sd-sylog, which is for structured syslog format:
root@iLab.SRX#
set security log format sd-syslog
- Set the security log source-address, which is the SRX IP address expected by the STRM device. Here we are using the IP address of an egress interface ge-0/0/0 on the SRX:
root@iLab.SRX#
root@iLab.SRX#
set security log source-address 192.168.221.11
-Give the security log stream a name and category. In this case, the name is 'securitylog', and the 'all' category is specified.
root@iLab.SRX#
root@iLab.SRX#
set security log stream securitylog category all
-Set the host IP address of the STRM or Syslog server device that will receive the traffic logs.
root@iLab.SRX#set security log stream securitylog host 192.168.221.135
-Also, set the host port of the STRM device that will collect the traffic logs. This is the port the STRM device is configured to listen on. The default syslog port is 5014.
root@iLab.SRX#
set security log stream securitylog host port 5014
2. Understanding Screens options on SRX Series devices (https://www.juniper.net)
https://www.juniper.net/documentation/en_US/junos/topics/concept/understanding-screen-options-srx-series.html
No comments:
Post a Comment