Hi,
These parameters depend on what you want to configure.
You can go with the ones mentioned in the example :-
Regards,
Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.
Hi sahilsha,
In the syslog server itself (SIEM) it cannot see the syslog such as change log, interactive-command n etc in mode stream. But it not have issue on session flow log. Is it the limitation of mode stream?
We need the SIEM can see what ever syslog in the SRX such as config change and etc.
Thanks and appreciate your advise.
Is there this problem on SRX running junos 12.1x44? because of cpu usage of my firewall sometimes is very high.
The logs you are looking for require a configuration under system syslog to send.
Your setup above under security log does not cover the control plane events.
The session is showing that the udp 500 traffic is properly permitted and NAT is working here.
Session ID: 316147, Policy name: VPN_PPTP/40, Timeout: 36, Valid In: 82.132.227.76/627 --> 200.200.200.202/500;udp, If: ge-0/0/5.0, Pkts: 2, Bytes: 728 Out: 10.10.10.10/500 --> 82.132.227.76/627;udp, If: vlan.40, Pkts: 2, Bytes: 524
What do the server logs show at this point? Do they see the connection attempt?
With this configuration active I would do a packet capture on the L2tp server and see what the conversation looks like. Especially the reponse packets from the server. The flow shows that both the inbound and outbound packets are present and permitted. So this is likely an application level issue.
Hi Spuluka,
Thanks for the url given. I'm already read that url given and it;s look like it some of limitation when we use mode stream right? Please corrrect me if i wrong cause my english not so good.
Appreciate your feedback .
Thanks
Yes, on the SRX in Stream mode you need to have TWO configuration stanza setup per those instructions in order to get all of the syslog messages. You appear to need to add the system syslog one from what is missing on your SEIM.
Hi Supuluka,
When u said "TWO configuration stanza setup " are u refer to which part? Below is my config. Can u advise me what need to change to make sure on SIEM can see both syslog on Control Plan such as commit, interactive command n etc. At same time SIEM also can see log RT-FLOW.
{primary:node0}
test@SRX5800> show configuration system syslog
archive size 1m files 10;
user * {
any emergency;
}
inactive: host 7.7.7.1 { ----------------------------------> If i activate this then SIEM cannot see log RT-FLOW
any any;
change-log any;
interactive-commands any;
inactive: match RT_FLOW_SESSION;
source-address x.x.x.x;
structured-data;
}
inactive: host 7.7.7.2 {
any any;
change-log any;
interactive-commands any;
source-address x.x.x.x;
structured-data;
}
file messages { ------------------------------------> This log cannot see on SIEM
any notice;
authorization info;
explicit-priority;
}
file interactive-commands { -------------------> This log cannot see on SIEM
interactive-commands any;
}
Thanks and appreciate your advise
I think you need these two stanzas:
control plane logs - remove the match for flow
host 7.7.7.1 { see log RT-FLOW
any any;
change-log any;
interactive-commands any;
source-address x.x.x.x;
structured-data;
}security logs
security log
mode stream;
format sd-syslog;
source-address 10.70.50.18;
stream TO-SIEM {
format sd-syslog;
category all;
host {
10.60.30.50;
}
}
Hi Spuluka,
If i enable the control plane log then the SIEM cannot received security log. That's a reason i deactivate the control plane logs. Your SIEM can see both log at same time?
Thanks and appreciate your feedback
Yes, at a previous company we did have all logging working to Q-radar SEIM.
I think you issue with the syslog stanza having the match condition added. This can tend to restrict what messages are sent.
I"m confused because you original message:
From Host 1 traffic can reach to Host 2 and reverse.
But with series SRX220, logical lt- interface do NOT support,
so do have any solution to connect two VRs?
But lt interfaces ARE supported on the SRX.
As are rib-groups and using physical interfaces to connect VR.
So which method is your PREFERRED way to connect the two VR?
then share the existing configuration for that method along with the problems or error messages you are getting so we can help get you a final working configuration.
Hi there!
Was Dynamic VPN bugs reintroduced in version 12.3X48-D40.5?
Running 12.3X48-D40.5 on SRX240H2.
https://kb.juniper.net/InfoCenter/index?page=content&id=TSB16860
https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1135780
root@EX-FW-01> show security dynamic-vpn client version error: abnormal communication termination with web-management daemon
Client shows:
Failed to receive HTTP response. (Error:1454)
Thanks.
Hi Folks,
12.3X48-D40.5 should have the fix for BUG 1135780. The observation seen could be due to some other trigger. I would suggest you to open a JTAC case to isolate it further.
Hi Spuluka,
But the config match RT_FLOW is deactivate. How it can restrict the syslog to SIEM?
inactive: match RT_FLOW_SESSION;
Thanks
Hi Folks,
I could find some interesting information,
The traffic events in stream mode must be sent from one of the revenue ports. Using management ports such as fxp0 (or a revenue port in functional-zone management, in case of SRX) is not supported. Additionally, do not forget to configure the routing table to send traffic events from a revenue port. Syslog packets for traffic events in stream mode look up the default routing instance (inet.0) first by default.
Also, please refer the below KB's for more details,
https://kb.juniper.net/InfoCenter/index?page=content&id=KB16509&actp=search&smlogin=true
https://kb.juniper.net/InfoCenter/index?page=content&id=KB16917&actp=search
Hi Phyton,
I'm use reth interface as source address to send log to SIEM.
Thanks
Unfortunately it works only and only if you insert your external interfaces under "system services web-management".
Otherwise you will get errors like "ERR_TOO_MANY_REDIRECTS" pointing your browser to the Dynamic VPN URL.
Thanks.
Hi Spuluka,
I managed to get it working in the end, one of the main problems was that i needed to edit the registry on my windows box
https://support.microsoft.com/
Thanks so much for taking the time to reply, i hope this thread helps anyone else who is having the same problem
hello,
I have already asked similar questions 1 year ago without getting feedback;
here it is again with other words :
1) when using routed-based VPNs, defining proxy ids can be cumbersome if you have multiple local and remote distincts subnets or hosts concerned that you cannot aggregate in 1 or 2 IP "supernets";
I guess it would be simpler if Juniper allowed to code several names or address-set in those local/remote Proxys (as CISCO does in their Crypto map) (as it is now possible to do into NAT source and dest via source-address-name for example)
2) traffic-selector method as described in :
https://www.juniper.net/documentation/en_US/junos12.1x47/topics/concept/ipsec-vpn-traffic-selector-understanding.html :
can be a good way to reduce this constrait as it is shorter to define IPSEC section, but you still need to identify and code each pair of local/remote IPs
so, if you have, let's say, 5 local and 10 remote IPs concerned, you will have to define 5*10 = 50 traffic selectors in the IPSEC section;
and, by the way, this way of coding traffic selector is not supported when using IKE V2 on a tunnel, as stated in this link, which tends to be more frequent now than a few year ago;
3) so, in some cases, either because IKEV2 is used or because the number of local and remote subnets results into an important number of local/remote pairs of addresses (even if it is simpler/shorter with traffic selector), it might be better to create a Policy-based VPN where you don't have to care about coding those pairs ;
the only question left about this Policy-based VPN is related to the fact that, if you have multiple sources or dest addresses or you uses source/dest address-sets coded in some Policy rules, the following Juniper document indicates that the resulting generated Proxy Id (Local and Remote) will be 0.0.0.0 :
see https://kb.juniper.net/InfoCenter/index?page=content&id=KB29364&actp=RSS at the last section "Policy using multi-cell address objects"
In such a case, the question is to know how will the VPN peer box (at the other side of the tunnel, which can be of any kind, not only Juniper) react ?
will it reject those 0.0.0.0 Proxy Ids if its own Proxy Ids are coded with the concerned real subnets (thanks to CISCO Crypto-map for example) or will it allow them ?
Any idea is welcome