Quick background. I'm a network engineer who has mostly worked with Cisco stuff for the last 15 years. Recently, within the last 2 years, I started working with some Juniper SRX gear. Obviously I have picked it up but will admit there are some gaps in my knowledge at times. All events/connections passing through the SRX are sent to a Splunk server.
Yesterday our system had a weird outage where some communications were allowed and some were not. Almost as though the firewall decided to start blocking some traffic due to being saturated by that traffic type/source (a DoS). I've never seen it on an SRX before. I have seen similar events with Cisco ASAs: if connections have been denied due to a saturation limitation, it will very clearly have the word SHUN in the syslog entry, which is very easy for just about anybody with syslog access to search for if you can do a keyword/term search. On top of that, I also know that Cisco devices generally will unSHUN the blocked connection after an hour, and you would see this also in the syslog entries.
What would be the equivalent SRX behavior if it were to 'block traffic due to a threshold being exceeded', similar to the example I gave with the ASA above? Would it automatically unshun after X amount of time? What keywords and terms would appear via syslog that I could help point my guys toward?
I'm not even 100% sure this is what happened, but it definitely behaved like a SHUNed connection. If this did happen, I imagine I would be able to find this just by manually surfing through the logs myself, given I've manually surfed the logs for an SRX and know what does and doesn't look normal. Unfortunately I'm out of the office currently due to having a major surgery, and thus don't even have the ability to look at any of the syslog entries myself to look for an indication of such an event. I was about to drive myself in and my wife basically threatened to call my doctor and tattle on me LOL. So if you guys have some helpful pointers that I can give the guys back in the office to look for, that would be great, because they haven't seen anything that jumped out at them either. Thanks for the help guys.