Re: How to adding secondary IP for reth


Hi Mahmoud,

Please familiarize yourself with the "primary" and "preferred" options that can be configured on an interface.

If you have multiple IP addresses in different subnets, use the "primary" option, as suggested by Alex in the earlier post.

If you have multiple IP addresses in the same subnet, use the "preferred" option.

Good Day!!!


Re: dynamic vpn srx error 1435 in windows 7

Re: no packet reply in session, SRX.


A long post... I figured out that there was a problem with the return route. The next router didn't show the route back to the translated source IP address properly. Thanks, people.

SRX SSL Reverse Proxy


Hi

I am having issues with the reverse proxy functionality.

Model: SRX5400
Junos: 18.3R2.7

The SSL certificate was requested via a CSR generated with the Digicert tool; this was exported with the key and imported onto the SRX. The certificate imported fine:

JF_1.jpg

We have a load balancer on the back end, but regardless of whether the NAT is to the LB VIP (pass through) or to one of the back end servers directly (the servers have a local domain certificate installed), we get the same issues.

Initially we received the error "certificate error: authority and issuer serial number mismatch":

JF_2.jpg

But after removing / re-adding the certificate, removing config etc., the only error we seem to be getting is "non ssl session ignored":

JF_3.jpg

And then the internal domain certificate is served to the browser from the server directly when testing externally.

The configuration is:

jf_4.jpg

As above, the certificate looks fine and the key checks out; parity between the SSL cert, key and CSR has been proven in OpenSSL and by other methods.

I have followed all the configuration information:
https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/task/configuration/sky-atp-reverse-proxy.html

And as I understand it, this should be working in this manner:

"Terminates client SSL on the SRX Series device and initiates a new SSL connection with a server. Decrypts SSL traffic from the client/server and encrypts again (after inspection) before sending to the server/client."

I have done the following in order to try and make this work:

- Added the internal CA root certificate to a ca-profile.
- Tried configuring an SSL initiation profile using the internal CA profile, in case the issue is the SRX not trusting the certificate on the back end servers.
- Tried adding the Digicert Root CA as a separate profile to the existing one (Jweb_40).
- Removed and re-added the certificate and key (local-certificate certificate id), the proxy profile and all config, re-adding numerous times.

It just seems the proxy profile is completely ignored; the traffic is just NAT'd to the back end and the back end serves the internal certificate, which is not ideal.

Any help on this matter would be much appreciated. Am I missing something fundamental here? Am I missing a prerequisite that isn't documented anywhere? Are there firewall functions that we may be using that cannot work in conjunction with SSL reverse proxy, and if so, what are they?

Regards and thanks in advance

DJC

Re: SRX SSL Reverse Proxy


Hi DJ,

Can you send us the entire device configuration for verification?

At the moment, the issue which you are seeing is that the SSL profile is being ignored in the policy and you are seeing the SSL_PROXY_SESSION_IGNORE log message. Isn't it?

I will give you some pointers in order to identify the issue.

  1. Set up security flow traceoptions in order to determine what is happening in the flow.
  2. Provide us with the output of the security flow session - show security flow session source-prefix <x.x.x.x> destination-prefix <y.y.y.y>
  3. Outputs of "show security pki local-certificate detail" and "show security ssl proxy statistics" (this particular output has to be taken around 3 times while initiating the connection)
  4. Provide us with the SSL traceoptions while initiating the connection:

set services ssl traceoptions file filename SSL-TRACE files 5 size 50m
set services ssl traceoptions level extensive

It would be better to configure the flow trace and SSL trace together.

Note: Do check the RE CPU values before configuring the above trace, and if the Idle value is below 40, don't configure the trace.

Re: Dynamic VPN Slow Speed into LAN


Hi,

You're correct on both of your statements. I did attach the configurations in the original post, but as a hyperlink. My configurations can be found by visiting https://pastebin.com/bmKjdc1S. I've configured the dynamic VPN using https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dynamic-vpns-with-pulse-secure-clients.html and when connected I see AES-128/SHA1. When transferring a file, I do not see any messages stating high utilization. I know the message you're speaking of, because I see it early in the morning when sending backups to my Google Drive. My configuration allows one dynamic VPN user. Thanks for your reply!

Re: Dynamic VPN Slow Speed into LAN


Hello,

If it is showing AES-128/SHA1 then you are using proposal-set with the standard option. So, for the purpose of testing, is it possible to make the below change?

set security ike policy ike-dyn-vpn-policy proposal-set basic
set security ipsec policy ipsec-dyn-vpn-policy proposal-set basic

This change is only for the purpose of testing. If the issue persists even after making this change, then roll back to the previous one.

basic—Includes a basic set of two IKE proposals:

  • Proposal 1—Preshared key, Data Encryption Standard (DES) encryption, and Diffie-Hellman (DH) group 1 and Secure Hash Algorithm 1 (SHA-1) authentication.

  • Proposal 2—Preshared key, DES encryption, and DH group 1 and Message Digest 5 (MD5) authentication.

How to stop ssh sessions being killed when doing a commit with a custom ssh service


To resolve problems with ssh sessions being expired prematurely by the SRX, I created my own ssh application like this:

# show applications application my-ssh

application-protocol ssh;
protocol tcp;
destination-port 22;
inactivity-timeout 43200;

However, when I use this and not junos-ssh, I find that ssh sessions are removed from the session table when I do a "commit". How do I know they are removed from the session table? The ssh session into the firewall locks up. The same also happens to all other ssh sessions.

Two questions.

1) How can I change the idle timeout for junos-ssh?

2) How do I get sessions for my-ssh to persist in the session table across a commit?

SRX320, JunOS 15.1DX49-220.


Re: Dynamic VPN Slow Speed into LAN


Hi,

I tried your suggested change, but it had no positive impact. I failed to mention something that may be important. The speed is only slow when transferring a file to the server. When downloading a file from the server to the client, the speed is roughly 160Mbps, which is more than acceptable.

Juniper-SRX300> show security ipsec security-associations
Total active tunnels: 1 Total Ipsec sas: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<67108868 ESP:des/sha1 666c2613 3398/ 483950 - root 13858 *REMOVED*
>67108868 ESP:des/sha1 529d6757 3398/ 483950 - root 13858 *REMOVED*

Re: How to stop ssh sessions being killed when doing a commit with a custom ssh service


Hi Baldwizard,

First, I would like to say your username is much more awesome than mine.

Second, I don't think any changes to the SSH application will actually clear the existing SSH session, because the changes which you are doing are applicable only to new traffic and not to existing traffic. It looks like a BUG!!!

I have a couple of questions for you.

  1. How did you determine that sessions are being removed?
  2. By default, TCP sessions will be active for 30 minutes in SRX if there is no activity across the firewall. I think it is more than enough for management sessions. Is there a reason for increasing the SSH timeout?
  3. Can you make the below change and let me know the behaviour?
    • Open SSH, set the connection-limit to 2 using the following command - set system services ssh connection-limit 2
    • Open another SSH session, change the connection-limit to 1 using the following command - set system services ssh connection-limit 1.
    • Delete the application SSH which you've created and leave it with the default junos-ssh.
    • Now make the connection limit back to 1 and let me know the behaviour - set system services ssh connection-limit
    • Check whether both the SSH sessions close or not. Ideally, they shouldn't close. Even if you remove the entire SSH hierarchy, the SSH session should exist in the session table and should be removed only when the session times out.
  4. When you do a commit, does your PuTTY session close abruptly, or does the session go inactive?

Answering your questions:

1) How can I change the idle timeout for junos-ssh?

NB> The method which you have followed is correct; please double check once with the following KB article - https://kb.juniper.net/InfoCenter/index?page=content&id=KB28630&actp=METADATA

2) How do I get sessions for my-ssh to persist in the session table across a commit?

NB> There is no special configuration required and it seems like buggy behaviour, because an SSH session should be cleared only when the session timeout expires, and performing a commit shouldn't clear the session.

 

Re: Dynamic VPN Slow Speed into LAN


Hi,

Thank you for the input.

  1. Can you please try the recommended Pulse Secure version from the following article - https://kb.juniper.net/InfoCenter/index?page=content&id=TSB17441&act=login
  2. If you still face the slowness even after installing the above Pulse version, please collect the below command outputs while transferring the files to the server.
    • user@host> show security flow session summary
    • user@host> show chassis routing-engine
    • user@host> show security monitoring performance spu
    • user@host> show security monitoring performance session
    • user@host> show interfaces <wan-interface> extensive
    • user@host> request pfe execute target fwdd command "show arena"

Re: Dynamic VPN Slow Speed into LAN


I will perform these commands tomorrow and post the outputs.

One time JUNOS update for homeLab & learning purposes?


Hi, first I have to say that Juniper has made this whole thing nearly impossible. "Can't access there, have no permission here, can't create an account, etc., etc..." I finally managed to create an account with my 4th email address...

My question is whether it is possible to have access to a one-time software update for my SRX300, which I purchased second hand from eBay. I bought this for myself so I could learn JUNOS configurations and create some setups in my home lab. I know that normally a support contract would be needed for software updates, but is Juniper really like this towards all those students and homelab builders??!

You should check Sophos, for example; they have made their enterprise firewall easily available for every single individual, for free, to be used in home / lab setups.

Need support for syslog structured brief messages


Hi there,
A request to the forum here.
If possible, I would need briefly structured, anonymized syslog messages from the most important process modules such as RT_FLOW, RT_UTM, RT_IDP (IPS), RT_ATP etc.
Example:

<14>1 2012-11-18T09:56:58.806-07:00 INTERNET-ROUTER RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.41 source-address="192.168.1.102" source-port="58662" destination-address="8.8.8.8" destination-port="53" service-name="junos-dns-udp" nat-source-address="68.144.56.81" nat-source-port="55893" nat-destination-address="8.8.8.8" nat-destination-port="53" src-nat-rule-name="TRUST-INET-ACCESS" dst-nat-rule-name="None" protocol-id="17" policy-name="OUTBOUND-INTERNET-ACCESS" source-zone-name="TRUST" destination-zone-name="INTERNET" session-id-32="6316" username="N/A" roles="N/A" packet-incoming-interface="vlan.192"] session created 192.168.1.102/58662->8.8.8.8/53 junos-dns-udp 68.144.56.81/55893->8.8.8.8/53 TRUST-INET-ACCESS None 17 OUTBOUND-INTERNET-ACCESS TRUST INTERNET 6316 N/A(N/A) vlan.192

The background is as follows.
These syslog messages are used to create a new module for srx / junos for filebeat (elasticsearch). You can use the SIEM from Kibana (elastic) to carry out a very precise analysis of the data. Quite similar to the existing firewall modules from Cisco, PanOS, Fortinet, Checkpoint and soon also SophosXG.
It would be great if some of you would send me appropriate syslog messages.
I would like to thank you in advance for this.

Best regards
StefanS
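As an added example, not code from the post above or from any Filebeat module: a Python parser for the RFC 5424 structured-data format of the RT_FLOW line quoted in the post, plus an assumed ECS-style field mapping of the kind such a module would need. Both sample lines are constructed; the second is an illustrative RT_FLOW_SESSION_DENY message, not a device capture.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample lines. The first mirrors the RT_FLOW_SESSION_CREATE line quoted in the
# post; the second is a constructed RT_FLOW_SESSION_DENY line with a subset of the fields
# Junos emits for that message (illustrative values, not captured from a real device).
SAMPLE_LINES = [
    '<14>1 2012-11-18T09:56:58.806-07:00 INTERNET-ROUTER RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.41 source-address="192.168.1.102" source-port="58662" '
    'destination-address="8.8.8.8" destination-port="53" service-name="junos-dns-udp" '
    'nat-source-address="68.144.56.81" nat-source-port="55893" '
    'nat-destination-address="8.8.8.8" nat-destination-port="53" '
    'src-nat-rule-name="TRUST-INET-ACCESS" dst-nat-rule-name="None" protocol-id="17" '
    'policy-name="OUTBOUND-INTERNET-ACCESS" source-zone-name="TRUST" '
    'destination-zone-name="INTERNET" session-id-32="6316" username="N/A" roles="N/A" '
    'packet-incoming-interface="vlan.192"] session created 192.168.1.102/58662->8.8.8.8/53 '
    'junos-dns-udp 68.144.56.81/55893->8.8.8.8/53 TRUST-INET-ACCESS None 17 '
    'OUTBOUND-INTERNET-ACCESS TRUST INTERNET 6316 N/A(N/A) vlan.192',
    '<14>1 2012-11-18T09:57:03.101-07:00 INTERNET-ROUTER RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.41 source-address="203.0.113.7" source-port="51234" '
    'destination-address="192.168.1.10" destination-port="3389" service-name="None" '
    'protocol-id="6" policy-name="default-deny" source-zone-name="INTERNET" '
    'destination-zone-name="TRUST" packet-incoming-interface="ge-0/0/0.0" '
    'reason="policy deny"] session denied 203.0.113.7/51234->192.168.1.10/3389 '
    'None 6(0) default-deny INTERNET TRUST',
]

# RFC 5424 header: PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, then one
# SD-ELEMENT "[SD-ID name="value" ...]" and the free-text MSG. The RFC allows backslash
# escapes (\" \] \\) inside values, so the element does not necessarily end at the first "]".
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) '
    r'(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
    r'\[(?P<sdid>[^\s\]]+)(?P<params>(?:[^\]\\]|\\.)*)\](?: (?P<msg>.*))?$')
PARAM_RE = re.compile(r'(?P<key>[^\s=]+)="(?P<value>(?:[^"\\]|\\.)*)"')

# ECS-style target fields for the SD-PARAM names used in RT_FLOW messages. This mapping is
# an assumption for a Filebeat module, not the schema of any released module.
ECS_MAP = {
    'source-address': ('source.ip', str), 'source-port': ('source.port', int),
    'destination-address': ('destination.ip', str), 'destination-port': ('destination.port', int),
    'nat-source-address': ('source.nat.ip', str), 'nat-source-port': ('source.nat.port', int),
    'nat-destination-address': ('destination.nat.ip', str),
    'nat-destination-port': ('destination.nat.port', int),
    'protocol-id': ('network.iana_number', str), 'policy-name': ('rule.name', str),
    'source-zone-name': ('observer.ingress.zone', str),
    'destination-zone-name': ('observer.egress.zone', str),
    'packet-incoming-interface': ('observer.ingress.interface.name', str),
    'username': ('user.name', str), 'reason': ('event.reason', str),
}
EVENT_ACTION = {'RT_FLOW_SESSION_CREATE': 'flow_started', 'RT_FLOW_SESSION_CLOSE': 'flow_closed',
                'RT_FLOW_SESSION_DENY': 'flow_denied'}


def parse_junos_syslog(line: str) -> Optional[Dict[str, Any]]:
    """Split one structured-data syslog line into header fields, SD-PARAMs and message;
    return None for anything that is not an RFC 5424 message with an SD-ELEMENT."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group('pri'))
    params = {k: re.sub(r'\\(.)', r'\1', v)            # undo RFC 5424 backslash escapes
              for k, v in PARAM_RE.findall(m.group('params'))}
    return {
        'facility': pri // 8,                   # <14> -> facility 1 (user-level)
        'severity': pri % 8,                    # <14> -> severity 6 (informational)
        'timestamp': m.group('timestamp'),
        'hostname': m.group('hostname'),
        'appname': m.group('appname'),          # process module, e.g. RT_FLOW
        'msgid': m.group('msgid'),              # tag, e.g. RT_FLOW_SESSION_CREATE
        'sd_id': m.group('sdid'),               # junos@2636.1.1.1.2.41 (2636 = Juniper's PEN)
        'params': params,
        'message': m.group('msg') or '',
    }


def to_ecs(event: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten a parsed event into ECS-style dotted fields, dropping the "N/A" and "None"
    placeholders Junos emits so they do not pollute keyword fields in Elasticsearch."""
    doc = {'observer.hostname': event['hostname'], 'event.provider': event['appname'],
           'event.code': event['msgid'], '@timestamp': event['timestamp'],
           'event.outcome': 'failure' if event['msgid'].endswith('_DENY') else 'success'}
    if event['msgid'] in EVENT_ACTION:
        doc['event.action'] = EVENT_ACTION[event['msgid']]
    for key, (field, convert) in ECS_MAP.items():
        value = event['params'].get(key)
        if value not in (None, 'N/A', 'None'):
            doc[field] = convert(value)
    return doc


def ingest(lines: List[str]) -> List[Dict[str, Any]]:
    """Parse every well-formed Junos structured-data message in lines; skip the rest."""
    events = (parse_junos_syslog(ln) for ln in lines)
    return [to_ecs(ev) for ev in events if ev is not None]
```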

Re: FBF filter-based forwarding dual ISP failover


Okay, I FINALLY got this (seemingly simple) thing working after a very long time of working on it. I hope this helps someone.

I still don't know how to set the preference for ISP1 vs ISP2, anyone know? RPM maybe?

Anyway, if you have a Juniper SRX and you want to connect ISP1 to ge-0/0/0 and ISP2 to ge-0/0/1 and have your LAN traffic fail over automatically, this is how you do it.

I have three LAN zones, one for point-of-sale machines (pos), one for general office use, and one for public wifi that doesn't touch the other two. This would probably be typical for a small office. This config is barebones and not guaranteed to do anything in particular, but it does work.

Let me know if you see anything I should fix. I think I don't need the

set firewall filter F2 term 1 from source-address 192.168.20.100/32

line, for example. Anyway, here it is:

set version 12.1X46-D40.2
set system host-name router
set system root-authentication encrypted-password ""
set system services dhcp pool 192.168.8.0/24 address-range low 192.168.8.150
set system services dhcp pool 192.168.8.0/24 address-range high 192.168.8.254
set system services dhcp pool 192.168.8.0/24 name-server 1.1.1.1
set system services dhcp pool 192.168.8.0/24 router 192.168.8.1
set system services dhcp pool 192.168.20.0/24 address-range low 192.168.20.150
set system services dhcp pool 192.168.20.0/24 address-range high 192.168.20.254
set system services dhcp pool 192.168.20.0/24 name-server 1.1.1.1
set system services dhcp pool 192.168.20.0/24 router 192.168.20.1
set system services dhcp pool 172.16.30.0/24 address-range low 172.16.30.150
set system services dhcp pool 172.16.30.0/24 address-range high 172.16.30.254
set system services dhcp pool 172.16.30.0/24 name-server 1.1.1.1
set system services dhcp pool 172.16.30.0/24 router 172.16.30.1
set interfaces ge-0/0/0 unit 0 description isp1
set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.29/29
set interfaces ge-0/0/1 unit 0 description isp2
set interfaces ge-0/0/1 unit 0 family inet address 5.6.7.8/24
set interfaces ge-0/0/2 unit 0 description pos
set interfaces ge-0/0/2 unit 0 family inet filter input F1
set interfaces ge-0/0/2 unit 0 family inet address 192.168.8.1/24
set interfaces ge-0/0/3 unit 0 description office
set interfaces ge-0/0/3 unit 0 family inet filter input F2
set interfaces ge-0/0/3 unit 0 family inet address 192.168.20.1/24
set interfaces ge-0/0/4 unit 0 description publicwifi
set interfaces ge-0/0/4 unit 0 family inet filter input F3
set interfaces ge-0/0/4 unit 0 family inet address 172.16.30.1/24
set routing-options interface-routes rib-group inet IMPORT-PHY
set routing-options static route 0.0.0.0/0 next-hop 1.2.3.25
set routing-options static route 0.0.0.0/0 next-hop 5.6.7.1
set routing-options static route 0.0.0.0/0 metric 10
set routing-options rib-groups IMPORT-PHY import-rib inet.0
set routing-options rib-groups IMPORT-PHY import-rib FBF-1.inet.0
set routing-options rib-groups IMPORT-PHY import-rib FBF-2.inet.0
set security nat source rule-set interface-nat from zone office
set security nat source rule-set interface-nat to zone untrustisp1
set security nat source rule-set interface-nat rule rule1 match source-address 0.0.0.0/0
set security nat source rule-set interface-nat rule rule1 match destination-address 0.0.0.0/0
set security nat source rule-set interface-nat rule rule1 then source-nat interface
set security nat source rule-set pos-nat from zone pos
set security nat source rule-set pos-nat to zone untrustisp1
set security nat source rule-set pos-nat rule rule0 match source-address 0.0.0.0/0
set security nat source rule-set pos-nat rule rule0 match destination-address 0.0.0.0/0
set security nat source rule-set pos-nat rule rule0 then source-nat interface
set security nat source rule-set office-isp2-nat from zone office
set security nat source rule-set office-isp2-nat to zone untrustisp2
set security nat source rule-set office-isp2-nat rule isp2nat match source-address 0.0.0.0/0
set security nat source rule-set office-isp2-nat rule isp2nat match destination-address 0.0.0.0/0
set security nat source rule-set office-isp2-nat rule isp2nat then source-nat interface
set security nat source rule-set pos-isp2-nat from zone pos
set security nat source rule-set pos-isp2-nat to zone untrustisp2
set security nat source rule-set pos-isp2-nat rule posisp2nat match source-address 0.0.0.0/0
set security nat source rule-set pos-isp2-nat rule posisp2nat match destination-address 0.0.0.0/0
set security nat source rule-set pos-isp2-nat rule posisp2nat then source-nat interface
set security nat source rule-set wifi-nat-isp1 from zone publicwifi
set security nat source rule-set wifi-nat-isp1 to zone untrustisp1
set security nat source rule-set wifi-nat-isp1 rule wifi-nat-isp1 match source-address 0.0.0.0/0
set security nat source rule-set wifi-nat-isp1 rule wifi-nat-isp1 match destination-address 0.0.0.0/0
set security nat source rule-set wifi-nat-isp1 rule wifi-nat-isp1 then source-nat interface
set security nat source rule-set wifi-nat-isp2 from zone publicwifi
set security nat source rule-set wifi-nat-isp2 to zone untrustisp2
set security nat source rule-set wifi-nat-isp2 rule wifi-nat-isp2 match source-address 0.0.0.0/0
set security nat source rule-set wifi-nat-isp2 rule wifi-nat-isp2 match destination-address 0.0.0.0/0
set security nat source rule-set wifi-nat-isp2 rule wifi-nat-isp2 then source-nat interface
set security policies from-zone pos to-zone untrustisp1 policy policy-name match source-address any
set security policies from-zone pos to-zone untrustisp1 policy policy-name match destination-address any
set security policies from-zone pos to-zone untrustisp1 policy policy-name match application any
set security policies from-zone pos to-zone untrustisp1 policy policy-name then permit
set security policies from-zone office to-zone untrustisp1 policy policy-name match source-address any
set security policies from-zone office to-zone untrustisp1 policy policy-name match destination-address any
set security policies from-zone office to-zone untrustisp1 policy policy-name match application any
set security policies from-zone office to-zone untrustisp1 policy policy-name then permit
set security policies from-zone publicwifi to-zone untrustisp1 policy policy-name match source-address any
set security policies from-zone publicwifi to-zone untrustisp1 policy policy-name match destination-address any
set security policies from-zone publicwifi to-zone untrustisp1 policy policy-name match application any
set security policies from-zone publicwifi to-zone untrustisp1 policy policy-name then permit
set security policies from-zone pos to-zone untrustisp2 policy policy-name match source-address any
set security policies from-zone pos to-zone untrustisp2 policy policy-name match destination-address any
set security policies from-zone pos to-zone untrustisp2 policy policy-name match application any
set security policies from-zone pos to-zone untrustisp2 policy policy-name then permit
set security policies from-zone office to-zone untrustisp2 policy policy-name match source-address any
set security policies from-zone office to-zone untrustisp2 policy policy-name match destination-address any
set security policies from-zone office to-zone untrustisp2 policy policy-name match application any
set security policies from-zone office to-zone untrustisp2 policy policy-name then permit
set security policies from-zone publicwifi to-zone untrustisp2 policy policy-name match source-address any
set security policies from-zone publicwifi to-zone untrustisp2 policy policy-name match destination-address any
set security policies from-zone publicwifi to-zone untrustisp2 policy policy-name match application any
set security policies from-zone publicwifi to-zone untrustisp2 policy policy-name then permit
set security zones security-zone untrustisp1 interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrustisp2 interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone pos interfaces ge-0/0/2.0 host-inbound-traffic system-services dhcp
set security zones security-zone pos interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone pos interfaces ge-0/0/2.0 host-inbound-traffic system-services http
set security zones security-zone pos interfaces ge-0/0/2.0 host-inbound-traffic system-services https
set security zones security-zone office interfaces ge-0/0/3.0 host-inbound-traffic system-services dhcp
set security zones security-zone office interfaces ge-0/0/3.0 host-inbound-traffic system-services ping
set security zones security-zone office interfaces ge-0/0/3.0 host-inbound-traffic system-services rpm
set security zones security-zone publicwifi interfaces ge-0/0/4.0 host-inbound-traffic system-services dhcp
set security zones security-zone publicwifi interfaces ge-0/0/4.0 host-inbound-traffic system-services ping
set security zones security-zone publicwifi interfaces ge-0/0/4.0 host-inbound-traffic system-services rpm
set firewall filter F1 term 1 from source-address 192.168.8.100/32
set firewall filter F1 term 2 from source-address 0.0.0.0/0
set firewall filter F2 term 1 from source-address 192.168.20.100/32
set firewall filter F2 term 2 from source-address 0.0.0.0/0
set firewall filter F3 term 1 from source-address 172.16.30.100/32
set firewall filter F3 term 2 from source-address 0.0.0.0/0
set services rpm probe Probe-Server test testsvr target address 1.2.3.25
set services rpm probe Probe-Server test testsvr probe-count 10
set services rpm probe Probe-Server test testsvr probe-interval 5
set services rpm probe Probe-Server test testsvr test-interval 10
set services rpm probe Probe-Server test testsvr thresholds successive-loss 10
set services rpm probe Probe-Server test testsvr thresholds total-loss 5
set services rpm probe Probe-Server test testsvr destination-interface ge-0/0/0.0
set services rpm probe Probe-Server test testsvr next-hop 1.2.3.25
set services rpm probe Probe-Server1 test testsvr target address 5.6.7.1
set services rpm probe Probe-Server1 test testsvr probe-count 10
set services rpm probe Probe-Server1 test testsvr probe-interval 5
set services rpm probe Probe-Server1 test testsvr test-interval 10
set services rpm probe Probe-Server1 test testsvr thresholds successive-loss 10
set services rpm probe Probe-Server1 test testsvr thresholds total-loss 5
set services rpm probe Probe-Server1 test testsvr destination-interface ge-0/0/1.0
set services rpm probe Probe-Server1 test testsvr next-hop 5.6.7.1
set services rpm probe Probe-pos test testpos target address 1.2.3.25
set services rpm probe Probe-pos test testpos probe-count 10
set services rpm probe Probe-pos test testpos probe-interval 5
set services rpm probe Probe-pos test testpos test-interval 10
set services rpm probe Probe-pos test testpos thresholds successive-loss 10
set services rpm probe Probe-pos test testpos thresholds total-loss 5
set services rpm probe Probe-pos test testpos destination-interface ge-0/0/0.0
set services rpm probe Probe-pos test testpos next-hop 1.2.3.25
set services rpm probe Probe-pos1 test testsvr target address 5.6.7.1
set services rpm probe Probe-pos1 test testsvr probe-count 10
set services rpm probe Probe-pos1 test testsvr probe-interval 5
set services rpm probe Probe-pos1 test testsvr test-interval 10
set services rpm probe Probe-pos1 test testsvr thresholds successive-loss 10
set services rpm probe Probe-pos1 test testsvr thresholds total-loss 5
set services rpm probe Probe-pos1 test testsvr destination-interface ge-0/0/1.0
set services rpm probe Probe-pos1 test testsvr next-hop 5.6.7.1
set services rpm probe Probe-wifi test testwifi target address 1.2.3.25
set services rpm probe Probe-wifi test testwifi probe-count 10
set services rpm probe Probe-wifi test testwifi probe-interval 5
set services rpm probe Probe-wifi test testwifi test-interval 10
set services rpm probe Probe-wifi test testwifi thresholds successive-loss 10
set services rpm probe Probe-wifi test testwifi thresholds total-loss 5
set services rpm probe Probe-wifi test testwifi destination-interface ge-0/0/0.0
set services rpm probe Probe-wifi test testwifi next-hop 1.2.3.25
set services rpm probe Probe-wifi1 test testsvr target address 5.6.7.1
set services rpm probe Probe-wifi1 test testsvr probe-count 10
set services rpm probe Probe-wifi1 test testsvr probe-interval 5
set services rpm probe Probe-wifi1 test testsvr test-interval 10
set services rpm probe Probe-wifi1 test testsvr thresholds successive-loss 10
set services rpm probe Probe-wifi1 test testsvr thresholds total-loss 5
set services rpm probe Probe-wifi1 test testsvr destination-interface ge-0/0/1.0
set services rpm probe Probe-wifi1 test testsvr next-hop 5.6.7.1
set services ip-monitoring policy Server-Tracking match rpm-probe Probe-Server
set services ip-monitoring policy Server-Tracking then preferred-route route 0.0.0.0/0 next-hop 5.6.7.1
set services ip-monitoring policy Server-Tracking1 match rpm-probe Probe-Server1
set services ip-monitoring policy Server-Tracking1 then preferred-route route 0.0.0.0/0 next-hop 1.2.3.25
set services ip-monitoring policy Server-trkpos match rpm-probe Probe-pos
set services ip-monitoring policy Server-trkpos then preferred-route route 0.0.0.0/0 next-hop 5.6.7.1
set services ip-monitoring policy Server-trkpos1 match rpm-probe Probe-pos1
set services ip-monitoring policy Server-trkpos1 then preferred-route route 0.0.0.0/0 next-hop 1.2.3.2
set services ip-monitoring policy Server-trkwifi match rpm-probe Probe-wifi
set services ip-monitoring policy Server-trkwifi then preferred-route route 0.0.0.0/0 next-hop 5.6.7.1
set services ip-monitoring policy Server-trkwifi1 match rpm-probe Probe-wifi1
set services ip-monitoring policy Server-trkwifi1 then preferred-route route 0.0.0.0/0 next-hop 1.2.3.2
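As an added check, not part of the post above: a small Python linter that cross-references an excerpt of the posted set commands and reports dangling references, such as a preferred-route next-hop that matches no static route or connected subnet, a rib-group importing into a routing-instance table that is never defined, and a filter term with no then action. It assumes plain set-style output and only the statement forms that appear in the post.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Excerpt of the configuration posted above (interfaces, static routes, rib-groups, one of
# the three filters, the probe next-hops and the ip-monitoring policies), copied verbatim so
# the checks run against the real lines rather than a made-up config.
CONFIG_EXCERPT = """\
set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.29/29
set interfaces ge-0/0/1 unit 0 family inet address 5.6.7.8/24
set interfaces ge-0/0/2 unit 0 family inet filter input F1
set routing-options static route 0.0.0.0/0 next-hop 1.2.3.25
set routing-options static route 0.0.0.0/0 next-hop 5.6.7.1
set routing-options static route 0.0.0.0/0 metric 10
set routing-options rib-groups IMPORT-PHY import-rib inet.0
set routing-options rib-groups IMPORT-PHY import-rib FBF-1.inet.0
set routing-options rib-groups IMPORT-PHY import-rib FBF-2.inet.0
set firewall filter F1 term 1 from source-address 192.168.8.100/32
set firewall filter F1 term 2 from source-address 0.0.0.0/0
set services rpm probe Probe-Server test testsvr next-hop 1.2.3.25
set services rpm probe Probe-Server1 test testsvr next-hop 5.6.7.1
set services rpm probe Probe-pos test testpos next-hop 1.2.3.25
set services rpm probe Probe-pos1 test testsvr next-hop 5.6.7.1
set services ip-monitoring policy Server-Tracking match rpm-probe Probe-Server
set services ip-monitoring policy Server-Tracking then preferred-route route 0.0.0.0/0 next-hop 5.6.7.1
set services ip-monitoring policy Server-Tracking1 match rpm-probe Probe-Server1
set services ip-monitoring policy Server-Tracking1 then preferred-route route 0.0.0.0/0 next-hop 1.2.3.25
set services ip-monitoring policy Server-trkpos match rpm-probe Probe-pos
set services ip-monitoring policy Server-trkpos then preferred-route route 0.0.0.0/0 next-hop 5.6.7.1
set services ip-monitoring policy Server-trkpos1 match rpm-probe Probe-pos1
set services ip-monitoring policy Server-trkpos1 then preferred-route route 0.0.0.0/0 next-hop 1.2.3.2
"""


def parse_set_lines(text: str) -> List[List[str]]:
    """Tokenise 'set ...' statements; anything else (comments, blank lines) is ignored."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.startswith('set ')]


def lint_failover_config(text: str) -> List[str]:
    """Cross-reference the pieces an FBF failover needs and report dangling references."""
    stmts = parse_set_lines(text)
    findings: List[str] = []
    connected = [ipaddress.ip_interface(t[t.index('address') + 1]).network
                 for t in stmts if t[0] == 'interfaces' and 'address' in t]
    static_nh = {t[t.index('next-hop') + 1] for t in stmts
                 if t[:3] == ['routing-options', 'static', 'route'] and 'next-hop' in t}
    instances = {t[1] for t in stmts if t[0] == 'routing-instances'}
    probes = {t[3] for t in stmts if t[:3] == ['services', 'rpm', 'probe']}
    term_clauses: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    for t in stmts:
        if t[:2] == ['firewall', 'filter'] and 'term' in t:
            term_clauses[(t[2], t[4])].add(t[5])            # 'from' or 'then'
        elif t[:2] == ['routing-options', 'rib-groups'] and 'import-rib' in t:
            instance = t[-1].split('.')[0]                  # FBF-1.inet.0 -> FBF-1
            if t[-1] != 'inet.0' and instance not in instances:
                findings.append(f"rib-group {t[2]} imports into {t[-1]} but routing-instance "
                                f"{instance} is not defined")
        elif t[:3] == ['services', 'ip-monitoring', 'policy']:
            if 'rpm-probe' in t and t[-1] not in probes:
                findings.append(f"ip-monitoring policy {t[3]} references unknown rpm probe {t[-1]}")
            if 'preferred-route' in t and 'next-hop' in t:
                nh = t[-1]
                if nh not in static_nh:
                    findings.append(f"ip-monitoring policy {t[3]} next-hop {nh} is not a "
                                    f"configured static next-hop (typo?)")
                if not any(ipaddress.ip_address(nh) in net for net in connected):
                    findings.append(f"ip-monitoring policy {t[3]} next-hop {nh} is not on any "
                                    f"directly connected subnet")
    for (flt, term), clauses in term_clauses.items():
        if 'then' not in clauses:
            findings.append(f"filter {flt} term {term} has no then action, so it cannot steer "
                            f"matching traffic into a routing-instance")
    return findings
```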

Re: Need support for syslog structured brief messages


Hi Stefan,

I don't understand what you meant by "structured anonymized Syslog messages". Do you mean you would like to send the Syslog in structured format?

The example which you've mentioned is the security log, a.k.a. traffic log, for the session creation.

For more information with regards to security log configuration, please refer to the below documents.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16224&actp=METADATA

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16509&actp=METADATA

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28508&cat=SRX_SERIES&actp=LIST

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-edit-format-logging-format-2.html

"It would be great if some of you would send me appropriate Syslog messages." ---> I'm not sure what you meant by this either, because Syslog is something which the device will be generating upon certain traffic creation in the SRX.

Please feel free to let me know your exact query.

Re: One time JUNOS update for homeLab & learning purposes?


Hello,

I'm afraid that for Junos software downloads you require a Juniper account, and the required software can be downloaded at support.juniper.net.

But I think a software support contract is not required for downloading the Junos software. All you need is the Juniper account to log in to the portal. If you need further clarification, please contact Juniper Customer Care and they will guide you.

I understand things from your perspective, but if you would like to get hands-on with Junos, please take a look at Juniper vLabs. This solution contains pre-built topologies to explore the products and solutions—all for free!

Re: Need support for syslog structured brief messages


Hi noobmaster, sorry for the confusion.
I don't own an SRX / Junos device myself.
However, in order to create the module for filebeat, I need some syslog messages in this specific format.
I thought of this forum; maybe someone is willing to give me such examples of syslog messages.
Ideally from the most important process modules, gladly also from DDoS, screen and other attacks on the SRX device.
The more examples I get, the better the quality of the module for filebeat will be.

Thanks for any help
StefanS

Re: Need support for syslog structured brief messages


Hi Stefan,

Thank you for the clarity.

If you require the format of Syslog messages, please check the syslog explorer - https://apps.juniper.net/syslog-explorer/#sw=Junos%20OS&rel=20.2R1

You can find all the Syslogs supported on the SRX and their format there. But if you need sample output, I guess that's difficult, because not everyone uses all features to generate that specific Syslog.

Please let me know if you need anything.

Re: Need support for syslog structured brief messages


Thanks for the tip,
I already know the syslog Explorer.
However, it is difficult to find the right one among that amount, especially since I do not see directly which process belongs to which tag.
Example: RT_FLOW - RT_FLOW_SESSION_DENY or RT_FLOW APPTRACK_SESSION_CLOSE. I am currently trying to solve the problem via vSRX, but integrating it into our network so that I get many such messages is difficult, for me at least.
Maybe someone from Juniper is reading along and can provide some sample logs. It would be fine if you could use the power of elastic to analyze the flows of junos / srx.
