Add session-close to the global policy. As a best practice, always try to add the session-close option at the end of a deny policy. Session-init would only show traffic for sessions initiated but won't show a log for denied traffic; it is good for logging permitted traffic.
}
global {
    policy default-deny {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-close;
            }
        }
    }
}
In my lab, I recreated your scenario as follows:
I created an HTTP deny policy then log session-close
[edit security policies from-zone lab to-zone outside]
+ policy HTTP {
+ match {
+ source-address any;
+ destination-address any;
+ application junos-http;
+ }
+ then {
+ deny;
+ }
+ }
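Review bot: the `then` block of policy HTTP contains only `deny;` and no `log` stanza, although the sentence introducing this change says the policy logs session-close. Consider adding `log { session-close; }` under `then`, as in the global default-deny policy above, so that the diff shows the logging configuration the post describes.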
[edit]
root@homefwsrx210# run show log traffic-log | last 15
Aug 21 08:23:00 homefwsrx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.17/58694->54.246.163.116/80 junos-http 6(0) HTTP lab outside UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN policy deny
Aug 21 08:23:00 homefwsrx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.17/58695->54.246.163.116/80 junos-http 6(0) HTTP lab outside UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN policy deny
Aug 21 08:23:00 homefwsrx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.17/58696->149.202.232.186/80 junos-http 6(0) HTTP lab outside UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN policy deny
Aug 21 08:23:00 homefwsrx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.17/58697->149.202.232.186/80 junos-http 6(0) HTTP lab outside UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN policy deny
Aug 21 08:23:00 homefwsrx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.17/58698->149.202.232.186/80 junos-http 6(0) HTTP lab outside UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN policy deny
**Kindly give Kudos if this works for you...**
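One way to check from the traffic log which deny policies are actually producing entries, as an added example that is not part of the original post. The regex group names and the helper names (`parse_denies`, `summarize`, `silent_policies`) are this example's own labels for the field positions visible in the quoted lines; the sample input is three lines from the output above plus one constructed non-deny line.

```python
import re
from collections import Counter

# Group names are this example's labels for the field positions seen in the
# RT_FLOW_SESSION_DENY lines quoted in the post (policy HTTP, zones lab/outside).
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>\S+?)/(?P<sport>\d+)->(?P<dst>\S+?)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\(\d+\) "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) "
)

# Three lines taken from the post's output, plus one constructed non-deny line.
SAMPLE = """\
Aug 21 08:23:00 homefwsrx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.17/58694->54.246.163.116/80 junos-http 6(0) HTTP lab outside UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN policy deny
Aug 21 08:23:00 homefwsrx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.17/58696->149.202.232.186/80 junos-http 6(0) HTTP lab outside UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN policy deny
Aug 21 08:23:00 homefwsrx210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.17/58697->149.202.232.186/80 junos-http 6(0) HTTP lab outside UNKNOWN UNKNOWN N/A(N/A) vlan.0 UNKNOWN policy deny
Aug 21 08:23:01 homefwsrx210 example: constructed line that is not a deny record
"""


def parse_denies(text):
    """Return one dict per RT_FLOW_SESSION_DENY line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "proto"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def summarize(records):
    """Count denies per (policy, from_zone, to_zone) and per (dst, dport)."""
    by_policy = Counter((r["policy"], r["from_zone"], r["to_zone"]) for r in records)
    by_dest = Counter((r["dst"], r["dport"]) for r in records)
    return by_policy, by_dest


def silent_policies(expected, records):
    """Expected deny policies with no log entry: no matching traffic, or no log stanza."""
    return sorted(set(expected) - {r["policy"] for r in records})


if __name__ == "__main__":
    recs = parse_denies(SAMPLE)
    by_policy, by_dest = summarize(recs)
    print(by_policy.most_common())
    print(by_dest.most_common())
    print("no deny entries for:", silent_policies(["HTTP", "default-deny"], recs))
```

A policy listed by `silent_policies` has either seen no matching traffic in the sampled window or has no `log` stanza, so check its configuration before concluding nothing was denied.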