Logging the Traffic on an Interface
Problem
You want to keep a log of the traffic passing through an interface.
Solution
In the then clause, include the log option to capture information about filter activity:
[edit firewall filter incoming-to-me]
aviva@RouterF# set term final-accept then log
aviva@RouterF# set term final-accept then accept
Use the show firewall log command to display the firewall logs:
aviva@RouterF> show firewall log
Log :
Time      Filter    Action Interface    Protocol  Src Addr     Dest Addr
04:59:13  pfe       A      t1-0/0/3.0   TCP       10.0.31.1    10.0.31.2
04:59:11  pfe       A      t1-0/0/3.0   TCP       10.0.31.1    10.0.31.2
04:58:43  pfe       A      t1-0/0/3.0   TCP       10.0.31.1    10.0.31.2
04:58:41  pfe       A      t1-0/0/3.0   TCP       10.0.31.1    10.0.31.2
You can also save the activity records to a standard system logfile:
[edit firewall filter incoming-to-me]
aviva@RouterF# set term final-accept then syslog
aviva@RouterF# set term final-accept then accept
Then configure a system logfile to accept the log messages:
[edit system syslog]
aviva@RouterF# set file messages firewall any
Discussion
You can log the activity of a term in a firewall filter using the log facility that is built into the firewall filter software itself. Configure this with a set then log command. The log records the action the term took on each packet: accept, discard, or reject. This configuration keeps the entries in a buffer on the router's PFE, not in a file: the buffer is small and circular, so older entries are overwritten as new packets match, and the contents do not survive a reboot. Use it when you want to actively watch traffic or debug a problem, and put the log action on a narrow term rather than on a catch-all term on a busy interface, because every matching packet creates an entry.
The show firewall log command displays the firewall logs. The detail option of this command shows an expanded version of the same information:
aviva@RouterF> show firewall log detail
Time of Log: 2005-09-07 05:00:13 UTC, Filter: pfe, Filter action: accept, Name of interface: t1-0/0/3.0
Name of protocol: TCP, Packet Length: 71, Source address: 10.0.31.1:1390, Destination address: 10.0.31.2:179
Time of Log: 2005-09-07 05:00:11 UTC, Filter: pfe, Filter action: accept, Name of interface: t1-0/0/3.0
Name of protocol: TCP, Packet Length: 52, Source address: 10.0.31.1:1390, Destination address: 10.0.31.2:179
Time of Log: 2005-09-07 04:59:43 UTC, Filter: pfe, Filter action: accept, Name of interface: t1-0/0/3.0
Name of protocol: TCP, Packet Length: 71, Source address: 10.0.31.1:1390, Destination address: 10.0.31.2:179
Time of Log: 2005-09-07 04:59:41 UTC, Filter: pfe, Filter action: accept, Name of interface: t1-0/0/3.0
Name of protocol: TCP, Packet Length: 52, Source address: 10.0.31.1:1390, Destination address: 10.0.31.2:179
In the output, the first field shows when the packet was received. Looking at the times in this output, you see that the firewall log facility places the newest entries at the beginning of the output. This is the opposite of system logfiles, which have the newest entries at the end. The Filter field shows pfe, which means that the packet was handled by the JUNOS PFE. The Action and Filter action fields show the fate of the packet: accept (shown as A in the standard output), discard (D), or reject (R). In this output, all packets were accepted.
The next two fields show the interface on which the filter is configured and the protocol type of the packet. The last two fields show the packet's source and destination addresses. In the detail output, each address also includes the port number; here the destination port is 179, so these entries are BGP packets from 10.0.31.1 to the router.
You can also save the activity records to a standard system logfile with a set then syslog command. Then configure a system logfile to accept the log messages. This recipe places all firewall logging messages in the messages file. The firewall facility captures firewall-related messages. Use the show log command to view the messages:
aviva@RouterF> show log messages
Sep 7 04:59:13 RouterF fwdd[2498]: PFE_FW_SYSLOG_IP: FW: t1-0/0/3.0 A tcp 172.19.121.114 172.17.28.108 5888 18695 (1 packets)
Sep 7 04:59:13 RouterF last message repeated 5 times
Sep 7 04:59:13 RouterF fwdd[2498]: PFE_FW_SYSLOG_IP: FW: t1-0/0/3.0 A tcp 192.168.14.1 192.168.18.1 54532 45824 (1 packets)
The fwdd after the router name means that the message was generated by the JUNOS forwarding process (daemon). The message code for firewall logs is PFE_FW_SYSLOG_IP, and FW: indicates that the message is present in the logs as the result of a firewall configuration. Some of the remaining information in the system log message is similar to what the show firewall log command displays. First is the interface name, followed by an A to report that the packet was accepted, and tcp, which is the type of packet. The two IP addresses are the packet's source and destination addresses, respectively, and the last two numbers are the source and destination ports. Note the last message repeated 5 times line: the syslog process collapses identical consecutive messages, so when you count packets from the logfile you must multiply the preceding message by the repeat count. Because each matching packet is reported from the PFE to the Routing Engine's syslog process, the syslog action costs more than log; use it on narrow terms rather than on a catch-all accept term on a busy interface. Unlike the firewall log buffer, the messages file is written to disk and retained across reboots, and the same firewall facility can be directed to a remote syslog host under [edit system syslog] so the records are kept off the router.
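As an added example (not part of the recipe and not JUNOS code), the following Python script parses lines in the PFE_FW_SYSLOG_IP format shown above, expands the last message repeated N times lines that syslog inserts, and sums packets per flow and per filter action. The sample log lines are constructed for illustration, and the function names are the example's own.

```python
import re
from collections import Counter
from typing import List, Optional

# Constructed sample in the format of the show log messages output above; the
# addresses and ports are illustrative, not captured data. The sshd lines stand
# in for the unrelated messages that share the file.
SAMPLE_MESSAGES = """\
Sep  7 04:59:13 RouterF fwdd[2498]: PFE_FW_SYSLOG_IP: FW: t1-0/0/3.0 A tcp 172.19.121.114 172.17.28.108 5888 18695 (1 packets)
Sep  7 04:59:13 RouterF last message repeated 5 times
Sep  7 04:59:13 RouterF fwdd[2498]: PFE_FW_SYSLOG_IP: FW: t1-0/0/3.0 A tcp 192.168.14.1 192.168.18.1 54532 45824 (1 packets)
Sep  7 04:59:14 RouterF fwdd[2498]: PFE_FW_SYSLOG_IP: FW: t1-0/0/3.0 D udp 10.0.31.9 10.0.31.2 40000 161 (3 packets)
Sep  7 04:59:15 RouterF sshd[1201]: Accepted password for aviva from 10.0.31.1 port 51022 ssh2
Sep  7 04:59:15 RouterF last message repeated 2 times
"""

# Leading syslog timestamp and hostname shared by every line.
TIMESTAMP = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "

# One firewall record: interface, action (A/D/R), protocol, addresses, ports
# and the packet count the PFE reported in that message.
FW_RE = re.compile(
    TIMESTAMP
    + r"fwdd\[\d+\]: PFE_FW_SYSLOG_IP: FW: (?P<ifl>\S+) (?P<action>[ADR]) "
    r"(?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+) "
    r"\((?P<count>\d+) packets\)$"
)

# syslog's collapsing of identical consecutive messages.
REPEAT_RE = re.compile(TIMESTAMP + r"last message repeated (?P<n>\d+) times$")


def parse_fw_messages(text: str) -> List[dict]:
    """Return one record per firewall log message.

    A 'last message repeated N times' line becomes a copy of the preceding
    firewall record carrying N times its packet count. A repeat that follows
    a non-firewall message (sshd, etc.) is ignored: it is not a firewall hit.
    """
    records: List[dict] = []
    last_fw: Optional[dict] = None
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            rec = m.groupdict()
            for field in ("sport", "dport", "count"):
                rec[field] = int(rec[field])
            rec["repeated"] = False
            records.append(rec)
            last_fw = rec
            continue
        r = REPEAT_RE.match(line)
        if r:
            if last_fw is not None:
                n = int(r.group("n"))
                records.append(dict(last_fw, count=last_fw["count"] * n, repeated=True))
            continue
        last_fw = None  # any other message breaks the repeat chain


    return records


def packets_per_flow(records: List[dict], action: Optional[str] = None) -> Counter:
    """Sum packets per (src, dst, proto, dport); restrict to one action if given."""
    flows: Counter = Counter()
    for rec in records:
        if action is not None and rec["action"] != action:
            continue
        flows[(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += rec["count"]
    return flows


def top_sources(records: List[dict], limit: int = 5):
    """Source addresses ordered by packets logged, for a quick who-is-talking view."""
    per_src: Counter = Counter()
    for rec in records:
        per_src[rec["src"]] += rec["count"]
    return per_src.most_common(limit)


if __name__ == "__main__":
    recs = parse_fw_messages(SAMPLE_MESSAGES)
    for flow, pkts in packets_per_flow(recs).most_common():
        print(f"{pkts:6d}  {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}")
    print("discarded:", dict(packets_per_flow(recs, action="D")))
    print("top sources:", top_sources(recs))
```

Feed it the output of show log messages (or the exported file) and filter on action D to see what the filter is dropping; the repeat expansion matters because a scanner hitting one port repeatedly shows up as a single line plus a repeat count, not as many lines.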
See Also
Recipe 5.1