Add Logging to All Security Policies on a #Juniper #SRX

If you’re tired of typing “then log session-init” or clicking the log button in NSM or the web GUI, there is an easy way to log every single policy.

We’ll use JUNOS groups to accomplish this.

From the CLI:

configure
set groups log-all-policies security policies from-zone <*> to-zone <*> policy <*> then log session-init
set security policies apply-groups log-all-policies
commit

There are a few easy ways to check if you’re truly logging:

  1. Check your logs! 😀
  2. show security policies from operational mode

    ben@srx> show security policies from-zone VPN to-zone LOOPBACK
    From zone: VPN, To zone: LOOPBACK
    Policy: MGMT, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    Source addresses: All-Loopbacks
    Destination addresses: My-Loop
    Applications: junos-ssh, junos-icmp-all
    Action: permit, log

  3. show configuration with inheritance

    ben@srx> show configuration security policies from-zone VPN to-zone LOOPBACK | display inheritance
    policy MGMT {
        match {
            source-address All-Loopbacks;
            destination-address My-Loop;
            application [ junos-ssh junos-icmp-all ];
        }
        then {
            permit;
            ##
            ## 'log' was inherited from group 'log-all-policies'
            ##
            log {
                ##
                ## 'session-init' was inherited from group 'log-all-policies'
                ##
                session-init;
            }
        }
    }
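Check 2 above scales badly once a box has dozens of zone pairs, so here is an added example (not from the original post) that parses the layout of the operational-mode output shown above and reports every enabled policy whose Action line does not include log. The sample output is constructed for this example; the parser is a simple line-by-line state machine that assumes the "From zone", "Policy" and "Action" field layout exactly as the post shows it, and the policy and zone names in the sample are made up.

```python
"""Audit 'show security policies' output for policies that do not log.

Added example, not the original post's code. Assumes the field layout of
the post's operational-mode output: a "From zone: X, To zone: Y" header,
one "Policy: NAME, State: ..." line per policy, and an "Action: ..." line
listing comma-separated actions.
"""
import re
from dataclasses import dataclass

# Constructed sample output in the same layout as the post's example.
# WEB-OUT is the one enabled policy that does not log.
SAMPLE_OUTPUT = """\
From zone: VPN, To zone: LOOPBACK
  Policy: MGMT, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    Source addresses: All-Loopbacks
    Destination addresses: My-Loop
    Applications: junos-ssh, junos-icmp-all
    Action: permit, log
From zone: trust, To zone: untrust
  Policy: WEB-OUT, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: junos-http, junos-https
    Action: permit
  Policy: DENY-REST, State: disabled, Index: 7, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny, log
"""

ZONE_RE = re.compile(r"^\s*From zone:\s*(\S+),\s*To zone:\s*(\S+)\s*$")
POLICY_RE = re.compile(r"^\s*Policy:\s*([^,]+),\s*State:\s*(\w+)")
ACTION_RE = re.compile(r"^\s*Action:\s*(.+?)\s*$")


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    name: str
    state: str
    actions: tuple = ()

    @property
    def logs(self) -> bool:
        # The Action line reads e.g. "permit, log"; "log" is its own token.
        return "log" in self.actions


def parse_policies(text: str) -> list:
    """Turn the listing into Policy objects, one per 'Policy:' line."""
    policies = []
    from_zone = to_zone = ""
    current = None
    for line in text.splitlines():
        m = ZONE_RE.match(line)
        if m:
            from_zone, to_zone = m.groups()
            continue
        m = POLICY_RE.match(line)
        if m:
            current = Policy(from_zone, to_zone, m.group(1).strip(), m.group(2))
            policies.append(current)
            continue
        m = ACTION_RE.match(line)
        if m and current is not None:
            current.actions = tuple(a.strip() for a in m.group(1).split(","))
    return policies


def unlogged_policies(text: str, include_disabled: bool = False) -> list:
    """Return 'from->to:name' for each policy whose Action lacks 'log'.

    Disabled policies are skipped unless include_disabled is set, since
    they generate no sessions to log.
    """
    return [
        f"{p.from_zone}->{p.to_zone}:{p.name}"
        for p in parse_policies(text)
        if not p.logs and (include_disabled or p.state == "enabled")
    ]


if __name__ == "__main__":
    missing = unlogged_policies(SAMPLE_OUTPUT)
    if missing:
        print("Policies without logging:")
        for entry in missing:
            print("  " + entry)
    else:
        print("Every enabled policy logs.")
```

Run it against the output of `show security policies` for the whole box and an empty result confirms the group applied everywhere you expected; anything it lists is a policy the apply-groups line did not reach.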


Responses to “Add Logging to All Security Policies on a #Juniper #SRX”

  1. Hello Ben. Do we have any such thing for Netscreen as well wherein we can enable logging on all policies? Please let me know. Thanks for sharing.

    • Hey Braz,
      No I haven’t seen anything like this on Netscreen. The scripting capabilities of ScreenOS were really lacking. :/

  2. Very useful article. Thank you