Solved

Viewing SSG 550 logs

Posted on 2009-05-05
Last Modified: 2012-05-06
Hi there.

I usually work with Checkpoint Firewalls, but I have been asked to check the logs on a Juniper SSG 550 to find out what user is accessing a certain website.

Does the Juniper have something similar to the SmartView Tracker in Checkpoint?

Thanks!
Question by:imagitastech
5 Comments
 
LVL 5

Accepted Solution

by:
ccreamer_22 earned 84 total points
Juniper has several ways to view and take a log. Locally on the device, you need to set up logging on the policy for which the traffic you want to view will be seen. These logs don't stay in memory long because of limited space for logs on the device, so either an NSM server, a WebTrends program, or a syslog program needs to be configured to capture this data. The logs will look like the example:

If you want to see who is going there at the moment or over a short period of time, a quicker way is to set a filter and print out the log. Running the filter over a long period of time will use up the firewall's resources and could potentially lock the firewall up, but this usually will not happen unless you keep it running for hours. If it does happen and the firewall becomes unresponsive, reboot it and it will come back up. To keep this situation from happening, I would set up the home page in the WebUI of the firewall and set it to refresh every 10 seconds so you can see the system usage of the firewall, to make sure that you are not sending the firewall into the red and dropping packets while you run the filter. The next thing you should do is open up the CLI interface, either through telnet or ssh.
Then set the filter:

set ffilter dst-ip (ip of the site you wish to monitor)

This will set up your filter for everything going to the ip address of the web site.

debug flow basic

This will run the filter and create a log for just this traffic. Press Esc to break the operation.

get db str

This will print out all the traffic for your filter.

clear db

This will clean out the log for your filter.

unset ff

This will clear out your filter.

I hope this helps. Let me know if you need anything else.
=========================================================================================================================
Traffic Log for Policy:
   (Src = "DMZ/Any", Dst = "Trust/Any", Service = "ANY")
    Current system time is Tue,  5 May 2009 16:29:47
=========================================================================================================================
Time Stamp          Action  Source                Destination           Translated Source     Translated Dest       Duration     Bytes Sent Bytes Received Application
2009-05-05 16:29:18 Permit  172.20.1.26:3984      10.74.32.22:445                                                   16 sec             4935           8464 TCP PORT 445
2009-05-05 16:29:10 Permit  172.20.1.21:3054      10.64.32.22:135                                                   93 sec              710            546 MSRPC ENDPOINT MAPPER(TCP)
2009-05-05 16:29:10 Permit  172.20.1.21:3055      10.64.32.22:1025                                                  93 sec             1393           3080 TCP PORT 1025
2009-05-05 16:29:06 Permit  172.20.1.26:51758     10.74.32.22:512                                                   4 sec                78             78 ICMP
2009-05-05 16:29:06 Permit  172.20.1.26:51502     10.74.32.22:512                                                   4 sec                78             78 ICMP
2009-05-05 16:29:02 Permit  172.20.1.26:51758     10.74.32.22:512                                                   0 sec                 0              0 ICMP
2009-05-05 16:29:02 Permit  172.20.1.26:3984      10.74.32.22:445                                                   0 sec                 0              0 TCP PORT 445
2009-05-05 16:29:02 Permit  172.20.1.26:51502     10.74.32.22:512                                                   0 sec                 0              0 ICMP
2009-05-05 16:27:37 Permit  172.20.1.21:3055      10.64.32.22:1025                                                  0 sec                 0              0 TCP PORT 1025
2009-05-05 16:27:37 Permit  172.20.1.21:3054      10.64.32.22:135                                                   0 sec                 0              0 MSRPC ENDPOINT MAPPER(TCP)
=========================================================================================================================
   End of Traffic Log
=========================================================================================================================

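As an added example (not code from the thread or from Juniper), here is a small Python parser for the ScreenOS traffic-log format shown above. It answers the original question directly: given a destination address (and optionally a port), it reports which source addresses had sessions to it and how much data moved. The sample lines are copied from the log above; the function and variable names are my own.

```python
import re
from collections import defaultdict

# One line of the ScreenOS traffic log shown in the thread. The two "Translated"
# columns are blank when no NAT applies, so that pair of fields is optional.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<action>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?:(?P<xsrc>[\d.]+):(?P<xsport>\d+)\s+(?P<xdst>[\d.]+):(?P<xdport>\d+)\s+)?"
    r"(?P<secs>\d+) sec\s+(?P<sent>\d+)\s+(?P<recv>\d+)\s+(?P<app>.+?)\s*$"
)

def parse_line(line):
    """Return a dict for one traffic-log entry, or None for headers and separators."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "secs", "sent", "recv"):
        rec[k] = int(rec[k])
    return rec

def sources_for_destination(lines, dst_ip, dport=None):
    """Per-source session count and byte totals for traffic to dst_ip (optionally one port).
    Each session is logged twice, at open (0 sec, 0 bytes) and at close with totals,
    so sessions are counted by unique port pair and bytes are summed (the open entry adds 0).
    """
    stats = defaultdict(lambda: {"ports": set(), "sent": 0, "recv": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] != dst_ip or (dport is not None and rec["dport"] != dport):
            continue
        s = stats[rec["src"]]
        s["ports"].add((rec["sport"], rec["dport"]))
        s["sent"] += rec["sent"]
        s["recv"] += rec["recv"]
    return {src: {"sessions": len(v["ports"]), "sent": v["sent"], "recv": v["recv"]}
            for src, v in stats.items()}

# Sample input: the column header plus a subset of the entries from the log above.
SAMPLE = """\
Time Stamp          Action  Source                Destination           Translated Source     Translated Dest       Duration     Bytes Sent Bytes Received Application
2009-05-05 16:29:18 Permit  172.20.1.26:3984      10.74.32.22:445                                                   16 sec             4935           8464 TCP PORT 445
2009-05-05 16:29:10 Permit  172.20.1.21:3054      10.64.32.22:135                                                   93 sec              710            546 MSRPC ENDPOINT MAPPER(TCP)
2009-05-05 16:29:06 Permit  172.20.1.26:51758     10.74.32.22:512                                                   4 sec                78             78 ICMP
2009-05-05 16:29:02 Permit  172.20.1.26:51758     10.74.32.22:512                                                   0 sec                 0              0 ICMP
2009-05-05 16:29:02 Permit  172.20.1.26:3984      10.74.32.22:445                                                   0 sec                 0              0 TCP PORT 445
""".splitlines()
```

Feed it the output of the policy's traffic log (or a syslog export of it) and pass the web server's address, and optionally port 80 or 443, to see which internal hosts are talking to it.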
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 83 total points
Try NSSA; I have already written about it, visit the link:

http://www.rsivanandan.com/2008/02/17/juniper-firewall-session-analyzer/

Cheers,
Rajesh
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 83 total points
You can also perform an online profile (as a snapshot) by using the fprofile command. It allows for collecting session statistics over a timespan, which can be analyzed for packet distribution per dst-port, dst-addr, src-port, or ...
That command is undocumented, so if you would like to use it, I will have to elaborate more on this.

 

Author Closing Comment

by:imagitastech
All answers were very helpful. Thanks all!
 

Expert Comment

by:raafetsabah
Please, I need to view the log file of my SSG 550 firewall after rebooting it. I appreciate your help so much.
