Solved

Viewing SSG 550 logs

Posted on 2009-05-05
5
2,418 Views
Last Modified: 2012-05-06
Hi there.

I usually work with Checkpoint firewalls, but I have been asked to check the logs on a Juniper SSG 550 to find out what user is accessing a certain website.

Does the Juniper have something similar to the SmartView Tracker in Checkpoint?

Thanks!
0
Comment
Question by:imagitastech
5 Comments
 
LVL 5

Accepted Solution

by:
ccreamer_22 earned 84 total points
ID: 24309049
Juniper has several ways to view and take a log. Locally on the device, you need to set up logging on the policy under which the traffic you want to view will be seen. These logs don't stay in memory long because of limited space for logs on the device, so either an NSM server, a WebTrends program, or a syslog program needs to be configured to capture this data. The logs will look like the example:

If you want to see who is going there at the moment or over a short period of time, a quicker way is to set a filter and print out the log. Running the filter over a long period of time will use up the firewall's resources and could potentially lock the firewall up, but that usually will not happen unless you keep it running for hours. If it does happen and the firewall becomes unresponsive, reboot it and it will come back up. To avoid this situation, I would open the home page in the WebUI of the firewall and set it to refresh every 10 seconds so you can see the system usage of the firewall and make sure that you are not sending the firewall into the red and dropping packets while you run the filter. The next thing you should do is open up the CLI, either through telnet or SSH.
Then set the filter:

set ffilter dst-ip <ip of the site you wish to monitor>

This will set up your filter for everything going to the ip address of the web site.

debug flow basic

This will run the filter and create a log for just this traffic. Press esc to break the operation.

get dbuf stream

This will print out all the traffic for your filter.

clear dbuf

This will clean out the log for your filter.

unset ffilter

This will clear out your filter.

I hope this helps. Let me know if you need anything else.
=========================================================================================================================
Traffic Log for Policy:
 
   (Src = "DMZ/Any", Dst = "Trust/Any", Service = "ANY")
 
    Current system time is Tue,  5 May 2009 16:29:47
=========================================================================================================================
 
Time Stamp          Action  Source                Destination           Translated Source     Translated Dest       Duration     Bytes Sent Bytes Received Application
 
2009-05-05 16:29:18 Permit  172.20.1.26:3984      10.74.32.22:445                                                   16 sec             4935           8464 TCP PORT 445
2009-05-05 16:29:10 Permit  172.20.1.21:3054      10.64.32.22:135                                                   93 sec              710            546 MSRPC ENDPOINT MAPPER(TCP)
2009-05-05 16:29:10 Permit  172.20.1.21:3055      10.64.32.22:1025                                                  93 sec             1393           3080 TCP PORT 1025
2009-05-05 16:29:06 Permit  172.20.1.26:51758     10.74.32.22:512                                                   4 sec                78             78 ICMP
2009-05-05 16:29:06 Permit  172.20.1.26:51502     10.74.32.22:512                                                   4 sec                78             78 ICMP
2009-05-05 16:29:02 Permit  172.20.1.26:51758     10.74.32.22:512                                                   0 sec                 0              0 ICMP
2009-05-05 16:29:02 Permit  172.20.1.26:3984      10.74.32.22:445                                                   0 sec                 0              0 TCP PORT 445
2009-05-05 16:29:02 Permit  172.20.1.26:51502     10.74.32.22:512                                                   0 sec                 0              0 ICMP
2009-05-05 16:27:37 Permit  172.20.1.21:3055      10.64.32.22:1025                                                  0 sec                 0              0 TCP PORT 1025
2009-05-05 16:27:37 Permit  172.20.1.21:3054      10.64.32.22:135                                                   0 sec                 0              0 MSRPC ENDPOINT MAPPER(TCP)
 
=========================================================================================================================
   End of Traffic Log 
=========================================================================================================================


0
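A small parser for the traffic-log shape shown in the answer above, added here as an example (it is not part of the original answer and not a Juniper tool): it turns the "Traffic Log for Policy" output into records and answers the question actually asked, which internal hosts talked to a given destination, with per-source session counts, byte totals, destination ports and time span. The session lines are copied from the answer; the NAT'd session from 192.168.5.10 is constructed to exercise the Translated Source/Dest columns, and the "sec" duration unit and the reading that a session shows up once when it opens (0 sec, 0 bytes) and once when it closes are taken from the sample itself, not from ScreenOS documentation.

```python
"""Summarise ScreenOS traffic-log output: which source hosts talked to a destination?

Added example. Regex-based, so the exact column widths of the firewall's output
do not matter; lines that do not match are kept in an 'unparsed' list rather
than silently dropped.
"""
import re
from collections import defaultdict

# Constructed sample: the session lines shown in the answer, plus one made-up
# NAT'd session (192.168.5.10 -> 10.74.32.22:80 via 203.0.113.4) so that the
# Translated Source / Translated Dest columns are exercised.
SAMPLE_LOG = """\
==========================================================
Traffic Log for Policy:
   (Src = "DMZ/Any", Dst = "Trust/Any", Service = "ANY")
    Current system time is Tue,  5 May 2009 16:29:47
==========================================================
Time Stamp          Action  Source                Destination           Translated Source     Translated Dest       Duration     Bytes Sent Bytes Received Application
2009-05-05 16:29:18 Permit  172.20.1.26:3984      10.74.32.22:445                                                   16 sec             4935           8464 TCP PORT 445
2009-05-05 16:29:10 Permit  172.20.1.21:3054      10.64.32.22:135                                                   93 sec              710            546 MSRPC ENDPOINT MAPPER(TCP)
2009-05-05 16:29:10 Permit  172.20.1.21:3055      10.64.32.22:1025                                                  93 sec             1393           3080 TCP PORT 1025
2009-05-05 16:29:06 Permit  172.20.1.26:51758     10.74.32.22:512                                                   4 sec                78             78 ICMP
2009-05-05 16:29:02 Permit  172.20.1.26:3984      10.74.32.22:445                                                   0 sec                 0              0 TCP PORT 445
2009-05-05 16:28:50 Permit  192.168.5.10:1122     10.74.32.22:80        203.0.113.4:6201      10.74.32.22:80        12 sec              980           4100 HTTP
==========================================================
   End of Traffic Log
==========================================================
"""

IPPORT = r"\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}"
LINE_RE = re.compile(
    rf"^(?P<ts>\d{{4}}-\d{{2}}-\d{{2}} \d{{2}}:\d{{2}}:\d{{2}})\s+"
    rf"(?P<action>\S+)\s+(?P<src>{IPPORT})\s+(?P<dst>{IPPORT})\s+"
    rf"(?:(?P<xsrc>{IPPORT})\s+(?P<xdst>{IPPORT})\s+)?"   # NAT columns: both filled or both blank
    rf"(?P<dur>\d+) sec\s+(?P<sent>\d+)\s+(?P<recv>\d+)\s+(?P<app>\S.*?)\s*$"
)


def _split(ipport):
    ip, port = ipport.rsplit(":", 1)
    return ip, int(port)


def parse_traffic_log(text):
    """Return (records, unparsed): one dict per session line, banner/header lines skipped."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line[:4].isdigit():       # banner, column header, blank and footer lines
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)        # unknown shape: keep it for a human, never drop it
            continue
        d = m.groupdict()
        src_ip, src_port = _split(d["src"])
        dst_ip, dst_port = _split(d["dst"])
        records.append({
            "time": d["ts"], "action": d["action"],
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
            "nat_src": d["xsrc"], "nat_dst": d["xdst"],
            "duration": int(d["dur"]),
            "bytes_sent": int(d["sent"]), "bytes_recv": int(d["recv"]),
            "app": d["app"],
        })
    return records, unparsed


def sessions_to(records, dst_ip):
    """Per source IP for one destination: distinct sessions, bytes, ports and time span.

    In the sample a session appears twice (a 0 sec / 0 byte line when it opens,
    a second line when it closes), so sessions are counted by distinct
    (src_port, dst_port) pair rather than by line; the open line adds 0 bytes.
    """
    out = defaultdict(lambda: {"sessions": set(), "bytes_sent": 0, "bytes_recv": 0,
                               "ports": set(), "first": None, "last": None})
    for r in records:
        if r["dst_ip"] != dst_ip:
            continue
        s = out[r["src_ip"]]
        s["sessions"].add((r["src_port"], r["dst_port"]))
        s["bytes_sent"] += r["bytes_sent"]
        s["bytes_recv"] += r["bytes_recv"]
        s["ports"].add(r["dst_port"])
        s["first"] = r["time"] if s["first"] is None else min(s["first"], r["time"])
        s["last"] = r["time"] if s["last"] is None else max(s["last"], r["time"])
    for s in out.values():
        s["sessions"] = len(s["sessions"])
    return dict(out)


def report(text, dst_ip):
    """Print a per-source summary for dst_ip and return it."""
    records, unparsed = parse_traffic_log(text)
    summary = sessions_to(records, dst_ip)
    print(f"Sessions to {dst_ip}:")
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1]["bytes_sent"]):
        ports = ",".join(str(p) for p in sorted(s["ports"]))
        print(f"  {src:<16} sessions={s['sessions']:<2} sent={s['bytes_sent']:<6} "
              f"recv={s['bytes_recv']:<6} dst_ports={ports:<10} {s['first']} .. {s['last']}")
    if unparsed:
        print(f"  {len(unparsed)} line(s) not understood; review them by hand")
    return summary


if __name__ == "__main__":
    report(SAMPLE_LOG, "10.74.32.22")
```

Feed it the pasted output of the traffic log (or a file captured from syslog after the lines are reassembled into this shape) and the destination address of the website in question; the source addresses it lists are the hosts to map back to users through DHCP or AD logon records.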
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 83 total points
ID: 24310588
Try NSSA; I have already written about it, visit the link:

http://www.rsivanandan.com/2008/02/17/juniper-firewall-session-analyzer/

Cheers,
Rajesh
0
 
LVL 70

Assisted Solution

by:Qlemo
Qlemo earned 83 total points
ID: 24318317
You can also perform an online profile (as a snapshot) by using the fprofile command. It allows collecting session statistics over a timespan, which can be analyzed for packet distribution per dst-port, dst-addr, src-port, or ...
That command is undocumented, so if you would like to use it, I will have to elaborate more on this.

0
 

Author Closing Comment

by:imagitastech
ID: 31578190
All answers were very helpful. Thanks all!
0
 

Expert Comment

by:raafetsabah
ID: 37056176
Please, I need to view the log file of my SSG 550 firewall after rebooting it. I appreciate your help so much.
0
