Solved

Viewing SSG 550 logs

Posted on 2009-05-05
Last Modified: 2012-05-06
Hi there.

I usually work with Checkpoint firewalls, but I have been asked to check the logs on a Juniper SSG 550 to find out which user is accessing a certain website.

Does the Juniper have something similar to the SmartView Tracker in Checkpoint?

Thanks!
Question by:imagitastech
5 Comments
 
LVL 5

Accepted Solution

by:
ccreamer_22 earned 84 total points
ID: 24309049
Juniper has several ways to view and take a log. Locally on the device, you need to set up logging on the policy for which the traffic you want to view will be seen. These logs don't stay in memory long because of limited space for logs on the device, so either an NSM server, a WebTrends program, or a syslog program needs to be configured to capture this data. The logs will look like the example:

If you want to see who is going there at the moment or over a short period of time, a quicker way is to set a filter and print out the log. Running the filter over a long period of time will use up the firewall's resources and could potentially lock the firewall up, but this usually will not happen unless you keep it running for hours. If it does happen and the firewall becomes unresponsive, reboot it and it will come back up. To avoid this situation, I would set up the home page in the WebUI of the firewall and set it to refresh every 10 seconds so you can see the system usage of the firewall, to make sure that you are not sending the firewall into the red and dropping packets while you run the filter. The next thing you should do is open up the CLI interface, either through telnet or ssh.
Then set the filter:

set ffilter dst-ip (ip of the site you wish to monitor)

This will set up your filter for everything going to the ip address of the web site.

debug flow basic

This will run the filter and create a log for just this traffic. Press esc to break the operation.

get db str

This will print out all the traffic for your filter.

clear db

This will clean out the log for your filter.

unset ff

This will clear out your filter.

I hope this helps. Let me know if you need anything else.
=========================================================================================================================
Traffic Log for Policy:
 
   (Src = "DMZ/Any", Dst = "Trust/Any", Service = "ANY")
 
    Current system time is Tue,  5 May 2009 16:29:47
=========================================================================================================================
 
Time Stamp          Action  Source                Destination           Translated Source     Translated Dest       Duration     Bytes Sent Bytes Received Application
 
2009-05-05 16:29:18 Permit  172.20.1.26:3984      10.74.32.22:445                                                   16 sec             4935           8464 TCP PORT 445
2009-05-05 16:29:10 Permit  172.20.1.21:3054      10.64.32.22:135                                                   93 sec              710            546 MSRPC ENDPOINT MAPPER(TCP)
2009-05-05 16:29:10 Permit  172.20.1.21:3055      10.64.32.22:1025                                                  93 sec             1393           3080 TCP PORT 1025
2009-05-05 16:29:06 Permit  172.20.1.26:51758     10.74.32.22:512                                                   4 sec                78             78 ICMP
2009-05-05 16:29:06 Permit  172.20.1.26:51502     10.74.32.22:512                                                   4 sec                78             78 ICMP
2009-05-05 16:29:02 Permit  172.20.1.26:51758     10.74.32.22:512                                                   0 sec                 0              0 ICMP
2009-05-05 16:29:02 Permit  172.20.1.26:3984      10.74.32.22:445                                                   0 sec                 0              0 TCP PORT 445
2009-05-05 16:29:02 Permit  172.20.1.26:51502     10.74.32.22:512                                                   0 sec                 0              0 ICMP
2009-05-05 16:27:37 Permit  172.20.1.21:3055      10.64.32.22:1025                                                  0 sec                 0              0 TCP PORT 1025
2009-05-05 16:27:37 Permit  172.20.1.21:3054      10.64.32.22:135                                                   0 sec                 0              0 MSRPC ENDPOINT MAPPER(TCP)
 
=========================================================================================================================
   End of Traffic Log 
=========================================================================================================================


0
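An added example, not from the posted answer or from Juniper: a Python parser for the traffic-log format shown above, used to answer the original question (which source addresses are talking to a given site). The sample rows are taken from the posted log with the column padding condensed; the rule that each session appears as a 0-byte open row plus a close row with totals is an assumption drawn from those rows.

```python
import re
from collections import defaultdict

# Constructed sample: rows from the log posted above, header included, padding condensed.
SAMPLE = """\
Time Stamp Action Source Destination Translated Source Translated Dest Duration Bytes Sent Bytes Received Application
2009-05-05 16:29:18 Permit 172.20.1.26:3984 10.74.32.22:445 16 sec 4935 8464 TCP PORT 445
2009-05-05 16:29:10 Permit 172.20.1.21:3054 10.64.32.22:135 93 sec 710 546 MSRPC ENDPOINT MAPPER(TCP)
2009-05-05 16:29:06 Permit 172.20.1.26:51758 10.74.32.22:512 4 sec 78 78 ICMP
2009-05-05 16:29:02 Permit 172.20.1.26:3984 10.74.32.22:445 0 sec 0 0 TCP PORT 445
2009-05-05 16:27:37 Permit 172.20.1.21:3054 10.64.32.22:135 0 sec 0 0 MSRPC ENDPOINT MAPPER(TCP)
"""

# Translated Source / Translated Dest are blank in the posted log, so they form an
# optional pair; the "<n> sec" duration anchors where the numeric columns begin.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<action>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?:(?P<xsrc>\S+)\s+(?P<xdst>\S+)\s+)?"
    r"(?P<dur>\d+) sec\s+(?P<sent>\d+)\s+(?P<recv>\d+)\s+(?P<app>.+?)\s*$"
)
NUMERIC = {"dur", "sent", "recv"}

def parse_traffic_log(text):
    """Return one dict per log row; banner, header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({k: int(v) if k in NUMERIC else v
                            for k, v in m.groupdict().items()})
    return records

def sources_for_destination(records, dst_ip):
    """Per source IP talking to dst_ip: number of unique sessions and bytes each way."""
    # Assumption from the posted log: a session is logged once with 0 sec / 0 bytes
    # when it opens and again with totals when it closes, so keep only the row
    # with the most bytes per src:port -> dst:port pair to avoid double counting.
    best = {}
    for r in records:
        if r["dst"].rsplit(":", 1)[0] != dst_ip:
            continue
        key = (r["src"], r["dst"])
        if key not in best or r["sent"] + r["recv"] > best[key]["sent"] + best[key]["recv"]:
            best[key] = r
    out = defaultdict(lambda: {"sessions": 0, "sent": 0, "recv": 0})
    for r in best.values():
        s = out[r["src"].rsplit(":", 1)[0]]
        s["sessions"] += 1
        s["sent"] += r["sent"]
        s["recv"] += r["recv"]
    return dict(out)
```

Feed it the output of the device's traffic log (or the syslog copy of it) and query the IP of the site in question; the source IPs it returns are what you then map to users.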
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 83 total points
ID: 24310588
Try NSSA; I have already written about it, visit the link:

http://www.rsivanandan.com/2008/02/17/juniper-firewall-session-analyzer/

Cheers,
Rajesh
0
 
LVL 70

Assisted Solution

by:Qlemo
Qlemo earned 83 total points
ID: 24318317
You can also perform an online profile (as a snapshot) by using the fprofile command. It allows for collecting session statistics over a timespan, which can then be analyzed for packet distribution per dst-port, dst-addr, src-port, or ...
That command is undocumented, so if you would like to use it, I will have to elaborate more on this.

0
 

Author Closing Comment

by:imagitastech
ID: 31578190
All answers were very helpful. Thanks all!
0
 

Expert Comment

by:raafetsabah
ID: 37056176
Please, I need to view the log file of my SSG 550 firewall after rebooting it. I appreciate your help so much.
0
