Solved

Viewing SSG 550 logs

Posted on 2009-05-05
Last Modified: 2012-05-06
Hi there.

I usually work with Checkpoint Firewalls, but I have been asked to check the logs on a Juniper SSG 550 to find out what user is accessing a certain website.

Does the Juniper have something similar to the SmartView Tracker in Checkpoint?

Thanks!
0
Question by:imagitastech
5 Comments
 
LVL 5

Accepted Solution

by:
ccreamer_22 earned 84 total points
ID: 24309049
Juniper has several ways to view and take a log. Locally on the device, you need to set up logging on the policy for which the traffic you want to view will be seen. These logs don't stay in memory long because of limited space for logs on the device, so either an NSM server, a WebTrends program, or a syslog program needs to be configured to capture this data. The logs will look like the example:

If you want to see who is going there at the moment or over a short period of time, a quicker way is to set a filter and print out the log. Running the filter over a long period of time will use up the firewall's resources and could potentially lock the firewall up, but this usually will not happen unless you keep it running for hours. If it does happen and the firewall becomes unresponsive, reboot it and it will come back up. To avoid this situation, I would set up the home page in the WebUI of the firewall, set it to refresh every 10 seconds so you can see the system usage of the firewall to make sure that you are not sending the firewall into the red and dropping packets while you run the filter. The next thing you should do is open up the CLI interface either through telnet or ssh.
Then set the filter:

set ffilter dst-ip (ip of the site you wish to monitor)

This will set up your filter for everything going to the ip address of the web site.

debug flow basic

This will run the filter and create a log for just this traffic. Press esc to break the operation.

get db str

This will print out all the traffic for your filter.

clear db

This will clean out the log for your filter.

unset ff

This will clear out your filter.

I hope this helps. Let me know if you need anything else.
=========================================================================================================================
Traffic Log for Policy:
 
   (Src = "DMZ/Any", Dst = "Trust/Any", Service = "ANY")
 
    Current system time is Tue,  5 May 2009 16:29:47
=========================================================================================================================
 
Time Stamp          Action  Source                Destination           Translated Source     Translated Dest       Duration     Bytes Sent Bytes Received Application
 
2009-05-05 16:29:18 Permit  172.20.1.26:3984      10.74.32.22:445                                                   16 sec             4935           8464 TCP PORT 445
2009-05-05 16:29:10 Permit  172.20.1.21:3054      10.64.32.22:135                                                   93 sec              710            546 MSRPC ENDPOINT MAPPER(TCP)
2009-05-05 16:29:10 Permit  172.20.1.21:3055      10.64.32.22:1025                                                  93 sec             1393           3080 TCP PORT 1025
2009-05-05 16:29:06 Permit  172.20.1.26:51758     10.74.32.22:512                                                   4 sec                78             78 ICMP
2009-05-05 16:29:06 Permit  172.20.1.26:51502     10.74.32.22:512                                                   4 sec                78             78 ICMP
2009-05-05 16:29:02 Permit  172.20.1.26:51758     10.74.32.22:512                                                   0 sec                 0              0 ICMP
2009-05-05 16:29:02 Permit  172.20.1.26:3984      10.74.32.22:445                                                   0 sec                 0              0 TCP PORT 445
2009-05-05 16:29:02 Permit  172.20.1.26:51502     10.74.32.22:512                                                   0 sec                 0              0 ICMP
2009-05-05 16:27:37 Permit  172.20.1.21:3055      10.64.32.22:1025                                                  0 sec                 0              0 TCP PORT 1025
2009-05-05 16:27:37 Permit  172.20.1.21:3054      10.64.32.22:135                                                   0 sec                 0              0 MSRPC ENDPOINT MAPPER(TCP)
 
=========================================================================================================================
   End of Traffic Log 
=========================================================================================================================


0
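An added example, not part of the original answer: a Python sketch that parses a traffic log saved as text in the layout of the sample above and summarises which source addresses reached a given destination IP. The function name `sources_for` and the regular expression are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed input: header plus five rows taken from the sample log in the
# answer above (column padding shortened).
SAMPLE = """\
Time Stamp          Action  Source            Destination       Translated Source  Translated Dest  Duration  Bytes Sent  Bytes Received  Application

2009-05-05 16:29:18 Permit  172.20.1.26:3984  10.74.32.22:445     16 sec  4935  8464 TCP PORT 445
2009-05-05 16:29:10 Permit  172.20.1.21:3054  10.64.32.22:135     93 sec   710   546 MSRPC ENDPOINT MAPPER(TCP)
2009-05-05 16:29:06 Permit  172.20.1.26:51758 10.74.32.22:512      4 sec    78    78 ICMP
2009-05-05 16:29:02 Permit  172.20.1.26:3984  10.74.32.22:445      0 sec     0     0 TCP PORT 445
2009-05-05 16:27:37 Permit  172.20.1.21:3055  10.64.32.22:1025     0 sec     0     0 TCP PORT 1025
"""

ROW = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<action>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?:[\d.]+:\d+\s+){0,2}"  # Translated Source/Dest columns, blank in the sample
    r"(?P<dur>\d+) sec\s+(?P<sent>\d+)\s+(?P<recv>\d+)\s+(?P<app>.+?)\s*$"
)

def sources_for(log_text, dst_ip):
    """Return {src_ip: stats} for every log row whose destination is dst_ip."""
    hits = defaultdict(lambda: {"entries": 0, "sent": 0, "recv": 0,
                                "ports": set(), "last_seen": ""})
    for line in log_text.splitlines():
        m = ROW.match(line.strip())
        if not m or m["dst"] != dst_ip:
            continue  # banner, header, blank line, or a different destination
        s = hits[m["src"]]
        s["entries"] += 1
        s["sent"] += int(m["sent"])
        s["recv"] += int(m["recv"])
        s["ports"].add(int(m["dport"]))
        s["last_seen"] = max(s["last_seen"], m["ts"])  # ISO-style stamps sort as text
    return dict(hits)

if __name__ == "__main__":
    for src, s in sources_for(SAMPLE, "10.74.32.22").items():
        print(src, s["entries"], s["sent"], s["recv"], sorted(s["ports"]), s["last_seen"])
```

The rows in this log layout carry source addresses, not user names, so tying an address to a person needs a separate record of who held that address at the time.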
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 83 total points
ID: 24310588
Try NSSA. I have already written about it; visit the link:

http://www.rsivanandan.com/2008/02/17/juniper-firewall-session-analyzer/

Cheers,
Rajesh
0
 
LVL 69

Assisted Solution

by:Qlemo
Qlemo earned 83 total points
ID: 24318317
You can also perform an online profile (as a snapshot) by using the fprofile command. It allows for collecting session statistics over a timespan, which can be analyzed for packet distribution per dst-port or dst-addr or src-port or ...
That command is undocumented, so if you would like to use it, I will have to elaborate more on this.

0
 

Author Closing Comment

by:imagitastech
ID: 31578190
All answers were very helpful. Thanks all!
0
 

Expert Comment

by:raafetsabah
ID: 37056176
Please, I need to view the log file of my SSG 550 firewall after rebooting it. I appreciate your help so much.
0
