Solved

Viewing SSG 550 logs

Posted on 2009-05-05
Last Modified: 2012-05-06
Hi there.

I usually work with Checkpoint firewalls, but I have been asked to check the logs on a Juniper SSG 550 to find out what user is accessing a certain website.

Does the Juniper have something similar to the SmartView Tracker in Checkpoint?

Thanks!
Question by:imagitastech
5 Comments
 
LVL 5

Accepted Solution

by:
ccreamer_22 earned 84 total points
ID: 24309049
Juniper has several ways to view and take a log. Locally on the device, you need to set up logging on the policy for which the traffic you want to view will be seen. These logs don't stay in memory long because of limited space for logs on the device, so either an NSM server, a WebTrends program, or a syslog program needs to be configured to capture this data. The logs will look like the example:

If you want to see who is going there at the moment or over a short period of time, a quicker way is to set a filter and print out the log. Running the filter over a long period of time will use up the firewall's resources and could potentially lock the firewall up, but usually will not happen unless you keep it running for hours. If it does happen and the firewall becomes unresponsive, reboot it and it will come back up. To avoid this situation from happening, I would set up the home page in the WebUI of the firewall, set it to refresh every 10 seconds so you can see the system usage of the firewall to make sure that you are not sending the firewall into the red and dropping packets while you run the filter. The next thing you should do is open up the CLI interface either through telnet or ssh.
Then set the filter:

set ffilter dst-ip (ip of the site you wish to monitor)

This will set up your filter for everything going to the ip address of the web site.

debug flow basic

This will run the filter and create a log for just this traffic. Press esc to break the operation.

get db str

This will print out all the traffic for your filter.

clear db

This will clean out the log for your filter.

unset ff

This will clear out your filter.

I hope this helps. Let me know if you need anything else.
=========================================================================================================================
Traffic Log for Policy:
   (Src = "DMZ/Any", Dst = "Trust/Any", Service = "ANY")
    Current system time is Tue,  5 May 2009 16:29:47
=========================================================================================================================
Time Stamp          Action  Source                Destination           Translated Source     Translated Dest       Duration     Bytes Sent Bytes Received Application
2009-05-05 16:29:18 Permit  172.20.1.26:3984      10.74.32.22:445                                                   16 sec             4935           8464 TCP PORT 445
2009-05-05 16:29:10 Permit  172.20.1.21:3054      10.64.32.22:135                                                   93 sec              710            546 MSRPC ENDPOINT MAPPER(TCP)
2009-05-05 16:29:10 Permit  172.20.1.21:3055      10.64.32.22:1025                                                  93 sec             1393           3080 TCP PORT 1025
2009-05-05 16:29:06 Permit  172.20.1.26:51758     10.74.32.22:512                                                   4 sec                78             78 ICMP
2009-05-05 16:29:06 Permit  172.20.1.26:51502     10.74.32.22:512                                                   4 sec                78             78 ICMP
2009-05-05 16:29:02 Permit  172.20.1.26:51758     10.74.32.22:512                                                   0 sec                 0              0 ICMP
2009-05-05 16:29:02 Permit  172.20.1.26:3984      10.74.32.22:445                                                   0 sec                 0              0 TCP PORT 445
2009-05-05 16:29:02 Permit  172.20.1.26:51502     10.74.32.22:512                                                   0 sec                 0              0 ICMP
2009-05-05 16:27:37 Permit  172.20.1.21:3055      10.64.32.22:1025                                                  0 sec                 0              0 TCP PORT 1025
2009-05-05 16:27:37 Permit  172.20.1.21:3054      10.64.32.22:135                                                   0 sec                 0              0 MSRPC ENDPOINT MAPPER(TCP)
=========================================================================================================================
   End of Traffic Log
=========================================================================================================================

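Added example, not part of the original answer: once the policy traffic log shown above has been saved as text (for instance from a syslog collector), a short parser can list which source addresses reached a given destination IP. The helper names `parse_traffic_log` and `clients_of` are hypothetical, and the sample rows and addresses are constructed in the same column layout.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of the traffic log shown above
# (made-up addresses; 203.0.113.80 stands in for the web site's IP).
SAMPLE_LOG = """\
Time Stamp          Action  Source                Destination           Translated Source     Translated Dest       Duration     Bytes Sent Bytes Received Application
2009-05-05 16:29:18 Permit  192.168.10.26:3984    203.0.113.80:80       198.51.100.2:2011     203.0.113.80:80       16 sec             4935           8464 HTTP
2009-05-05 16:29:10 Permit  192.168.10.21:3054    203.0.113.80:80                                                   93 sec              710            546 HTTP
2009-05-05 16:29:06 Permit  192.168.10.26:3990    203.0.113.80:443                                                  4 sec              1200           5300 TCP PORT 443
2009-05-05 16:29:02 Permit  192.168.10.26:3984    203.0.113.80:80                                                   0 sec                 0              0 HTTP
2009-05-05 16:28:40 Permit  192.168.10.33:1201    198.51.100.7:25                                                   2 sec               300            120 SMTP
"""

# The two "Translated" columns are optional: they are blank when no NAT applies.
ROW = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<action>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?:(?P<xsrc>[\d.]+:\d+)\s+)?(?:(?P<xdst>[\d.]+:\d+)\s+)?"
    r"(?P<dur>\d+) sec\s+(?P<sent>\d+)\s+(?P<rcvd>\d+)\s+(?P<app>.+?)\s*$"
)

def parse_traffic_log(text):
    """Return one dict per log row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            for key in ("sport", "dport", "dur", "sent", "rcvd"):
                row[key] = int(row[key])
            rows.append(row)
    return rows

def clients_of(rows, dst_ip, dst_port=None):
    """Summarise, per source IP, the permitted log records going to dst_ip."""
    summary = defaultdict(lambda: {"records": 0, "sent": 0, "rcvd": 0, "last_seen": ""})
    for r in rows:
        if r["action"] != "Permit" or r["dst"] != dst_ip or dst_port not in (None, r["dport"]):
            continue
        s = summary[r["src"]]
        s["records"] += 1
        s["sent"] += r["sent"]
        s["rcvd"] += r["rcvd"]
        s["last_seen"] = max(s["last_seen"], r["ts"])  # ISO timestamps sort as text
    return dict(summary)

if __name__ == "__main__":
    for ip, s in sorted(clients_of(parse_traffic_log(SAMPLE_LOG), "203.0.113.80").items()):
        print(f"{ip:15} records={s['records']} sent={s['sent']} rcvd={s['rcvd']} last={s['last_seen']}")
```

The log identifies clients only by source IP and port, so tying an address to a user name needs DHCP lease or authentication records from elsewhere.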
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 83 total points
ID: 24310588
Try NSSA. I have already written about it; visit the link:

http://www.rsivanandan.com/2008/02/17/juniper-firewall-session-analyzer/

Cheers,
Rajesh
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 83 total points
ID: 24318317
You can also perform an online profile (as a snapshot) by using the fprofile command. It allows for collecting session statistics over a timespan, which can be analyzed for packet distribution per dst-port or dst-addr or src-port or ...
That command is undocumented, so if you would like to use it, I will have to elaborate more on this.

 

Author Closing Comment

by:imagitastech
ID: 31578190
All answers were very helpful. Thanks all!
 

Expert Comment

by:raafetsabah
ID: 37056176
Please, I need to view the log file of my SSG 550 firewall after rebooting it. I appreciate your help so much.