Solved

Juniper SSG 520 domain names

Posted on 2011-10-27
Last Modified: 2012-05-12
Is it possible to see and save domain names on a MySQL server that are called from the Juniper trusted network?
Question by:3XLcom
17 Comments
 
LVL 18

Expert Comment

by:deimark
ID: 37043260
If the traffic is traversing the firewall and if you are logging this traffic to a syslog server, then yes, you can see the sources of access attempts to the server.

Sadly, ScreenOS cannot import these logs directly to a MySQL database; you will need to send these logs to a server via syslog and then import them from there, but that is outwith the abilities of the firewall, sadly.
0
 

Author Comment

by:3XLcom
ID: 37043305
But as far as I know, syslog just records the IP addresses. How should I get domain names? Also, do you advise any good syslog program that records to MySQL? I use Kiwi for my Cisco, but it does not save into MySQL.
0
 
LVL 18

Expert Comment

by:deimark
ID: 37043331
Sorry bud. Can't help you there, I'm afraid, but I would start by using a Linux server running either syslog or syslog-  this should give you a baseline for importing the logs into MySQL using scripts.

Sorry I can't be more help for now but I would suggest you ask the question again in another zone to attract the right experts.

HTH
0

 

Author Comment

by:3XLcom
ID: 37043392
OK, forget about the MySQL.
Just help me to get the list of domain names that requests come to from untrusted to trusted with success, I mean correctly pointed domain names.
0
 
LVL 18

Assisted Solution

by:deimark
deimark earned 1000 total points
ID: 37043574
I am afraid that the logs on ScreenOS only record the IP addresses.

Does your firewall rule specify the addresses as domain names or IP addresses? If it's IP addresses, then try to specify another rule with a domain name just to see if the logs show anything different.
0
 

Author Comment

by:3XLcom
ID: 37043980
Does your firewall rule specify the addresses as domain names or IP addresses?
I am not sure if it is possible with the SSG 520.

If it's IP addresses, then try to specify another rule with a domain name just to see if the logs show anything different.

I do not know how to get different logs; if you show me one I would be glad.
0
 
LVL 18

Expert Comment

by:deimark
ID: 37044084
Yes, it's possible to use an FQDN as an address object, but you must have a working DNS server configured.

Simply add a new address object for the domain names that you want to monitor and use these objects in a firewall rule.

Note that the logs may still only refer to the actual IP in the connection, but it's worth trying.
0
 

Author Comment

by:3XLcom
ID: 37044239
In my Juniper's web UI, under the Objects part, there are only these options:

 Objects
 Users
 Local
 Local Groups
 External Groups
 IP Pools
 Certificates

I should find what to do in there?
0
 
LVL 18

Expert Comment

by:deimark
ID: 37044441
Under Policy > Policy Elements > Addresses > List, add the new address object there in the correct zone and then use this object in a policy.
0
 

Author Comment

by:3XLcom
ID: 37044762
You misunderstand me; that is not what I asked. I do not know the domain names in my network. We have nearly 100 servers rented, and we want to see what our customers do. So we do not know the domain names and want to find them out from the Juniper.
0
 
LVL 18

Expert Comment

by:deimark
ID: 37044815
Then we can't do this on the firewall, I'm afraid.

If you want to obtain that type of information, then buy a proper proxy to do this.
0
 

Author Comment

by:3XLcom
ID: 37045427
I've talked to the SonicWall team before; they told me we should do it with only a firewall because it reads packages.

Please note that I am not searching for outgoing connections; I am looking for incoming connections, so a proxy should not work, in my opinion.
0
 
LVL 18

Expert Comment

by:deimark
ID: 37045443
Then get a SonicWall firewall; ScreenOS does not do what you want.
0
 
LVL 71

Accepted Solution

by:Qlemo
Qlemo earned 1000 total points
ID: 37062686
With ScreenOS, the only way I can think of is to transfer the traffic log via the (telnet/ssh) CLI to a TFTP server, and then process it with a script resolving the IP addresses into DNS names. Feasible, but requires
* telnet scripting
* tftp server
* Linux or Windows machine for running the DNS script.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 37242416
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
 

Author Comment

by:3XLcom
ID: 37232861
Qlemo, what if an IP has more than one web site? Your solution seems like it works only if the reverse DNS address is the only web site with an FQDN that exists on the IP.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 37233579
You are demanding too much. The firewall knows only of the IP address. Else you have to record every URL (or at least the root part) used, and that cannot be done by the firewall itself. Only proxy services are able to do that, e.g. a Web Proxy, WebSense or the like. And that would only work for HTTP traffic anyway, because HTTPS is encrypted, and other protocols are using different addressing.

I have started accepting comments because they answer your question. Q: "Is it possible", A: "No". The comments provide workarounds for resolving domain names according to the simple task to reverse-resolve domain names.
0
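A sketch of the processing script described in the accepted solution, added here as an example (not code posted in the thread): it keeps permitted Untrust-to-Trust sessions from an exported traffic log and reverse-resolves each destination IP once. The key=value log layout, the sample lines and the `.example` host name are constructed assumptions; as noted in the thread, a PTR lookup returns at most one name per IP and cannot list every site hosted on it.

```python
import re
import socket
from collections import Counter

# Constructed sample lines; the key=value layout is an assumption about the exported log.
SAMPLE_LOG = """\
fw1 traffic: src zone=Untrust dst zone=Trust action=Permit src=198.51.100.7 dst=203.0.113.10 dst_port=80
fw1 traffic: src zone=Untrust dst zone=Trust action=Permit src=198.51.100.8 dst=203.0.113.10 dst_port=80
fw1 traffic: src zone=Untrust dst zone=Trust action=Deny src=198.51.100.9 dst=203.0.113.11 dst_port=22
fw1 traffic: src zone=Trust dst zone=Untrust action=Permit src=203.0.113.10 dst=198.51.100.9 dst_port=53
fw1 traffic: src zone=Untrust dst zone=Trust action=Permit src=198.51.100.7 dst=203.0.113.12 dst_port=25
"""

# Constructed PTR table so the demo runs offline.
DEMO_PTR = {"203.0.113.10": "web01.hosting.example"}

FIELD = re.compile(r'(src zone|dst zone|\w+)=(\S+)')


def parse_line(line):
    """Split one log line into a dict of its key=value fields."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def inbound_destinations(log_text):
    """Count permitted Untrust -> Trust sessions per destination IP."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if (f.get("action") == "Permit" and f.get("src zone") == "Untrust"
                and f.get("dst zone") == "Trust" and "dst" in f):
            hits[f["dst"]] += 1
    return hits


def ptr_lookup(ip):
    """Reverse-resolve one IP; None when no PTR record exists or DNS fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def resolve_destinations(log_text, resolver=ptr_lookup):
    """Map each inbound destination IP to (PTR name or None, session count)."""
    hits = inbound_destinations(log_text)
    return {ip: (resolver(ip), count) for ip, count in sorted(hits.items())}


if __name__ == "__main__":
    for ip, (name, count) in resolve_destinations(SAMPLE_LOG, DEMO_PTR.get).items():
        print(f"{ip}\t{name or '(no PTR)'}\t{count} sessions")
```

Calling `resolve_destinations(log_text)` without a resolver uses live reverse DNS through `ptr_lookup`.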

Question has a verified solution.