Paranthropus

Juniper Junos Firewalls vs Junos Routers

Discussion created by Paranthropus on Feb 16, 2011
Latest reply on Feb 22, 2011 by RSA Admin

Hi,

I'm looking into getting Juniper SRX Firewalls as event sources.  Telling the system they're of type "junos routers" successfully parses most of the system messages, but fails to parse traffic flow (RT_FLOW) messages.  I've looked into the EDI xml and it looks like these messages are catered for, but it's looking like Juniper has changed their log format, either for new versions of JunOS, or for SRXs vs their router/switch gear.

Is RSA aware of this situation, and if so, are there any plans to do something about it, and if not, please be aware of it.  :D


I've modified a few of the messages to suit. Example for the DENY (arguably one of the important messages) is below.  My changed version vs the original below.

Note, I changed the table from "Firewall" to "Firewall Accounting" as the accounting table has fields for things like source and destination zones and so on.


Updated

<MESSAGE
    level="5"
    parse="1"
    parsedefvalue="1"
    tableid="12"
    id1="RT_FLOW_SESSION_DENY"
    id2="RT_FLOW_SESSION_DENY"
    eventcategory="1803000000"
    content="session &lt;action&gt; &lt;faddr&gt;/&lt;fport&gt;-&gt;&lt;laddr&gt;/&lt;lport&gt; &lt;lportname&gt; &lt;fld1&gt;(&lt;fld2&gt;) &lt;policy_id&gt; &lt;src_zone&gt; &lt;dst_zone&gt;"/>


Original

<MESSAGE
    level="6"
    parse="1"
    parsedefvalue="1"
    tableid="77"
    id1="RT_FLOW_SESSION_DENY"
    id2="RT_FLOW_SESSION_DENY"
    eventcategory="1803010000"
    content="&lt;@:*SYSVAL($MSGID,$ID1)&gt;&lt;@event_time:*EVNTTIME($HDR,'%W-%G-%FT%N:%U:%O',hfld32)&gt;&lt;@msg:*PARMVAL($MSG)&gt;&lt;@obj_type:SysObjectID&gt; [junos@&lt;obj_name&gt; source-address=&quot;&lt;saddr&gt;&quot; source-port=&quot;&lt;sport&gt;&quot; destination-address=&quot;&lt;daddr&gt;&quot; destination-port=&quot;&lt;dport&gt;&quot; protocol-id=&quot;&lt;fld31&gt;&quot; icmp-type=&quot;&lt;icmptype&gt;&quot; policy-name=&quot;&lt;policyname&gt;&quot;]" />
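As an added illustration (not part of the original post and not RSA's own parsing engine), the Python below treats each content= template above as a pattern: every <field> placeholder becomes a named capture, <@...> directives capture nothing, and the literal text between placeholders must match exactly. Run against two constructed SRX log lines, one in the plain-text form the updated template expects and one in the structured-data form the original template expects, it shows why each template parses only its own format and why the original RT_FLOW_SESSION_DENY definition silently drops the plain-text lines. The sample lines, the enterprise-id value after "junos@", and the template-to-regex conversion are my assumptions for this example, not enVision's actual matcher.

```python
import re

# Constructed sample lines (not from the post). The first is the plain-text
# RT_FLOW form the poster's updated template targets; the second is the
# structured-data form the original template targets. Addresses, ports,
# zones and the enterprise id after "junos@" are made up for the example.
PLAIN = ("RT_FLOW_SESSION_DENY: session denied 10.1.2.3/51234->192.0.2.10/53 "
         "junos-dns-udp 17(0) default-deny trust untrust")
STRUCTURED = ('RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="10.1.2.3" '
              'source-port="51234" destination-address="192.0.2.10" '
              'destination-port="53" protocol-id="17" icmp-type="0" '
              'policy-name="default-deny"]')

# The two content= templates from the post, with XML entities decoded.
UPDATED_TEMPLATE = ("session <action> <faddr>/<fport>-><laddr>/<lport> <lportname> "
                    "<fld1>(<fld2>) <policy_id> <src_zone> <dst_zone>")
ORIGINAL_TEMPLATE = ('<@msg:*PARMVAL($MSG)> [junos@<obj_name> source-address="<saddr>" '
                     'source-port="<sport>" destination-address="<daddr>" '
                     'destination-port="<dport>" protocol-id="<fld31>" '
                     'icmp-type="<icmptype>" policy-name="<policyname>"]')

# A template token is either a directive (<@...>) or a field name (<name>).
TOKEN = re.compile(r"<(@[^>]*|[A-Za-z_][A-Za-z0-9_]*)>")


def template_to_regex(template):
    """Turn an enVision-style content template into a compiled regex.

    Simplified assumption for this example: each <field> matches a run of
    non-whitespace characters (lazily, so the literal text that follows the
    field decides where it ends), <@...> directives match nothing, and all
    other text is matched literally.
    """
    parts, pos = [], 0
    for m in TOKEN.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))   # literal text
        name = m.group(1)
        if not name.startswith("@"):                        # directives capture nothing
            parts.append(r"(?P<%s>\S+?)" % name)
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    # The lookahead lets a trailing lazy field (e.g. <dst_zone>) extend to the
    # next whitespace or end of line instead of stopping after one character.
    return re.compile("".join(parts) + r"(?=\s|$)")


TEMPLATES = {
    "updated": template_to_regex(UPDATED_TEMPLATE),
    "original": template_to_regex(ORIGINAL_TEMPLATE),
}


def parse(line, templates=TEMPLATES):
    """Return (template_name, fields) for the first template that matches,
    or (None, {}) when no definition fits the line, which is the case the
    post describes: the event arrives but nothing is parsed out of it."""
    for name, rx in templates.items():
        m = rx.search(line)
        if m:
            return name, m.groupdict()
    return None, {}


if __name__ == "__main__":
    for line in (PLAIN, STRUCTURED):
        which, fields = parse(line)
        print(which, fields)
    # The original template does not match the plain-text line at all, which
    # is why SRX deny events are left unparsed under the "junos routers" type.
    print("original template on plain line:", parse(PLAIN, {"original": TEMPLATES["original"]})[0])
```

The real parser also needs the header and the MSGID lookup that the <@...> directives drive, so this only models the content matching step; the point it demonstrates is that a definition written for the structured-data form has no literal text in common with the plain-text form, so neither template can be expected to cover both and a separate message definition per format is needed.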
