Don’t blame the firewall – JunOS tip

So it turns out that the Juniper SRX logs every traffic flow through it, which is pretty handy if you are just about to utter the words “I blame the firewall”. So rather than prosecute without evidence, hold off judgement for a few short CLI commands.

This little titbit is aimed at SRXs with Logical Systems configured, but it probably works just as well without them.

Firstly, drop down into the Linux shell at the command line:

{primary:node0}
jim@my-juniper02> start shell

All the traffic logs for a logical system are located in /var/logical-systems/<name of lsys>/log

% cd /var/logical-systems/my-lsys/log/

The traffic flows are stored in plain text and the logs are rotated and compressed over the period of a few days. That said, it’s easy to grep the entire collection for what you’re looking for; in this case we’ve got a little DNS problem:

% grep "/53" traffic | grep "DENY"
Aug 20 20:00:57 my-juniper02 RT_FLOW: %-RT_FLOW_SESSION_DENY_LS: Lsys my-lsys: session denied 192.168.63.6/50627->192.168.16.11/53 junos-dns-udp 17(0) rule-global-deny(global) zone-ad-clients zone-ad-servers UNKNOWN UNKNOWN N/A(N/A) reth1.63
Aug 20 20:01:02  my-juniper02 RT_FLOW: %-RT_FLOW_SESSION_DENY_LS: Lsys my-lsys: session denied 192.168.63.6/44644->192.168.16.10/53 junos-dns-udp 17(0) rule-global-deny(global) zone-ad-clients zone-ad-servers UNKNOWN UNKNOWN N/A(N/A) reth1.63
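As an added example (not from the original post), here is the same check done with awk so that the match is on the destination port field rather than the substring "/53", which would also catch a source port such as 53001. The log lines are constructed in the RT_FLOW_SESSION_DENY_LS format shown above, and the function names are my own:

```shell
#!/bin/sh
# Added example: filter SRX RT_FLOW_SESSION_DENY_LS records by destination port.
# The sample lines are constructed in the format shown in the post, not real captures.
sample_log() {
    cat <<'EOF'
Aug 20 20:00:57 my-juniper02 RT_FLOW: %-RT_FLOW_SESSION_DENY_LS: Lsys my-lsys: session denied 192.168.63.6/50627->192.168.16.11/53 junos-dns-udp 17(0) rule-global-deny(global) zone-ad-clients zone-ad-servers UNKNOWN UNKNOWN N/A(N/A) reth1.63
Aug 20 20:01:02 my-juniper02 RT_FLOW: %-RT_FLOW_SESSION_DENY_LS: Lsys my-lsys: session denied 192.168.63.6/44644->192.168.16.10/53 junos-dns-udp 17(0) rule-global-deny(global) zone-ad-clients zone-ad-servers UNKNOWN UNKNOWN N/A(N/A) reth1.63
Aug 20 20:01:05 my-juniper02 RT_FLOW: %-RT_FLOW_SESSION_DENY_LS: Lsys my-lsys: session denied 192.168.63.9/53001->192.168.16.20/443 junos-https 6(0) rule-global-deny(global) zone-ad-clients zone-dmz UNKNOWN UNKNOWN N/A(N/A) reth1.63
EOF
}

# Read log text on stdin; print "time src dst service proto policy from-zone to-zone"
# for every denied session whose destination port equals $1 (default 53).
srx_denied_to_port() {
    awk -v port="${1:-53}" '
        /RT_FLOW_SESSION_DENY_LS/ {
            # locate the "denied" keyword so a longer lsys name does not shift the fields
            for (i = 1; i <= NF && $i != "denied"; i++) ;
            flow = $(i + 1)                   # src/sport->dst/dport
            split(flow, ends, "->")
            split(ends[2], dst, "/")
            if (dst[2] != port) next          # exact match: sport 53001 must not count
            printf "%s %s %s %s %s %s %s %s\n", $3, ends[1], ends[2],
                   $(i + 2), $(i + 3), $(i + 4), $(i + 5), $(i + 6)
        }'
}

# Count denied sessions per source host for that port: "count src-ip", busiest first.
srx_deny_count_by_src() {
    srx_denied_to_port "$1" | awk '{ split($2, a, "/"); n[a[1]]++ }
                                   END { for (s in n) print n[s], s }' | sort -rn
}

sample_log | srx_denied_to_port 53
sample_log | srx_deny_count_by_src 53
```

On the box itself, assuming the rotated files sit beside the current one as traffic.*.gz and zcat is available, `(cat traffic; zcat traffic.*.gz) | srx_denied_to_port 53` covers the whole collection.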

So there you have it. Before allowing someone to utter that all-too-commonly used phrase again, try this simple bit of detective work.