So it turns out that the Juniper SRX logs every traffic flow through it, which is pretty handy if you are just about to utter the words “I blame the firewall” – so rather than prosecute without evidence, hold off judgement for a few short CLI commands.
This little titbit is aimed at SRXs with logical systems configured, but it probably works just as well without them.
Firstly, drop down into the Linux shell at the command line:
jim@my-juniper02> start shell
All the traffic logs for a logical system are located in /var/logical-systems/<name of lsys>/log
% cd /var/logical-systems/my-lsys/log/
The traffic flows are stored in plain text, and the logs are rotated and compressed over the period of a few days. That said, it’s easy to grep the entire collection for what you’re looking for; in this case we’ve got a little DNS problem:
% grep "/53" traffic | grep "DENY"
Aug 20 20:00:57 my-juniper02 RT_FLOW: %-RT_FLOW_SESSION_DENY_LS: Lsys my-lsys: session denied 192.168.63.6/50627->192.168.16.11/53 junos-dns-udp 17(0) rule-global-deny(global) zone-ad-clients zone-ad-servers UNKNOWN UNKNOWN N/A(N/A) reth1.63
Aug 20 20:01:02 my-juniper02 RT_FLOW: %-RT_FLOW_SESSION_DENY_LS: Lsys my-lsys: session denied 192.168.63.6/44644->192.168.16.10/53 junos-dns-udp 17(0) rule-global-deny(global) zone-ad-clients zone-ad-servers UNKNOWN UNKNOWN N/A(N/A) reth1.63
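The grep above works, but "/53" is a substring match, so it also catches ports such as 5353 or 53001. An added example (not code from the post or from Juniper) that parses the RT_FLOW_SESSION_DENY_LS lines into fields and filters on the exact destination port instead. The field names and the regex layout are assumptions read off the two sample lines above; the first two entries in SAMPLE_LOG are the post's own lines and the third is a constructed line to show the substring pitfall.

```python
import re
import sys
from collections import Counter

# Field layout inferred from the two RT_FLOW_SESSION_DENY_LS lines in the post:
#   <timestamp> <host> RT_FLOW: %-RT_FLOW_SESSION_DENY_LS: Lsys <lsys>: session denied
#   <src>/<sport>-><dst>/<dport> <service> <proto>(<icmp-type>) <policy>(<context>)
#   <src-zone> <dst-zone> <remaining fields>
# The group names are descriptive labels chosen here, not Juniper's official field names.
DENY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) RT_FLOW: "
    r"%-RT_FLOW_SESSION_DENY_LS: Lsys (?P<lsys>\S+): session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\(\d+\) (?P<policy>[^(\s]+)\((?P<context>[^)]*)\) "
    r"(?P<src_zone>\S+) (?P<dst_zone>\S+)(?P<rest>.*)$"
)

# Sample input: the first two lines are the ones shown in the post; the third is a
# constructed line in the same format that a substring grep for "/53" would wrongly match.
SAMPLE_LOG = [
    "Aug 20 20:00:57 my-juniper02 RT_FLOW: %-RT_FLOW_SESSION_DENY_LS: Lsys my-lsys: session denied 192.168.63.6/50627->192.168.16.11/53 junos-dns-udp 17(0) rule-global-deny(global) zone-ad-clients zone-ad-servers UNKNOWN UNKNOWN N/A(N/A) reth1.63",
    "Aug 20 20:01:02 my-juniper02 RT_FLOW: %-RT_FLOW_SESSION_DENY_LS: Lsys my-lsys: session denied 192.168.63.6/44644->192.168.16.10/53 junos-dns-udp 17(0) rule-global-deny(global) zone-ad-clients zone-ad-servers UNKNOWN UNKNOWN N/A(N/A) reth1.63",
    "Aug 20 20:01:09 my-juniper02 RT_FLOW: %-RT_FLOW_SESSION_DENY_LS: Lsys my-lsys: session denied 192.168.63.9/41022->192.168.16.20/5353 None 17(0) rule-global-deny(global) zone-ad-clients zone-ad-servers UNKNOWN UNKNOWN N/A(N/A) reth1.63",
]


def parse_deny(line):
    """Parse one RT_FLOW_SESSION_DENY_LS line into a dict; return None for any other line."""
    m = DENY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["proto"] = int(rec["proto"])
    rec["rest"] = rec["rest"].strip()
    return rec


def denied_flows(lines, dport=None, proto=None):
    """Return parsed deny records, optionally filtered by exact destination port and IP protocol."""
    out = []
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue
        if dport is not None and rec["dport"] != dport:
            continue
        if proto is not None and rec["proto"] != proto:
            continue
        out.append(rec)
    return out


def denies_by_source(lines, dport=None):
    """Count denied sessions per (source, destination, policy) triple for the given port."""
    counts = Counter()
    for rec in denied_flows(lines, dport=dport):
        counts[(rec["src"], rec["dst"], rec["policy"])] += 1
    return counts


def report(lines, dport):
    """Human-readable summary rows, most frequent talker first."""
    counts = denies_by_source(lines, dport=dport)
    return [
        f"{n:4d}  {src} -> {dst}/{dport}  denied by policy {policy}"
        for (src, dst, policy), n in counts.most_common()
    ]


if __name__ == "__main__":
    # Usage: python3 srx_deny.py /var/logical-systems/my-lsys/log/traffic
    # With no argument the embedded sample lines are used instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            log_lines = fh.readlines()
    else:
        log_lines = SAMPLE_LOG
    for row in report(log_lines, dport=53):
        print(row)
```

Two things worth checking before trusting the result: the rotated copies in the same directory are gzip-compressed, so feed them through zcat (or zgrep) rather than grep if the event you want is older than the current file, and a deny only produces one of these lines when the matching policy has session logging enabled, so an empty result does not by itself clear the firewall.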
So there you have it. Before allowing someone to utter that all-too-commonly used phrase again, try this simple bit of detective work.