Supported Platforms
Related Documentation
- J, LN, SRX Series
- Monitoring Overview
- Monitoring Interfaces
- Additional Information
- Junos OS Interfaces Library for Security Devices
Monitoring Security Features
This section contains the following topics:
Monitoring Policies
Purpose
Display, sort, and review policy activity for every activated policy configured on the device. Policies are grouped by Zone Context (the from and to zones of the traffic) to control the volume of data displayed at one time. From the policy list, select a policy to display statistics and current network activity.
Action
To review policy activity:
- Select Monitor>Security>Policy>Activities in the J-Web user interface. The Security Policies Monitoring page appears and lists the policies from the first Zone Context. See Table 1 for field descriptions.
- Select the Zone Context of the policy you want to monitor, and click Filter. All policies within the zone context appear in match sequence.
- Select a policy, and click one of the following functions:
- Clear Statistics—Clears all counters to zero for the selected policy.
- Deactivate—Deactivates the selected policy. When you click Deactivate, the commit window appears for you to confirm the deactivation.
- Move—Repositions the selected policy in the match sequence. You have the option to move the policy up or down one row at a time, or to the top or bottom of the sequence.
Table 1: Security Policies Monitoring Output Fields
Field | Value | Additional Information |
---|---|---|
Zone Context (Total #) | Displays a list of all from and to zone combinations for the configured policies. The total number of active policies for each context is specified in the Total # field. By default, the policies from the first Zone Context are displayed. | To display policies for a different context, select a zone context and click Filter. Both inactive and active policies appear for each context. However, the Total # field for a context specifies the number of active policies only. |
Default Policy action | Specifies the action to take for traffic that does not match any of the policies in the context. | – |
From Zone | Displays the source zone to be used as match criteria for the policy. | – |
To Zone | Displays the destination zone to be used as match criteria for the policy. | – |
Name | Displays the name of the policy. | – |
Source Address | Displays the source addresses to be used as match criteria for the policy. Address sets are resolved to their individual names. (In this case, only the names are given, not the IP addresses). | – |
Destination Address | Displays the destination addresses (or address sets) to be used as match criteria for the policy. Addresses are entered as specified in the destination zone’s address book. | – |
Application | Displays the name of a predefined or custom application signature to be used as match criteria for the policy. | – |
Dynamic App | Displays the dynamic application signatures to be used as match criteria if an application firewall rule set is configured for the policy. For a network firewall, a dynamic application is not defined. | The rule set appears in two lines. The first line displays the configured dynamic application signatures in the rule set. The second line displays the default dynamic application signature. If more than two dynamic application signatures are specified for the rule set, hover over the output field to display the full list in a tooltip. |
Action | Displays the action portion of the rule set if an application firewall rule set is configured for the policy. | The action portion of the rule set appears in two lines. The first line identifies the action to be taken when the traffic matches a dynamic application signature. The second line displays the default action when traffic does not match a dynamic application signature. |
NW Services | Displays the network services permitted or denied by the policy if an application firewall rule set is configured. | – |
Count | Specifies whether counters for computing session, packet, and byte statistics for the policy are enabled. By default, counters are not enabled. | – |
Log | Specifies whether session logging is enabled. By default, session logging is not enabled. | – |
Policy Hit Counters Graph | Provides a representation of the value over time for a specified counter. The graph is blank if Policy Counters indicates no data. As a selected counter accumulates data, the graph is updated at each refresh interval. | To toggle a graph on and off, click the counter name below the graph. |
Policy Counters | Lists statistical counters for the selected policy if Count is enabled. | To graph or to remove a counter from the Policy Hit Counters Graph, toggle the counter name. The names of enabled counters appear below the graph. |
Checking Policies
Purpose
Enter match criteria and conduct a policy search. The search results include all policies that match the traffic criteria in the sequence in which they will be encountered.
Because policy matches are listed in the sequence in which they would be encountered, you can determine whether a specific policy is being applied correctly or not. The first policy in the list is applied to all matching traffic. Policies listed after this one remain in the “shadow” of the first policy and are never encountered by this traffic.
By manipulating the traffic criteria and policy sequence, you can tune policy application to suit your needs. During policy development, you can use this feature to establish the appropriate sequence of policies for optimum traffic matches. When troubleshooting, use this feature to determine if specific traffic is encountering the appropriate policy.
Action
- Select Monitor>Security>Policy>Check Policies in the J-Web user interface. The Check Policies page appears. Table 2 explains the content of this page.
- In the top pane, enter the From Zone and To Zone to supply the context for the search.
- Enter match criteria for the traffic, including the source address and port, the destination address and port, and the protocol of the traffic.
- Enter the number of matching policies to display.
- Click Search to find policies matching your criteria. The lower pane displays all policies matching the criteria, up to the number of policies you specified.
- The first policy will be applied to all traffic with this match criteria.
- Remaining policies will not be encountered by any traffic with this match criteria.
- To manipulate the position and activation of a policy, select the policy and click the appropriate button:
- Delete—Deletes the selected policy. The policy is removed from the policy configuration.
- Deactivate—Deactivates the selected policy. A deactivated policy remains in the policy configuration, but it is no longer included in policy matching until it is reactivated.
- Move—Moves the selected policy up or down to position it at a more appropriate point in the search sequence.
Table 2: Check Policies Output
Field | Function |
---|---|
Check Policies Search Input Pane | |
From Zone | Name or ID of the source zone. If a From Zone is specified by name, the name is translated to its ID internally. |
To Zone | Name or ID of the destination zone. If a To Zone is specified by name, the name is translated to its ID internally. |
Source Address | Address of the source in IP notation. |
Source Port | Port number of the source. |
Destination Address | Address of the destination in IP notation. |
Destination Port | Port number of the destination. |
Protocol | Name or equivalent value of the protocol to be matched. |
Result Count | (Optional) Number of policies to display. Default value is 1. Maximum value is 16. |
Check Policies List | |
From Zone | Name of the source zone. |
To Zone | Name of the destination zone. |
Total Policies | Number of policies retrieved. |
Default Policy action | The action to be taken if no match occurs. |
Name | Policy name. |
Source Address | Name of the source address (not the IP address) of a policy. Address sets are resolved to their individual names. |
Destination Address | Name of the destination address or address set. A packet’s destination address must match this value for the policy to apply to it. |
Application | Name of a preconfigured or custom application of the policy match. |
Action | Action taken when a match occurs as specified in the policy. |
Hit Counts | Number of matches for this policy. This value is the same as the Policy Lookups in a policy statistics report. |
Active Sessions | Number of active sessions matching this policy. |
Alternatively, to list matching policies using the CLI, enter the show security match-policies command and include your match criteria and the number of matching policies to display.
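The first-match behaviour described above is what makes policy shadowing possible: once an earlier policy in the same zone context covers a later one's sources, destinations and applications, the later policy is never hit. The Python below is an added illustration, not Junos code and not taken from the Junos documentation. It models the ordered lookup that Check Policies and show security match-policies perform (default 1 result, maximum 16) and adds a conservative audit that reports policies wholly shadowed by an earlier one. The policy list, the flow, the Policy class and the helper names are constructed for the example; real Junos policy matching considers more fields than this reduced model.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"  # stands in for the Junos "any" value in address and application fields


@dataclass(frozen=True)
class Policy:
    """Reduced security policy: zone context, match fields, action (constructed model, not Junos config)."""
    name: str
    from_zone: str
    to_zone: str
    src: tuple      # source CIDRs ("0.0.0.0/0" means any)
    dst: tuple      # destination CIDRs
    apps: object    # ANY or a frozenset of (protocol, dst_port) tuples
    action: str


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def _ip_in(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _nets(cidrs))


def _app_matches(apps, protocol, dst_port):
    return apps == ANY or (protocol, dst_port) in apps


def match_policies(policies, flow, count=1):
    """Walk the policy list in configured order and return the names of the first
    `count` policies the flow matches (clamped to 1..16, as on the Check Policies page).
    The first name is the policy that is actually applied; the rest are shadowed for this flow."""
    count = max(1, min(count, 16))
    hits = []
    for p in policies:
        if (p.from_zone, p.to_zone) != (flow["from_zone"], flow["to_zone"]):
            continue
        if not _ip_in(flow["src_ip"], p.src) or not _ip_in(flow["dst_ip"], p.dst):
            continue
        if not _app_matches(p.apps, flow["protocol"], flow["dst_port"]):
            continue
        hits.append(p.name)
        if len(hits) == count:
            break
    return hits


def _covers(outer_cidrs, inner_cidrs):
    """True when every inner network lies inside some outer network."""
    outer = _nets(outer_cidrs)
    return all(any(o.supernet_of(i) for o in outer) for i in _nets(inner_cidrs))


def _apps_cover(outer, inner):
    return outer == ANY or (inner != ANY and inner <= outer)


def shadowed_policies(policies):
    """Map each policy that can never be hit to the earlier policy in the same zone
    context that covers all of its sources, destinations and applications.
    Conservative whole-set check: partial overlaps are not reported."""
    shadowed = {}
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (earlier.from_zone, earlier.to_zone) != (later.from_zone, later.to_zone):
                continue
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and _apps_cover(earlier.apps, later.apps)):
                shadowed[later.name] = earlier.name
                break
    return shadowed


# Constructed sample policy list, in match sequence.
POLICIES = [
    Policy("permit-trust-out", "trust", "untrust", ("10.0.0.0/8",), ("0.0.0.0/0",), ANY, "permit"),
    Policy("deny-finance-https", "trust", "untrust", ("10.1.0.0/16",), ("0.0.0.0/0",),
           frozenset({("tcp", 443)}), "deny"),           # never reached: shadowed by permit-trust-out
    Policy("permit-admin-ssh", "trust", "dmz", ("10.0.0.0/8",), ("192.168.10.0/24",),
           frozenset({("tcp", 22)}), "permit"),
    Policy("permit-lab-web", "trust", "untrust", ("172.16.0.0/12",), ("0.0.0.0/0",),
           frozenset({("tcp", 80)}), "permit"),
]

# Constructed flow, in the shape of the Check Policies search input pane.
FLOW = {"from_zone": "trust", "to_zone": "untrust", "src_ip": "10.1.2.3", "src_port": 40000,
        "dst_ip": "203.0.113.5", "dst_port": 443, "protocol": "tcp"}

if __name__ == "__main__":
    print("applied:", match_policies(POLICIES, FLOW)[0])
    print("all matches:", match_policies(POLICIES, FLOW, count=16))
    print("shadowed:", shadowed_policies(POLICIES))
```

In the sample, the deny rule for finance HTTPS traffic sits below a broad permit for the whole 10.0.0.0/8 network, so the check returns the permit first and the audit reports the deny as shadowed; moving the deny above the permit (the Move action on the page) is the fix.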
Monitoring Screen Counters
Purpose
View screen statistics for a specified security zone.
Action
Select Monitor>Security>Screen Counters in the J-Web user interface, or enter the following CLI command:
show security screen statistics zone zone-name
Table 3 summarizes key output fields in the screen counters display.
Table 3: Summary of Key Screen Counters Output Fields
Field | Values | Additional Information |
---|---|---|
Zones | ||
ICMP Flood | Internet Control Message Protocol (ICMP) flood counter. | An ICMP flood typically occurs when ICMP echo requests use all resources in responding, such that valid network traffic can no longer be processed. |
UDP Flood | User Datagram Protocol (UDP) flood counter. | UDP flooding occurs when an attacker sends IP packets containing UDP datagrams with the purpose of slowing down the resources, such that valid connections can no longer be handled. |
TCP Winnuke | Number of Transmission Control Protocol (TCP) WinNuke attacks. | WinNuke is a denial-of-service (DoS) attack targeting any computer on the Internet running Windows. |
TCP Port Scan | Number of TCP port scans. | The purpose of this attack is to scan the available services in the hopes that at least one port will respond, thus identifying a service to target. |
ICMP Address Sweep | Number of ICMP address sweeps. | An IP address sweep can occur with the intent of triggering responses from active hosts. |
IP Tear Drop | Number of teardrop attacks. | Teardrop attacks exploit the reassembly of fragmented IP packets. |
TCP SYN Attack | Number of TCP SYN attacks. | – |
IP Spoofing | Number of IP spoofs. | IP spoofing occurs when an invalid source address is inserted in the packet header to make the packet appear to come from a trusted source. |
ICMP Ping of Death | ICMP ping of death counter. | Ping of death occurs when IP packets are sent that exceed the maximum legal length (65,535 bytes). |
IP Source Route | Number of IP source route attacks. | – |
TCP Land Attack | Number of land attacks. | Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address. |
TCP SYN Fragment | Number of TCP SYN fragments. | – |
TCP No Flag | Number of TCP headers without flags set. | A normal TCP segment header has at least one control flag set. |
IP Unknown Protocol | Number of unknown Internet protocols. | – |
IP Bad Options | Number of invalid options. | – |
IP Record Route Option | Number of packets with the IP record route option enabled. | This option records the IP addresses of the network devices along the path that the IP packet travels. |
IP Timestamp Option | Number of IP timestamp option attacks. | This option records the time (in Universal Time) when each network device receives the packet during its trip from the point of origin to its destination. |
IP Security Option | Number of IP security option attacks. | – |
IP Loose Route Option | Number of IP loose route option attacks. | This option specifies a partial route list for a packet to take on its journey from source to destination. |
IP Strict Source Route Option | Number of IP strict source route option attacks. | This option specifies the complete route list for a packet to take on its journey from source to destination. |
IP Stream Option | Number of stream option attacks. | This option provides a way for the 16-bit SATNET stream identifier to be carried through networks that do not support streams. |
ICMP Fragment | Number of ICMP fragments. | Because ICMP packets contain very short messages, there is no legitimate reason for ICMP packets to be fragmented. If an ICMP packet is so large that it must be fragmented, something is amiss. |
ICMP Large Packet | Number of large ICMP packets. | – |
TCP SYN FIN Packet | Number of TCP SYN FIN packets. | – |
TCP FIN without ACK | Number of TCP FIN flags without the acknowledge (ACK) flag. | – |
TCP SYN-ACK-ACK Proxy | Number of TCP flags enabled with SYN-ACK-ACK. | To prevent flooding with SYN-ACK-ACK sessions, you can enable the SYN-ACK-ACK proxy protection screen option. After the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, Junos OS rejects further connection requests from that IP address. |
IP Block Fragment | Number of IP block fragments. | – |
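Several of the Table 3 counters name a condition that can be read straight off a single packet header (no flags set, SYN and FIN together, identical source and destination on a SYN, a fragmented or oversized ICMP datagram, an IP option present). The Python below is an added example, not Junos code and not how the Junos screen feature is implemented; it encodes those per-packet conditions as the table describes them and tallies them into a counter table shaped like the per-zone screen statistics. Flood, scan and sweep counters need rate tracking across packets and are deliberately left out. The Packet class, the option keywords, the sample traffic and the function names are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

MAX_IP_LENGTH = 65535  # largest legal IP datagram; a longer reassembled ICMP packet is the "ping of death" case

# IP option keyword (constructed names) -> screen counter name from Table 3
OPTION_SCREENS = {
    "record-route": "IP Record Route Option",
    "timestamp": "IP Timestamp Option",
    "security": "IP Security Option",
    "loose-source-route": "IP Loose Route Option",
    "strict-source-route": "IP Strict Source Route Option",
    "stream-id": "IP Stream Option",
}


@dataclass(frozen=True)
class Packet:
    """Constructed header summary used by this example; not a Junos structure."""
    src_ip: str
    dst_ip: str
    protocol: str                  # "tcp", "udp" or "icmp"
    length: int = 64               # reassembled datagram length in bytes
    fragment: bool = False         # True if the datagram arrived fragmented
    tcp_flags: frozenset = frozenset()
    ip_options: frozenset = frozenset()


def screen_hits(pkt):
    """Return the Table 3 counter names whose per-packet condition this packet meets."""
    hits = []
    flags = pkt.tcp_flags
    if pkt.protocol == "tcp":
        if not flags:
            hits.append("TCP No Flag")             # a normal segment has at least one control flag
        if "SYN" in flags and "FIN" in flags:
            hits.append("TCP SYN FIN Packet")
        if "FIN" in flags and "ACK" not in flags:
            hits.append("TCP FIN without ACK")
        if "SYN" in flags and pkt.fragment:
            hits.append("TCP SYN Fragment")
        if "SYN" in flags and pkt.src_ip == pkt.dst_ip:
            hits.append("TCP Land Attack")         # spoofed SYN with the victim as both source and destination
    elif pkt.protocol == "icmp":
        if pkt.fragment:
            hits.append("ICMP Fragment")           # ICMP messages are short; fragmentation is not expected
        if pkt.length > MAX_IP_LENGTH:
            hits.append("ICMP Ping of Death")
    for opt in sorted(pkt.ip_options):
        # Simplification for the example: an option keyword this model does not know is counted as invalid.
        hits.append(OPTION_SCREENS.get(opt, "IP Bad Options"))
    return hits


def screen_counters(packets):
    """Aggregate per-packet hits into a counter table like the per-zone screen statistics."""
    counts = Counter()
    for pkt in packets:
        counts.update(screen_hits(pkt))
    return dict(counts)


# Constructed sample traffic for one zone.
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.9", "tcp", tcp_flags=frozenset({"SYN"})),          # ordinary SYN
    Packet("203.0.113.9", "203.0.113.9", "tcp", tcp_flags=frozenset({"SYN"})),       # land attack
    Packet("10.0.0.7", "203.0.113.9", "tcp"),                                        # no flags set
    Packet("10.0.0.8", "203.0.113.9", "tcp", tcp_flags=frozenset({"SYN", "FIN"})),   # SYN and FIN together
    Packet("10.0.0.9", "203.0.113.9", "icmp", length=1500, fragment=True),           # fragmented ICMP
    Packet("10.0.0.9", "203.0.113.9", "icmp", length=65600),                         # oversized ICMP
    Packet("10.0.0.10", "203.0.113.9", "tcp", tcp_flags=frozenset({"ACK"}),
           ip_options=frozenset({"record-route", "timestamp"})),                      # IP options present
]

if __name__ == "__main__":
    for name, n in sorted(screen_counters(SAMPLE).items()):
        print(f"{name:32} {n}")
```

Note that one packet can raise several counters at once: the SYN-FIN sample increments both TCP SYN FIN Packet and TCP FIN without ACK, which is why counter totals in the display need not add up to a packet count.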
Monitoring IDP Status
Purpose
View detailed information about the IDP Status, Memory, Counters, Policy Rulebase Statistics, and Attack table statistics.
Action
To view Intrusion Detection and Prevention (IDP) table information, select Monitor>Security>IDP>Status in the J-Web user interface, or enter the following CLI commands:
- show security idp status
- show security idp memory
Table 4 summarizes key output fields in the IDP display.
Table 4: Summary of IDP Status Output Fields
Field | Values | Additional Information |
---|---|---|
IDP Status | ||
Status of IDP | Displays the status of the current IDP policy. | – |
Up Since | Displays the time from when the IDP policy first began running on the system. | – |
Packets/Second | Displays the number of packets received and returned per second. | – |
Peak | Displays the maximum number of packets received per second and the time when the maximum was reached. | – |
Kbits/Second | Displays the aggregated throughput (kilobits per second) for the system. | – |
Peak Kbits | Displays the maximum kilobits per second and the time when the maximum was reached. | – |
Latency (Microseconds) | Displays the delay, in microseconds, for a packet to be received and returned by a node. | – |
Current Policy | Displays the name of the current installed IDP policy. | – |
IDP Memory Status | ||
IDP Memory Statistics | Displays the status of all IDP data plane memory. | – |
PIC Name | Displays the name of the PIC. | – |
Total IDP Data Plane Memory (MB) | Displays the total memory space, in megabytes, allocated for the IDP data plane. | – |
Used (MB) | Displays the used memory space, in megabytes, for the data plane. | – |
Available (MB) | Displays the available memory space, in megabytes, for the data plane. | – |
Monitoring Flow Gate Information
Purpose
View information about temporary openings known as pinholes or gates in the security firewall.
Action
Select Monitor>Security>Flow Gate in the J-Web user interface, or enter the show security flow gate command.
Table 5 summarizes key output fields in the flow gate display.
Table 5: Summary of Key Flow Gate Output Fields
Field | Values | Additional Information |
---|---|---|
Flow Gate Information | ||
Hole | Range of flows permitted by the pinhole. | – |
Translated | Tuples used to create the session if it matches the pinhole. | – |
Protocol | Application protocol, such as UDP or TCP. | – |
Application | Name of the application. | – |
Age | Idle timeout for the pinhole. | – |
Flags | Internal debug flags for pinhole. | – |
Zone | Incoming zone. | – |
Reference count | Number of resource manager references to the pinhole. | – |
Resource | Resource manager information about the pinhole. | – |
Monitoring Firewall Authentication Table
Purpose
View information about the authentication table, which divides firewall authentication user information into multiple parts.
Action
Select Monitor>Security>Firewall Authentication>Authentication Table in the J-Web user interface. To view detailed information about the user with a particular identifier, select the ID on the Authentication Table page. To view detailed information about the user at a particular source IP address, select the Source IP on the Authentication Table page.
Alternatively, enter the following CLI show commands:
- show security firewall-authentication users
- show security firewall-authentication users address ip-address
- show security firewall-authentication users identifier identifier
Table 6 summarizes key output fields in the firewall authentication table display.
Table 6: Summary of Key Firewall Authentication Table Output Fields
Field | Values | Additional Information |
---|---|---|
Firewall authentication users | ||
Total users in table | Number of users in the authentication table. | – |
Authentication table | ||
ID | Authentication identification number. | – |
Source Ip | IP address of the authentication source. | – |
Age | Idle timeout for the user. | – |
Status | Status of authentication (success or failure). | – |
user | Name of the user. | – |
Detailed report per ID selected: ID | ||
Source Zone | Name of the source zone. | – |
Destination Zone | Name of the destination zone. | – |
profile | Name of the profile. | Users information. |
Authentication method | Path chosen for authentication. | – |
Policy Id | Policy Identifier. | – |
Interface name | Name of the interface. | – |
Bytes sent by this user | Number of bytes sent by this user. | – |
Bytes received by this user | Number of bytes received by this user. | – |
Client-groups | Name of the client group. | – |
Detailed report per Source Ip selected | ||
Entries from Source IP | IP address of the authentication source. | – |
Source Zone | Name of the source zone. | – |
Destination Zone | Name of the destination zone. | – |
profile | Name of the profile. | – |
Age | Idle timeout for the user. | – |
Status | Status of authentication (success or failure). | – |
user | Name of the user. | – |
Authentication method | Path chosen for authentication. | – |
Policy Id | Policy Identifier. | – |
Interface name | Name of the interface. | – |
Bytes sent by this user | Number of bytes sent by this user. | – |
Bytes received by this user | Number of bytes received by this user. | – |
Client-groups | Name of the client group. | – |
Monitoring Firewall Authentication History
Purpose
View information about the authentication history, which is divided into multiple parts.
Action
Select Monitor>Security>Firewall Authentication>Authentication History in the J-Web user interface. To view the detailed history of the authentication with this identifier, select the ID on the Firewall Authentication History page. To view a detailed authentication history of this source IP address, select the Source IP on the Firewall Authentication History page.
Alternatively, enter the following CLI show commands:
- show security firewall-authentication history
- show security firewall-authentication history address ip-address
- show security firewall-authentication history identifier identifier
Table 7 summarizes key output fields in the firewall authentication history display.
Table 7: Summary of Key Firewall Authentication History Output Fields
Field | Values | Additional Information |
---|---|---|
History of Firewall Authentication Data | ||
Total authentications | Number of authentications. | – |
History Table | ||
ID | Identification number. | – |
Source Ip | IP address of the authentication source. | – |
Start Date | Authentication date. | – |
Start Time | Authentication time. | – |
Duration | Authentication duration. | – |
Status | Status of authentication (success or failure). | – |
User | Name of the user. | – |
Detail history of selected Id: ID | ||
Authentication method | Path chosen for authentication. | – |
Policy Id | Security policy identifier. | – |
Source zone | Name of the source zone. | – |
Destination Zone | Name of the destination zone. | – |
Interface name | Name of the interface. | – |
Bytes sent by this user | Number of bytes sent by this user. | – |
Bytes received by this user | Number of bytes received by this user. | – |
Client-groups | Name of the client group. | – |
Detail history of selected Source Ip:Source Ip | ||
User | Name of the user. | – |
Start Date | Authentication date. | – |
Start Time | Authentication time. | – |
Duration | Authentication duration. | – |
Status | Status of authentication (success or failure). | – |
Profile | Name of the profile. | – |
Authentication method | Path chosen for authentication. | – |
Policy Id | Security policy identifier. | – |
Source zone | Name of the source zone. | – |
Destination Zone | Name of the destination zone. | – |
Interface name | Name of the interface. | – |
Bytes sent by this user | Number of bytes sent by this user. | – |
Bytes received by this user | Number of bytes received by this user. | – |
Client-groups | Name of the client group. | – |
Monitoring 802.1x
Purpose
View information about 802.1X properties.
Action
Select Monitor>Security>802.1x in the J-Web user interface, or enter the following CLI commands:
- show dot1x interfaces interface-name
- show dot1x authentication-failed-users
Table 8 summarizes the Dot1X output fields.
Table 8: Summary of Dot1X Output Fields
Field | Values | Additional Information |
---|---|---|
Select Port | List of ports for selection. | – |
Number of connected hosts | Total number of hosts connected to the port. | – |
Number of authentication bypassed hosts | Total number of authentication-bypassed hosts with respect to the port. | – |
Authenticated Users Summary | ||
MAC Address | MAC address of the connected host. | – |
User Name | Name of the user. | – |
Status | Information about the host connection status. | – |
Authentication Due | Information about host authentication. | – |
Authentication Failed Users Summary | ||
MAC Address | MAC address of the authentication-failed host. | – |
User Name | Name of the authentication-failed user. | – |
Published: 2014-12-07