[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Verifying Application Security Information Using Trace Options

The JUNOS Software trace function provides a tool for applications to write security debugging information to a file. The information that appears in this file is based on criteria you set. You can use this information to analyze security application issues.

The trace function operates in a distributed manner, with each thread writing to its own trace buffer. These trace buffers are then collected at one point, sorted, and written to trace files. Trace messages are delivered using the IPC (InterProcess Communications) protocol. A trace message has a lower priority than that of control protocol packets such as BGP, OSPF, and IKE and therefore delivery is not considered to be as reliable.

Setting Security Trace Options

This topic covers:

J-Web Configuration

Select Configure>CLI Tools>Point and Click CLI.
Next to Security, click Configure or Edit.
Next to Traceoptions, click Configure.
Select the No remote trace checkbox to disable remote tracing.
In the Rate limit edit box, enter parameters to limit the incoming rate of trace messages. The edit field here accepts a numeric value between 0 and 4294967295.
Select the Use local files checkbox to write trace messages to a local file. The trace file is saved in the /var/log/directory.
In the Filename edit box, enter a name for the file to which you want trace information written. This name is a text string between 1 and 1024 character and it cannot include spaces, / or % characters. If you do not create a name, the default name for this file is “security.”
In the Files edit box, enter the maximum number of trace files that can accumulate. This is a numeric value between 2 and 1000 used to limit the amount of trace files created. The default value is 3.
In the Match edit box, enter matching criteria in the for information logged to the trace file. This is a regular expression for matching against. Wildcard (*) characters are accepted.
In the Size edit box, enter size parameters to limit the maximum size to which a trace file can grow. This is a numeric value from 10240 to 1073741824. Once the file reaches that size, it is compressed and renamed to<filename>0.gz and the next one is named <filename>1.gz, and so on.
Select either the Yes or the No Word readable checkbox. If you select Yes, you are allowing any user to read the trace file.
To turn traceoptions on and to perform more than one tracing operation, click the Add new entry link beside Flag to include multiple flag commands. You can include the following flags:
- all — Trace everything
- compilation — Trace compilation events
- configuration — Trace configuration events
- routing-socket — Trace routing socket events
Click OK to return to the configuration page.
In the Advanced section, you can enter groups to which to apply these trace option settings or you can enter groups to exclude from these settings. Click the Add new entry link beside the Apply groups or Apply groups except option to enter one or more groups for inclusion or exclusion.
When finished, click one of the following buttons:
- OK — This applies your settings and returns you to the previous level in the configuration hierarchy.
- Cancel — This clears the settings you have not yet applied and returns you to the previous level in the configuration hierarchy.
- Refresh — This updates the display with any changes to the configuration made by other users.
- Commit — This verifies your entries and applies them to the current configuration file running on the routing platform.
- Discard — This removes settings applied to, or deletes existing statements or identifiers from, the configuration.

CLI Configuration

Use the following commands to set the described trace options:

Set remote tracing as disabled.
user@host # set security traceoptions no-remote-trace
Set the local writing of trace files. (The trace file is saved in the /var/log/ directory.)
user@host # set security traceoptions use-local-files
Set file name. If you do not create a name, the default name for this file is “security.”
user@host # set security traceoptions file <filename>
Set the maximum number of trace files that can accumulate. (The default is 3.)
user@host # set security traceoptions file files 3
Set matching criteria for logging data to the trace file. This criteria is a regular expression for matching against. Wildcard (*) characters are accepted.
user@host # set security traceoptions file match *thread
Set world-readable or not.
user@host # set security traceoptions file world-readable user@host # set security traceoptions file no-world-readable
Set maximum trace file size. Once the file reaches that size, it is compressed and renamed to<filename>0.gz and the next one is named <filename>1.gz, and so on.
user@host # set security traceoptions file size 10240
To turn traceoptions on and to perform more than one tracing operation, set the following flags:
user@host # set security traceoptions flag all user@host # set security traceoptions flag compilation user@host # set security traceoptions flag configuration user@host # set security traceoptions flag routing-socket
Set trace options to apply to entered groups or to exclude entered groups. You can enter groups to which to apply trace option settings or you can enter groups to exclude from trace option settings.
user@host # set security traceoptions apply-groups <value> user@host # set security traceoptions apply-groups-except <value>

Example: Show Security Traceoptions Output

The following CLI show security traceoptions command is used as follows:


            
               user@host # show security traceoptions file usp_trace
               user@host # show security traceoptions flag all
               user@host # show security traceoptions rate-limit 888

The output is as follows:


            
               Apr 11 16:06:42 21:13:15.750395:CID-906489336:FPC-01:PIC-01:THREAD_ID-01:PFE:now
                  update 0x3607edf8df8in 0x3607e8d0 
               
               Apr 11 16:06:42 21:13:15.874058:CID-1529687608:FPC-01:PIC-01:THREAD_ID-01:CTRL:Enter
                  Function[util_ssam_handler]  
               
               Apr 11 16:06:42 21:13:15.874485:CID-00:FPC-01:PIC-01:THREAD_ID-01:CTRL:default1:
                  Rate limit changed to 888
               
               Apr 11 16:06:42 21:13:15.874538:CID-00:FPC-01:PIC-01:THREAD_ID-01:CTRL:default1:
                  Destination ID set to 1
               
               Apr 11 16:06:42 21:13:15.874651:CID-00:FPC-01:PIC-01:THREAD_ID-01:CTRL:default2:
                  Rate limit changed to 888
               
               Apr 11 16:06:42 21:13:15.874832:CID-00:FPC-01:PIC-01:THREAD_ID-01:CTRL:default2:
                  Destination ID set to 1
               
               Apr 11 16:06:42 21:13:15.874942:CID-00:FPC-01:PIC-01:THREAD_ID-01:CTRL:default3:
                  Rate limit changed to 888
               
               Apr 11 16:06:42 21:13:15.874997:CID-00:FPC-01:PIC-01:THREAD_ID-01:CTRL:default3:
                  Destination ID set to 1

Verifying Application Security Flow Information

For flow trace options, you can define a packet filter using combinations of destination-port, destination-prefix, interface, protocol, source-port, and source-prefix. If the security flow trace flag for a certain module is set, the packet matching the specific packet filter triggers flow tracing and writes debugging information to the trace file.

The following example displays the options you can set by using security flow traceoptions:

For the packet filter named filter1, set the destination port “imap” for matching.
user@host # set security flow traceoptions packet-filter filter1 destination-port imap
For the packet filter named filter1, set the destination IPv4 prefix address 1.2.3.4.
user@host # set security flow traceoptions packet-filter filter1 destination-prefix 1.2.3.4
For the packet filter named filter1, set the logical interface as fxp0.
user@host # set security flow traceoptions packet-filter filter1 interface fxp0
For the packet filter named filter1, set the IP protocol for matching as TCP.
user@host # set security flow traceoptions packet-filter filter1 protocol tcp
For the packet filter named filter1, set the source port for matching as http.
user@host # set security flow traceoptions packet-filter filter1 source-port http
For the packet filter named filter1, set the source IPv4 prefix address as 5.6.7.8.
user@host # set security flow traceoptions packet-filter filter1 source-prefix 5.6.7.8

[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]