Verifying Application Security Information Using Trace Options
The JUNOS Software trace function provides a tool for applications
to write security debugging information to a file. The information
that appears in this file is based on criteria you set. You can use
this information to analyze security application issues.
The trace function operates in a distributed manner, with each
thread writing to its own trace buffer. These trace buffers are then
collected at one point, sorted, and written to trace files. Trace
messages are delivered using the IPC (InterProcess Communications)
protocol. A trace message has a lower priority than that of control
protocol packets such as BGP, OSPF, and IKE and therefore delivery
is not considered to be as reliable.
Setting Security Trace Options
This topic covers:
J-Web Configuration
- Select Configure>CLI Tools>Point and Click CLI.
- Next to Security, click Configure or Edit.
- Next to Traceoptions, click Configure.
- Select the No remote trace checkbox to
disable remote tracing.
- In the Rate limit edit box, enter parameters
to limit the incoming rate of trace messages. The edit field here
accepts a numeric value between 0 and 4294967295.
- Select the Use local files checkbox to write trace messages to a local file. The trace file is saved in the /var/log/ directory.
- In the Filename edit box, enter a name for the file to which you want trace information written. This name is a text string between 1 and 1024 characters and it cannot include spaces or the / or % characters. If you do not create a name, the default name for this file is “security.”
- In the Files edit box, enter the maximum
number of trace files that can accumulate. This is a numeric value
between 2 and 1000 used to limit the amount of trace files created.
The default value is 3.
- In the Match edit box, enter the matching criteria for information logged to the trace file. This is a regular expression to match against. Wildcard (*) characters are accepted.
- In the Size edit box, enter size parameters to limit the maximum size to which a trace file can grow. This is a numeric value from 10240 to 1073741824. Once the file reaches that size, it is compressed and renamed to <filename>0.gz, the next one is named <filename>1.gz, and so on.
- Select either Yes or No for the World readable checkbox. If you select Yes, any user is allowed to read the trace file.
- To turn traceoptions on and to perform more than
one tracing operation, click the Add new entry link beside Flag to include multiple flag commands. You can include the
following flags:
- all — Trace everything
- compilation — Trace compilation events
- configuration — Trace configuration events
- routing-socket — Trace routing socket events
- Click OK to return to the configuration
page.
- In the Advanced section, you can enter
groups to which to apply these trace option settings or you can enter
groups to exclude from these settings. Click the Add new entry link beside the Apply groups or Apply groups except option to enter one or more groups for inclusion or exclusion.
- When finished, click one of the following buttons:
- OK — This applies your settings and returns
you to the previous level in the configuration hierarchy.
- Cancel — This clears the settings you have
not yet applied and returns you to the previous level in the configuration
hierarchy.
- Refresh — This updates the display with
any changes to the configuration made by other users.
- Commit — This verifies your entries and
applies them to the current configuration file running on the routing
platform.
- Discard — This removes settings applied
to, or deletes existing statements or identifiers from, the configuration.
CLI Configuration
Use the following commands to set the described trace options:
- Set remote tracing as disabled.
- user@host # set security traceoptions no-remote-trace
- Set the local writing of trace files. (The trace file is saved in the /var/log/ directory.)
- user@host # set security traceoptions use-local-files
- Set file name. If you do not create a name, the default
name for this file is “security.”
- user@host # set security traceoptions file <filename>
- Set the maximum number of trace files that can accumulate.
(The default is 3.)
- user@host # set security traceoptions file files 3
- Set matching criteria for logging data to the trace file.
This criteria is a regular expression for matching against. Wildcard
(*) characters are accepted.
- user@host # set security traceoptions file match *thread
- Set world-readable or not.
- user@host # set security traceoptions file world-readable
- user@host # set security traceoptions file no-world-readable
- Set maximum trace file size. Once the file reaches that size, it is compressed and renamed to <filename>0.gz, the next one is named <filename>1.gz, and so on.
- user@host # set security traceoptions file size 10240
- To turn traceoptions on and to perform more than one tracing
operation, set the following flags:
- user@host # set security traceoptions flag all
- user@host # set security traceoptions flag compilation
- user@host # set security traceoptions flag configuration
- user@host # set security traceoptions flag routing-socket
- Set trace options to apply to entered groups or to exclude
entered groups. You can enter groups to which to apply trace option
settings or you can enter groups to exclude from trace option settings.
- user@host # set security traceoptions apply-groups <value>
- user@host # set security traceoptions apply-groups-except <value>
Example:
Show Security Traceoptions Output
The CLI show security traceoptions command is used as follows:
- user@host # show security traceoptions file usp_trace
- user@host # show security traceoptions flag all
- user@host # show security traceoptions rate-limit 888
The output is as follows:
- Apr 11 16:06:42 21:13:15.750395:CID-906489336:FPC-01:PIC-01:THREAD_ID-01:PFE:now
update 0x3607edf8df8in 0x3607e8d0
- Apr 11 16:06:42 21:13:15.874058:CID-1529687608:FPC-01:PIC-01:THREAD_ID-01:CTRL:Enter
Function[util_ssam_handler]
- Apr 11 16:06:42 21:13:15.874485:CID-00:FPC-01:PIC-01:THREAD_ID-01:CTRL:default1:
Rate limit changed to 888
- Apr 11 16:06:42 21:13:15.874538:CID-00:FPC-01:PIC-01:THREAD_ID-01:CTRL:default1:
Destination ID set to 1
- Apr 11 16:06:42 21:13:15.874651:CID-00:FPC-01:PIC-01:THREAD_ID-01:CTRL:default2:
Rate limit changed to 888
- Apr 11 16:06:42 21:13:15.874832:CID-00:FPC-01:PIC-01:THREAD_ID-01:CTRL:default2:
Destination ID set to 1
- Apr 11 16:06:42 21:13:15.874942:CID-00:FPC-01:PIC-01:THREAD_ID-01:CTRL:default3:
Rate limit changed to 888
- Apr 11 16:06:42 21:13:15.874997:CID-00:FPC-01:PIC-01:THREAD_ID-01:CTRL:default3:
Destination ID set to 1
Verifying Application Security Flow Information
For flow trace options, you can define a packet filter using
combinations of destination-port, destination-prefix, interface, protocol,
source-port, and source-prefix. If the security flow trace flag for
a certain module is set, the packet matching the specific packet filter
triggers flow tracing and writes debugging information to the trace
file.
The following example displays the options you can set by using security flow traceoptions:
- For the packet filter named filter1, set the destination port “imap” for matching.
- user@host # set security flow traceoptions packet-filter filter1 destination-port imap
- For the packet filter named filter1, set the destination IPv4 prefix address 1.2.3.4.
- user@host # set security flow traceoptions packet-filter filter1 destination-prefix 1.2.3.4
- For the packet filter named filter1, set the logical interface as fxp0.
- user@host # set security flow traceoptions packet-filter filter1 interface fxp0
- For the packet filter named filter1, set the IP protocol for matching as TCP.
- user@host # set security flow traceoptions packet-filter filter1 protocol tcp
- For the packet filter named filter1, set the source port for matching as http.
- user@host # set security flow traceoptions packet-filter filter1 source-port http
- For the packet filter named filter1, set the source IPv4 prefix address as 5.6.7.8.
- user@host # set security flow traceoptions packet-filter filter1 source-prefix 5.6.7.8