Sample Code Audits of Configuration Changes

This sample code audits all changes to the configuration secret data and sends the logs to a file named Audit-File:

This sample code expands the scope of the minimum audit to audit all changes to the configuration, not just secret data, and sends the logs to a file named Audit-File:

Example: System Logging of Configuration Changes

This example shows a sample configuration and the changes made to users and secret data. It then shows the information sent to the audit server when the secret data is added to the original configuration with the load command and committed.

The new configuration changes the secret data configuration statements and adds a new user.
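The audit records that the TOE emits for configuration changes, logins and trust-store updates (tabulated in Table 1 below) are RFC 5424 syslog lines carrying one `junos@2636.1.1.1.2.129` structured-data element. The following is an added example, not code from the Junos documentation: it parses that format, including the backslash-escaped `]` that Junos writes inside `pathname` values, and runs a few detection rules over lines copied from Table 1. The rule names and the `FAIL_THRESHOLD` value are this example's own choices and are not TOE settings.

```python
"""Parse Junos RFC 5424 audit records (the format of Table 1) and flag security-relevant events.

Added example, not code from the Junos documentation. The sample lines are copied
from Table 1; the rule names and FAIL_THRESHOLD are this example's own choices.
"""
import re
from collections import Counter

# Records copied from Table 1 (the UI_CHILD_START command uses straight quotes).
SAMPLE_LINES = r"""
<182>1 2023-02-22T14:24:54.508Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="delete" pathname="[system ntp server 10.1.1.160\]" delimiter="" value=""] User 'acumensec' delete: [system ntp server 10.1.1.160]
<37>1 2021-09-27T09:41:37.763Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'
<37>1 2021-09-29T12:43:19.559Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'
<37>1 2021-10-07T10:59:02.308Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="tester" source-address="10.1.2.146"] Login failed for user 'tester' from host '10.1.2.146'
<37>1 2021-09-29T10:45:55.798Z VSRX_TOE sshd 14027 LIBJNX_LOGIN_ACCOUNT_LOCKED [junos@2636.1.1.1.2.129 username="acumensec"] Account for user 'acumensec' has been locked out from logins
<29>1 2023-02-22T07:22:24.769Z Proliant_Node0 pkid 11250 PKID_PV_CERT_LOAD [junos@2636.1.1.1.2.129 type-string="AcumenCA"] Certificate AcumenCA has been successfully loaded
<182>1 2023-02-22T07:21:57.600Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security pki ca-profile AcumenCA ca-identity\]" delimiter="" data="unconfigured" value="AcumenCA"] User 'acumensec' set: [security pki ca-profile AcumenCA ca-identity] unconfigured -- "AcumenCA"
<182>1 2023-02-22T07:12:49.599Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter TCP-ports term allow then\]" delimiter="" data="unconfigured" value="accept"] User 'acumensec' set: [firewall filter TCP-ports term allow then] unconfigured -- "accept"
<190>1 2023-02-17T11:08:28.481Z Proliant_Node0 mgd 5002 UI_CHILD_START [junos@2636.1.1.1.2.129 command="/usr/libexec/ui/package"] Starting child '/usr/libexec/ui/package'
<27>1 2022-07-25T07:40:00.019Z Proliant_Node0 kmd 20805 - - IKE negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: ike-vpn-devices Gateway: gw-b, Local: 10.1.5.129/500, Remote: 10.1.5.29/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
<118>1 2023-02-17T11:16:15.726Z Proliant_Node0 kernel - - - Verified os-kernel-prd-x86-64-20220607 signed by PackageProductionECP256_2022 method ECDSA256+SHA256
""".strip().splitlines()

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then "-" (no
# structured data) or one [SD-ID PARAM="value" ...] element, then the free-text MSG.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.S)
SD_RE = re.compile(
    r'^\[(?P<sdid>[^\s\]]+)(?P<params>(?: [^=\s]+="(?:[^"\\]|\\.)*")*)\]\s*(?P<msg>.*)$', re.S)
PARAM_RE = re.compile(r'([^=\s]+)="((?:[^"\\]|\\.)*)"')
FAIL_THRESHOLD = 3  # example value; the TOE's own limit is retry-options tries-before-disconnect


def _unescape(value):
    # Junos escapes '"', '\' and ']' inside a PARAM-VALUE with a backslash (RFC 5424 6.3.3).
    return re.sub(r'\\(.)', r'\1', value)


def parse_record(line):
    """Return header fields, facility/severity, SD-ID, SD params and MSG of one line, or None."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec['facility'], rec['severity'] = divmod(int(rec.pop('pri')), 8)
    rest = rec.pop('rest')
    rec['sd_id'], rec['sd'], rec['msg'] = None, {}, rest
    if rest.startswith('['):
        sm = SD_RE.match(rest)
        if sm:
            rec['sd_id'] = sm.group('sdid')
            rec['sd'] = {k: _unescape(v) for k, v in PARAM_RE.findall(sm.group('params'))}
            rec['msg'] = sm.group('msg')
    elif rest.startswith('- '):
        rec['msg'] = rest[2:]
    return rec


def detect(lines):
    """Apply the detection rules to raw syslog lines; return (rule, detail) pairs in log order."""
    findings, failures = [], Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        msgid, sd = rec['msgid'], rec['sd']
        user, action, path = sd.get('username', '?'), sd.get('action', '?'), sd.get('pathname', '')
        cfg_change = msgid.startswith('UI_CFG_AUDIT_')
        if msgid == 'SSHD_LOGIN_FAILED':
            src = sd.get('source-address', '?')
            failures[src] += 1
            if failures[src] == FAIL_THRESHOLD:
                findings.append(('ssh-bruteforce', f'{FAIL_THRESHOLD} SSH failures from {src}'))
        elif msgid in ('LIBJNX_LOGIN_ACCOUNT_LOCKED', 'SSHD_LOGIN_ATTEMPTS_THRESHOLD'):
            findings.append(('account-lockout', user))
        elif msgid in ('PKID_PV_CERT_LOAD', 'PKID_PV_CERT_DEL'):
            findings.append(('trust-anchor-change', f"{msgid} {sd.get('type-string', '?')}"))
        elif cfg_change and path.startswith('[security pki ca-profile'):
            findings.append(('trust-anchor-change', f'{user} {action} {path}'))
        elif cfg_change and (path.startswith('[firewall') or
                             (path.startswith('[interfaces') and ' filter ' in path)):
            findings.append(('firewall-rule-change', f'{user} {action} {path}'))
        elif cfg_change and path.startswith('[system ntp'):
            findings.append(('time-source-change', f'{user} {action} {path}'))
        elif msgid == 'UI_CHILD_START' and sd.get('command', '').endswith('/ui/package'):
            findings.append(('software-update-attempt', sd['command']))
        elif rec['app'] == 'kmd' and 'negotiation failed' in rec['msg']:
            findings.append(('ipsec-sa-failure', rec['msg'].split('. ')[0]))
    return findings


if __name__ == '__main__':
    for rule, detail in detect(SAMPLE_LINES):
        print(f'{rule:24} {detail}')
```

The rules key on MSGID and the SD-PARAMs rather than on the PRI value, because the facility/severity pairs in Table 1 are shared by unrelated events (for instance `<37>` is auth.notice for both a failed SSH login and an account lockout) and the `error: PAM: Authentication error` lines from sshd carry no MSGID at all, so the Junos `SSHD_LOGIN_FAILED` record is the reliable anchor for counting failures per source address.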

Table 1: Audit Records for all Auditable Events

The table has four columns: Requirement, Auditable Events, Additional Audit Record Contents and Audit Record. Each entry below lists the requirement, its auditable events, the additional audit record contents, and the audit records as logged by the TOE (None where the requirement has no auditable event).

FAU_GEN.1

Auditable events: None

Additional audit record contents: None

FAU_STG.1

Auditable events: None

Additional audit record contents: None

FAU_STG_EXT.1

Auditable events: None

Additional audit record contents: None

FCS_CKM.1

Auditable events: None

Additional audit record contents: None

FCS_CKM.2

Auditable events: None

Additional audit record contents: None

FCS_CKM.4

Auditable events: None

Additional audit record contents: None

FCS_COP.1/DataEncryption

Auditable events: None

Additional audit record contents: None

FCS_COP.1/SigGen

Auditable events: None

Additional audit record contents: None

FCS_COP.1/Hash

Auditable events: None

Additional audit record contents: None

FCS_COP.1/KeyedHash

Auditable events: None

Additional audit record contents: None

FCS_IPSEC_EXT.1

Auditable events: Failure to establish an IPsec SA.

Additional audit record contents: Reason for failure.

Audit records:

<27>1 2022-07-25T07:40:00.019Z Proliant_Node0 kmd 20805 - - IKE negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: ike-vpn-devices Gateway: gw-b, Local: 10.1.5.129/500, Remote: 10.1.5.29/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator

<27>1 2022-07-25T07:40:00.020Z Proliant_Node0 kmd 20805 - - IPSec negotiation failed with error: No proposal chosen. IKE Version: 2, VPN: ike-vpn-devices Gateway: gw-b, Local: 10.1.5.129/500, Remote: 10.1.5.29/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

FCS_NTP_EXT.1

Auditable events: Configuration of a new time server; removal of a configured time server.

Additional audit record contents: Identity of the new or removed time server.

Audit records:

<182>1 2023-02-22T14:23:37.828Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[system ntp server 10.1.1.160\]" delimiter="" value=""] User 'acumensec' set: [system ntp server 10.1.1.160]

<182>1 2023-02-22T14:24:54.508Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="delete" pathname="[system ntp server 10.1.1.160\]" delimiter="" value=""] User 'acumensec' delete: [system ntp server 10.1.1.160]

FCS_RBG_EXT.1

Auditable events: None

Additional audit record contents: None

FCS_SSHS_EXT.1

Auditable events: Failure to establish an SSH session.

Additional audit record contents: Reason for failure.

Audit records:

<35>1 2021-09-27T09:41:37.763Z VSRX_TOE sshd 70783 - - error: PAM: Authentication error for acumensec from 10.1.2.146

<37>1 2021-09-27T09:41:37.763Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'

FDP_RIP.2

Auditable events: None

Additional audit record contents: None

FFW_RUL_EXT.1

Auditable events: Application of rules configured with the 'log' operation.

Additional audit record contents: Source and destination addresses; source and destination ports; transport layer protocol; TOE interface.

Audit record:

Time of Log: 2022-11-29 10:25:35 UTC, Filter: pfe, Filter action: discard, Name of interface: reth1.0

Name of protocol: TCP, Packet Length: 40, Source address: 10.1.1.146:20, Destination address: 10.1.3.161:1035

FFW_RUL_EXT.2

Auditable events: Dynamical definition of rule; establishment of a session.

Additional audit record contents: None

Audit records:

Dynamical definition of rule

<182>1 2023-02-22T07:12:41.900Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter TCP-ports term allow from protocol tcp\]" delimiter="" value=""] User 'acumensec' set: [firewall filter TCP-ports term allow from protocol tcp]

<182>1 2023-02-22T07:12:41.901Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter TCP-ports term allow from port 0-1024\]" delimiter="" value=""] User 'acumensec' set: [firewall filter TCP-ports term allow from port 0-1024]

<182>1 2023-02-22T07:12:49.599Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter TCP-ports term allow then\]" delimiter="" data="unconfigured" value="accept"] User 'acumensec' set: [firewall filter TCP-ports term allow then] unconfigured -- "accept"

<182>1 2023-02-22T07:12:49.600Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter TCP-ports term allow then\]" delimiter="" data="unconfigured" value="log"] User 'acumensec' set: [firewall filter TCP-ports term allow then] unconfigured -- "log"

<182>1 2023-02-22T07:13:26.841Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter TCP-ports term deny from protocol tcp\]" delimiter="" value=""] User 'acumensec' set: [firewall filter TCP-ports term deny from protocol tcp]

<182>1 2023-02-22T07:13:26.841Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter TCP-ports term deny from port 1025-65535\]" delimiter="" value=""] User 'acumensec' set: [firewall filter TCP-ports term deny from port 1025-65535]

<182>1 2023-02-22T07:13:33.651Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter TCP-ports term deny then discard\]" delimiter="" value=""] User 'acumensec' set: [firewall filter TCP-ports term deny then discard]

<182>1 2023-02-22T07:13:36.999Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter TCP-ports term deny then\]" delimiter="" data="unconfigured" value="log"] User 'acumensec' set: [firewall filter TCP-ports term deny then] unconfigured -- "log"

Establishment of a session

Time of Log: 2022-09-14 06:03:10 UTC, Filter: pfe, Filter action: accept, Name of interface: reth1.0

Name of protocol: TCP, Packet Length: 52, Source address: 10.1.1.146:38452, Destination address: 10.1.3.161:1023

Time of Log: 2022-09-14 06:11:57 UTC, Filter: pfe, Filter action: discard, Name of interface: reth1.0

Name of protocol: TCP, Packet Length: 60, Source address: 10.1.1.146:58594, Destination address: 10.1.3.161:1025

FIA_AFL.1

Auditable events: Unsuccessful login attempts limit is met or exceeded.

Additional audit record contents: Origin of the attempt (e.g., IP address).

Audit records:

<37>1 2021-09-29T10:45:55.798Z VSRX_TOE sshd 14027 LIBJNX_LOGIN_ACCOUNT_LOCKED [junos@2636.1.1.1.2.129 username="acumensec"] Account for user 'acumensec' has been locked out from logins

<38>1 2021-09-29T10:45:55.799Z VSRX_TOE sshd 14027 - - Failed password for acumensec from 10.1.2.146 port 33362 ssh2

<37>1 2021-09-29T10:46:20.818Z VSRX_TOE sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD [junos@2636.1.1.1.2.129 limit="5" username="acumensec"] Threshold for unsuccessful authentication attempts (5) reached by user 'acumensec'

<38>1 2021-09-29T10:46:20.818Z VSRX_TOE sshd 14028 - - Disconnecting authenticating user acumensec 10.1.2.146 port 33362: Too many password failures for acumensec

FIA_PMG_EXT.1

Auditable events: None

Additional audit record contents: None

FIA_UIA_EXT.1

Auditable events: All use of identification and authentication mechanism.

Additional audit record contents: Origin of the attempt (e.g., IP address).

Audit records:

Local Successful Login

<37>1 2021-09-29T12:39:25.733Z VSRX_TOE login 20829 - - Login attempt for user acumensec from host [unknown]

<38>1 2021-09-29T12:39:31.884Z VSRX_TOE login 20829 LOGIN_INFORMATION [junos@2636.1.1.1.2.129 username="acumensec" hostname="[unknown\]" tty-name="ttyv0"] User acumensec logged in from host [unknown] on device ttyv0

<190>1 2021-09-29T12:39:32.226Z VSRX_TOE mgd 20847 UI_AUTH_EVENT [junos@2636.1.1.1.2.129 username="acumensec" authentication-level="j-super-user"] Authenticated user 'acumensec' assigned to class 'j-super-user'

<190>1 2021-09-29T12:39:32.226Z VSRX_TOE mgd 20847 UI_LOGIN_EVENT [junos@2636.1.1.1.2.129 username="acumensec" class-name="j-super-user" local-peer="" pid="20847" ssh-connection="" client-mode="cli"] User 'acumensec' login, class 'j-super-user' [20847], ssh-connection '', client-mode 'cli'

Local Unsuccessful Login

<37>1 2021-09-29T12:33:50.765Z VSRX_TOE login 20513 - - Login attempt for user acumensec from host [unknown]

<35>1 2021-09-29T12:33:56.858Z VSRX_TOE login 20513 LOGIN_PAM_AUTHENTICATION_ERROR [junos@2636.1.1.1.2.129 username="acumensec"] Failed password for user acumensec

<37>1 2021-09-29T12:33:56.859Z VSRX_TOE login 20513 LOGIN_FAILED [junos@2636.1.1.1.2.129 username="acumensec" source-address="ttyv0"] Login failed for user acumensec from host ttyv0

Remote Successful Password-Based Login

<38>1 2021-09-29T12:45:01.580Z VSRX_TOE sshd 21135 - - Accepted keyboard-interactive/pam for acumensec from 10.1.2.146 port 33504 ssh2

<190>1 2021-09-29T12:45:01.915Z VSRX_TOE mgd 21148 UI_AUTH_EVENT [junos@2636.1.1.1.2.129 username="acumensec" authentication-level="j-super-user"] Authenticated user 'acumensec' assigned to class 'j-super-user'

<190>1 2021-09-29T12:45:01.915Z VSRX_TOE mgd 21148 UI_LOGIN_EVENT [junos@2636.1.1.1.2.129 username="acumensec" class-name="j-super-user" local-peer="" pid="21148" ssh-connection="10.1.2.146 33504 10.1.2.129 22" client-mode="cli"] User 'acumensec' login, class 'j-super-user' [21148], ssh-connection '10.1.2.146 33504 10.1.2.129 22', client-mode 'cli'

Remote Unsuccessful Password-Based Login

<35>1 2021-09-29T12:43:19.559Z VSRX_TOE sshd 21040 - - error: PAM: Authentication error for acumensec from 10.1.2.146

<37>1 2021-09-29T12:43:19.559Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'

Remote Successful Public Key-Based Login

<38>1 2021-10-07T11:03:56.574Z VSRX_TOE sshd 35243 - - Accepted publickey for tester from 10.1.2.146 port 60712 ssh2: ECDSA SHA256:i2HeKO8gDAEyR1gz0JRv4Pqi/OCoXLzcj8calZLBxW4

<190>1 2021-10-07T11:03:56.931Z VSRX_TOE mgd 35247 UI_AUTH_EVENT [junos@2636.1.1.1.2.129 username="tester" authentication-level="j-super-user"] Authenticated user 'tester' assigned to class 'j-super-user'

<190>1 2021-10-07T11:03:56.931Z VSRX_TOE mgd 35247 UI_LOGIN_EVENT [junos@2636.1.1.1.2.129 username="tester" class-name="j-super-user" local-peer="" pid="35247" ssh-connection="10.1.2.146 60712 10.1.2.129 22" client-mode="cli"] User 'tester' login, class 'j-super-user' [35247], ssh-connection '10.1.2.146 60712 10.1.2.129 22', client-mode 'cli'

Remote Unsuccessful Public Key-Based Login

<35>1 2021-10-07T10:59:02.307Z VSRX_TOE sshd 34503 - - error: PAM: Authentication error for tester from 10.1.2.146

<37>1 2021-10-07T10:59:02.308Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="tester" source-address="10.1.2.146"] Login failed for user 'tester' from host '10.1.2.146'

FIA_UAU_EXT.2

Auditable events: All use of identification and authentication mechanism.

Additional audit record contents: Origin of the attempt (e.g., IP address).

Audit records:

Local Successful Login

<37>1 2021-09-29T12:39:25.733Z VSRX_TOE login 20829 - - Login attempt for user acumensec from host [unknown]

<38>1 2021-09-29T12:39:31.884Z VSRX_TOE login 20829 LOGIN_INFORMATION [junos@2636.1.1.1.2.129 username="acumensec" hostname="[unknown\]" tty-name="ttyv0"] User acumensec logged in from host [unknown] on device ttyv0

<190>1 2021-09-29T12:39:32.226Z VSRX_TOE mgd 20847 UI_AUTH_EVENT [junos@2636.1.1.1.2.129 username="acumensec" authentication-level="j-super-user"] Authenticated user 'acumensec' assigned to class 'j-super-user'

<190>1 2021-09-29T12:39:32.226Z VSRX_TOE mgd 20847 UI_LOGIN_EVENT [junos@2636.1.1.1.2.129 username="acumensec" class-name="j-super-user" local-peer="" pid="20847" ssh-connection="" client-mode="cli"] User 'acumensec' login, class 'j-super-user' [20847], ssh-connection '', client-mode 'cli'

Local Unsuccessful Login

<37>1 2021-09-29T12:33:50.765Z VSRX_TOE login 20513 - - Login attempt for user acumensec from host [unknown]

<35>1 2021-09-29T12:33:56.858Z VSRX_TOE login 20513 LOGIN_PAM_AUTHENTICATION_ERROR [junos@2636.1.1.1.2.129 username="acumensec"] Failed password for user acumensec

<37>1 2021-09-29T12:33:56.859Z VSRX_TOE login 20513 LOGIN_FAILED [junos@2636.1.1.1.2.129 username="acumensec" source-address="ttyv0"] Login failed for user acumensec from host ttyv0

Remote Successful Login

<38>1 2021-09-29T12:45:01.580Z VSRX_TOE sshd 21135 - - Accepted keyboard-interactive/pam for acumensec from 10.1.2.146 port 33504 ssh2

<190>1 2021-09-29T12:45:01.915Z VSRX_TOE mgd 21148 UI_AUTH_EVENT [junos@2636.1.1.1.2.129 username="acumensec" authentication-level="j-super-user"] Authenticated user 'acumensec' assigned to class 'j-super-user'

<190>1 2021-09-29T12:45:01.915Z VSRX_TOE mgd 21148 UI_LOGIN_EVENT [junos@2636.1.1.1.2.129 username="acumensec" class-name="j-super-user" local-peer="" pid="21148" ssh-connection="10.1.2.146 33504 10.1.2.129 22" client-mode="cli"] User 'acumensec' login, class 'j-super-user' [21148], ssh-connection '10.1.2.146 33504 10.1.2.129 22', client-mode 'cli'

Remote Unsuccessful Login

<35>1 2021-09-29T12:43:19.559Z VSRX_TOE sshd 21040 - - error: PAM: Authentication error for acumensec from 10.1.2.146

<37>1 2021-09-29T12:43:19.559Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'

Remote Successful Public Key-Based Login

<38>1 2021-10-07T11:03:56.574Z VSRX_TOE sshd 35243 - - Accepted publickey for tester from 10.1.2.146 port 60712 ssh2: ECDSA SHA256:i2HeKO8gDAEyR1gz0JRv4Pqi/OCoXLzcj8calZLBxW4

<190>1 2021-10-07T11:03:56.931Z VSRX_TOE mgd 35247 UI_AUTH_EVENT [junos@2636.1.1.1.2.129 username="tester" authentication-level="j-super-user"] Authenticated user 'tester' assigned to class 'j-super-user'

<190>1 2021-10-07T11:03:56.931Z VSRX_TOE mgd 35247 UI_LOGIN_EVENT [junos@2636.1.1.1.2.129 username="tester" class-name="j-super-user" local-peer="" pid="35247" ssh-connection="10.1.2.146 60712 10.1.2.129 22" client-mode="cli"] User 'tester' login, class 'j-super-user' [35247], ssh-connection '10.1.2.146 60712 10.1.2.129 22', client-mode 'cli'

Remote Unsuccessful Public Key-Based Login

<35>1 2021-10-07T10:59:02.307Z VSRX_TOE sshd 34503 - - error: PAM: Authentication error for tester from 10.1.2.146

<37>1 2021-10-07T10:59:02.308Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="tester" source-address="10.1.2.146"] Login failed for user 'tester' from host '10.1.2.146'

FIA_UAU.7

Auditable events: None

Additional audit record contents: None

FIA_X509_EXT.1/Rev

Auditable events: Unsuccessful attempt to validate a certificate; any addition, replacement, or removal of trust anchors in the TOE's trust store.

Additional audit record contents: Reason for failure of certificate validation; identification of certificates added, replaced or removed as trust anchor in the TOE's trust store.

Audit records:

Unsuccessful attempt to validate a certificate

<27>1 2022-12-07T07:13:12.436Z Proliant_Node0 pkid 20720 PKID_CRL_CERTIFICATE_REVOKED [junos@2636.1.1.1.2.129 argument1="/C=US/O=Acumen/OU=CC/CN=AcumenICA" argument2="6b92a1eaeb70ca59"] Certificate /C=US/O=Acumen/OU=CC/CN=AcumenICA with serial number 0x6b92a1eaeb70ca59 is revoked

<27>1 2022-12-07T07:13:12.437Z Proliant_Node0 kmd 85673 KMD_PEER_CERT_VERIFY_FAILED [junos@2636.1.1.1.2.129 gateway-name="gw-b" local-address="10.1.5.129" local-port="500" remote-address="10.1.5.251" remote-port="500" name="10.1.5.129" peer-name="10.1.5.251" vrrp-group-id="0"] Failed peer certificate verification for Gateway: gw-b, Local: 10.1.5.129/500, Remote: 10.1.5.251/500, Local IKE-ID: 10.1.5.129, Remote IKE-ID: 10.1.5.251, VR id: 0

Addition of trust anchor

<182>1 2023-02-22T07:21:57.600Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security pki ca-profile AcumenCA ca-identity\]" delimiter="" data="unconfigured" value="AcumenCA"] User 'acumensec' set: [security pki ca-profile AcumenCA ca-identity] unconfigured -- "AcumenCA"

<29>1 2023-02-22T07:22:24.769Z Proliant_Node0 pkid 11250 PKID_PV_CERT_LOAD [junos@2636.1.1.1.2.129 type-string="AcumenCA"] Certificate AcumenCA has been successfully loaded

Removal of trust anchor

<182>1 2023-02-22T07:24:47.471Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="delete" pathname="[security pki ca-profile AcumenCA\]" delimiter="" value=""] User 'acumensec' delete: [security pki ca-profile AcumenCA]

<29>1 2023-02-22T07:24:56.433Z Proliant_Node0 pkid 11250 PKID_PV_CERT_DEL [junos@2636.1.1.1.2.129 type-string="AcumenCA"] Certificate deletion has occurred for AcumenCA

FIA_X509_EXT.2

Auditable events: None

Additional audit record contents: None

FIA_X509_EXT.3

Auditable events: None

Additional audit record contents: None

FMT_MOF.1/Functions

Auditable events: None

Additional audit record contents: None

FMT_MOF.1/ManualUpdate

Auditable events: Any attempt to initiate a manual update.

Additional audit record contents: None

Audit records:

<190>1 2023-02-17T11:08:28.481Z Proliant_Node0 mgd 5002 UI_CHILD_START [junos@2636.1.1.1.2.129 command="/usr/libexec/ui/package"] Starting child '/usr/libexec/ui/package'

<29>1 2023-02-17T11:08:28.484Z Proliant_Node0 mgd 9302 - - /usr/libexec/ui/package -X update -reboot /var/home/acumensec/junos-install-vsrx3-x86-64-22.2R1.9.tgz

FMT_MOF.1/Services

Auditable events: None

Additional audit record contents: None

FMT_MTD.1/CoreData

Auditable events: None

Additional audit record contents: None

FMT_MTD.1/CryptoKeys

Auditable events: None

Additional audit record contents: None

FMT_SMF.1, FMT_SMF.1/VPN, FMT_SMF.1/FFW

Auditable events: All management activities of TSF data (including creation, modification and deletion of firewall rules).

Additional audit record contents: None

Audit records:

Ability to administer the TOE locally and remotely

Local

<37>1 2021-09-29T12:39:25.733Z VSRX_TOE login 20829 - - Login attempt for user acumensec from host [unknown]

<38>1 2021-09-29T12:39:31.884Z VSRX_TOE login 20829 LOGIN_INFORMATION [junos@2636.1.1.1.2.129 username="acumensec" hostname="[unknown\]" tty-name="ttyv0"] User acumensec logged in from host [unknown] on device ttyv0

<190>1 2021-09-29T12:39:32.226Z VSRX_TOE mgd 20847 UI_AUTH_EVENT [junos@2636.1.1.1.2.129 username="acumensec" authentication-level="j-super-user"] Authenticated user 'acumensec' assigned to class 'j-super-user'

<190>1 2021-09-29T12:39:32.226Z VSRX_TOE mgd 20847 UI_LOGIN_EVENT [junos@2636.1.1.1.2.129 username="acumensec" class-name="j-super-user" local-peer="" pid="20847" ssh-connection="" client-mode="cli"] User 'acumensec' login, class 'j-super-user' [20847], ssh-connection '', client-mode 'cli'

Remote

<38>1 2021-09-29T12:45:01.580Z VSRX_TOE sshd 21135 - - Accepted keyboard-interactive/pam for acumensec from 10.1.2.146 port 33504 ssh2

<190>1 2021-09-29T12:45:01.915Z VSRX_TOE mgd 21148 UI_AUTH_EVENT [junos@2636.1.1.1.2.129 username="acumensec" authentication-level="j-super-user"] Authenticated user 'acumensec' assigned to class 'j-super-user'

<190>1 2021-09-29T12:45:01.915Z VSRX_TOE mgd 21148 UI_LOGIN_EVENT [junos@2636.1.1.1.2.129 username="acumensec" class-name="j-super-user" local-peer="" pid="21148" ssh-connection="10.1.2.146 33504 10.1.2.129 22" client-mode="cli"] User 'acumensec' login, class 'j-super-user' [21148], ssh-connection '10.1.2.146 33504 10.1.2.129 22', client-mode 'cli'

Ability to configure the access banner

<182>1 2021-10-01T10:58:24.632Z VSRX_TOE mgd 54807 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[system login message\]" delimiter="\"" data="Login message: Only Authorized Users Allowed" value="This is a login message. Warning: Only authorized users allowed !"] User 'acumensec' set: [system login message] "Login message: Only Authorized Users Allowed -- "This is a login message. Warning: Only authorized users allowed !"

<182>1 2021-10-01T10:59:15.045Z VSRX_TOE mgd 54807 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[system login announcement\]" delimiter="\"" data="This is MOTD banner." value="This is an MOTD banner. \\n This is EXEC banner. \\n"] User 'acumensec' set: [system login announcement] "This is MOTD banner. -- "This is an MOTD banner. \n This is EXEC banner. \n"

Ability to configure the session inactivity time before session termination or locking

<182>1 2021-10-01T09:50:49.070Z VSRX_TOE mgd 48114 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[system login class security-admin idle-timeout\]" delimiter="" data="unconfigured" value="1"] User 'acumensec' set: [system login class security-admin idle-timeout] unconfigured -- "1"

<14>1 2021-10-01T09:52:56.150Z VSRX_TOE -cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.129 username="acumensec"] Idle timeout for user 'acumensec' exceeded and session terminated

Ability to update the TOE, and to verify the updates using digital signature and [published hash] capability prior to installing those updates

<190>1 2023-02-17T11:08:28.481Z Proliant_Node0 mgd 5002 UI_CHILD_START [junos@2636.1.1.1.2.129 command="/usr/libexec/ui/package"] Starting child '/usr/libexec/ui/package'

<29>1 2023-02-17T11:08:28.484Z Proliant_Node0 mgd 9302 - - /usr/libexec/ui/package -X update -reboot /var/home/acumensec/junos-install-vsrx3-x86-64-22.2R1.9.tgz

<118>1 2023-02-17T11:16:15.726Z Proliant_Node0 kernel - - - Verified os-kernel-prd-x86-64-20220607 signed by PackageProductionECP256_2022 method ECDSA256+SHA256

<118>1 2023-02-17T11:16:15.726Z Proliant_Node0 kernel - - - Verified os-libs-12-x86-64-20220607 signed by PackageProductionECP256_2022 method ECDSA256+SHA256

<118>1 2023-02-17T11:16:15.726Z Proliant_Node0 kernel - - - Verified os-runtime-x86-64-20220607 signed by PackageProductionECP256_2022 method ECDSA256+SHA256

<118>1 2023-02-17T11:16:15.726Z Proliant_Node0 kernel - - - Verified jail-runtime-x86-32-20220607 signed by PackageProductionECP256_2022 method ECDSA256+SHA256

<118>1 2023-02-17T11:16:15.726Z Proliant_Node0 kernel - - - Verified dsa-x86-64-22.9 signed by PackageProductionECP256_2022 method ECDSA256+SHA256

<118>1 2023-02-17T11:16:15.726Z Proliant_Node0 kernel - - - Verified fips-mode-x86-64-20220617 signed by PackageProductionECP256_2022 method ECDSA256+SHA256

Ability to configure the authentication failure parameters for FIA_AFL.1

<182>1 2023-02-22T10:37:08.552Z Proliant_Node0 mgd 12191 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[system login retry-options tries-before-disconnect\]" delimiter="" data="unconfigured" value="5"] User 'acumensec' set: [system login retry-options tries-before-disconnect] unconfigured -- "5"

<182>1 2023-02-22T10:37:08.553Z Proliant_Node0 mgd 12191 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[system login retry-options lockout-period\]" delimiter="" data="unconfigured" value="1"] User 'acumensec' set: [system login retry-options lockout-period] unconfigured -- "1"

Definition of packet filtering rules

<182>1 2023-02-22T07:12:41.900Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter TCP-ports term allow from protocol tcp\]" delimiter="" value=""] User 'acumensec' set: [firewall filter TCP-ports term allow from protocol tcp]

<182>1 2023-02-22T07:12:49.599Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter TCP-ports term allow then\]" delimiter="" data="unconfigured" value="accept"] User 'acumensec' set: [firewall filter TCP-ports term allow then] unconfigured -- "accept"

Association of packet filtering rules to network interfaces

<182>1 2023-02-22T10:46:34.748Z Proliant_Node0 mgd 12723 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[interfaces reth1 unit 0 family inet filter input\]" delimiter="" data="unconfigured" value="TCP_filter"] User 'acumensec' set: [interfaces reth1 unit 0 family inet filter input] unconfigured -- "TCP_filter"

Ordering of packet filtering rules by priority

<182>1 2023-02-22T11:16:15.344Z Proliant_Node0 mgd 12723 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall family inet filter dst-allow term allow then\]" delimiter="" data="unconfigured" value="accept"] User 'acumensec' set: [firewall family inet filter dst-allow term allow then] unconfigured -- "accept"

<182>1 2023-02-22T11:16:39.401Z Proliant_Node0 mgd 12723 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall family inet filter dst-allow term deny then discard\]" delimiter="" value=""] User 'acumensec' set: [firewall family inet filter dst-allow term deny then discard]

Ability to configure firewall rules

<182>1 2023-02-22T07:12:41.900Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter TCP-ports term allow from protocol tcp\]" delimiter="" value=""] User 'acumensec' set: [firewall filter TCP-ports term allow from protocol tcp]

<182>1 2023-02-22T07:12:49.599Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter TCP-ports term allow then\]" delimiter="" data="unconfigured" value="accept"] User 'acumensec' set: [firewall filter TCP-ports term allow then] unconfigured -- "accept"

Enable, disable signatures applied to sensor interfaces, and determine the behavior of IPS functionality

Signature enabled

<14>1 2022-08-02T11:50:20.785Z Proliant_Node0 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.146" source-port="22362" destination-address="10.1.5.29" destination-port="1" connection-tag="0" service-name="icmp" nat-source-address="10.1.1.146" nat-source-port="22362" nat-destination-address="10.1.5.29" nat-destination-port="1" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn-bypass" source-zone-name="trust" destination-zone-name="untrust" session-id="348283" username="N/A" roles="N/A" packet-incoming-interface="reth1.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" tunnel-inspection="Off" tunnel-inspection-policy-set="root" source-tenant="N/A" destination-service="N/A"] session created 10.1.1.146/22362->10.1.5.29/1 0x0 icmp 10.1.1.146/22362->10.1.5.29/1 0x0 N/A N/A N/A N/A 1 vpn-bypass trust untrust 348283 N/A(N/A) reth1.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A

<14>1 2022-08-02T11:50:20.786Z Proliant_Node0 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.129 epoch-time="1659440989" message-type="SIG" source-address="10.1.1.146" source-port="22355" destination-address="10.1.5.29" destination-port="25" protocol-name="ICMP" service-name="SERVICE_IDP" application-name="NONE" rule-name="1" rulebase-name="IPS" policy-name="IDP_Source" export-id="1048576" repeat-count="2" action="DROP" threat-severity="INFO" attack-name="IPv4_source" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="0.0.0.0" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="trust" source-interface-name="reth1.0" destination-zone-name="untrust" destination-interface-name="reth2.0" packet-log-id="0" alert="yes" username="N/A" roles="N/A" xff-header="N/A" cve-id="N/A" session-id="348238" message="-"] IDP: at 1659440989, SIG Attack log <10.1.1.146/22355->10.1.5.29/25> for ICMP protocol and service SERVICE_IDP application NONE by rule 1 of rulebase IPS in policy IDP_Source. attack: id=1048576, repeat=2, action=DROP, threat-severity=INFO, name=IPv4_source, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:reth1.0->untrust:reth2.0, packet-log-id: 0, alert=yes, username=N/A, roles=N/A, xff-header=N/A, cve-id=N/A, session-id=348238 and misc-message -


Signature disabled

<14>1 2022-08-02T14:24:46.700Z Proliant_Node0 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.146" source-port="22796" destination-address="10.1.5.29" destination-port="1" connection-tag="0" service-name="icmp" nat-source-address="10.1.1.146" nat-source-port="22796" nat-destination-address="10.1.5.29" nat-destination-port="1" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn-bypass" source-zone-name="trust" destination-zone-name="untrust" session-id="357681" username="N/A" roles="N/A" packet-incoming-interface="reth1.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" tunnel-inspection="Off" tunnel-inspection-policy-set="root" source-tenant="N/A" destination-service="N/A"] session created 10.1.1.146/22796->10.1.5.29/1 0x0 icmp 10.1.1.146/22796->10.1.5.29/1 0x0 N/A N/A N/A N/A 1 vpn-bypass trust untrust 357681 N/A(N/A) reth1.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A

Modify these parameters that define the network traffic to be collected and analyzed:

  • Source IP addresses (host address and network address)

    <182>1 2023-02-22T11:44:10.082Z Proliant_Node0 mgd 12723 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack IPv4-src attack-type signature protocol ipv4 source match\]" delimiter="" data="unconfigured" value="equal"] User 'acumensec' set: [security idp custom-attack IPv4-src attack-type signature protocol ipv4 source match] unconfigured -- "equal"

    <182>1 2023-02-22T11:44:10.083Z Proliant_Node0 mgd 12723 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack IPv4-src attack-type signature protocol ipv4 source value\]" delimiter="" data="unconfigured" value="10.1.1.146"] User 'acumensec' set: [security idp custom-attack IPv4-src attack-type signature protocol ipv4 source value] unconfigured -- "10.1.1.146"

  • Destination IP addresses (host address and network address)

    <182>1 2023-02-22T11:49:26.089Z Proliant_Node0 mgd 12723 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack IPv4-dst attack-type signature protocol ipv4 destination value\]" delimiter="" data="unconfigured" value="10.1.3.161"] User 'acumensec' set: [security idp custom-attack IPv4-dst attack-type signature protocol ipv4 destination value] unconfigured -- "10.1.3.161"

  • Source port (TCP and UDP)

    <182>1 2023-02-22T11:52:32.476Z Proliant_Node0 mgd 12723 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack TCP-src attack-type signature protocol tcp source-port value\]" delimiter="" data="unconfigured" value="1026"] User 'acumensec' set: [security idp custom-attack TCP-src attack-type signature protocol tcp source-port value] unconfigured -- "1026"

    <182>1 2023-02-22T11:54:44.137Z Proliant_Node0 mgd 12723 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack UDP-src attack-type signature protocol udp source-port value\]" delimiter="" data="unconfigured" value="1035"] User 'acumensec' set: [security idp custom-attack UDP-src attack-type signature protocol udp source-port value] unconfigured -- "1035"

  • Destination port (TCP and UDP)

    <182>1 2023-02-22T11:58:07.093Z Proliant_Node0 mgd 12723 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack TCP-dst attack-type signature protocol tcp destination-port value\]" delimiter="" data="unconfigured" value="1025"] User 'acumensec' set: [security idp custom-attack TCP-dst attack-type signature protocol tcp destination-port value] unconfigured -- "1025"

    <182>1 2023-02-22T11:59:43.020Z Proliant_Node0 mgd 12723 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack UDP-dst attack-type signature protocol udp destination-port value\]" delimiter="" data="unconfigured" value="1036"] User 'acumensec' set: [security idp custom-attack UDP-dst attack-type signature protocol udp destination-port value] unconfigured -- "1036"

  • Protocol (IPv4 and IPv6)

    <182>1 2023-02-22T12:13:46.343Z Proliant_Node0 mgd 12723 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack Proto-IPv4 attack-type signature protocol ipv4 protocol value\]" delimiter="" data="unconfigured" value="4"] User 'acumensec' set: [security idp custom-attack Proto-IPv4 attack-type signature protocol ipv4 protocol value] unconfigured -- "4"

    <182>1 2023-02-22T12:20:32.925Z Proliant_Node0 mgd 12723 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack Proto-IPv6 attack-type signature protocol ipv6 next-header value\]" delimiter="" data="unconfigured" value="41"] User 'acumensec' set: [security idp custom-attack Proto-IPv6 attack-type signature protocol ipv6 next-header value] unconfigured -- "41"

  • ICMP type and code

    <182>1 2023-02-22T12:26:20.596Z Proliant_Node0 mgd 12723 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack ICMP-type attack-type signature protocol icmp type value\]" delimiter="" data="unconfigured" value="8"] User 'acumensec' set: [security idp custom-attack ICMP-type attack-type signature protocol icmp type value] unconfigured -- "8"

    <182>1 2023-02-22T12:27:37.168Z Proliant_Node0 mgd 12723 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack ICMP-code attack-type signature protocol icmp code value\]" delimiter="" data="unconfigured" value="1"] User 'acumensec' set: [security idp custom-attack ICMP-code attack-type signature protocol icmp code value] unconfigured -- "1"

Update (import) signatures

<182>1 2022-08-03T07:29:40.597Z Proliant_Node0 mgd 44488 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security screen ids-option Pre-existing\]" delimiter="" data="unconfigured" value="alarm-without-drop"] User 'acumensec' set: [security screen ids-option Pre-existing] unconfigured -- "alarm-without-drop"

<182>1 2022-08-03T07:29:44.111Z Proliant_Node0 mgd 44488 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security screen ids-option Pre-existing ip\]" delimiter="" data="unconfigured" value="tear-drop"] User 'acumensec' set: [security screen ids-option Pre-existing ip] unconfigured -- "tear-drop"

Create custom signatures

<182>1 2022-08-05T12:45:03.832Z Proliant_Node0 mgd 150 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack IPv4-version severity\]" delimiter="" data="unconfigured" value="info"] User 'acumensec' set: [security idp custom-attack IPv4-version severity] unconfigured -- "info"

<182>1 2022-08-05T12:45:03.832Z Proliant_Node0 mgd 150 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack IPv4-version attack-type signature context\]" delimiter="" data="unconfigured" value="packet"] User 'acumensec' set: [security idp custom-attack IPv4-version attack-type signature context] unconfigured -- "packet"

<182>1 2022-08-05T12:45:03.832Z Proliant_Node0 mgd 150 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack IPv4-version attack-type signature direction\]" delimiter="" data="unconfigured" value="any"] User 'acumensec' set: [security idp custom-attack IPv4-version attack-type signature direction] unconfigured -- "any"

<182>1 2022-08-05T12:45:03.833Z Proliant_Node0 mgd 150 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack IPv4-version attack-type signature protocol ipv4 protocol match\]" delimiter="" data="unconfigured" value="equal"] User 'acumensec' set: [security idp custom-attack IPv4-version attack-type signature protocol ipv4 protocol match] unconfigured -- "equal"

<182>1 2022-08-05T12:45:03.833Z Proliant_Node0 mgd 150 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack IPv4-version attack-type signature protocol ipv4 protocol value\]" delimiter="" data="unconfigured" value="4"] User 'acumensec' set: [security idp custom-attack IPv4-version attack-type signature protocol ipv4 protocol value] unconfigured -- "4"

Configure anomaly detection

<182>1 2022-08-03T07:37:10.470Z Proliant_Node0 mgd 44488 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall policer policer-throughput\]" delimiter="" data="unconfigured" value="filter-specific"] User 'acumensec' set: [firewall policer policer-throughput] unconfigured -- "filter-specific"

<182>1 2022-08-03T07:37:10.471Z Proliant_Node0 mgd 44488 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall policer policer-throughput if-exceeding\]" delimiter="" value=""] User 'acumensec' set: [firewall policer policer-throughput if-exceeding]

<182>1 2022-08-03T07:37:10.471Z Proliant_Node0 mgd 44488 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall policer policer-throughput if-exceeding bandwidth-limit\]" delimiter="" data="unconfigured" value="32k"] User 'acumensec' set: [firewall policer policer-throughput if-exceeding bandwidth-limit] unconfigured -- "32k"

<182>1 2022-08-03T07:37:10.471Z Proliant_Node0 mgd 44488 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall policer policer-throughput if-exceeding burst-size-limit\]" delimiter="" data="unconfigured" value="1500"] User 'acumensec' set: [firewall policer policer-throughput if-exceeding burst-size-limit] unconfigured -- "1500"

<182>1 2022-08-03T07:37:21.158Z Proliant_Node0 mgd 44488 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall policer policer-throughput then\]" delimiter="" data="unconfigured" value="discard"] User 'acumensec' set: [firewall policer policer-throughput then] unconfigured -- "discard"

Enable and disable actions to be taken when signature or anomaly matches are detected

<182>1 2023-02-22T13:04:26.115Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall policer policer-throughput then\]" delimiter="" data="unconfigured" value="discard"] User 'acumensec' set: [firewall policer policer-throughput then] unconfigured -- "discard"

<182>1 2023-02-22T13:05:22.198Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="delete" pathname="[firewall policer policer-throughput then\]" delimiter="\"" value="discard"] User 'acumensec' delete: [firewall policer policer-throughput then] "discard

Modify thresholds that trigger IPS reactions

<182>1 2022-08-04T12:41:57.552Z Proliant_Node0 mgd 32710 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[services rpm probe owner test threshold-test target address\]" delimiter="" data="unconfigured" value="10.1.3.28"] User 'acumensec' set: [services rpm probe owner test threshold-test target address] unconfigured -- "10.1.3.28"

<182>1 2022-08-04T12:42:00.646Z Proliant_Node0 mgd 32710 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[services rpm probe owner test threshold-test thresholds rtt\]" delimiter="" data="unconfigured" value="50"] User 'acumensec' set: [services rpm probe owner test threshold-test thresholds rtt] unconfigured -- "50"

Modify the duration of traffic blocking actions

<182>1 2023-02-22T13:11:01.830Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[schedulers scheduler schedule-tuesday tuesday start-time 16:00 stop-time 16:30\]" delimiter="" value=""] User 'acumensec' set: [schedulers scheduler schedule-tuesday tuesday start-time 16:00 stop-time 16:30]

<182>1 2023-02-22T13:11:15.282Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security policies from-zone trust to-zone untrust policy vpn-deny scheduler-name\]" delimiter="" data="unconfigured" value="schedule-tuesday"] User 'acumensec' set: [security policies from-zone trust to-zone untrust policy vpn-deny scheduler-name] unconfigured -- "schedule-tuesday"

Modify the known-good and known-bad lists (of IP addresses or address ranges)

<182>1 2023-02-22T13:15:58.342Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security address-book book3 address known-good\]" delimiter="" data="unconfigured" value="10.1.1.146/32"] User 'acumensec' set: [security address-book book3 address known-good] unconfigured -- "10.1.1.146/32"

<182>1 2022-08-04T13:06:56.602Z Proliant_Node0 mgd 32710 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security address-book book3 address known-bad\]" delimiter="" data="unconfigured" value="10.1.3.161/32"] User 'acumensec' set: [security address-book book3 address known-bad] unconfigured -- "10.1.3.161/32"

Configure the known-good and known-bad lists to override signature-based IPS policies

<14>1 2022-08-05T10:14:49.398Z Proliant_Node0 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="10.1.1.146" source-port="0" destination-address="10.1.3.161" destination-port="0" connection-tag="0" service-name="icmp" protocol-id="1" icmp-type="8" policy-name="known-bad-policy" source-zone-name="trust" destination-zone-name="untrust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth1.0" encrypted="No" reason="Denied by policy" session-id="163556" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" source-tenant="N/A" destination-service="N/A"] session denied 10.1.1.146/0->10.1.3.161/0 0x0 icmp 1(8) known-bad-policy trust untrust UNKNOWN UNKNOWN N/A(N/A) reth1.0 No Denied by policy 163556 N/A N/A -1 N/A N/A N/A N/A N/A

<14>1 2022-08-05T10:55:54.403Z Proliant_Node0 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.3.161" source-port="0" destination-address="10.1.1.146" destination-port="0" connection-tag="0" service-name="icmp" nat-source-address="10.1.3.161" nat-source-port="0" nat-destination-address="10.1.1.146" nat-destination-port="0" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="known-good-policy" source-zone-name="untrust" destination-zone-name="trust" session-id="168100" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" tunnel-inspection="Off" tunnel-inspection-policy-set="root" source-tenant="N/A" destination-service="N/A"] session created 10.1.3.161/0->10.1.1.146/0 0x0 icmp 10.1.3.161/0->10.1.1.146/0 0x0 N/A N/A N/A N/A 1 known-good-policy untrust trust 168100 N/A(N/A) reth2.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A

Ability to manage the trusted public keys database

<182>1 2023-11-29T07:39:02.630Z Proliant_Node0 mgd 69627 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[system login user tester authentication ssh-ecdsa /* SECRET-DATA */\]" delimiter="" value=""] User 'acumensec' set: [system login user tester authentication ssh-ecdsa /* SECRET-DATA */]

Ability to manage the cryptographic keys

<38>1 2023-02-22T13:21:52.110Z Proliant_Node0 ssh-keygen 13377 - - Generated SSH key file /etc/ssh/fips_ssh_host_ecdsa_key.pub with fingerprint SHA256:QwCmhn5oD41IhNSSFGmjSIq0EKmubD6K71wlPtO+hEw

Ability to configure the cryptographic functionality

<190>1 2021-10-01T09:05:59.503Z VSRX_TOE mgd 46513 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.129 username="acumensec" command="set system services ssh ciphers aes128-cbc "] User 'acumensec', command 'set system services ssh ciphers aes128-cbc '

Ability to configure the lifetime for IPsec SAs

<182>1 2023-02-22T13:59:57.731Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security ipsec proposal ipsec-devices-proposal lifetime-seconds\]" delimiter="" data="unconfigured" value="28800"] User 'acumensec' set: [security ipsec proposal ipsec-devices-proposal lifetime-seconds] unconfigured -- "28800"

Ability to import X.509v3 certificates to the TOE's trust store

<29>1 2022-12-07T09:45:49.144Z Proliant_Node0 pkid 20720 PKID_PV_CERT_LOAD [junos@2636.1.1.1.2.129 type-string="AcumenICA"] Certificate AcumenICA has been successfully loaded

Ability to start and stop services

<190>1 2021-09-30T10:31:50.410Z VSRX_TOE mgd 82886 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.129 username="acumensec" command="set system services ssh "] User 'acumensec', command 'set system services ssh '

Ability to modify the behavior of the transmission of audit data to an external IT entity, the handling of audit data, the audit functionality when Local Audit Storage Space is full

<182>1 2023-02-22T14:07:52.135Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[system services netconf ssh\]" delimiter="" value=""] User 'acumensec' set: [system services netconf ssh]

<182>1 2023-02-22T14:05:18.020Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[system syslog file auditlog archive size\]" delimiter="" data="unconfigured" value="65536"] User 'acumensec' set: [system syslog file auditlog archive size] unconfigured -- "65536"

<182>1 2023-02-22T14:05:18.020Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[system syslog file auditlog archive files\]" delimiter="" data="unconfigured" value="3"] User 'acumensec' set: [system syslog file auditlog archive files] unconfigured -- "3"

Ability to configure thresholds for SSH rekeying

<182>1 2023-02-22T14:11:10.922Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[system services ssh rekey data-limit\]" delimiter="" data="unconfigured" value="6553600"] User 'acumensec' set: [system services ssh rekey data-limit] unconfigured -- "6553600"

Ability to re-enable an Administrator account

<37>1 2021-10-11T12:47:25.700Z VSRX_TOE sshd 9848 LIBJNX_LOGIN_ACCOUNT_UNLOCKED [junos@2636.1.1.1.2.129 username="acumensec"] Account for user 'acumensec' has been unlocked for logins

Ability to set the time which is used for time-stamps

<190>1 2021-10-05T06:21:00.970Z VSRX_TOE mgd 21760 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.129 username="acumensec" command="run set date 202110050630.00 "] User 'acumensec', command 'run set date 202110050630.00 '

<190>1 2021-10-05T06:21:00.989Z VSRX_TOE mgd 21760 UI_CHILD_START [junos@2636.1.1.1.2.129 command="/bin/date"] Starting child '/bin/date'

<37>1 2021-10-05T06:30:00.000Z VSRX_TOE date 21937 - - date set by root

<190>1 2021-10-05T06:30:00.002Z VSRX_TOE mgd 21760 UI_CHILD_STATUS [junos@2636.1.1.1.2.129 command="/bin/date" pid="21937" status-code="512"] Cleanup child '/bin/date', PID 21937, status 0x200

<29>1 2021-10-05T06:30:00.002Z VSRX_TOE mgd 21760 UI_CHILD_EXITED [junos@2636.1.1.1.2.129 pid="21937" return-value="2" core-dump-status="" command="/bin/date"] Child exited: PID 21937, status 2, command '/bin/date'

<30>1 2021-10-05T06:30:00.015Z VSRX_TOE nsd 23326 NSD_SYS_TIME_CHANGE - System time has changed.

Ability to configure NTP

<182>1 2023-02-22T14:23:37.828Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[system ntp server 10.1.1.160\]" delimiter="" value=""] User 'acumensec' set: [system ntp server 10.1.1.160]

<182>1 2023-02-22T14:24:54.508Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="delete" pathname="[system ntp server 10.1.1.160\]" delimiter="" value=""] User 'acumensec' delete: [system ntp server 10.1.1.160]

Ability to configure the reference identifier for the peer

<182>1 2023-11-29T07:29:05.116Z Proliant_Node0 mgd 69627 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security ike gateway gw-b remote-identity inet\]" delimiter="" data="unconfigured" value="10.1.5.251"] User 'acumensec' set: [security ike gateway gw-b remote-identity inet] unconfigured -- "10.1.5.251"

Ability to manage the TOE's trust store and designate X509.v3 certificates as trust anchors

<182>1 2023-02-22T07:21:57.600Z Proliant_Node0 mgd 13150 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security pki ca-profile AcumenCA ca-identity\]" delimiter="" data="unconfigured" value="AcumenCA"] User 'acumensec' set: [security pki ca-profile AcumenCA ca-identity] unconfigured -- "AcumenCA"

<29>1 2023-02-22T07:22:24.769Z Proliant_Node0 pkid 11250 PKID_PV_CERT_LOAD [junos@2636.1.1.1.2.129 type-string="AcumenCA"] Certificate AcumenCA has been successfully loaded

FMT_SMF.1/IPS

Modification of an IPS policy element.

Identifier or name of the modified IPS policy element (e.g. which signature, baseline, or known-good/known-bad list was modified).

<182>1 2023-02-22T11:44:10.082Z Proliant_Node0 mgd 12723 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack IPv4-src attack-type signature protocol ipv4 source match\]" delimiter="" data="unconfigured" value="equal"] User 'acumensec' set: [security idp custom-attack IPv4-src attack-type signature protocol ipv4 source match] unconfigured -- "equal"

<182>1 2023-02-22T11:44:10.083Z Proliant_Node0 mgd 12723 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp custom-attack IPv4-src attack-type signature protocol ipv4 source value\]" delimiter="" data="unconfigured" value="10.1.1.146"] User 'acumensec' set: [security idp custom-attack IPv4-src attack-type signature protocol ipv4 source value] unconfigured -- "10.1.1.146"

FMT_SMR.2

None

None

FPF_RUL_EXT.1

Application of rules configured with the ‘log’ operation

Source and destination addresses

Source and destination ports

Transport Layer Protocol

Time of Log: 2022-11-29 10:25:35 UTC, Filter: pfe, Filter action: discard, Name of interface: reth1.0

Name of protocol: TCP, Packet Length: 40, Source address: 10.1.1.146:20, Destination address: 10.1.3.161:1035

FPT_SKP_EXT.1

None

None

FPT_APW_EXT.1

None

None

FPT_TST_EXT.1

None

None

FPT_STM_EXT.1

Discontinuous changes to time - either Administrator actuated or changed via an automated process

(Note that no continuous changes to time need to be logged. See also application note on FPT_STM_EXT.1)

For discontinuous changes to time: The old and new values for the time. Origin of the attempt to change time for success and failure (e.g., IP address).

<190>1 2021-10-05T06:21:00.970Z VSRX_TOE mgd 21760 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.129 username="acumensec" command="run set date 202110050630.00 "] User 'acumensec', command 'run set date 202110050630.00 '

<190>1 2021-10-05T06:21:00.989Z VSRX_TOE mgd 21760 UI_CHILD_START [junos@2636.1.1.1.2.129 command="/bin/date"] Starting child '/bin/date'

<37>1 2021-10-05T06:30:00.000Z VSRX_TOE date 21937 - - date set by root

<190>1 2021-10-05T06:30:00.002Z VSRX_TOE mgd 21760 UI_CHILD_STATUS [junos@2636.1.1.1.2.129 command="/bin/date" pid="21937" status-code="512"] Cleanup child '/bin/date', PID 21937, status 0x200

<29>1 2021-10-05T06:30:00.002Z VSRX_TOE mgd 21760 UI_CHILD_EXITED [junos@2636.1.1.1.2.129 pid="21937" return-value="2" core-dump-status="" command="/bin/date"] Child exited: PID 21937, status 2, command '/bin/date'

<30>1 2021-10-05T06:30:00.015Z VSRX_TOE nsd 23326 NSD_SYS_TIME_CHANGE - System time has changed.

FPT_TUD_EXT.1

Initiation of update; result of the update attempt (success or failure)

None

<190>1 2023-02-17T11:08:28.481Z Proliant_Node0 mgd 5002 UI_CHILD_START [junos@2636.1.1.1.2.129 command="/usr/libexec/ui/package"] Starting child '/usr/libexec/ui/package'

<29>1 2023-02-17T11:08:28.484Z Proliant_Node0 mgd 9302 - - /usr/libexec/ui/package -X update -reboot /var/home/acumensec/junos-install-vsrx3-x86-64-22.2R1.9.tgz

FTA_SSL.3

The termination of a remote session by the session locking mechanism

None

<14>1 2021-10-01T09:52:56.150Z VSRX_TOE -cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.129 username="acumensec"] Idle timeout for user 'acumensec' exceeded and session terminated

<190>1 2021-10-01T09:52:56.158Z VSRX_TOE mgd 49989 UI_LOGOUT_EVENT [junos@2636.1.1.1.2.129 username="acumensec"] User 'acumensec' logout

FTA_SSL.4

The termination of an interactive session

None

<190>1 2021-10-01T10:08:16.234Z VSRX_TOE mgd 51170 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.129 username="acumensec" command="exit "] User 'acumensec', command 'exit '

<190>1 2021-10-01T10:08:16.235Z VSRX_TOE mgd 51170 UI_LOGOUT_EVENT [junos@2636.1.1.1.2.129 username="acumensec"] User 'acumensec' logout

FTA_SSL_EXT.1 (if “terminate the session” is selected)

The termination of a local session by the session locking mechanism

None

<14>1 2021-10-01T10:37:08.360Z VSRX_TOE -cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.129 username="acumensec"] Idle timeout for user 'acumensec' exceeded and session terminated

<190>1 2021-10-01T10:37:08.360Z VSRX_TOE mgd 53004 UI_LOGOUT_EVENT [junos@2636.1.1.1.2.129 username="acumensec"] User 'acumensec' logout

FTA_TAB.1

None

None

FTP_ITC.1

Initiation of the trusted channel

Termination of the trusted channel

Failure of the trusted channel functions

Identification of the initiator and target of failed trusted channels establishment attempt

Initiation

<38>1 2021-09-27T09:25:13.032Z VSRX_TOE sshd 70000 - - Accepted keyboard-interactive/pam for acumensec from 10.1.2.146 port 59010 ssh2

<190>1 2021-09-27T09:25:13.361Z VSRX_TOE mgd 70011 UI_AUTH_EVENT [junos@2636.1.1.1.2.129 username="acumensec" authentication-level="j-super-user"] Authenticated user 'acumensec' assigned to class 'j-super-user'

<190>1 2021-09-27T09:25:13.362Z VSRX_TOE mgd 70011 UI_LOGIN_EVENT [junos@2636.1.1.1.2.129 username="acumensec" class-name="j-super-user" local-peer="" pid="70011" ssh-connection="10.1.2.146 59010 10.1.2.129 22" client-mode="cli"] User 'acumensec' login, class 'j-super-user' [70011], ssh-connection '10.1.2.146 59010 10.1.2.129 22', client-mode 'cli'

Failure

<35>1 2021-09-27T09:41:37.763Z VSRX_TOE sshd 70783 - - error: PAM: Authentication error for acumensec from 10.1.2.146

<37>1 2021-09-27T09:41:37.763Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'

<35>1 2021-09-27T09:41:41.966Z VSRX_TOE sshd 70783 - - error: PAM: Authentication error for acumensec from 10.1.2.146

<37>1 2021-09-27T09:41:41.966Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'

<35>1 2021-09-27T09:41:50.812Z VSRX_TOE sshd 70783 - - error: PAM: Authentication error for acumensec from 10.1.2.146

<37>1 2021-09-27T09:41:50.812Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'

Termination

<37>1 2021-09-29T10:45:55.798Z VSRX_TOE sshd 14027 LIBJNX_LOGIN_ACCOUNT_LOCKED [junos@2636.1.1.1.2.129 username="acumensec"] Account for user 'acumensec' has been locked out from logins

<38>1 2021-09-29T10:45:55.799Z VSRX_TOE sshd 14027 - - Failed password for acumensec from 10.1.2.146 port 33362 ssh2

<37>1 2021-09-29T10:46:20.818Z VSRX_TOE sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD [junos@2636.1.1.1.2.129 limit="5" username="acumensec"] Threshold for unsuccessful authentication attempts (5) reached by user 'acumensec'

<38>1 2021-09-29T10:46:20.818Z VSRX_TOE sshd 14028 - - Disconnecting authenticating user acumensec 10.1.2.146 port 33362: Too many password failures for acumensec

<38>1 2021-09-29T10:46:20.819Z VSRX_TOE sshd 14027 - - Disconnecting authenticating user acumensec 10.1.2.146 port 33362: Too many password failures for acumensec [preauth]

FTP_TRP.1/Admin

Initiation of the trusted path

Termination of the trusted path.

Failure of the trusted path functions.

None

Initiation

<38>1 2021-10-01T11:07:41.592Z VSRX_TOE sshd 55853 - - Accepted keyboard-interactive/pam for acumensec from 10.1.2.146 port 35880 ssh2

<190>1 2021-10-01T11:07:41.942Z VSRX_TOE mgd 55864 UI_AUTH_EVENT [junos@2636.1.1.1.2.129 username="acumensec" authentication-level="j-super-user"] Authenticated user 'acumensec' assigned to class 'j-super-user'

<190>1 2021-10-01T11:07:41.942Z VSRX_TOE mgd 55864 UI_LOGIN_EVENT [junos@2636.1.1.1.2.129 username="acumensec" class-name="j-super-user" local-peer="" pid="55864" ssh-connection="10.1.2.146 35880 10.1.2.129 22" client-mode="cli"] User 'acumensec' login, class 'j-super-user' [55864], ssh-connection '10.1.2.146 35880 10.1.2.129 22', client-mode 'cli'

Failure

<35>1 2021-09-27T09:41:37.763Z VSRX_TOE sshd 70783 - - error: PAM: Authentication error for acumensec from 10.1.2.146

<37>1 2021-09-27T09:41:37.763Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'

<35>1 2021-09-27T09:41:41.966Z VSRX_TOE sshd 70783 - - error: PAM: Authentication error for acumensec from 10.1.2.146

<37>1 2021-09-27T09:41:41.966Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'

<35>1 2021-09-27T09:41:50.812Z VSRX_TOE sshd 70783 - - error: PAM: Authentication error for acumensec from 10.1.2.146

<37>1 2021-09-27T09:41:50.812Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'

Termination

<37>1 2021-09-29T10:45:55.798Z VSRX_TOE sshd 14027 LIBJNX_LOGIN_ACCOUNT_LOCKED [junos@2636.1.1.1.2.129 username="acumensec"] Account for user 'acumensec' has been locked out from logins

<38>1 2021-09-29T10:45:55.799Z VSRX_TOE sshd 14027 - - Failed password for acumensec from 10.1.2.146 port 33362 ssh2

<37>1 2021-09-29T10:46:20.818Z VSRX_TOE sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD [junos@2636.1.1.1.2.129 limit="5" username="acumensec"] Threshold for unsuccessful authentication attempts (5) reached by user 'acumensec'

<38>1 2021-09-29T10:46:20.818Z VSRX_TOE sshd 14028 - - Disconnecting authenticating user acumensec 10.1.2.146 port 33362: Too many password failures for acumensec

<38>1 2021-09-29T10:46:20.819Z VSRX_TOE sshd 14027 - - Disconnecting authenticating user acumensec 10.1.2.146 port 33362: Too many password failures for acumensec [preauth]
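The records in this table share one wire format: an RFC 5424 header (`<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID`), an optional structured-data element `[junos@2636.1.1.1.2.129 name="value" ...]`, and the free-text message. The parser below is an added example, not Juniper documentation or Junos code; it turns the UI_CFG_AUDIT_SET/UI_CFG_AUDIT_OTHER configuration-change records, the SSHD_LOGIN_FAILED / LIBJNX_LOGIN_ACCOUNT_LOCKED sequence, the NSD_SYS_TIME_CHANGE record and the RT_FLOW session records above into a short triage report. The sample lines are copied from this page; the `SENSITIVE_PATHS` mapping and the failure threshold of 3 are illustrative assumptions of the example, not Junos settings.

```python
"""Parse Junos RFC 5424 syslog records and flag the audit events worth triage.

Added example, not part of the Junos documentation or of Junos itself. SAMPLE_LOG
is copied from records on this page; SENSITIVE_PATHS and the login-failure
threshold are illustrative assumptions, not Junos settings.
"""
import re
from collections import Counter

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then
# "-" (no structured data) or '[SD-ID name="value" ...]', then the free-text MSG.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.DOTALL)
# One SD-PARAM; a value may carry the RFC 5424 escapes \" \] \\ (Junos writes \] in pathname)
SD_PARAM = r'[^ =\]"]+="(?:[^"\\]|\\.)*"'
SD_ELEMENT = re.compile(r"^\[(?P<sdid>\S+?)(?P<params>(?: " + SD_PARAM + r")*)\]")
PARAM = re.compile(r'(?P<name>[^ =\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')

# Assumed mapping of configuration-path prefixes to the security function they
# touch: an illustrative triage policy for this example, not a Junos feature.
SENSITIVE_PATHS = (
    ("system syslog", "audit-storage"), ("system ntp", "time-source"),
    ("system services ssh", "crypto-config"), ("system login user", "accounts"),
    ("security ipsec", "crypto-config"), ("security ike", "crypto-config"),
    ("security pki", "trust-store"), ("security idp", "ips-policy"),
    ("security screen", "ips-policy"), ("security address-book", "ips-policy"),
    ("security policies", "ips-policy"), ("firewall policer", "ips-policy"),
)

def parse_record(line):
    """Split one syslog line into header fields, a structured-data dict and the message."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 record: %r" % line[:60])
    pri = int(m.group("pri"))                 # PRI = facility * 8 + severity
    rec = {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
           "host": m.group("host"), "app": m.group("app"), "procid": m.group("procid"),
           "msgid": m.group("msgid"), "sd_id": None, "sd": {}, "msg": ""}
    rest = m.group("rest")
    if rest.startswith("-"):                  # NILVALUE: plain message, no SD element
        rec["msg"] = rest[1:].strip()
        return rec
    sd = SD_ELEMENT.match(rest)
    if not sd:
        raise ValueError("malformed structured data: %r" % rest[:60])
    rec["sd_id"] = sd.group("sdid")
    for p in PARAM.finditer(sd.group("params")):
        # Undo SD escaping, so pathname="[system ntp server 10.1.1.160\]" ends in a plain "]"
        rec["sd"][p.group("name")] = re.sub(r"\\(.)", r"\1", p.group("value"))
    rec["msg"] = rest[sd.end():].strip()
    return rec

def classify_change(rec):
    """For UI_CFG_AUDIT_SET/OTHER records return (user, action, path, value, tag), else None."""
    if not rec["msgid"].startswith("UI_CFG_AUDIT_"):
        return None
    sd = rec["sd"]
    path = sd.get("pathname", "").strip("[]")
    tag = next((t for prefix, t in SENSITIVE_PATHS if path.startswith(prefix)), "other")
    return (sd.get("username"), sd.get("action"), path, sd.get("value", ""), tag)

def failed_logins(records, threshold=3):
    """Count SSHD_LOGIN_FAILED per (user, source address); return pairs at or over threshold."""
    counts = Counter((r["sd"].get("username"), r["sd"].get("source-address"))
                     for r in records if r["msgid"] == "SSHD_LOGIN_FAILED")
    return {key: n for key, n in counts.items() if n >= threshold}

def audit_report(lines, threshold=3):
    """Parse every line and summarise what an auditor would look at first."""
    records = [parse_record(l) for l in lines if l.strip()]
    changes = [c for c in map(classify_change, records) if c]
    return {
        "sensitive_changes": [c for c in changes if c[4] != "other"],
        "deletions": [c for c in changes if c[1] == "delete"],
        "brute_force": failed_logins(records, threshold),
        "lockouts": [r["sd"]["username"] for r in records if r["msgid"] == "LIBJNX_LOGIN_ACCOUNT_LOCKED"],
        "time_changes": [r["timestamp"] for r in records if r["msgid"] == "NSD_SYS_TIME_CHANGE"],
        # RT_FLOW records: which policy decided, for which address pair, on which ingress interface
        "flow_decisions": [(r["msgid"], r["sd"]["policy-name"], r["sd"]["source-address"],
                            r["sd"]["destination-address"], r["sd"]["packet-incoming-interface"])
                           for r in records if r["msgid"].startswith("RT_FLOW_SESSION_")],
    }

# Records copied from this page, one per line (raw string keeps the \] and \" escapes intact).
SAMPLE_LOG = r"""
<182>1 2023-02-22T14:05:18.020Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[system syslog file auditlog archive size\]" delimiter="" data="unconfigured" value="65536"] User 'acumensec' set: [system syslog file auditlog archive size] unconfigured -- "65536"
<182>1 2023-02-22T14:24:54.508Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="delete" pathname="[system ntp server 10.1.1.160\]" delimiter="" value=""] User 'acumensec' delete: [system ntp server 10.1.1.160]
<182>1 2023-02-22T13:05:22.198Z Proliant_Node0 mgd 12129 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="delete" pathname="[firewall policer policer-throughput then\]" delimiter="\"" value="discard"] User 'acumensec' delete: [firewall policer policer-throughput then] "discard
<30>1 2021-10-05T06:30:00.015Z VSRX_TOE nsd 23326 NSD_SYS_TIME_CHANGE - System time has changed.
<37>1 2021-09-27T09:41:37.763Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'
<37>1 2021-09-27T09:41:41.966Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'
<37>1 2021-09-27T09:41:50.812Z VSRX_TOE sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.129 username="acumensec" source-address="10.1.2.146"] Login failed for user 'acumensec' from host '10.1.2.146'
<37>1 2021-09-29T10:45:55.798Z VSRX_TOE sshd 14027 LIBJNX_LOGIN_ACCOUNT_LOCKED [junos@2636.1.1.1.2.129 username="acumensec"] Account for user 'acumensec' has been locked out from logins
<14>1 2022-08-05T10:14:49.398Z Proliant_Node0 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="10.1.1.146" source-port="0" destination-address="10.1.3.161" destination-port="0" connection-tag="0" service-name="icmp" protocol-id="1" icmp-type="8" policy-name="known-bad-policy" source-zone-name="trust" destination-zone-name="untrust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth1.0" encrypted="No" reason="Denied by policy" session-id="163556" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" source-tenant="N/A" destination-service="N/A"] session denied 10.1.1.146/0->10.1.3.161/0 0x0 icmp 1(8) known-bad-policy trust untrust UNKNOWN UNKNOWN N/A(N/A) reth1.0 No Denied by policy 163556 N/A N/A -1 N/A N/A N/A N/A N/A
<38>1 2021-09-27T09:25:13.032Z VSRX_TOE sshd 70000 - - Accepted keyboard-interactive/pam for acumensec from 10.1.2.146 port 59010 ssh2
""".strip().splitlines()

REPORT = audit_report(SAMPLE_LOG)   # parsed once at import so the module is runnable as-is
```

Two details matter when feeding these records to a SIEM. The `pathname` values contain `\]`, the RFC 5424 escape for a literal `]` inside a parameter, so a parser that finds the end of the structured-data element by searching for the first `]` will truncate every configuration path at its closing bracket; the regex above only stops at an unescaped `]`. And the failure threshold in the example is the analyst's, separate from the device's own limit, which appears in the SSHD_LOGIN_ATTEMPTS_THRESHOLD record above as `limit="5"`.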

IPS Logs

FMT_SMF.1/IPS

Modification of an IPS policy element. Identifier or name of the modified IPS policy element (e.g. which signature, baseline, or known-good/known-bad list was modified).

<182>1 2022-08-05T12:47:47.327Z Proliant_Node0 mgd 150 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security idp idp-policy deny-policy rulebase-ips rule rule1 match from-zone\]" delimiter="" data="unconfigured" value="any"] User 'acumensec' set: [security idp idp-policy deny-policy rulebase-ips rule rule1 match from-zone] unconfigured -- "any"

IPS_ABD_EXT.1

Inspected traffic matches an anomaly-based IPS policy.

Source and destination IP addresses.

The content of the header fields that were determined to match the policy.

TOE interface that received the packet

Aspect of the anomaly-based IPS policy rule that triggered the event (e.g. throughput, time of day, frequency, etc.).

Network-based action by the TOE (e.g. allowed, blocked, sent reset to source IP, sent blocking notification to firewall).

<14>1 2022-08-04T10:58:34.276Z Proliant_Node0 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="2001:10:1:3:0:0:0:28" source-port="0" destination-address="2001:10:1:1:0:0:0:128" destination-port="0" connection-tag="0" service-name="icmpv6" protocol-id="58" icmp-type="128" policy-name="schedule" source-zone-name="untrust" destination-zone-name="trust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" encrypted="No" reason="Denied by policy" session-id="21108" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" source-tenant="N/A" destination-service="N/A"] session denied 2001:10:1:3:0:0:0:28/0->2001:10:1:1:0:0:0:128/0 0x0 icmpv6 58(128) schedule untrust trust UNKNOWN UNKNOWN N/A(N/A) reth2.0 No Denied by policy 21108 N/A N/A -1 N/A N/A N/A N/A N/A

IPS_IPB_EXT.1

Inspected traffic matches a list of known-good or known-bad addresses applied to an IPS policy.

Source and destination IP addresses (and, if applicable, indication of whether the source and/or destination address matched the list).

TOE interface that received the packet.

Network-based action by the TOE (e.g. allowed, blocked, sent reset).

<14>1 2022-08-05T10:55:54.403Z Proliant_Node0 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.3.161" source-port="0" destination-address="10.1.1.146" destination-port="0" connection-tag="0" service-name="icmp" nat-source-address="10.1.3.161" nat-source-port="0" nat-destination-address="10.1.1.146" nat-destination-port="0" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="known-good-policy" source-zone-name="untrust" destination-zone-name="trust" session-id="168100" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" tunnel-inspection="Off" tunnel-inspection-policy-set="root" source-tenant="N/A" destination-service="N/A"] session created 10.1.3.161/0->10.1.1.146/0 0x0 icmp 10.1.3.161/0->10.1.1.146/0 0x0 N/A N/A N/A N/A 1 known-good-policy untrust trust 168100 N/A(N/A) reth2.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A

<14>1 2022-08-05T10:14:49.398Z Proliant_Node0 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="10.1.1.146" source-port="0" destination-address="10.1.3.161" destination-port="0" connection-tag="0" service-name="icmp" protocol-id="1" icmp-type="8" policy-name="known-bad-policy" source-zone-name="trust" destination-zone-name="untrust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth1.0" encrypted="No" reason="Denied by policy" session-id="163556" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" source-tenant="N/A" destination-service="N/A"] session denied 10.1.1.146/0->10.1.3.161/0 0x0 icmp 1(8) known-bad-policy trust untrust UNKNOWN UNKNOWN N/A(N/A) reth1.0 No Denied by policy 163556 N/A N/A -1 N/A N/A N/A N/A N/A

IPS_NTA_EXT.1

Modification of which IPS policies are active on a TOE interface.

Enabling/disabling a TOE interface with IPS policies applied.

Modification of which mode(s) is/are active on a TOE interface.

Identification of the TOE interface.

The IPS policy and interface mode (if applicable).

Modification of which IPS policies are active on a TOE interface.

<182>1 2023-09-27T10:12:14.782Z Proliant_Node0 mgd 39458 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security zones security-zone trust interfaces reth1.0\]" delimiter="" value=""] User 'acumensec' set: [security zones security-zone trust interfaces reth1.0]

<182>1 2023-09-27T10:12:41.394Z Proliant_Node0 mgd 39458 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[security policies from-zone trust to-zone untrust policy bypass then permit application-services idp-policy\]" delimiter="" data="unconfigured" value="IDP_src"] User 'acumensec' set: [security policies from-zone trust to-zone untrust policy bypass then permit application-services idp-policy] unconfigured -- "IDP_src"

Enabling/disabling a TOE interface with IPS policies applied.

<182>1 2023-09-27T10:16:32.546Z Proliant_Node0 mgd 39458 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[interfaces reth1 unit 0\]" delimiter="" data="unconfigured" value="disable"] User 'acumensec' set: [interfaces reth1 unit 0] unconfigured -- "disable"

Modification of which mode(s) is/are active on a TOE interface.

<182>1 2023-09-27T10:19:04.627Z Proliant_Node0 mgd 39458 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[interfaces reth1\]" delimiter="" data="unconfigured" value="promiscuous-mode"] User 'acumensec' set: [interfaces reth1] unconfigured -- "promiscuous-mode"

IPS_SBD_EXT.1 Inspected traffic matches a signature-based IPS rule with logging enabled.

Name or identifier of the matched signature

Source and destination IP addresses

The content of the header fields that were determined to match the signature.

TOE interface that received the packet

Network-based action by the TOE (e.g. allowed, blocked, sent reset)

<14>1 2022-08-05T13:05:12.092Z Proliant_Node0 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.129 epoch-time="1659704712" message-type="SIG" source-address="10.1.1.146" source-port="1" destination-address="10.1.3.161" destination-port="1" protocol-name="IPIP" service-name="SERVICE_IDP" application-name="NONE" rule-name="1" rulebase-name="IPS" policy-name="deny-policy" export-id="1048576" repeat-count="0" action="DROP" threat-severity="INFO" attack-name="IPv4-version" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="0.0.0.0" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="trust" source-interface-name="reth1.0" destination-zone-name="untrust" destination-interface-name="reth2.0" packet-log-id="0" alert="yes" username="N/A" roles="N/A" xff-header="N/A" cve-id="N/A" session-id="181445" message="-"] IDP: at 1659704712, SIG Attack log <10.1.1.146/1->10.1.3.161/1> for IPIP protocol and service SERVICE_IDP application NONE by rule 1 of rulebase IPS in policy deny-policy. attack: id=1048576, repeat=0, action=DROP, threat-severity=INFO, name=IPv4-version, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:reth1.0->untrust:reth2.0, packet-log-id: 0, alert=yes, username=N/A, roles=N/A, xff-header=N/A, cve-id=N/A, session-id=181445 and misc-message -
VPNGW Logs
FAU_GEN.1/VPN No events specified. N/A N/A
FCS_CKM.1/IKE No events specified. N/A N/A
FIA_PSK_EXT.1 None. None. N/A
FIA_PSK_EXT.2 None. None. N/A
FMT_SMF.1/VPN All administrative actions No additional information.
  • Definition of packet filtering rules:

    <182>1 2023-02-01T11:31:10.142Z Proliant_Node0 mgd 81936 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall family inet filter SRC_DENY term drop from source-address 10.1.1.146/32\]" delimiter="" value=""] User 'acumensec' set: [firewall family inet filter SRC_DENY term drop from source-address 10.1.1.146/32]

    <182>1 2023-02-01T11:31:43.123Z Proliant_Node0 mgd 81936 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall family inet filter SRC_DENY term drop then discard\]" delimiter="" value=""] User 'acumensec' set: [firewall family inet filter SRC_DENY term drop then discard]

    <182>1 2023-02-01T11:31:47.137Z Proliant_Node0 mgd 81936 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall family inet filter SRC_DENY term drop then\]" delimiter="" data="unconfigured" value="log"] User 'acumensec' set: [firewall family inet filter SRC_DENY term drop then] unconfigured -- "log"

  • Association of packet filtering rules to network interfaces

    <182>1 2023-02-01T11:37:19.068Z Proliant_Node0 mgd 81936 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[interfaces st0 unit 0 family inet filter output\]" delimiter="" data="unconfigured" value="SRC_DENY"] User 'acumensec' set: [interfaces st0 unit 0 family inet filter output] unconfigured -- "SRC_DENY"
  • Ordering of packet filtering rules by priority

    <182>1 2023-02-01T11:41:01.701Z Proliant_Node0 mgd 81936 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter DEST_PERMIT term permit from destination-address 10.1.3.161/32\]" delimiter="" value=""] User 'acumensec' set: [firewall filter DEST_PERMIT term permit from destination-address 10.1.3.161/32]

    <182>1 2023-02-01T11:41:07.196Z Proliant_Node0 mgd 81936 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter DEST_PERMIT term permit then\]" delimiter="" data="unconfigured" value="accept"] User 'acumensec' set: [firewall filter DEST_PERMIT term permit then] unconfigured -- "accept"

    <182>1 2023-02-01T11:41:09.880Z Proliant_Node0 mgd 81936 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter DEST_PERMIT term permit then\]" delimiter="" data="unconfigured" value="log"] User 'acumensec' set: [firewall filter DEST_PERMIT term permit then] unconfigured -- "log"

    <182>1 2023-02-01T11:41:21.622Z Proliant_Node0 mgd 81936 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter DEST_PERMIT term drop from destination-address 10.1.3.161/32\]" delimiter="" value=""] User 'acumensec' set: [firewall filter DEST_PERMIT term drop from destination-address 10.1.3.161/32]

    <182>1 2023-02-01T11:41:31.951Z Proliant_Node0 mgd 81936 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter DEST_PERMIT term drop then discard\]" delimiter="" value=""] User 'acumensec' set: [firewall filter DEST_PERMIT term drop then discard]

    <182>1 2023-02-01T11:41:34.822Z Proliant_Node0 mgd 81936 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 username="acumensec" action="set" pathname="[firewall filter DEST_PERMIT term drop then\]" delimiter="" data="unconfigured" value="log"] User 'acumensec' set: [firewall filter DEST_PERMIT term drop then] unconfigured -- "log"

FPF_RUL_EXT.1 Application of rules configured with the 'log' operation

Source and destination addresses

Source and destination ports

Transport layer protocol

{primary:node0}[edit]

acumensec@Proliant_Node0:fips# run show firewall log detail

Time of Log: 2022-11-29 10:16:39 UTC, Filter: pfe, Filter action: accept, Name of interface: reth1.0

Name of Protocol: TCP, Packet Length: 40, Source address: 10.1.1.146:1300, Destination address: 10.1.3.161:80

Time of Log: 2022-11-29 10:16:39 UTC, Filter: pfe, Filter action: accept, Name of interface: reth1.0

Name of Protocol: TCP, Packet Length: 40, Source address: 10.1.1.146:1300, Destination address: 10.1.3.161:80

Time of Log: 2022-11-29 10:16:39 UTC, Filter: pfe, Filter action: accept, Name of interface: reth1.0

Name of Protocol: TCP, Packet Length: 40, Source address: 10.1.1.146:1300, Destination address: 10.1.3.161:80

Time of Log: 2022-11-29 10:16:36 UTC, Filter: pfe, Filter action: discard, Name of interface: reth1.0

Name of Protocol: TCP, Packet Length: 40, Source address: 10.1.1.146:1200, Destination address: 10.1.3.161:80

Time of Log: 2022-11-29 10:16:36 UTC, Filter: pfe, Filter action: discard, Name of interface: reth1.0

Name of Protocol: TCP, Packet Length: 40, Source address: 10.1.1.146:1200, Destination address: 10.1.3.161:80

Time of Log: 2022-11-29 10:16:36 UTC, Filter: pfe, Filter action: discard, Name of interface: reth1.0

Name of Protocol: TCP, Packet Length: 40, Source address: 10.1.1.146:1200, Destination address: 10.1.3.161:80

FPT_FLS.1/SelfTest No events specified. N/A N/A

FPT_TST_EXT.3 No events specified. N/A N/A

FTP_ITC.1/VPN

Initiation of the trusted channel

No additional information.

Initiation

<14>1 2022-07-15T07:32:37.658Z Proliant_Node0 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.146" source-port="11276" destination-address="10.1.3.28" destination-port="1" connection-tag="0" service-name="icmp" nat-source-address="10.1.1.146" nat-source-port="11276" nat-destination-address="10.1.3.28" nat-destination-port="1" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn-allow" source-zone-name="trust" destination-zone-name="vpnzone" session-id="3802" username="N/A" roles="N/A" packet-incoming-interface="reth1.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" tunnel-inspection="Off" tunnel-inspection-policy-set="root" source-tenant="N/A" destination-service="N/A"] session created 10.1.1.146/11276->10.1.3.28/1 0x0 icmp 10.1.1.146/11276->10.1.3.28/1 0x0 N/A N/A N/A N/A 1 vpn-allow trust vpnzone 3802 N/A(N/A) reth1.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A

FTP_ITC.1/VPN

Termination of the trusted channel

No additional information.

Termination

<14>1 2022-07-15T13:17:56.130Z Proliant_Node0 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="10.1.1.146" source-port="57642" destination-address="10.1.3.28" destination-port="22" connection-tag="0" service-name="junos-ssh" protocol-id="6" icmp-type="0" policy-name="vpn-deny" source-zone-name="trust" destination-zone-name="vpnzone" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth1.0" encrypted="No" reason="Denied by policy" session-id="41942" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" source-tenant="N/A" destination-service="N/A"] session denied 10.1.1.146/57642->10.1.3.28/22 0x0 junos-ssh 6(0) vpn-deny trust vpnzone UNKNOWN UNKNOWN N/A(N/A) reth1.0 No Denied by policy 41942 N/A N/A -1 N/A N/A N/A N/A N/A

<14>1 2022-07-15T13:17:58.129Z Proliant_Node0 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="10.1.1.146" source-port="57642" destination-address="10.1.3.28" destination-port="22" connection-tag="0" service-name="junos-ssh" protocol-id="6" icmp-type="0" policy-name="vpn-deny" source-zone-name="trust" destination-zone-name="vpnzone" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth1.0" encrypted="No" reason="Denied by policy" session-id="41943" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" source-tenant="N/A" destination-service="N/A"] session denied 10.1.1.146/57642->10.1.3.28/22 0x0 junos-ssh 6(0) vpn-deny trust vpnzone UNKNOWN UNKNOWN N/A(N/A) reth1.0 No Denied by policy 41943 N/A N/A -1 N/A N/A N/A N/A N/A

FTP_ITC.1/VPN

Failure of the trusted channel functions

Identification of the initiator and target of failed trusted channel establishment attempt

Failure

<27>1 2022-07-25T07:32:45.548Z Proliant_Node0 kmd 20805 - - IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: ike-vpn-devices Gateway: gw-b, Local: 10.1.5.129/500, Remote: 10.1.5.29/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator

<27>1 2022-07-25T07:32:46.554Z Proliant_Node0 kmd 20805 - - IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: ike-vpn-devices Gateway: gw-b, Local: 10.1.5.129/500, Remote: 10.1.5.29/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
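The records in the IPS_IPB_EXT.1, IPS_NTA_EXT.1, IPS_SBD_EXT.1, FMT_SMF.1/VPN and FTP_ITC.1/VPN rows above are RFC 5424 structured syslog: a header, one `[junos@2636.1.1.1.2.129 ...]` SD-element carrying the fields as key="value" pairs (a `]` inside a value is escaped as `\]`), and a free-text message; kmd's IKE failures carry no SD-element, so the initiator and target have to come out of the message text, and the FPF_RUL_EXT.1 row is `show firewall log detail` output rather than syslog. The following parser is an added example, not Juniper's code or anything from this guide: it reads those formats and reports, per requirement, whether a record carries the "additional audit record contents" the table calls for. The mapping from log fields to those requirements is this example's own reading of the table, the sample lines are abbreviated copies of records shown above (fields dropped, values unchanged), and the IDP `NONE` action mapping is an assumption since only `DROP` appears on this page.

```python
"""Extract the audit-record contents that the IPS, packet-filter and VPN rows of this
table call for from Junos structured-syslog (RFC 5424) records and from
'show firewall log detail' output.  Added example; not Juniper's code."""
import re
from typing import Any, Dict, List, Optional

# RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG.  Junos carries its fields in one
# SD-element; kmd writes '-' (no SD-element).  The element ends at the first bare ']'.
_HEADER = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
    r'(?:-|\[(?P<sdid>[^\s\]]+)(?P<params>.*?)(?<!\\)\]) ?(?P<msg>.*)$')
_PARAM = re.compile(r'(?P<k>[\w-]+)="(?P<v>(?:[^"\\]|\\.)*)"')
_IKE_REASON = re.compile(r'error: ([^.]*)\.')
_IKE_PEERS = re.compile(r'Local: (\S+), Remote: (\S+),')
# IDP_ATTACK_LOG_EVENT action values: only DROP appears on this page; NONE is assumed.
_IDP_ACTION = {'DROP': 'blocked', 'NONE': 'allowed'}
REQUIRED = {   # the "additional audit record contents" column, by field name
    'IPS_IPB_EXT.1': ('src', 'dst', 'interface', 'action'),
    'IPS_SBD_EXT.1': ('signature', 'src', 'dst', 'interface', 'action'),
    'IPS_NTA_EXT.1': ('user', 'path', 'action'),
    'FTP_ITC.1/VPN': ('local', 'remote', 'reason'),
}

def parse_syslog(line: str) -> Optional[Dict[str, Any]]:
    """Header fields plus every SD-PARAM, with RFC 5424 backslash escapes removed."""
    m = _HEADER.match(line.strip())
    if m is None:
        return None
    rec: Dict[str, Any] = {k: m.group(k) or '' for k in ('ts', 'host', 'app', 'procid', 'msgid', 'msg')}
    pri = int(m.group('pri'))
    rec['facility'], rec['severity'] = pri // 8, pri % 8
    for p in _PARAM.finditer(m.group('params') or ''):
        rec[p.group('k')] = re.sub(r'\\([\]"\\])', r'\1', p.group('v'))
    return rec

def audit_fields(line: str) -> Optional[Dict[str, Any]]:
    """Map one record to the field names used in REQUIRED; None if it is not an audited event."""
    rec = parse_syslog(line)
    if rec is None:
        return None
    msgid, out = rec['msgid'], {'time': rec['ts'], 'severity': rec['severity']}
    if msgid in ('RT_FLOW_SESSION_CREATE', 'RT_FLOW_SESSION_DENY'):   # IPS_IPB_EXT.1, FTP_ITC.1/VPN
        out.update(src=rec.get('source-address'), dst=rec.get('destination-address'),
                   interface=rec.get('packet-incoming-interface'), policy=rec.get('policy-name'),
                   action='allowed' if msgid.endswith('CREATE') else 'blocked')
    elif msgid == 'IDP_ATTACK_LOG_EVENT':                               # IPS_SBD_EXT.1
        out.update(signature=rec.get('attack-name'), src=rec.get('source-address'),
                   dst=rec.get('destination-address'), interface=rec.get('source-interface-name'),
                   action=_IDP_ACTION.get(rec.get('action'), rec.get('action')))
    elif msgid.startswith('UI_CFG_AUDIT_'):                             # IPS_NTA_EXT.1, FMT_SMF.1/VPN
        out.update(user=rec.get('username'), action=rec.get('action'),
                   path=rec.get('pathname'), value=rec.get('value'))
    elif rec['app'] == 'kmd' and 'negotiation failed' in rec['msg']:    # FTP_ITC.1/VPN failure
        reason, peers = _IKE_REASON.search(rec['msg']), _IKE_PEERS.search(rec['msg'])
        out.update(reason=reason and reason.group(1), local=peers and peers.group(1),
                   remote=peers and peers.group(2), action='failed')
    else:
        return None
    return out

def missing_fields(line: str, requirement: str) -> List[str]:
    """Required names the record does not supply; every name if the line does not parse."""
    fields = audit_fields(line) or {}
    return [k for k in REQUIRED[requirement] if not fields.get(k)]

# 'show firewall log detail' (FPF_RUL_EXT.1 row) prints two lines per logged packet.
_FW = re.compile(r'Time of Log: (?P<time>[^,]+), Filter: (?P<filter>\S+), Filter action: (?P<action>\S+), '
                 r'Name of interface: (?P<interface>\S+)\s+Name of Protocol: (?P<proto>\S+), Packet Length: \d+, '
                 r'Source address: (?P<src>\S+):(?P<sport>\d+), Destination address: (?P<dst>\S+):(?P<dport>\d+)')

def parse_firewall_log(text: str) -> List[Dict[str, str]]:
    """One dict per packet: transport protocol, addresses and ports, filter action, interface."""
    return [m.groupdict() for m in _FW.finditer(text)]

# Abbreviated copies of records shown in this table (fields dropped, values unchanged).
SAMPLE_LINES = [
    '<14>1 2022-08-05T10:14:49.398Z Proliant_Node0 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 '
    'source-address="10.1.1.146" destination-address="10.1.3.161" service-name="icmp" protocol-id="1" '
    'policy-name="known-bad-policy" packet-incoming-interface="reth1.0" reason="Denied by policy"] session denied',
    '<14>1 2022-08-05T13:05:12.092Z Proliant_Node0 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.129 '
    'message-type="SIG" source-address="10.1.1.146" destination-address="10.1.3.161" policy-name="deny-policy" '
    'action="DROP" attack-name="IPv4-version" source-interface-name="reth1.0"] IDP: SIG Attack log',
    '<182>1 2023-09-27T10:12:41.394Z Proliant_Node0 mgd 39458 UI_CFG_AUDIT_SET [junos@2636.1.1.1.2.129 '
    'username="acumensec" action="set" pathname="[security policies from-zone trust to-zone untrust policy '
    'bypass then permit application-services idp-policy\\]" delimiter="" data="unconfigured" value="IDP_src"] set',
    '<27>1 2022-07-25T07:32:45.548Z Proliant_Node0 kmd 20805 - - IKE negotiation failed with error: No proposal '
    'chosen. IKE Version: 1, VPN: ike-vpn-devices Gateway: gw-b, Local: 10.1.5.129/500, Remote: 10.1.5.29/500, '
    'Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator',
]
FIREWALL_LOG = """\
Time of Log: 2022-11-29 10:16:39 UTC, Filter: pfe, Filter action: accept, Name of interface: reth1.0
Name of Protocol: TCP, Packet Length: 40, Source address: 10.1.1.146:1300, Destination address: 10.1.3.161:80
Time of Log: 2022-11-29 10:16:36 UTC, Filter: pfe, Filter action: discard, Name of interface: reth1.0
Name of Protocol: TCP, Packet Length: 40, Source address: 10.1.1.146:1200, Destination address: 10.1.3.161:80
"""

if __name__ == '__main__':
    for req, line in zip(REQUIRED, SAMPLE_LINES):   # REQUIRED is in the same order as SAMPLE_LINES
        print(req, audit_fields(line), 'missing:', missing_fields(line, req))
    print(parse_firewall_log(FIREWALL_LOG))
```

Two points worth noting when feeding real exports into something like this: the SD-element must be cut at the first unescaped `]`, not the first `]`, or every UI_CFG_AUDIT record with a `pathname` value is truncated; and `missing_fields` returns every required name for a line that does not parse at all, so a collector that silently drops unparsed lines will not hide a gap as an empty list.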