Flow Trace for Tenant Systems
Flow trace, also called traceoptions, allows you to monitor traffic flow into and out of an SRX Series Firewall. You can use traceoptions as a debugging tool to trace packets as they traverse the SRX Series Firewall. Traceoptions help you get details of the actions taken by your security device.
Flow Trace Support for Tenant Systems Overview
For an SRX Series Firewall configured with tenant systems, by default the traceoptions are configured at the root level only. In this case, all the system traces, including those for root and tenant systems, are logged in one single trace file. This generates a large amount of information in a single file.
Starting in Junos OS Release 19.4R1, you can enable tracing operations at the tenant system level. When you configure the traceoptions at the tenant system level, the traces for that specific tenant system are logged in its own trace file. You can generate an output file for the specified tenant system, and you can find the required traffic information easily in the trace file.
When you enable traceoptions, you specify the name of the file and the type of information you want to trace.
If you enable the traceoptions under the root context, all flow traces are sent to one log file in root. If you enable the traceoptions for a specific tenant system, the traces for that tenant system are sent only to its own trace file.
Configure Flow Trace Support for Tenant Systems
Configuring traceoptions for a tenant system includes configuring both a target file and a flag. The target file determines where the trace output is recorded. The flag defines what type of data is collected. If you configure traceoptions for a tenant system, its trace output is sent only to that tenant system's log file.
To configure traceoptions for a tenant system:
After you commit the traceoptions configuration, you can view the traceoptions debug files for the tenant system using the show log tracefilename operational command.
user@host:TSYS1> show log flow_tsys1.log
Nov 7 13:21:47 13:21:47.217744:CID-0:THREAD_ID-05:LSYS_ID-32:RT:<192.0.2.0/0->198.51.100.0/9011;1,0x0> :
Nov 7 13:21:47 13:21:47.217747:CID-0:THREAD_ID-05:LSYS_ID-32:RT:packet [84] ipid = 39281, @0x7f490ae56d52
Nov 7 13:21:47 13:21:47.217749:CID-0:THREAD_ID-05:LSYS_ID-32:RT:---- flow_process_pkt: (thd 5): flow_ctxt type 0, common flag 0x0, mbuf 0x4882b600, rtbl7
Nov 7 13:21:47 13:21:47.217752:CID-0:THREAD_ID-05:LSYS_ID-32:RT: flow process pak fast ifl 88 in_ifp lt-0/0/0.101
Nov 7 13:21:47 13:21:47.217753:CID-0:THREAD_ID-05:LSYS_ID-32:RT: lt-0/0/0.101:192.0.2.0->198.51.100.0, icmp, (0/0)
Nov 7 13:21:47 13:21:47.217756:CID-0:THREAD_ID-05:LSYS_ID-32:RT: find flow: table 0x11d0a2680, hash 20069(0xffff), sa 192.0.2.0, da 198.51.100.0, sp 0, d0
Nov 7 13:21:47 13:21:47.217760:CID-0:THREAD_ID-05:LSYS_ID-32:RT:Found: session id 0x12. sess tok 28685
Nov 7 13:21:47 13:21:47.217761:CID-0:THREAD_ID-05:LSYS_ID-32:RT: flow got session.
Nov 7 13:21:47 13:21:47.217761:CID-0:THREAD_ID-05:LSYS_ID-32:RT: flow session id 18
Nov 7 13:21:47 13:21:47.217763:CID-0:THREAD_ID-05:LSYS_ID-32:RT: vector bits 0x200 vector 0x84ae85f0
Nov 7 13:21:47 13:21:47.217764:CID-0:THREAD_ID-05:LSYS_ID-32:RT:set nat 0x11e463550(18) timeout const to 2
Nov 7 13:21:47 13:21:47.217765:CID-0:THREAD_ID-05:LSYS_ID-32:RT: set_nat_timeout 2 on session 18
Nov 7 13:21:47 13:21:47.217765:CID-0:THREAD_ID-05:LSYS_ID-32:RT:refresh nat 0x11e463550(18) timeout to 2
Nov 7 13:21:47 13:21:47.217767:CID-0:THREAD_ID-05:LSYS_ID-32:RT:insert usp tag for apps
Nov 7 13:21:47 13:21:47.217768:CID-0:THREAD_ID-05:LSYS_ID-32:RT:mbuf 0x4882b600, exit nh 0xfffb0006
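The following is an added example, not Juniper code: a Python sketch that parses trace lines in the layout shown in the output above, groups them into per-packet records, and reports any LSYS_ID in a tenant trace file other than the one expected for that tenant. The function names parse_trace and foreign_lsys_ids are hypothetical, the field layout is inferred from the sample output only, and the expected LSYS_ID for a tenant is an assumption the operator supplies.

```python
import re

# Line layout as it appears in the sample output above:
# <date> <time.usec>:CID-n:THREAD_ID-nn:LSYS_ID-nn:RT:<message>
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<ts>[\d:]{8}\.\d+):CID-(?P<cid>\d+):"
    r"THREAD_ID-(?P<thread>\d+):LSYS_ID-(?P<lsys>\d+):RT:(?P<msg>.*)$")
# First line of a traced packet: <src/sport->dst/dport;proto,0x..>
HEADER = re.compile(r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\d+),")
SESSION = re.compile(r"flow session id (\d+)")

def parse_trace(text):
    """Return one record per traced packet. State is tracked per THREAD_ID so
    interleaved output from different flow threads is not mixed together."""
    packets, current = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # CLI prompt, blank line, or a layout this sketch does not know
        msg, thread = m["msg"].strip(), m["thread"]
        h = HEADER.match(msg)
        if h:
            pkt = {"ts": m["ts"], "lsys": int(m["lsys"]), "session": None, **h.groupdict()}
            packets.append(pkt)
            current[thread] = pkt
        elif thread in current:
            s = SESSION.search(msg)
            if s:
                current[thread]["session"] = int(s.group(1))
    return packets

def foreign_lsys_ids(text, expected):
    """LSYS_ID values present in the file other than the expected tenant's ID."""
    seen = {int(m["lsys"]) for m in map(LINE.match, text.splitlines()) if m}
    return sorted(seen - {expected})

# THREAD_ID-05 lines are copied from the output above; THREAD_ID-06 lines are constructed.
SAMPLE = """\
Nov 7 13:21:47 13:21:47.217744:CID-0:THREAD_ID-05:LSYS_ID-32:RT:<192.0.2.0/0->198.51.100.0/9011;1,0x0> :
Nov 7 13:21:47 13:21:47.217750:CID-0:THREAD_ID-06:LSYS_ID-33:RT:<203.0.113.5/40000->198.51.100.7/443;6,0x0> :
Nov 7 13:21:47 13:21:47.217761:CID-0:THREAD_ID-05:LSYS_ID-32:RT: flow got session.
Nov 7 13:21:47 13:21:47.217761:CID-0:THREAD_ID-05:LSYS_ID-32:RT: flow session id 18
Nov 7 13:21:47 13:21:47.217770:CID-0:THREAD_ID-06:LSYS_ID-33:RT: flow session id 27
"""

if __name__ == "__main__":
    for p in parse_trace(SAMPLE):
        print(p)
    print("unexpected LSYS_IDs:", foreign_lsys_ids(SAMPLE, 32))
```

A non-empty result from foreign_lsys_ids on a tenant's trace file means the file holds lines from another context, which is the situation per-tenant traceoptions are meant to avoid.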