Collect Firewall Metadata with Lumu VA and Juniper SRX

Requirements

  1. Juniper SRX Firewall Junos version 20+.
  2. Have admin access to configure a Syslog server on Juniper SRX.
  3. Have the most recent version of the Lumu Virtual Appliance installed.

These are the general steps you should follow to configure a Syslog server on a Juniper SRX Firewall to send all metadata to Lumu:


Deploy and Set Up Lumu VA

All the detailed steps and guidance to create, download, and install a virtual appliance on your preferred hypervisor or Cloud solution are available in our documentation:

Set up a Lumu VA Firewall Log Collector

Go to the Lumu Virtual Appliance and refresh the VA collector settings by running the command lumu-appliance collectors refresh . Collectors can only be set up while the appliance is stopped, so stop it first if it is running.


Select the option that refers to Juniper SRX and the format that suits you best, then provide the following data:

  • Protocol type : you can select between TCP and UDP according to your infrastructure and your Juniper’s settings.
  • Port number : provide a number between 1024 and 65535, inclusive.
  • Timezone : The timezone for setting up the VA. Use the canonical ID (e.g. America/Chicago). You can use this external article for reference.

Configure Juniper to Send Metadata to Lumu VA

A Juniper SRX Firewall produces two kinds of logs: control-plane (system and administrative) logs and data-plane (traffic, RT_FLOW) logs. Lumu needs the data-plane traffic logs, which are sent through the security log stream configuration below rather than through the system syslog settings.

Add a new stream configuration

First, you need to add a new Stream configuration for Lumu VA.

  1. Access your Juniper Firewall in edit mode using your preferred ssh client.
  2. To add a new Stream logging configuration, run the following commands:
    set security log stream <stream_name>
    set security log stream <stream_name> format syslog
    set security log stream <stream_name> category all
    set security log stream <stream_name> host <lumu_va_ip>
    set security log stream <stream_name> host <lumu_va_ip> port <port>
    set security log stream <stream_name> transport protocol [tcp|udp]
    Where:
<stream_name>: Distinctive name for the stream Syslog configuration.
<lumu_va_ip>: IP address of the Lumu VA.
<port>: Destination port number. Use the one configured in the Lumu VA collector.

In the transport protocol line, select the same protocol configured in the Lumu VA collector.
Data-plane logs are only delivered to the stream host when the device is in stream logging mode. If your SRX is in event mode (the default on branch SRX models), also run set security log mode stream and set security log source-address <srx_source_ip> , where <srx_source_ip> is an address on the SRX that can reach the Lumu VA.
When you are finished, commit the changes in your configuration using the commit command.

Configure your firewall rules to log traffic

You need to configure your firewall rules to log at session initiation and/or session close. You can do this using the GUI or the CLI.

Using the GUI

You can set the global Firewall options to enable the Session close logging by default. To do so, go to the menu Security Policies & Objects > Security Policies . Click on the Global Options button. There, enable the Session close toggle. Click the OK button. Finally, commit your changes.


The Session initiate option can also be enabled in the Global configuration , but this is not recommended because it doubles the log volume for permitted traffic. Instead, enable it per rule. Session initiate logging is required on the rules that explicitly block traffic: a denied session is never established, so it never produces a session close event, and without session initiate logging the deny is never reported. Change the configuration in each deny rule accordingly.

Using the CLI

To configure the logging in the global options, access your Juniper Firewall using your preferred SSH client in edit mode. Run the following command:

set security policies pre-id-default-policy then log session-close

Remember to commit your changes.

To enable the Session initiate logging per rule using CLI, you can use the following command.

set security policies from-zone <src_zone> to-zone <dst_zone> policy <policy_name> then log session-init

Where:

<src_zone>: Traffic origin zone.
<dst_zone>: Traffic destination zone.
<policy_name>: Policy name to be modified.

Remember to commit your changes. 

It is recommended to enable the session initiate logging for rules that explicitly deny traffic. Otherwise, this traffic will not be reported to Lumu VA.
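Before moving on, it is worth confirming that the stream actually reaches the collector port and that deny events are among what arrives. The script below is an added example written for this article, not Lumu's or Juniper's code. It parses RT_FLOW traffic lines in the plain syslog stream format, counts them by event type, and flags the case where permitted traffic is logged but no deny events appear, which usually means session initiate logging is missing on the deny rules. The sample lines are constructed to resemble SRX output and are only used to exercise the parser offline; the optional UDP listener assumes you run it on a host the SRX can reach (for example on the VA with the collector stopped, if Python is available there) and that the stream uses UDP.

```python
"""Sanity check for an SRX log stream: parse what arrives on the collector port.

Added example for this article; it is not Lumu's or Juniper's code. The sample
lines are constructed to resemble RT_FLOW traffic logs in the plain 'format
syslog' stream and are used only to exercise the parser offline. Field order
after the address pair differs between Junos releases, so only the event type
and the src/sport->dst/dport pair are extracted.
"""
import re
import socket
import sys
from collections import Counter

# Event names the RT_FLOW daemon uses for traffic logs.
EVENT_RE = re.compile(r"RT_FLOW_SESSION_(CREATE|CLOSE|DENY)")
# Address pair that follows "session created/closed/denied"; IPv4 and IPv6.
TUPLE_RE = re.compile(
    r"(?P<src>[0-9A-Fa-f:.]+)/(?P<sport>\d+)->(?P<dst>[0-9A-Fa-f:.]+)/(?P<dport>\d+)"
)

# Constructed sample input (not captured from a real device).
SAMPLE_LINES = [
    "Jun 10 13:22:11 srx-edge RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "192.0.2.10/52034->198.51.100.20/443 junos-https None "
    "192.0.2.10/52034->198.51.100.20/443 None None 6 allow-web trust untrust 1234 "
    "N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN",
    "Jun 10 13:22:19 srx-edge RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: "
    "192.0.2.10/52034->198.51.100.20/443 junos-https None "
    "192.0.2.10/52034->198.51.100.20/443 None None 6 allow-web trust untrust 1234 "
    "12(1500) 10(9000) 8 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN",
    "Jun 10 13:22:25 srx-edge RT_FLOW: RT_FLOW_SESSION_DENY: session denied "
    "192.0.2.11/40000->203.0.113.5/23 junos-telnet 6(0) deny-all trust untrust "
    "UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 No UNKNOWN",
    "Jun 10 13:22:30 srx-edge RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: "
    "2001:db8::10/5000->2001:db8::20/80 junos-http None "
    "2001:db8::10/5000->2001:db8::20/80 None None 6 allow-web trust untrust 1235 "
    "9(800) 7(4000) 3 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN",
    # Control-plane line: not a traffic log, must be ignored.
    "Jun 10 13:22:31 srx-edge sshd[2211]: Accepted password for admin from 192.0.2.50 port 51000 ssh2",
]


def parse_rt_flow(line):
    """Return {'event', 'src', 'sport', 'dst', 'dport'} or None for non-traffic lines.

    The first address pair on the line is the pre-NAT one; SESSION_CREATE and
    SESSION_CLOSE repeat the pair after NAT, which is deliberately skipped.
    """
    ev = EVENT_RE.search(line)
    tup = TUPLE_RE.search(line)
    if not ev or not tup:
        return None
    return {
        "event": ev.group(1),
        "src": tup["src"], "sport": int(tup["sport"]),
        "dst": tup["dst"], "dport": int(tup["dport"]),
    }


def summarize(lines):
    """Count traffic events by type (CREATE, CLOSE, DENY)."""
    counts = Counter()
    for line in lines:
        rec = parse_rt_flow(line)
        if rec:
            counts[rec["event"]] += 1
    return dict(counts)


def missing_deny_logging(counts):
    """True when permitted sessions are logged but no deny event was seen.

    With deny policies in place this usually means those policies lack
    'then log session-init', so blocked traffic never reaches Lumu.
    """
    allowed = counts.get("CREATE", 0) + counts.get("CLOSE", 0)
    return allowed > 0 and counts.get("DENY", 0) == 0


def listen_udp(port, max_lines=50, timeout=30.0):
    """Bind the collector's UDP port and return up to max_lines raw syslog lines.

    Assumes the stream transport is UDP; stop the VA collector first if you
    run this on the appliance, because only one process can own the port.
    """
    lines = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        while len(lines) < max_lines:
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                break
            lines.append(data.decode("utf-8", errors="replace").rstrip("\n"))
    return lines


if __name__ == "__main__":
    # With a port argument, capture live lines; otherwise use the constructed sample.
    lines = listen_udp(int(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LINES
    counts = summarize(lines)
    print("events by type:", counts)
    if missing_deny_logging(counts):
        print("no SESSION_DENY seen: check 'then log session-init' on deny policies")
```

Run it without arguments to see the parser on the sample, or with the collector port number (for example python3 check_stream.py 1514) to capture what the SRX is really sending; the captured lines can then be passed to summarize(). If the stream uses TCP, point a TCP listener at the port instead and feed its output to the same functions.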

(Optional) Enable identity logging in Firewall zones

To enhance events sent by your Juniper firewall, it is recommended to enable identity logging in the zone configuration. You can enable it using the GUI or CLI.

Using the GUI

You can set the identity logging in each zone of interest. This adds the user identity to the session logs of that zone, provided user identification is configured on the firewall. To do so, go to the menu Security Policies & Objects > Zones/Screens . Edit the zone of interest, and enable the toggle Source Identity Log . Finally, click the OK button and commit your changes.


Using the CLI

To configure the Source Identity Log option in each zone of interest using CLI, access your Juniper Firewall using your preferred SSH client in edit mode. Run the following command once per zone, replacing <zone_name> with the zone name (for example, trust):

set security zones security-zone <zone_name> source-identity-log

Remember to commit your changes.

For more details on the configuration settings consult the Juniper SRX official documentation article Configuring System Logging for a Security Device.

