set firewall family inet filter blocked.IP term 1 from prefix-list block.zeusCC
set firewall family inet filter blocked.IP term 1 from prefix-list unblock.zeusCC except
set firewall family inet filter blocked.IP term 1 then syslog
set firewall family inet filter blocked.IP term 1 then discard

This filter 'reads' the filtered IP addresses from prefix-lists, which we'll take a look at later on. I used two prefix-lists for the following reason. The first list (block.zeusCC) contains the addresses to be blocked; the unblock.zeusCC list contains a subset of those addresses that are to be allowed anyway. This makes it possible to block entire subnets, but allow parts within that subnet to be accessed. The discard statement discards the packet. As you can see, there's also a syslog entry in the filter. The reason for this is that this process takes place on a different level in the SRX: the normal firewall policy logging will show traffic ALLOWED to these blocked IP addresses, even if it's blocked by the firewall filter. If you need/want logging for this, you need to add the syslog statement. So make sure you collect the syslog messages from the control plane:

set system syslog host 192.168.1.1 any any
set system syslog host 192.168.1.1 change-log none
set system syslog host 192.168.1.1 interactive-commands none
set system syslog file policy_session archive

set security log source-address 192.168.1.254
set security log stream Server format syslog
set security log stream Server host 192.168.1.1
set security log stream Server host port 12345
set policy-options prefix-list unblock.zeusCC
set policy-options prefix-list block.zeusCC 5.135.62.209/32
set policy-options prefix-list block.zeusCC 12.20.235.200/32
set policy-options prefix-list block.zeusCC 24.126.145.5/32
set policy-options prefix-list block.zeusCC 216.244.83.99/32
set interfaces fe-0/0/0 unit 0 family inet filter input blocked.IP
set interfaces fe-0/0/0 unit 0 family inet filter output blocked.IP
set interfaces fe-0/0/0 unit 0 family inet dhcp
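To show how the block/except pair behaves and how the prefix-lists can be filled from a feed, here is an added Python example (not code from the original post or from Juniper). It models the filter evaluation Junos performs on the blocked.IP filter above and renders the matching set statements. The sample feeds use constructed documentation addresses rather than the page's own /32 entries, and the terminating "term 2 then accept" is an assumption added here: every Junos stateless firewall filter ends in an implicit discard, so a filter with only a discard term would also drop traffic that matches neither list, without a syslog entry.

```python
"""Model of the blocked.IP filter and a generator for its 'set' statements.
Added example, not from the original post.

Assumptions (not on the page): the sample feeds are constructed from RFC 5737
documentation ranges, and 'term 2 then accept' is added because every Junos
firewall filter ends in an implicit discard.
"""
import ipaddress

# Constructed sample feeds; the page's own /32 entries are deliberately not reused.
BLOCK_FEED = """
# a whole hosting range plus two single hosts
203.0.113.0/24
198.51.100.7
198.51.100.9/32
"""
UNBLOCK_FEED = """
# carve-out inside the blocked /24 that must stay reachable
203.0.113.10
"""


def parse_prefixes(text):
    """One prefix per line; bare addresses become host routes (/32).
    Blank lines and '#' comments are ignored."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


BLOCK = parse_prefixes(BLOCK_FEED)
UNBLOCK = parse_prefixes(UNBLOCK_FEED)


def covered(addr, nets):
    """True when addr falls inside any prefix of the list."""
    return any(addr in n for n in nets)


def term1_matches(addr, block=BLOCK, unblock=UNBLOCK):
    """'from prefix-list block.zeusCC' together with
    'from prefix-list unblock.zeusCC except': the term matches only when the
    address is in the block list AND not in the unblock list."""
    return covered(addr, block) and not covered(addr, unblock)


def evaluate(ip, block=BLOCK, unblock=UNBLOCK, terminating_accept=True):
    """Walk the filter the way Junos does: the first matching term wins.
    Returns (action, logged). Without an explicit accept term, traffic that
    matches nothing hits the implicit discard at the end of the filter."""
    addr = ipaddress.ip_address(ip)
    if term1_matches(addr, block, unblock):
        return ("discard", True)      # term 1: then syslog, then discard
    if terminating_accept:
        return ("accept", False)      # term 2 (assumed): then accept
    return ("discard", False)         # implicit discard, no syslog entry


def render_set_commands(block=BLOCK, unblock=UNBLOCK,
                        filter_name="blocked.IP", iface="fe-0/0/0"):
    """Emit 'set' statements in the page's structure, with the prefix-lists
    filled from the feeds plus the assumed terminating accept term."""
    f = f"set firewall family inet filter {filter_name}"
    cmds = [f"set policy-options prefix-list block.zeusCC {n}" for n in block]
    cmds += [f"set policy-options prefix-list unblock.zeusCC {n}" for n in unblock]
    cmds += [
        f"{f} term 1 from prefix-list block.zeusCC",
        f"{f} term 1 from prefix-list unblock.zeusCC except",
        f"{f} term 1 then syslog",
        f"{f} term 1 then discard",
        f"{f} term 2 then accept",  # assumption: keeps all other traffic flowing
        f"set interfaces {iface} unit 0 family inet filter input {filter_name}",
        f"set interfaces {iface} unit 0 family inet filter output {filter_name}",
    ]
    return cmds


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(f"{ip:>15} -> {evaluate(ip)}")
    print("\n".join(render_set_commands()))
```

Running it shows the carve-out at work: 203.0.113.5 is discarded and logged because it sits in the blocked /24, while 203.0.113.10 in the same /24 is accepted because the unblock list takes it out of term 1. Calling evaluate with terminating_accept=False shows what the filter does to an address on neither list when no accept term exists: it is discarded by the implicit default, and because that discard carries no syslog action, the control-plane log shows nothing for it.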