Viewing logs on VPN tunnel



  • I have successfully created a site-to-site VPN tunnel on a Netscreen 50 firewall, and I have Logging enabled.  However when I view the log in the tunnel it shows no entries…

    Can anyone tell me if there is a way to view the TCP/IP traffic passing through the policy?
    Is it not available due to encryption? If so, I may as well turn off logging on the policy???

    Cheers,

    Jai.



  • If it's policy based it should log; if it's route based w/ trust to trust you probably need a trust to trust log.

    Set up 2 rules.
    1st: trust to trust with your source and dest VPN private networks, then log
    2nd: trust to trust any, no log, so you don't drop anything else


  • Global Moderator

    If your tunnel is in trust and your traffic is coming from there Firewall72 is absolutely right, no policy is needed, so no logging can be seen. Two ways of overcoming this:

    1 Enable zoneblock on trust and define a any any any permit policy from trust to trust

    2 Create a custom VPN zone and place the tunnel interface in this zone. Create policies (both directions if needed!!) from trust to this zone, with logging.

    Hope this helps.

    Michel



  • Hi,

    Thanks for the follow-up.  The debug will show if a policy lookup is being done.  Just in case you wanted to take a further look.

    Rgds,

    John



  • Yes, both are in the trust zone for both firewalls. I suppose that might be the same scenario as in Jai's case.

    As my current VPN setup is 'live', I made no attempts to change it till something breaks or something cracks 🙂

    @firewall72:

    Hi,

    Is your traffic crossing zones or are the route based tunnels in the same zone?  For example, two Netscreen Firewalls set up with a point-to-point VPN.  Both Firewalls are using the trust-vr, tun.1, and bound to the trust zone.  This would not result in a policy look-up because the source and destination are in the "trust" zone.  Does this apply in your case?

    Rgds,

    John



  • Hi,

    Is your traffic crossing zones or are the route based tunnels in the same zone?  For example, two Netscreen Firewalls set up with a point-to-point VPN.  Both Firewalls are using the trust-vr, tun.1, and bound to the trust zone.  This would not result in a policy look-up because the source and destination are in the "trust" zone.  Does this apply in your case?

    Rgds,

    John



  • I think I am having the same scenario as Jai. When using policy-based tunnels, I am able to view the traffic that is flowing via the policies when logging is enabled.

    After I switched all the tunnels to route-based, the logging does not show any traffic even though the tunnels are working fine.

    I am using an SSG140 with firmware 5.4.0r4.0 as well.



  • That's great! Thanks John, I will try this.

    Cheers,

    Jai.



  • Hi,

    That is odd.  I would note the policy ID and run a debug while testing.  This will show you what policy is being used for your test.  To make things easier, I would set a flow filter (e.g. set ff dst-ip 192.168.1.1 ip-proto 1).  Run a “debug flow basic”, ping 192.168.1.1 (remote VPN host) and return with “undebug all”.  Then try “get db str”.  This should show you which policy is being used to route that traffic.  If it matches, I would try to disable it and re-add it.  Hope this helps.

    Rgds,

    John
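    Putting Michel's custom-zone option and John's flow-debug check together, as an added ScreenOS CLI example that is not from any poster in this thread (the zone name VPN, interface tunnel.1, policy IDs 10/11/20/21 and the 10.1.1.0/24 and 192.168.1.0/24 networks are assumptions; lines starting with # are annotations, not CLI input): the tunnel interface is moved into its own zone so site-to-site traffic has to match logged policies, then a flow filter confirms which policy ID the test ping hits.

```text
# --- Michel's option 2: custom zone for the route-based tunnel, logged policies both ways ---
set zone name VPN
set interface tunnel.1 zone VPN                  # assumption: tunnel.1 is the route-based tunnel
set address trust LocalLAN  10.1.1.0    255.255.255.0    # constructed sample networks
set address VPN   RemoteLAN 192.168.1.0 255.255.255.0
set policy id 10 from trust to VPN LocalLAN RemoteLAN any permit log
set policy id 11 from VPN to trust RemoteLAN LocalLAN any permit log
save

# --- Michel's option 1 / Firewall72's two rules instead (tunnel.1 stays in trust) ---
# set zone trust block
# set policy id 20 from trust to trust LocalLAN RemoteLAN any permit log
# set policy id 21 from trust to trust any any any permit     # no log, so nothing else is dropped

# --- John's check: does a policy lookup now happen for a ping to the remote host? ---
clear db
set ff dst-ip 192.168.1.1 ip-proto 1             # only capture ICMP towards the remote VPN host
debug flow basic
ping 192.168.1.1
undebug all
get db str                                       # the policy search lines should name policy id 10
unset ff
```

    With the tunnel interface still in trust and intra-zone blocking off, the same debug output shows no policy search at all, which is why nothing reaches the policy log.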



  • 5.4.0r4.0 is my firmware version if that's what you're asking.

    I do indeed have Logging enabled, and I'm accessing the logs in the GUI via the log icon in the policy.

    Jai.



  • Hi,

    What version of code are you running?  If you configured a policy-based VPN and enabled logging, it should show up.  How are you accessing the logs?

    Rgds,

    John

