Tuesday, January 26, 2016

Using the Juniper JUNOS "apply-groups" command on SRX firewalls to log session information

Have you ever wondered how you could log information to your syslog server whenever a flow matches a security policy on your SRX firewalls? Many of us need a record of what traverses the firewall because regulatory and compliance requirements from security auditors demand it.
This post introduces the concept of apply-groups and shows how it can be used to enable logging in a Juniper SRX firewall security policy when a flow matches.
This post doesn't show how to create a security policy, but it does show how to enable security policy logging on SRX firewalls via the CLI, which is especially useful for those with thousands of security policies.

1) Set the group name

[edit]
root@homefwsrx210# edit groups session-init-close

2) Under the "edit groups session-init-close" hierarchy, set the necessary policy actions as shown below

[edit groups session-init-close]
~# set security policies from-zone <*> to-zone <*> policy <*> then log session-init
~# set security policies from-zone <*> to-zone <*> policy <*> then log session-close
~# top

[edit]
~#

The <*> is a wildcard that matches anything. This means that the two commands in step 2 above match any source zone, any destination zone and any policy, and insert the "log session-init" and "log session-close" actions at the end of every policy.

3) Apply the configured group settings under the "edit security policies" hierarchy

[edit security policies]
~# set apply-groups session-init-close
~# commit

**** For JUNOS CLI experts, only these 2 commands (followed by a commit) are needed from configuration mode ****

#set groups session-init-close security policies from-zone <*> to-zone <*> policy <*> then log session-init session-close

#set security policies apply-groups session-init-close
#commit

After the configuration commits, use the following command to verify that the logging actions are inherited by every policy

#show security policies | display inheritance

Before the apply-groups configuration

After the apply-groups configuration

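To show what the logging enabled above produces at the syslog end, here is an added Python example (not from this post) that parses RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE lines in Junos structured-data syslog format and totals closed sessions and bytes per from-zone, to-zone and policy, the same three keys the apply-group wildcards match on. The sample log lines are constructed, and the exact field names are assumptions to be checked against your release's message reference; structured-data output also requires the syslog destination to be configured for it, which this post does not cover.

```python
import re
from collections import defaultdict

# Constructed sample of SRX session logs in Junos structured-data syslog format
# (event name, then a bracketed SD-ID followed by key="value" pairs). Field names
# are assumptions; verify them against the RT_FLOW message reference for your release.
SAMPLE_LOGS = [
    '<14>1 2016-01-26T09:15:02Z homefwsrx210 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.39 source-address="10.10.10.25" source-port="51234" '
    'destination-address="203.0.113.10" destination-port="443" protocol-id="6" '
    'policy-name="allow-web" source-zone-name="trust" destination-zone-name="untrust" '
    'session-id-32="40001"]',
    '<14>1 2016-01-26T09:15:14Z homefwsrx210 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.39 reason="TCP FIN" source-address="10.10.10.25" '
    'source-port="51234" destination-address="203.0.113.10" destination-port="443" '
    'protocol-id="6" policy-name="allow-web" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="40001" bytes-from-client="1500" '
    'bytes-from-server="6200" elapsed-time="12"]',
    '<14>1 2016-01-26T09:16:40Z homefwsrx210 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.39 reason="idle Timeout" policy-name="allow-dns" '
    'source-zone-name="trust" destination-zone-name="untrust" session-id-32="40002" '
    'bytes-from-client="80" bytes-from-server="120"]',
    '<6>1 2016-01-26T09:17:00Z homefwsrx210 kernel - - unrelated message',
]

# Event name, then the bracketed structured-data element: SD-ID, then key="value" pairs.
EVENT_RE = re.compile(r'(RT_FLOW_SESSION_(?:CREATE|CLOSE|DENY))\s+\[\S+\s+(.*)\]')
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

def parse_session_event(line):
    """Return (event_name, {field: value}) for a session log line, else None."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    return m.group(1), dict(KV_RE.findall(m.group(2)))

def summarize_by_policy(lines):
    """Per (from-zone, to-zone, policy): closed-session count and total bytes both ways.
    Only SESSION_CLOSE carries byte counters, so CREATE events are parsed but not summed."""
    stats = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for line in lines:
        parsed = parse_session_event(line)
        if parsed is None or parsed[0] != "RT_FLOW_SESSION_CLOSE":
            continue
        f = parsed[1]
        key = (f.get("source-zone-name"), f.get("destination-zone-name"), f.get("policy-name"))
        stats[key]["sessions"] += 1
        stats[key]["bytes"] += int(f.get("bytes-from-client", 0)) + int(f.get("bytes-from-server", 0))
    return dict(stats)
```

A policy that never appears in the summary after a few days of traffic is a candidate for review, since session logging from every policy is exactly what the apply-group guarantees.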
Conclusion:
The apply-groups feature in JUNOS is a very powerful tool for grouping configuration objects together, and a group can be applied at different hierarchy levels depending on the administrator's preference.

I hope this has been informative for you.





Friday, May 29, 2015

Running Arista vEOS on ESXi6

Having scampered around for a while in search of an L2 switch to interconnect all my VMs (especially the ones for the CCIE, JNCIE, CNSE and CCSA exams) inside my Dell R710 server, I stumbled yet again on Arista's vEOS which, in my honest opinion, is a very good OS and very similar to Cisco's IOS. It supports basic L2 functionality and advanced L3 functionality. The purpose of this post is not to discuss its features but rather to discuss what needs to be done to get it up and running in VMware ESXi6. For those that have run vEOS on earlier versions of ESXi (5.5 and lower) there have been no issues, as the installation and bootup process are seamless.
In ESXi6, however, there's a little tweak to be done to get it to work: convert the vEOS VMDK file from thin to thick, because by default ESXi6 treats the VMDK as sparse whereas ESXi 5.5 treats it as thick. Refer to https://eos.arista.com/tip-for-arista-veos-on-vmware-esx-6/#comment-494
Note:
1) Log in to the ESXi shell and navigate to the VM folder in the datastore that houses the vmdk image.

2) Run the "ls" command to verify that the image resides in that folder.

3) Issue the command below to convert the vmdk to thick provisioning
vmkfstools -i vEOS-lab-4.15.0F.vmdk -d eagerzeroedthick vEOS-lab-4.15.0F-thick.vmdk

4) Modify the VM settings, delete the old hard disk, add a new hard disk and reference the new thick-provisioned vmdk.

5) Save the VM settings and power on the VM.

HTH