Resource Policy Access Control Logging

ryandgr_
Occasional Contributor

Is the ability to log resource policy access control available within the Juniper SSL VPN appliance?

For example, if I have a Network Connect resource policy configured with Access policies that restrict the networks a specified role can access, can I have it log access that was subsequently denied by said policy?

Detailed Rules (Edit)
1. Allow tcp://192.168.1.100:80,443, tcp://192.168.1.123:80,443, tcp://192.168.1.200:80,443
2. Deny tcp://192.168.0.0/16:80,443
3. Allow tcp://*:80,443

So here if I had a machine trying to access 192.168.1.150, it would be denied by line 2 above. And if that happens, I would like to know about it. But I don't see where I can have it log denied connections like that. It doesn't show up via the normal syslogs such as logins, logouts, etc.

Thanks,

-Ryan

4 REPLIES
cbarcellos_
Regular Contributor

Re: Resource Policy Access Control Logging

ryandgr,

The IVE doesn't have a way to log deny matches. You'd need to do the filtering in your standalone firewall in order to log this.

ryandgr_
Occasional Contributor

Re: Resource Policy Access Control Logging

That's what I figured. Just makes it harder because I have to correlate logs in order to find out who is being denied. Since the DHCP pool is dynamic, in order to figure out who is having the problems I have to associate the IP from the firewall logs with the IP from the Juniper connect logs, and then grab the username from the Juniper logs. Plus it's nice to have protection in layers, rather than just blow everything open in the Juniper box and then lock down on the firewall.
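The log correlation Ryan describes above, as an added example that is not part of the original thread: it pairs constructed Network Connect session start/end lines (user and assigned IP) with constructed firewall DENY lines and resolves each denied source IP to the user who held that lease at that moment, so an address reused from the dynamic pool is not attributed to the wrong user. The log line formats, field names and sample values are assumptions, not the appliance's or firewall's real formats.

```python
import re
from datetime import datetime
# Constructed sample logs (not from the thread); the line formats are hypothetical.
NC_LOG = """2010-03-01 08:00:00 user=alice ip=10.200.0.5 event=nc_start
2010-03-01 09:00:00 user=alice ip=10.200.0.5 event=nc_end
2010-03-01 09:05:00 user=bob ip=10.200.0.5 event=nc_start"""
FW_LOG = """2010-03-01 08:30:00 DENY src=10.200.0.5 dst=192.168.1.150:443
2010-03-01 09:30:00 DENY src=10.200.0.5 dst=192.168.1.150:80
2010-03-01 09:40:00 DENY src=10.200.0.9 dst=192.168.1.150:80"""
TS = "%Y-%m-%d %H:%M:%S"
NC_RE = re.compile(r"^(\S+ \S+) user=(\S+) ip=(\S+) event=nc_(start|end)$")
FW_RE = re.compile(r"^(\S+ \S+) DENY src=(\S+) dst=(\S+)$")

def parse_sessions(nc_log):
    """Pair nc_start/nc_end events into (user, ip, start, end) sessions."""
    open_sessions, sessions = {}, []
    for line in nc_log.splitlines():
        m = NC_RE.match(line)
        if not m:
            continue
        ts, user, ip, event = m.groups()
        t = datetime.strptime(ts, TS)
        if event == "start":
            open_sessions[(user, ip)] = t
        elif (user, ip) in open_sessions:
            sessions.append((user, ip, open_sessions.pop((user, ip)), t))
    # Sessions with no nc_end yet are still live: their end is None.
    sessions += [(u, ip, s, None) for (u, ip), s in open_sessions.items()]
    return sessions

def user_for(sessions, ip, t):
    """Who held `ip` at time `t`? None if the pool had not leased it to anyone."""
    for user, sip, start, end in sessions:
        if sip == ip and start <= t and (end is None or t < end):
            return user
    return None

def correlate(nc_log, fw_log):
    """Attach a username to every firewall DENY whose source IP was an NC lease."""
    sessions = parse_sessions(nc_log)
    hits = []
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, src, dst = m.groups()
        t = datetime.strptime(ts, TS)
        hits.append({"time": ts, "user": user_for(sessions, src, t), "src": src, "dst": dst})
    return hits
```

A deny whose source IP is not a live lease comes back with `user` set to None, which is itself worth alerting on since it means the address was not handed out by the VPN at that time.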

cbarcellos_
Regular Contributor

Re: Resource Policy Access Control Logging

That would be handy to have. I'd recommend having your SE open a feature request for that ability.

stine_
Super Contributor

Re: Resource Policy Access Control Logging

Are these for NC policies? If so, isn't the blocking done in the NC app on the client, and not in the SA?