Re: Resource Policy Access Control Logging

ryandgr_ · ‎01-26-2010

Is the ability to log resource policy access control available within the Juniper SSL VPN appliance?

For example, if I have a Network Connect resource policy configured with Access policies that restrict the networks a specified role can access, can I have it log access that was subsequently denied by said policy?

Detailed Rules (Edit)
1.	Allow tcp://192.168.1.100:80,443, tcp://192.168.1.123:80,443, tcp://192.168.1.200:80,443
2.	Deny tcp://192.168.0.0/16:80,443
3.	Allow tcp://*:80,443

So here if I had a machine trying to access 192.168.1.150, it would be denied by line 2 above. And if that happens, I would like to know about it. But I don't see where I can have it log denied connections like that. It doesn't show up via the normal syslogs such as logins, logouts, etc.

Thanks,

-Ryan

cbarcellos_ · ‎01-26-2010

ryandgr,

The IVE doesn't have a way to log deny matches. You'd need to do the filtering in your standalone firewall in order to log this.

ryandgr_ · ‎01-26-2010

That's what I figured. Just makes it harder because I have to correlate logs in order to find out who is being denied. Since tThe DHCP pool is dynamic, in order to figure out who is having the problems I have to associate the IP from the firewall logs, with the IP from the Juniper connect logs, and then grab the username from the Juniper logs. Plus it's nice to have protection in layers, rather than just blow everything open in the Juniper box and then lock down on the firewall.

cbarcellos_ · ‎01-27-2010

That would be handy to have. I'd recommend having your SE open a feature request for that ability.

stine_ · ‎02-03-2010

Are these for NC policies? If so, isn't the blocking done in the NC app on the client , and not in the SA?