This is my first topic, and I am writing because I need help with ScreenOS, Infranet Controller and STRM.
I hope that this is the right board to open it.
I have two ScreenOS clusters. The first one (we can call it cluster1) protects the LAN 10.10.0.0; the second one (cluster2) protects the LAN 10.20.0.0.
We also have a Juniper Infranet Controller that manages access to both networks, 10.10 and 10.20, by domain users. This Infranet Controller has IP 10.10.0.10, so it is behind cluster1.
We are installing Juniper STRM and we collect all logs.
Firewall logs aren't sent directly to STRM, but are sent to NSM, and NSM forwards them to STRM.
We configured STRM to have in the field "Log source" the real IP of the firewall that generated the log entry instead of the NSM IP.
Now, when I see in STRM logs about traffic destined to network 10.10.0.0, in the field "Log source" I see my cluster1 firewall IP (so "[email protected]"), but when I see logs about traffic destined to network 10.20.0.0 (behind cluster2), in the field "Log source" I have "[email protected]".
Both firewalls are configured in the same mode, and there is nothing different, except that cluster1 is directly connected to the Infranet Controller, while cluster2 needs to cross cluster1 to reach it.
Attached you'll find a screenshot of fake logs.
I hope this makes sense.
Thanks a lot for your help.
While we are working from the IC side, can you post a query on the STRM forum using the below URL, since this needs STRM log analysis.
Opening a case with JTAC support for the STRM product is also an alternate way to get a faster resolution.