Juniper Firewalls support next-generation firewall capabilities such as intrusion prevention, application visibility and control, and content security features that include anti-virus, anti-spam, and Web filtering.

Integrating your Juniper Firewall logs into Hunters enables ingestion of the logs, as well as detection, advanced investigation, and correlation over them.

Supported data types

  • Juniper User Logs - Actions performed or errors encountered by user-space processes.

  • Juniper Interactive Command Logs - Commands issued at the Junos OS command-line interface (CLI) prompt or by a client application such as a Junos XML protocol or NETCONF XML client.

Hunters Integration

To integrate your Juniper logs into Hunters, collect the logs from your network into a Storage Service (e.g. an S3 bucket or Azure Blob Storage) that is shared with Hunters.

Expected Format

Juniper User Logs Example:


<12>Jun 29 20:54:32 vpn.vpn.domain 1 2022-06-29T20:54:50.699-07:00 vpn.domain junos-alg - RT_ALG_WRN_CFG_NEED [junos@2636. name="MSRPC" message="detected packet from which need extra policy config with UUID:12345678-XXXXXX or 'junos-ms-rpc-any' to let it pass-through on ASL session"]

<11>Jun 29 20:34:21 vpn.domain 1 2022-06-29T20:34:39.030-07:00 vpn.domain RT_IPSEC - RT_IPSEC_REPLAY [junos@2636. interface-name="reth0.0" tunnel-id="2012e" source-address="" destination-address="" length="83" type="ESP" index="474fb470" sequence-number="2f2c"]

<10>Jun 29 21:00:29 vpn.domain 1 2022-06-29T21:00:47.850-07:00 vpn.domain PERF_MON - RTPERF_CPU_THRESHOLD_EXCEEDED [junos@2636. fpc-slot="0" pic-slot="2" current-value="87"] FPC 0 PIC 2 CPU utilization exceeds threshold, current value = 87

<14>Jun 29 20:54:49 vpn01.shared.sac.corp.elmae 1 2022-06-29T20:54:48.824-07:00 vpn01.shared.sac RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636. reason="idle Timeout" source-address="" source-port="32953" destination-address="" destination-port="123" connection-tag="0" service-name="junos-ntp" nat-source-address="" nat-source-port="32953" nat-destination-address="" nat-destination-port="123" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="aws-dc-standard-policy(global)" source-zone-name="shared-vpn" destination-zone-name="vpn-fffffffffff" source-vrf-name="N/A" destination-vrf-name="N/A" session-id-32="854772" packets-from-client="1" bytes-from-client="76" packets-from-server="1" bytes-from-server="76" elapsed-time="59" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth1.0" encrypted="UNKNOWN"]

Juniper Interactive Command Logs Example:

<190>Jun 29 20:25:03 vpn.domain 1 2022-06-29T20:25:03.602-07:00 vpn.domain mgd 35234 UI_LOGIN_EVENT [junos@2636. username="sw-ncm" class-name="j-RW-CLASS" local-peer="" pid="35234" ssh-connection=" 52836 22" client-mode="cli"] User 'sw-ncm' login, class 'j-RW-CLASS' [35234], ssh-connection ' 52836 22', client-mode 'cli'
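To check collected lines against the expected format before they land in the shared storage, the following added example (not Hunters' own parser) parses the layout shown in the samples above and separates lines that do not match. The data-type labels are hypothetical, and the facility-to-data-type mapping is an assumption inferred only from the PRI values in this page's samples.

```python
import re

# Layout taken from the sample lines on this page: a BSD-style relay prefix
# (<PRI>, timestamp, host) followed by an RFC 5424-style record.
LINE_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<relay_time>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<relay_host>\S+) '
    r'(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
    r'\[(?P<sd_id>\S+)(?P<params>(?: [\w.-]+="(?:[^"\\]|\\.)*")*)\]'
    r'(?: (?P<text>.*))?$'
)
PARAM_RE = re.compile(r'([\w.-]+)="((?:[^"\\]|\\.)*)"')

# Assumption drawn only from the samples above: user logs carry facility 1
# (user), interactive command logs carry facility 23 (local7). Labels are hypothetical.
DATA_TYPE_BY_FACILITY = {1: "juniper-user-logs", 23: "juniper-interactive-commands"}

# Two sample lines copied from this page, plus one constructed malformed line.
SAMPLE_LOG = """\
<11>Jun 29 20:34:21 vpn.domain 1 2022-06-29T20:34:39.030-07:00 vpn.domain RT_IPSEC - RT_IPSEC_REPLAY [junos@2636. interface-name="reth0.0" tunnel-id="2012e" source-address="" destination-address="" length="83" type="ESP" index="474fb470" sequence-number="2f2c"]
<190>Jun 29 20:25:03 vpn.domain 1 2022-06-29T20:25:03.602-07:00 vpn.domain mgd 35234 UI_LOGIN_EVENT [junos@2636. username="sw-ncm" class-name="j-RW-CLASS" local-peer="" pid="35234" ssh-connection=" 52836 22" client-mode="cli"] User 'sw-ncm' login, class 'j-RW-CLASS' [35234], ssh-connection ' 52836 22', client-mode 'cli'
Jun 29 20:25:04 vpn.domain truncated line without PRI or structured data
"""

def parse_juniper_line(line):
    """Return header fields and structured data as a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if m is None or int(m["pri"]) > 191:  # 191 = facility 23, severity 7
        return None
    facility, severity = int(m["pri"]) >> 3, int(m["pri"]) & 7
    return {
        "facility": facility, "severity": severity,
        "data_type": DATA_TYPE_BY_FACILITY.get(facility, "unknown"),
        "timestamp": m["timestamp"], "host": m["host"],
        "app": m["app"], "msgid": m["msgid"],
        "params": dict(PARAM_RE.findall(m["params"])),
        "text": m["text"] or "",
    }

def parse_log(text):
    """Split parsed records from lines that do not match the expected format."""
    records, rejected = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        rec = parse_juniper_line(line)
        (records if rec else rejected).append(rec or line)
    return records, rejected
```

Lines that end up in `rejected` usually point to a collector that strips the PRI or rewrites the header, which is worth fixing before the logs are shared.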