Overview

Juniper Firewalls support next-generation firewall capabilities such as intrusion prevention, application visibility and control, and content security features that include anti-virus, anti-spam, and Web filtering.

Integrating your Juniper Firewall logs into Hunters enables ingestion of the logs, as well as detection, advanced investigation, and correlation across them.

Supported data types

  • Juniper User Logs - Actions performed or errors encountered by user-space processes.

  • Juniper Interactive Command Logs - Commands issued at the Junos OS command-line interface (CLI) prompt or by a client application such as a Junos XML protocol or NETCONF XML client.

Hunters Integration

In order to integrate your Juniper logs into Hunters, the logs need to be collected from your network to a Storage Service (e.g. an S3 bucket or Azure Blob Storage) that is shared with Hunters.

Expected Format

Juniper User Logs Example:

<12>Jun 29 20:54:32 10.101.1.45 vpn.vpn.domain 1 2022-06-29T20:54:50.699-07:00 vpn.domain junos-alg - RT_ALG_WRN_CFG_NEED [junos@2636.1.1.1.2.105 name="MSRPC" message="detected packet from 10.101.1.45/50734 which need extra policy config with UUID:12345678-XXXXXX or 'junos-ms-rpc-any' to let it pass-through on ASL session"]

<11>Jun 29 20:34:21 10.101.1.45 vpn.domain 1 2022-06-29T20:34:39.030-07:00 vpn.domain RT_IPSEC - RT_IPSEC_REPLAY [junos@2636.1.1.1.2.105 interface-name="reth0.0" tunnel-id="2012e" source-address="10.101.1.45" destination-address="10.101.1.45" length="83" type="ESP" index="474fb470" sequence-number="2f2c"]

<10>Jun 29 21:00:29 10.101.1.45 vpn.domain 1 2022-06-29T21:00:47.850-07:00 vpn.domain PERF_MON - RTPERF_CPU_THRESHOLD_EXCEEDED [junos@2636.1.1.1.2.105 fpc-slot="0" pic-slot="2" current-value="87"] FPC 0 PIC 2 CPU utilization exceeds threshold, current value = 87

<14>Jun 29 20:54:49 10.101.1.45 vpn01.shared.sac.corp.elmae 1 2022-06-29T20:54:48.824-07:00 vpn01.shared.sac RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.137 reason="idle Timeout" source-address="10.101.1.45" source-port="32953" destination-address="10.101.1.45" destination-port="123" connection-tag="0" service-name="junos-ntp" nat-source-address="10.101.1.45" nat-source-port="32953" nat-destination-address="10.101.1.45" nat-destination-port="123" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="aws-dc-standard-policy(global)" source-zone-name="shared-vpn" destination-zone-name="vpn-fffffffffff" source-vrf-name="N/A" destination-vrf-name="N/A" session-id-32="854772" packets-from-client="1" bytes-from-client="76" packets-from-server="1" bytes-from-server="76" elapsed-time="59" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth1.0" encrypted="UNKNOWN"]

Juniper Interactive Command Logs Example:

<190>Jun 29 20:25:03 10.101.1.45 vpn.domain 1 2022-06-29T20:25:03.602-07:00 vpn.domain mgd 35234 UI_LOGIN_EVENT [junos@2636.1.1.1.2.137 username="sw-ncm" class-name="j-RW-CLASS" local-peer="" pid="35234" ssh-connection="10.101.1.45 52836 10.101.1.45 22" client-mode="cli"] User 'sw-ncm' login, class 'j-RW-CLASS' [35234], ssh-connection '10.101.1.45 52836 10.101.1.45 22', client-mode 'cli'
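The example lines above all share one layout: a relay prefix ("<PRI>Mon DD HH:MM:SS relay-ip relay-host"), an RFC 5424 style header ("1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID"), the Junos structured-data element ("[junos@OID key="value" ...]") and, for some events, a trailing free-text message. The parser below is an added example written for this page; it is not part of the Hunters documentation or of any Juniper tool. It assumes exactly that layout, treats "-" in the PROCID slot as the RFC 5424 nil value, unescapes the backslash escapes RFC 5424 allows inside a parameter value, and rejects lines that do not carry a Junos structured-data element instead of guessing at them. The sample input is the four example lines above plus one constructed, malformed line.

```python
"""Parser for Juniper (Junos OS) structured-data syslog lines.

Added example; not part of the Hunters documentation or of any Juniper tool.
Assumes the wire format shown on the page: a relay prefix
("<PRI>Mon DD HH:MM:SS relay-ip relay-host"), an RFC 5424 style header
("1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID"), the Junos structured-data
element ("[junos@OID key="value" ...]") and an optional free-text message.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                            # syslog PRI
    r"(?P<relay_time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "  # relay timestamp
    r"(?P<relay_ip>\S+) (?P<relay_host>\S+) "                         # relay-added source
    r"(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "         # RFC 5424 header
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"\[junos@(?P<oid>[\d.]+)"                                        # SD-ID of the Junos element
)
# One SD-PARAM; RFC 5424 escapes '"', '\' and ']' inside a value with a backslash.
PARAM_RE = re.compile(r' (?P<key>[\w.-]+)="(?P<value>(?:[^"\\]|\\.)*)"')


@dataclass
class JuniperEvent:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    app: str
    procid: Optional[str]
    msgid: str
    oid: str
    params: Dict[str, str] = field(default_factory=dict)
    message: Optional[str] = None


def parse_line(line: str) -> JuniperEvent:
    """Parse one log line; raise ValueError for anything that is not this format."""
    line = line.rstrip("\r\n")
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a Junos structured-data line: {line[:60]!r}")
    params: Dict[str, str] = {}
    pos = m.end()
    while True:  # consume key="value" pairs until the closing ']'
        p = PARAM_RE.match(line, pos)
        if not p:
            break
        params[p["key"]] = re.sub(r"\\(.)", r"\1", p["value"])  # drop RFC 5424 escapes
        pos = p.end()
    if pos >= len(line) or line[pos] != "]":
        raise ValueError(f"unterminated structured-data element at offset {pos}")
    pri = int(m["pri"])
    return JuniperEvent(
        facility=pri // 8,          # PRI = facility * 8 + severity
        severity=pri % 8,
        timestamp=m["timestamp"],
        hostname=m["hostname"],
        app=m["app"],
        procid=None if m["procid"] == "-" else m["procid"],  # "-" is the RFC 5424 nil value
        msgid=m["msgid"],
        oid=m["oid"],
        params=params,
        message=line[pos + 1:].strip() or None,
    )


def parse_lines(lines: List[str]) -> Tuple[List[JuniperEvent], List[Tuple[str, str]]]:
    """Parse a batch; malformed lines are collected with the reason, not dropped silently."""
    events, rejected = [], []
    for line in lines:
        try:
            events.append(parse_line(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return events, rejected


# The four example lines from the page, followed by one constructed line (no Junos
# structured-data element) to show how a non-conforming record is reported.
SAMPLE_LINES = r'''<12>Jun 29 20:54:32 10.101.1.45 vpn.vpn.domain 1 2022-06-29T20:54:50.699-07:00 vpn.domain junos-alg - RT_ALG_WRN_CFG_NEED [junos@2636.1.1.1.2.105 name="MSRPC" message="detected packet from 10.101.1.45/50734 which need extra policy config with UUID:12345678-XXXXXX or 'junos-ms-rpc-any' to let it pass-through on ASL session"]
<10>Jun 29 21:00:29 10.101.1.45 vpn.domain 1 2022-06-29T21:00:47.850-07:00 vpn.domain PERF_MON - RTPERF_CPU_THRESHOLD_EXCEEDED [junos@2636.1.1.1.2.105 fpc-slot="0" pic-slot="2" current-value="87"] FPC 0 PIC 2 CPU utilization exceeds threshold, current value = 87
<14>Jun 29 20:54:49 10.101.1.45 vpn01.shared.sac.corp.elmae 1 2022-06-29T20:54:48.824-07:00 vpn01.shared.sac RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.137 reason="idle Timeout" source-address="10.101.1.45" source-port="32953" destination-address="10.101.1.45" destination-port="123" connection-tag="0" service-name="junos-ntp" nat-source-address="10.101.1.45" nat-source-port="32953" nat-destination-address="10.101.1.45" nat-destination-port="123" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="aws-dc-standard-policy(global)" source-zone-name="shared-vpn" destination-zone-name="vpn-fffffffffff" source-vrf-name="N/A" destination-vrf-name="N/A" session-id-32="854772" packets-from-client="1" bytes-from-client="76" packets-from-server="1" bytes-from-server="76" elapsed-time="59" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth1.0" encrypted="UNKNOWN"]
<190>Jun 29 20:25:03 10.101.1.45 vpn.domain 1 2022-06-29T20:25:03.602-07:00 vpn.domain mgd 35234 UI_LOGIN_EVENT [junos@2636.1.1.1.2.137 username="sw-ncm" class-name="j-RW-CLASS" local-peer="" pid="35234" ssh-connection="10.101.1.45 52836 10.101.1.45 22" client-mode="cli"] User 'sw-ncm' login, class 'j-RW-CLASS' [35234], ssh-connection '10.101.1.45 52836 10.101.1.45 22', client-mode 'cli'
<13>Jun 29 20:00:00 10.101.1.45 vpn.domain last message repeated 2 times'''.splitlines()


if __name__ == "__main__":
    events, rejected = parse_lines(SAMPLE_LINES)
    for e in events:
        print(f"{e.timestamp} {e.hostname} fac={e.facility} sev={e.severity} {e.msgid} "
              f"user={e.params.get('username', '-')} msg={e.message!r}")
    for _line, why in rejected:
        print("rejected:", why)
```

Running the block prints one summary line per parsed event (the RT_FLOW session close carries its username in the structured data, the UI_LOGIN_EVENT in both the structured data and the trailing message) and one "rejected" line for the constructed record, which is the behaviour you want from an ingestion stage: a line the parser cannot account for should surface as a parse failure rather than become an event with half its fields missing.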