Normally, one would enable logging on each security policy individually. If you have hundreds of policies and want (or need) logging for troubleshooting, it takes a while (and some serious effort) to enable this on every policy.
root@srx# show security policies
from-zone Trust to-zone Untrust {
    policy allow-outbound {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone Untrust to-zone Trust {
    policy allow-web {
        match {
            source-address any;
            destination-address www;
            application junos-http;
        }
        then {
            permit;
        }
    }
}
If you have a Juniper SRX firewall, this can be done with apply-groups: create a group whose wildcard (<*>) entries match every zone pair and every policy, then apply it at the security policies level.
First, create the group:
groups {
    global-logging {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy <*> {
                        then {
                            log {
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }
}
Then apply the group to the security policies hierarchy:
root@srx# set security policies apply-groups global-logging
The result can be verified with the display inheritance option, which shows the inherited statements inline and annotates where each one came from:
root@srx# show security policies | display inheritance
apply-groups global-logging
from-zone Trust to-zone Untrust {
    policy allow-outbound {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            ##
            ## 'log' was inherited from group 'global-logging'
            ##
            log {
                ##
                ## 'session-init' was inherited from group 'global-logging'
                ##
                session-init;
            }
        }
    }
}
from-zone Untrust to-zone Trust {
    policy allow-web {
        match {
            source-address any;
            destination-address www;
            application junos-http;
        }
        then {
            permit;
            ##
            ## 'log' was inherited from group 'global-logging'
            ##
            log {
                ##
                ## 'session-init' was inherited from group 'global-logging'
                ##
                session-init;
            }
        }
    }
}
If there are a few policies that you want to exclude from the apply-group inheritance (a very chatty backup policy, for example), you can use the apply-groups-except statement on those specific policies. Keep in mind that every excluded policy is a blind spot in your session logs, so it is worth checking the display inheritance output after the change to confirm that only the intended policies lost their log statement.
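The following is an added example, not part of the original post: a small Python script that parses the output of show security policies | display inheritance and reports which policies did not end up with log session-init, for instance because they were excluded with apply-groups-except. The sample input is constructed for this example; it follows the shape of the output above and adds a hypothetical policy named noisy-backup that was excluded from the group. The parser only handles the curly-brace display format (it ignores the ## annotation lines), so feed it the inheritance view rather than display set output.

```python
from typing import Dict, List

# Constructed sample input (not real device output): the inheritance view from
# the post, plus a hypothetical excluded policy 'noisy-backup' with no log stanza.
SAMPLE = """\
apply-groups global-logging
from-zone Trust to-zone Untrust {
    policy allow-outbound {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            ##
            ## 'log' was inherited from group 'global-logging'
            ##
            log {
                ##
                ## 'session-init' was inherited from group 'global-logging'
                ##
                session-init;
            }
        }
    }
    policy noisy-backup {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone Untrust to-zone Trust {
    policy allow-web {
        match {
            source-address any;
            destination-address www;
            application junos-http;
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
}
"""


def parse_junos(text: str) -> dict:
    """Parse curly-brace Junos configuration text into nested dicts.

    A line ending in '{' opens a child block keyed by its header; a line
    ending in ';' (or a bare keyword line) becomes a leaf mapped to None;
    '##' annotation lines from 'display inheritance' are skipped.
    """
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue
        if line.endswith("{"):
            child: dict = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        else:
            stack[-1][line.rstrip(";").strip()] = None
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration text")
    return root


def audit_policy_logging(text: str) -> Dict[str, bool]:
    """Map 'from-zone A to-zone B / policy NAME' to whether 'log session-init' is present."""
    result: Dict[str, bool] = {}
    for ctx, body in parse_junos(text).items():
        if body is None or not ctx.startswith("from-zone "):
            continue
        for name, pol in body.items():
            if pol is None or not name.startswith("policy "):
                continue
            then = pol.get("then") or {}
            log = then.get("log") or {}
            result[f"{ctx} / {name}"] = "session-init" in log
    return result


def unlogged_policies(text: str) -> List[str]:
    """Return the sorted list of policies that would produce no session-init logs."""
    return sorted(k for k, ok in audit_policy_logging(text).items() if not ok)


if __name__ == "__main__":
    for policy in unlogged_policies(SAMPLE):
        print("no session-init logging:", policy)
```

Running it against the sample lists only the excluded noisy-backup policy; on a real device, paste the full inheritance output into the script in place of SAMPLE and treat any policy it reports as something that either needs the exception reviewed or the log statement added back.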