Logging
This scenario shows how to configure the logging options to retrieve useful information from the intercepted traffic.
Test Traffic-Proxy Logging
Description
This example demonstrates how to enable the service logging configuration and what commands can be used to display information about intercepted traffic.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces eth0 traffic policy in TPROXY
set interfaces eth0 address 192.168.1.1/24
set interfaces eth0 tcp-mss 1400
set interfaces eth1.100 address 10.0.0.1/24
set interfaces eth1.100 tcp-mss 1400
set traffic policy TPROXY rule 5 selector TCP_TRAFFIC
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic selector TCP_TRAFFIC rule 1 protocol tcp
set traffic selector TCP_TRAFFIC rule 1 destination port 80,443,8080,4430
set service traffic-proxy TRAFFIC_PROXY mode ssl
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert running://test.crt
set service traffic-proxy TRAFFIC_PROXY x509 ca-key running://test.key
set service traffic-proxy TRAFFIC_PROXY logging connection
set service traffic-proxy TRAFFIC_PROXY logging content
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set protocols static route 0.0.0.0/0 next-hop 10.0.0.1
Step 4: Ping IP address 10.0.0.2 from DUT1:
admin@DUT1$ ping 10.0.0.2 count 1 size 56 timeout 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=0.935 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.935/0.935/0.935/0.000 ms
Step 5: Ping IP address 192.168.1.2 from DUT2:
admin@DUT2$ ping 192.168.1.2 count 1 size 56 timeout 1
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=0.690 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.690/0.690/0.690/0.000 ms
Step 6: Initiate an SSL connection from DUT1 to DUT2 and try to send some messages between both endpoints:
admin@DUT2$ monitor test connection server 443 ssl cert running://test.crt key running://test.key
admin@DUT1$ monitor test connection client 10.0.0.2 443 ssl source-port 1234
Step 7: Run command service traffic-proxy TRAFFIC_PROXY show stats at DUT0 and check that the output does not match the following regular expression:
intercepted\s+0\s+0
Statistics for instance "TRAFFIC_PROXY":
-----------------------------
name            packets  bytes
-----------------------------
queue - reply   0        0
queue - orig    0        0
intercepted     11       1060
error           0        0
Step 8: Run command service traffic-proxy TRAFFIC_PROXY show connections at DUT0 and check that the output matches the following regular expression:
ssl 192.168.1\.2 1234 10.0.0\.2 443
2024-06-20 18:17:57 UTC CONN: ssl 192.168.1.2 1234 10.0.0.2 443 sni:- names:Server sproto:TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384 dproto:TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384 origcrt:97F06845892A88C60C6B3996FBEEF9AD273DD4AD usedcrt:7FDC19BDF7D09B74880C16E9FCEA9BD2F21B2191 user:-
Step 9: Run command service traffic-proxy TRAFFIC_PROXY show content at DUT0 and check that the output contains the following token:
Hello from server
2024-06-20 18:17:58 UTC [192.168.1.2]:1234 -> [10.0.0.2]:443 (20): Hello from client 0
2024-06-20 18:17:58 UTC [10.0.0.2]:443 -> [192.168.1.2]:1234 (20): Hello from server 0
2024-06-20 18:17:58 UTC [192.168.1.2]:1234 -> [10.0.0.2]:443 (EOF)
Step 10: Run command service traffic-proxy TRAFFIC_PROXY show flows at DUT0 and check that the output matches the following regular expression:
192.168.1\.2\s+10.0.0\.2\s+1234\s+443
Recent flow entries for instance "TRAFFIC_PROXY":
-----------------------------------------
src addr      dst addr    src port  dst port
-----------------------------------------
192.168.1.2   10.0.0.2    1234      443
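The checks in Steps 7 to 10 are easy to automate once the four show outputs are parsed into fields. The script below is an added example, not part of this page or of the product's own tooling: it embeds the DUT0 outputs shown above (the values are the page's own; the line breaks and column spacing, which the page flattens, are reconstructed), parses them, and applies the scenario's regular-expression and token checks. It also adds one check of its own, that the logged ssl connection shows a usedcrt fingerprint different from origcrt, which is what the output above shows for a connection the proxy has intercepted and re-signed.

```python
import re

# Sample outputs copied from Steps 7 to 10 of this scenario (DUT0). The page
# flattens the device output; line breaks and column spacing are reconstructed
# here, the values are the page's own.
STATS_OUTPUT = """\
Statistics for instance "TRAFFIC_PROXY":
-----------------------------
name            packets  bytes
-----------------------------
queue - reply   0        0
queue - orig    0        0
intercepted     11       1060
error           0        0
"""
CONNECTIONS_OUTPUT = (
    "2024-06-20 18:17:57 UTC CONN: ssl 192.168.1.2 1234 10.0.0.2 443 sni:- names:Server "
    "sproto:TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384 dproto:TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384 "
    "origcrt:97F06845892A88C60C6B3996FBEEF9AD273DD4AD "
    "usedcrt:7FDC19BDF7D09B74880C16E9FCEA9BD2F21B2191 user:-\n"
)
CONTENT_OUTPUT = """\
2024-06-20 18:17:58 UTC [192.168.1.2]:1234 -> [10.0.0.2]:443 (20): Hello from client 0
2024-06-20 18:17:58 UTC [10.0.0.2]:443 -> [192.168.1.2]:1234 (20): Hello from server 0
2024-06-20 18:17:58 UTC [192.168.1.2]:1234 -> [10.0.0.2]:443 (EOF)
"""
FLOWS_OUTPUT = """\
Recent flow entries for instance "TRAFFIC_PROXY":
-----------------------------------------
src addr      dst addr    src port  dst port
-----------------------------------------
192.168.1.2   10.0.0.2    1234      443
"""

# Counter rows: a name (possibly containing spaces) followed by two integers.
STAT_RE = re.compile(r"^(\S+(?: \S+)*?)\s+(\d+)\s+(\d+)\s*$")
CONN_RE = re.compile(r"^(?P<ts>\S+ \S+ UTC) CONN: (?P<proto>\S+) (?P<src>\S+) "
                     r"(?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)(?P<attrs>.*)$")
CONTENT_RE = re.compile(r"^\S+ \S+ UTC \[(?P<src>[^\]]+)\]:(?P<sport>\d+) -> "
                        r"\[(?P<dst>[^\]]+)\]:(?P<dport>\d+) \((?P<size>\d+|EOF)\)"
                        r"(?:: (?P<payload>.*))?$")
FLOW_RE = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)\s+(\d+)\s*$")


def parse_stats(text):
    """Map each counter name in 'show stats' output to (packets, bytes)."""
    rows = (STAT_RE.match(line) for line in text.splitlines())
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in rows if m}


def parse_connections(text):
    """Parse 'show connections' CONN lines, including the trailing key:value attributes."""
    conns = []
    for m in filter(None, map(CONN_RE.match, text.splitlines())):
        conn = {k: m.group(k) for k in ("ts", "proto", "src", "dst")}
        conn["sport"], conn["dport"] = int(m.group("sport")), int(m.group("dport"))
        # sproto/dproto values contain ':' themselves, so keep the whole token as the value.
        conn.update(re.findall(r"(\w+):(\S+)", m.group("attrs")))
        conns.append(conn)
    return conns


def parse_content(text):
    """Parse 'show content' records; size and payload are None on the EOF marker."""
    records = []
    for m in filter(None, map(CONTENT_RE.match, text.splitlines())):
        eof = m.group("size") == "EOF"
        records.append({"src": f"{m['src']}:{m['sport']}", "dst": f"{m['dst']}:{m['dport']}",
                        "size": None if eof else int(m["size"]),
                        "payload": None if eof else m["payload"]})
    return records


def parse_flows(text):
    """Return (src addr, dst addr, src port, dst port) tuples from 'show flows'."""
    return [(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))
            for m in map(FLOW_RE.match, text.splitlines()) if m]


def check_scenario(stats_text, conns_text, content_text, flows_text):
    """Apply the Step 7 to 10 checks from the scenario; an empty list means pass."""
    failures = []
    if re.search(r"intercepted\s+0\s+0", stats_text):  # Step 7: output must NOT match
        failures.append("step 7: no packets were intercepted")
    if not re.search(r"ssl 192.168.1\.2 1234 10.0.0\.2 443", conns_text):  # Step 8
        failures.append("step 8: expected ssl connection not logged")
    if "Hello from server" not in content_text:  # Step 9: token must be present
        failures.append("step 9: server payload not captured")
    if not re.search(r"192.168.1\.2\s+10.0.0\.2\s+1234\s+443", flows_text):  # Step 10
        failures.append("step 10: flow entry missing")
    # Added check: an intercepted ssl connection should show a re-signed
    # certificate, i.e. usedcrt different from origcrt, as in the page's output.
    for c in parse_connections(conns_text):
        if c["proto"] == "ssl" and c.get("origcrt") == c.get("usedcrt"):
            failures.append(f"connection {c['src']}:{c['sport']} not re-signed")
    return failures
```

Feed the script the live output of the four show commands instead of the embedded samples to turn it into a post-deployment check; an empty list from check_scenario means the proxy is intercepting, logging connections and content, and presenting its own certificate to the client.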
Attention
The previous commands can be used to retrieve a great deal of information about intercepted traffic. If, for some reason, traffic does not seem to be intercepted properly, it can be useful to enable logging in the traffic policy. This is achieved by running set traffic policy <NAME> rule 1 log prefix <PREFIX>. After generating some traffic, the system journal monitor command can be used to review the log messages.