Logging

This scenario shows how to configure the logging options to retrieve useful information from the intercepted traffic.


Test Traffic-Proxy Logging

Description

This example demonstrates how to enable the service logging configuration and what commands can be used to display information about intercepted traffic.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces eth0.100 traffic policy in TPROXY
set interfaces eth0.100 address 10.0.0.1/24
set interfaces eth0.100 tcp-mss 1400
set interfaces eth1.200 address 192.168.1.1/24
set interfaces eth1.200 tcp-mss 1400
set traffic policy TPROXY rule 5 selector TCP_TRAFFIC
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic selector TCP_TRAFFIC rule 1 protocol tcp
set traffic selector TCP_TRAFFIC rule 1 destination port 80,443,8080,4430
set service traffic-proxy TRAFFIC_PROXY mode ssl
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert running://test.crt
set service traffic-proxy TRAFFIC_PROXY x509 ca-key running://test.key
set service traffic-proxy TRAFFIC_PROXY logging connection
set service traffic-proxy TRAFFIC_PROXY logging content

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set protocols static route 0.0.0.0/0 next-hop 10.0.0.1

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth0 vif 200 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1

Step 4: Ping IP address 192.168.1.2 from DUT1:

admin@DUT1$ ping 192.168.1.2 count 1 size 56 timeout 1

PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=0.805 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.805/0.805/0.805/0.000 ms

Step 5: Ping IP address 10.0.0.2 from DUT2:

admin@DUT2$ ping 10.0.0.2 count 1 size 56 timeout 1

PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=0.522 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.522/0.522/0.522/0.000 ms

Step 6: Initiate an SSL connection from DUT1 to DUT2 and send some messages between both endpoints:

admin@DUT2$ monitor test connection server 443 ssl cert running://test.crt key running://test.key
admin@DUT1$ monitor test connection client 192.168.1.2 443 ssl source-port 1234

Step 7: Run command service traffic-proxy TRAFFIC_PROXY show stats at DUT0 and check that the output does not match the following regular expression:

intercepted\s+0\s+0

Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
queue - reply        0      0
queue - orig         0      0
intercepted         13   1138
error                0      0

Step 8: Run command service traffic-proxy TRAFFIC_PROXY show connections at DUT0 and check that the output matches the following regular expression:

ssl 10.0.0\.2 1234 192.168.1\.2 443

2023-12-13 00:27:57 UTC CONN: ssl 10.0.0.2 1234 192.168.1.2 443 sni:- names:Server sproto:TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384 dproto:TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384 origcrt:1F90CACDC630E2FE353AD2893E17EA1DF7B8A093 usedcrt:002409437F449D71C9AF38CE7BD110E6388E1BEB user:-

Step 9: Run command service traffic-proxy TRAFFIC_PROXY show content at DUT0 and check that the output contains the following token:

Hello from server

2023-12-13 00:27:58 UTC [10.0.0.2]:1234 -> [192.168.1.2]:443 (18):
Hello from client
2023-12-13 00:27:58 UTC [192.168.1.2]:443 -> [10.0.0.2]:1234 (18):
Hello from server
2023-12-13 00:27:58 UTC [10.0.0.2]:1234 -> [192.168.1.2]:443 (EOF)

Step 10: Run command service traffic-proxy TRAFFIC_PROXY show flows at DUT0 and check that the output matches the following regular expression:

10.0.0\.2\s+192.168.1\.2\s+1234\s+443

Recent flow entries for instance "TRAFFIC_PROXY":

-----------------------------------------
src addr  dst addr     src port  dst port
-----------------------------------------
10.0.0.2  192.168.1.2      1234       443
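
The checks in steps 7 and 8 can be automated by parsing the show stats table and the show connections CONN record instead of matching regular expressions over raw text. The following script is an added example, not part of the original scenario or of the router software; its sample inputs are constructed copies of the outputs shown above, and the field names (sni, sproto, dproto, origcrt, usedcrt, user) are taken from that CONN line.

```python
import re
# Constructed sample outputs, modelled on the "show stats" and "show connections" output above.
STATS_OUTPUT = """Statistics for instance "TRAFFIC_PROXY":
name           packets  bytes
-----------------------------
queue - reply        0      0
queue - orig         0      0
intercepted         13   1138
"""
CONN_LINE = ("2023-12-13 00:27:57 UTC CONN: ssl 10.0.0.2 1234 192.168.1.2 443 sni:- names:Server "
             "sproto:TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384 dproto:TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384 "
             "origcrt:1F90CACDC630E2FE353AD2893E17EA1DF7B8A093 "
             "usedcrt:002409437F449D71C9AF38CE7BD110E6388E1BEB user:-")
STAT_ROW = re.compile(r"^(?P<name>\S.*?)\s+(?P<packets>\d+)\s+(?P<bytes>\d+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) CONN: (?P<proto>\S+) (?P<src>\S+) "
                     r"(?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)(?P<attrs>(?: \S+)*)$")

def parse_stats(output: str) -> dict:
    """Map each counter name to (packets, bytes); the header and separator rows do not match."""
    rows = {}
    for line in output.splitlines():
        if m := STAT_ROW.match(line.rstrip()):
            rows[m["name"]] = (int(m["packets"]), int(m["bytes"]))
    return rows

def proxy_is_intercepting(output: str) -> bool:
    """Step 7 check: the 'intercepted' row must not read 0 packets / 0 bytes."""
    packets, nbytes = parse_stats(output).get("intercepted", (0, 0))
    return packets > 0 and nbytes > 0

def parse_conn_line(line: str) -> dict:
    """Split a CONN record into its fixed fields plus key:value attributes."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError("not a CONN record: " + line)
    conn = {k: m[k] for k in ("ts", "proto", "src", "dst")}
    conn["sport"], conn["dport"] = int(m["sport"]), int(m["dport"])
    for token in m["attrs"].split():
        key, _, value = token.partition(":")  # sproto/dproto values contain ':' themselves
        conn[key] = None if value == "-" else value  # '-' means absent, e.g. no SNI sent
    return conn

def flow_matches(conn: dict, src: str, sport: int, dst: str, dport: int) -> bool:
    """Step 8 check done on parsed fields instead of a regex over the raw line."""
    return (conn["src"], conn["sport"], conn["dst"], conn["dport"]) == (src, sport, dst, dport)

def proxy_resigned_cert(conn: dict) -> bool:
    """usedcrt differs from origcrt when the proxy presented its own certificate (signed
    with the configured ca-cert/ca-key) to the client instead of the server's."""
    return conn.get("origcrt") is not None and conn["origcrt"] != conn.get("usedcrt")
```

A usedcrt fingerprint that differs from origcrt is the expected evidence that the SSL interception itself, and not only the TCP redirection, is in effect.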

Attention

The previous commands retrieve a good deal of information about intercepted traffic. If traffic does not seem to be intercepted properly, enabling logging in the traffic policy can help: run set traffic policy <NAME> rule 1 log prefix <PREFIX>. After generating some traffic, use the system journal monitor command to review the log messages.