Logging

This scenario shows how to configure the logging options to retrieve useful information from the intercepted traffic.


Test Traffic-Proxy Logging

Description

This example demonstrates how to enable the service logging configuration and what commands can be used to display information about intercepted traffic.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 vif 100 address 192.168.1.1/24
set interfaces ethernet eth0 vif 100 traffic policy in TPROXY
set interfaces ethernet eth1 vif 200 address 10.0.0.1/24
set service traffic-proxy TRAFFIC_PROXY logging connection
set service traffic-proxy TRAFFIC_PROXY logging content
set service traffic-proxy TRAFFIC_PROXY mode ssl
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert 'running://test.crt'
set service traffic-proxy TRAFFIC_PROXY x509 ca-key 'running://test.key'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic policy TPROXY rule 5 selector TCP_TRAFFIC
set traffic selector TCP_TRAFFIC rule 1 destination port 80,443,8080,4430
set traffic selector TCP_TRAFFIC rule 1 protocol tcp

Step 2: Set the following configuration in DUT1 :

set interfaces ethernet eth0 vif 100 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2 :

set interfaces ethernet eth0 vif 200 address 10.0.0.2/24
set protocols static route 0.0.0.0/0 next-hop 10.0.0.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping IP address 10.0.0.2 from DUT1:

admin@DUT1$ ping 10.0.0.2 count 1 size 56 timeout 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=0.664 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.664/0.664/0.664/0.000 ms

Step 5: Ping IP address 192.168.1.2 from DUT2:

admin@DUT2$ ping 192.168.1.2 count 1 size 56 timeout 1
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=0.252 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.252/0.252/0.252/0.000 ms

Step 6: Initiate an SSL connection from DUT1 to DUT2 and try to send some messages between both endpoints:

admin@DUT2$ monitor test connection server 443 ssl cert running://test.crt key running://test.key
admin@DUT1$ monitor test connection client 10.0.0.2 443 ssl source-port 1234

Step 7: Run command service traffic-proxy TRAFFIC_PROXY show stats at DUT0 and check that the output does not match the following regular expressions:

intercepted\s+0\s+0
Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
queue - reply        0      0
queue - orig         0      0
intercepted         14   1277
error                0      0

Step 8: Run command service traffic-proxy TRAFFIC_PROXY show connections at DUT0 and check that the output matches the following regular expressions:

ssl 192.168.1\.2 1234 10.0.0\.2 443
2025-01-10 13:04:59 UTC CONN: ssl 192.168.1.2 1234 10.0.0.2 443 sni:10.0.0.2 names:Server sproto:TLSv1.3:TLS_AES_256_GCM_SHA384 dproto:TLSv1.3:TLS_AES_256_GCM_SHA384 origcrt:0A8EF4CFDEFC7A76593CFD6D924A06B5D12C1FEA usedcrt:A8EB2AFC02D22741D13AB32CD249D5150569D5F9 user:-

Step 9: Run command service traffic-proxy TRAFFIC_PROXY show content at DUT0 and check that the output contains the following tokens:

Hello from server
2025-01-10 13:05:00 UTC [192.168.1.2]:1234 -> [10.0.0.2]:443 (20):
Hello from client 0
2025-01-10 13:05:00 UTC [10.0.0.2]:443 -> [192.168.1.2]:1234 (20):
Hello from server 0
2025-01-10 13:05:00 UTC [192.168.1.2]:1234 -> [10.0.0.2]:443 (EOF)

Step 10: Run command service traffic-proxy TRAFFIC_PROXY show flows at DUT0 and check that the output matches the following regular expressions:

192.168.1\.2\s+10.0.0\.2\s+1234\s+443
Recent flow entries for instance "TRAFFIC_PROXY":

-----------------------------------------
src addr     dst addr  src port  dst port
-----------------------------------------
192.168.1.2  10.0.0.2      1234       443
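To automate the checks of Steps 8 and 9, the following added Python example (not part of this scenario or of the product's own tooling) parses one show connections entry and the show content output into records and flags an entry whose usedcrt equals origcrt. The field names are taken from the output shown above; that a CA-based interception always yields two different fingerprints is an assumption of the example.

```python
import re

CONN_LOG = (  # Step 8 output above, used here as constructed sample input
    "2025-01-10 13:04:59 UTC CONN: ssl 192.168.1.2 1234 10.0.0.2 443 sni:10.0.0.2 names:Server "
    "sproto:TLSv1.3:TLS_AES_256_GCM_SHA384 dproto:TLSv1.3:TLS_AES_256_GCM_SHA384 origcrt:"
    "0A8EF4CFDEFC7A76593CFD6D924A06B5D12C1FEA usedcrt:A8EB2AFC02D22741D13AB32CD249D5150569D5F9 user:-")
CONTENT_LOG = """2025-01-10 13:05:00 UTC [192.168.1.2]:1234 -> [10.0.0.2]:443 (20):
Hello from client 0
2025-01-10 13:05:00 UTC [10.0.0.2]:443 -> [192.168.1.2]:1234 (20):
Hello from server 0
2025-01-10 13:05:00 UTC [192.168.1.2]:1234 -> [10.0.0.2]:443 (EOF)"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC)"
CONN_RE = re.compile(TS + r" CONN: (?P<proto>\S+) (?P<src>\S+) (?P<sport>\d+) "
                     r"(?P<dst>\S+) (?P<dport>\d+)(?P<attrs>(?: \S+)*)$")
HDR_RE = re.compile(TS + r" \[(?P<src>[^\]]+)\]:(?P<sport>\d+) -> \[(?P<dst>[^\]]+)\]:"
                    r"(?P<dport>\d+) \((?P<len>\d+|EOF)\):?$")

def parse_conn(line):
    """One 'show connections' entry -> dict with the 5-tuple plus the key:value attributes."""
    m = CONN_RE.match(line.strip())
    if not m: return None
    # attribute values may contain colons themselves (TLSv1.3:CIPHER), so split on the first one only
    attrs = dict(tok.partition(":")[::2] for tok in m["attrs"].split())
    return {"proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), **attrs}

def parse_content(text):
    """Group 'show content' lines into per-direction records carrying their payload."""
    out, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HDR_RE.match(lines[i]); i += 1
        if not m: continue
        rec = {"src": f"{m['src']}:{m['sport']}", "dst": f"{m['dst']}:{m['dport']}",
               "eof": m["len"] == "EOF", "payload": ""}
        if not rec["eof"]:
            want, buf = int(m["len"]), ""  # the header length counts the trailing newline
            while i < len(lines) and len(buf.encode()) < want:
                buf += lines[i] + "\n"; i += 1
            rec["payload"] = buf
        out.append(rec)
    return out

def check_intercepted(c, src, dst, dport):
    """Findings for one connection entry; an empty list means it looks correctly intercepted."""
    f = [] if (c["proto"], c["src"], c["dst"], c["dport"]) == ("ssl", src, dst, dport) else ["unexpected tuple or mode"]
    # assumption: with a CA under x509 ca-cert/ca-key the client receives a re-signed certificate, so the fingerprints differ
    if c.get("usedcrt") == c.get("origcrt"):
        f.append("usedcrt == origcrt: certificate was not re-signed")
    return f
```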

Attention

The previous commands can be used to retrieve a great deal of information about intercepted traffic. If, for some reason, traffic does not seem to be properly intercepted, it can be useful to enable logging in the traffic policy. This can be achieved by running set traffic policy <NAME> rule 1 log prefix <PREFIX>. After generating some traffic, the system journal monitor command can be used to review the log messages.