Fri, Dec 26, 2008 7:24 pm

Send NetScreen Traffic Log to a TFTP Server

You can view the traffic log from a NetScreen firewall using the get log traffic command. If you run it from the CLI over a console or SSH connection, you will need to hit a key at the more prompt to page through the output. You can hit q to stop paging.

But rather than page through it by the above method, you can also transfer the contents of the log to a TFTP server. Instructions for setting up a TFTP server on a Linux system can be found at Setting Up a Linux TFTP Server.

To redirect the output to a TFTP server, use the command get log traffic > tftp <IP Address> <filename>, substituting the IP address of the TFTP server for <IP Address> and the name of the file you want to write to on the TFTP server for <filename>. For example, the command below would store the log file on a TFTP server at IP address 192.168.0.5 in the file NetScreen-log.txt. Note: the file NetScreen-log.txt must already exist on the server, though it may be an empty file prior to transfer of the log file from the NetScreen firewall.

ns5gt-> get log traffic > tftp 192.168.0.5 NetScreen-log.txt
redirect to 192.168.2.5,NetScreen-log.txt
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
tftp transferred records = 1308
tftp success!

If you see a tftp timeout max error message followed by a tftp abort message, firewall software on the TFTP server may be blocking the file transfer. If you see a !rcv tftp error(1) File not found message, then you have likely mistyped the name of the file that should already exist on the server, or the permissions on that file are not set appropriately. For example, if the TFTP server is a Linux or Unix system, the file should have world read+write permissions set on it, which you can set with chmod 666 filename.

Applicable Products:

Applicable ScreenOS:

References:

  1. How To: Redirect output to a TFTP server
    Date: October 7, 2008
    Juniper Networks Knowledge Base
  2. Setting Up a Linux TFTP Server
    Date: December 26, 2008
    MoonPoint Support


Fri, Dec 26, 2008 6:23 pm

Setting Up a Linux TFTP Server

The Trivial File Transfer Protocol (TFTP) provides a mechanism to read files from or write files to a remote server. It is similar to the File Transfer Protocol (FTP), but doesn't have all of the features of FTP, such as an authentication mechanism.

The instructions below were written for the CentOS distribution of Linux, but TFTP server software is available for Linux, Unix, Windows and other operating systems. For Linux systems that use the Red Hat Package Manager (RPM) package management system, you can determine if the tftp-server package is installed with the command rpm -qi tftp-server.

# rpm -qi tftp-server
package tftp-server is not installed

The tftp-server package depends on the xinetd package; you can check if that package is installed with rpm -qi xinetd. If it isn't installed and you use the Yellowdog Updater, Modified (YUM) package management utility, you can install both packages with yum install tftp-server xinetd. To install just the tftp-server package, use yum install tftp-server. The installation of the tftp-server package will create the directory /tftpboot on the system. The directory should be set to 755 for tftp clients to be able to read from or write to files in the directory.

# ls -ld /tftpboot
drwxr-xr-x 2 root root 4096 Dec 24 14:15 /tftpboot

You next need to turn on the tftp service with the chkconfig command.

# chkconfig tftp on

You can verify that the service is available with chkconfig --list tftp.

# chkconfig --list tftp
tftp            on

TFTP uses the User Datagram Protocol and listens for data on port 69, so you can also use netstat -a | grep tftp to check on whether the system is listening for data on port 69. You should see something like the following if it is listening:

udp        0      0 *:tftp                      *:*

If you have firewall software running on the TFTP server, you will also need to allow connectivity to UDP port 69 through the firewall. You can do this on a CentOS system through the GUI by taking the following steps:

  1. Click on System.
  2. Click on Administration.
  3. Select Security Level and Firewall.
  4. Under Firewall Options, select other ports.
  5. Click on the Add button.
  6. Put 69 in the port field and select udp for the protocol.
  7. Click on OK.
  8. Click on OK again.
  9. When prompted to override any existing firewall configuration, click on Yes.

To be able to write to a file on the tftp server, e.g. a file named firewall-log.txt in the /tftpboot directory, you need to first create the file with the touch command and then set the permissions on the file so it is "world" writable.

# touch /tftpboot/firewall-log.txt
# chmod 666 /tftpboot/firewall-log.txt

Once you have the TFTP server configured, you can then transfer files from the tftp client to the server.
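
The following is an added example, not part of the original post: a set of shell functions covering the file handling described above and the File not found causes from the NetScreen post. It pre-creates the world-writable target, diagnoses a missing or wrongly permissioned file, and moves the log out of the TFTP root once the transfer is done, since TFTP has no authentication and the file is world-writable while it sits there. The function names and the TFTP_ROOT variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: function names and TFTP_ROOT are hypothetical, not from the post.
# TFTP_ROOT defaults to the /tftpboot directory created by the tftp-server package.
TFTP_ROOT="${TFTP_ROOT:-/tftpboot}"

# Succeeds if the path has both the "other" read and write bits set (o+rw).
world_rw() {
    [ -n "$(find "$1" -prune -perm -0006 2>/dev/null)" ]
}

# Diagnose the two causes of "File not found" for an upload to $TFTP_ROOT/$1.
# Prints one word: ok | missing | not-world-rw
check_drop() {
    f="$TFTP_ROOT/$1"
    if [ ! -f "$f" ]; then
        echo missing
    elif ! world_rw "$f"; then
        echo not-world-rw
    else
        echo ok
    fi
}

# Create the empty, world-writable target just before the transfer.
prepare_drop() {
    f="$TFTP_ROOT/$1"
    touch "$f" && chmod 666 "$f"
}

# After the transfer: move the log out of the TFTP root into directory $2 and
# make it owner-only, so it is no longer readable or writable over TFTP.
collect_drop() {
    src="$TFTP_ROOT/$1"
    dest="$2"
    [ -s "$src" ] || { echo "empty or missing: $src" >&2; return 1; }
    mkdir -p "$dest" && mv "$src" "$dest/$1" && chmod 600 "$dest/$1"
}

# List files still world-writable in the TFTP root (leftover drop targets).
leftover_drops() {
    find "$TFTP_ROOT" -type f -perm -0002 -print
}
```

Run prepare_drop before issuing the get log traffic command on the firewall, then collect_drop once the firewall reports tftp success!.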

References:

  1. TFTP Server
    Date: January 8, 2007
    CentOS
  2. Configuring a TFTP Server
    Date: June 5, 2003
    ONLamp.com
