Juniper SRX Firewall
Juniper SRX series security gateway — RT_FLOW session lifecycle, RT_UTM Enhanced Web Filtering, RT_IDP intrusion detection alerts, and RT_IDS screen-based DoS protection with JunOS structured syslog.
Quick Start
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
--path generators/network-juniper-srx/generator.yml \
--id srx \
--live-mode true
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| SESSION_CLOSE | RT_FLOW session teardown | ~45% | network |
| SESSION_CREATE | Permitted session establishment | ~31% | network |
| WEBFILTER_PERMITTED | URL allowed by EWF category | ~13% | network |
| WEBFILTER_BLOCKED | URL blocked by EWF | ~4.5% | network |
| SESSION_DENY | Session denied by security policy | ~4% | network |
| IDP_ATTACK | IDP signature match | ~1.5% | intrusion_detection |
| RT_SCREEN | Screen alerts (SYN flood, port scan) | ~1% | intrusion_detection |
Realism Features
- Correlated sessions — SESSION_CREATE pushes to shared pool; SESSION_CLOSE pops with matching 5-tuple
- Juniper predefined service names — junos-https, junos-dns-udp, junos-ssh, etc.
- 27 real Enhanced Web Filtering categories (Enhanced_Social_Web_Youtube, Enhanced_Malicious_Web_Sites)
- NAT tracking — outbound sessions carry source NAT IP/port through session lifecycle
- 15 IDP signatures with Juniper-style attack names and severity levels
- 11 screen event types (SYN flood, TCP port scan, IP spoofing, ICMP flood)
Sample Output
{
"@timestamp": "2026-02-21T14:32:10.123456+00:00",
"event": {
"action": "flow_close",
"category": ["network"],
"dataset": "juniper_srx.log",
"outcome": "success",
"type": ["end", "allowed", "connection"]
},
"source": { "ip": "10.1.1.30", "port": 52341 },
"destination": { "ip": "142.250.80.46", "port": 443 },
"juniper": {
"srx": {
"application": "SSL",
"reason": "TCP FIN",
"service_name": "junos-https",
"tag": "RT_FLOW_SESSION_CLOSE"
}
},
"observer": { "product": "SRX", "type": "firewall", "vendor": "Juniper" }
}
Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | srx-fw-01 | SRX hostname |
| domain | example.com | Domain for FQDN |
| nat_ip | 198.51.100.1 | Public NAT IP |
| wf_profile | corporate-web-filter | Web filtering profile |
| agent_id | a7d2e4f1-... | Filebeat agent ID |
| agent_version | 8.17.0 | Filebeat version |
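An added example, not code from the content pack or from eventum-generator, showing the two pieces of this page that a detection engineer usually has to reproduce on the receiving side: pairing RT_FLOW_SESSION_CLOSE with its earlier SESSION_CREATE on the 5-tuple (the correlation described under Realism Features) and shaping the close into the ECS-style document shown under Sample Output. The three syslog lines are constructed in the JunOS structured-syslog layout (RFC 5424 with a junos@ structured-data block); the attribute names follow RT_FLOW naming, the SD-ID suffix is a placeholder, and the `orphan_close` tag is my own marker. A close with no preceding create is what a collector gap or dropped log looks like, so it is reported separately rather than silently dropped.

```python
"""Correlate Juniper SRX RT_FLOW CREATE/CLOSE logs by 5-tuple and emit ECS-style docs.

Added example, not part of the eventum content pack. Sample lines are constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the JunOS structured-syslog layout. Attribute names follow
# the RT_FLOW convention; the SD-ID suffix after "junos@2636.1.1.1.2." is a placeholder.
SAMPLE_LOGS = [
    '<14>1 2026-02-21T14:31:58.000Z srx-fw-01 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.PLACEHOLDER source-address="10.1.1.30" source-port="52341" '
    'destination-address="142.250.80.46" destination-port="443" service-name="junos-https" '
    'nat-source-address="198.51.100.1" nat-source-port="18011" protocol-id="6" '
    'policy-name="trust-to-untrust" session-id-32="200042"]',
    '<14>1 2026-02-21T14:32:10.123Z srx-fw-01 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.PLACEHOLDER reason="TCP FIN" source-address="10.1.1.30" '
    'source-port="52341" destination-address="142.250.80.46" destination-port="443" '
    'service-name="junos-https" nat-source-address="198.51.100.1" nat-source-port="18011" '
    'protocol-id="6" policy-name="trust-to-untrust" session-id-32="200042" application="SSL"]',
    # A close with no matching create: what a lost CREATE or a collector gap looks like.
    '<14>1 2026-02-21T14:32:11.000Z srx-fw-01 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.PLACEHOLDER reason="idle Timeout" source-address="10.1.1.31" '
    'source-port="40000" destination-address="8.8.8.8" destination-port="53" '
    'service-name="junos-dns-udp" protocol-id="17"]',
]

# PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT]
HEADER_RE = re.compile(
    r'^<\d+>1 (?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) \S+ (?P<tag>\S+) \[(?P<sd>.*)\]$'
)
# name="value" pairs inside the structured-data block (value may contain escaped quotes)
PARAM_RE = re.compile(r'([\w-]+)="((?:[^"\\]|\\.)*)"')


def parse_structured(line):
    """Return the SD parameters plus _tag/_host/_ts, or None if the line is not RFC 5424."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    params = dict(PARAM_RE.findall(m.group('sd')))
    params['_tag'] = m.group('tag')
    params['_host'] = m.group('host')
    params['_ts'] = datetime.fromisoformat(m.group('ts').replace('Z', '+00:00'))
    return params


def five_tuple(p):
    """Session key: src ip/port, dst ip/port, IP protocol number."""
    return (p['source-address'], p['source-port'],
            p['destination-address'], p['destination-port'], p['protocol-id'])


def to_ecs(close, create):
    """Shape a SESSION_CLOSE into the ECS-style document the generator emits."""
    doc = {
        '@timestamp': close['_ts'].isoformat(),
        'event': {'action': 'flow_close', 'category': ['network'], 'dataset': 'juniper_srx.log',
                  'outcome': 'success', 'type': ['end', 'allowed', 'connection']},
        'source': {'ip': close['source-address'], 'port': int(close['source-port'])},
        'destination': {'ip': close['destination-address'], 'port': int(close['destination-port'])},
        'juniper': {'srx': {'application': close.get('application'), 'reason': close.get('reason'),
                            'service_name': close.get('service-name'), 'tag': close['_tag']}},
        'observer': {'product': 'SRX', 'type': 'firewall', 'vendor': 'Juniper'},
    }
    if 'nat-source-address' in close:  # outbound sessions carry the source NAT through the lifecycle
        doc['source']['nat'] = {'ip': close['nat-source-address'], 'port': int(close['nat-source-port'])}
    if create is not None:
        td = close['_ts'] - create['_ts']  # exact integer arithmetic; ECS event.duration is nanoseconds
        doc['event']['duration'] = (td.days * 86400 + td.seconds) * 10**9 + td.microseconds * 1000
    else:
        doc['tags'] = ['orphan_close']  # constructed marker, not an ECS-defined value
    return doc


def correlate(lines):
    """Pair each CLOSE with the earliest unmatched CREATE of the same 5-tuple (FIFO per key).

    Returns (ecs_docs, orphan_keys). The pool mirrors the generator's shared pool: CREATE
    pushes, CLOSE pops. Orphans are closes whose CREATE was never seen.
    """
    opens = defaultdict(list)
    docs, orphans = [], []
    for line in lines:
        p = parse_structured(line)
        if p is None:
            continue
        key = five_tuple(p)
        if p['_tag'] == 'RT_FLOW_SESSION_CREATE':
            opens[key].append(p)
        elif p['_tag'] == 'RT_FLOW_SESSION_CLOSE':
            create = opens[key].pop(0) if opens[key] else None
            if create is None:
                orphans.append(key)
            docs.append(to_ecs(p, create))
    return docs, orphans


if __name__ == '__main__':
    documents, orphan_keys = correlate(SAMPLE_LOGS)
    print(json.dumps(documents, indent=2))
    print('orphan closes:', orphan_keys)
```

The pool is FIFO per 5-tuple, so an ephemeral port reused for a second session pairs with the right CREATE as long as the first session closed in between; on a real feed, also age out entries whose CLOSE never arrives, or the pool grows without bound.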
Related Generators
Cisco ASA Firewall
Cisco ASA adaptive security appliance syslog — TCP/UDP/ICMP connection lifecycle, ACL permit/deny decisions, NAT translations, VPN tunnel events, and failover status messages.
Check Point Security Gateway
Check Point Security Gateway SmartLog — 8 software blades including Firewall, IPS, Application Control, URL Filtering, Anti-Bot, Anti-Virus, Threat Emulation, and Identity Awareness.
Network Traffic (Continent-Level Geo)
Network traffic events enriched with continent-level geographic information. Models cross-continent and same-continent flows for both inbound and outbound directions, with realistic allow/deny outcomes based on geographic policy.