This article describes how to determine whether a packet with the following parameters has reached the SRX device:
- Source IP address
- Destination IP address
- Protocol (for example TCP, UDP, ICMP, ESP and so on)
Note: The Resolution Guides for SRX NAT refer to this article.
The SRX configuration appears to be correct, but it is not clear whether the packet is actually arriving at the SRX device.
One way to check is to apply an input Firewall Filter on the interface where the packet is expected and count the matching packets. The input filter is evaluated as the packet enters the interface, before security policies and NAT are applied, so a counter that increments proves the packet reached the SRX regardless of how the rest of the configuration treats it.
Setting up a Firewall Filter requires you to identify the following:
- Which interface the packet is expected at
- What the packet looks like in detail (source address, destination address, protocol, and TCP/UDP ports if applicable)
For Example:
- The packet is expected on the public interface ge-0/0/0.0.
- The packet has the following properties:
- Destination IP = 1.1.1.1
- Source IP = 3.3.3.3
- Protocol = ICMP
The Firewall Filter can be set up with the following configuration mode commands:
set firewall family inet filter icmp-filter term 1 from source-address 3.3.3.3
set firewall family inet filter icmp-filter term 1 from destination-address 1.1.1.1
set firewall family inet filter icmp-filter term 1 from protocol icmp
set firewall family inet filter icmp-filter term 1 then accept
set firewall family inet filter icmp-filter term 1 then count icmp-counter
set firewall family inet filter icmp-filter term default then accept
The Firewall Filter is applied to the interface ge-0/0/0.0 with this command:
set interfaces ge-0/0/0.0 family inet filter input icmp-filter
The resulting configuration looks like this:
# show interfaces ge-0/0/0
ge-0/0/0 {
unit 0 {
family inet {
filter {
input icmp-filter;
}
address 1.1.1.1/30; ## This address was already set on the interface
}
}
}
# show firewall family inet filter icmp-filter
icmp-filter {
term 1 { ## This is the main term which will count the packets.
from {
source-address 3.3.3.3;
destination-address 1.1.1.1;
protocol icmp;
}
then {
count icmp-counter; ## The icmp-counter will show the bytes/packets incrementing
accept; ## This will accept the packets if you don't want them to be dropped. You can use - "drop" or "reject" and/or "log" here.
}
}
term default { ## This term will ensure that the other traffic is not affected.
then {
accept;
}
}
}
Initiate the traffic (for example, ping 1.1.1.1 from 3.3.3.3). To start from zero, first clear the counter in operational mode with clear firewall filter icmp-filter. Then check the Firewall Filter statistics:
show firewall filter icmp-filter
Counter Bytes Packets
icmp-counter 84 1
[output abbreviated]
Enter the command again after more traffic has been sent:
show firewall filter icmp-filter
Counter Bytes Packets
icmp-counter 168 2
[output abbreviated]
A counter that increments with each packet sent confirms that the packet is reaching ge-0/0/0.0, so the problem lies further along in processing (security policy, NAT, or routing). A counter that stays at zero means the packet is not arriving on that interface in that direction; check upstream routing and whether it is arriving on a different interface. The 84 bytes per packet shown here are consistent with a default-size ping: a 20-byte IPv4 header, an 8-byte ICMP header and 56 bytes of payload.
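The following Python helpers are an added example and are not Juniper code. One function generates the configuration-mode set commands for a counting filter from the source/destination/protocol description above (the optional destination-port match is a hypothetical extension beyond the article's ICMP case), and the others parse the text of show firewall filter taken before and after traffic is sent and report whether the counter moved. The two sample readings are constructed from the article's figures, with the table header approximated, not captured from a device.

```python
"""Added example for the SRX packet-arrival check (not Juniper code).

Generates the 'set' commands for a counting Firewall Filter and parses
'show firewall filter <name>' output taken before and after traffic is
sent, so the test can be scripted instead of read by eye.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple


def build_counting_filter(name: str, interface: str, src: str, dst: str,
                          protocol: str, counter: str,
                          dport: Optional[int] = None) -> List[str]:
    """Return 'set' commands: term 1 counts and accepts packets matching
    src/dst/protocol, term default accepts everything else, and the filter
    is applied as an input filter on 'interface'. 'dport' (hypothetical
    extension, not in the article) adds a destination-port match for tcp/udp."""
    for addr in (src, dst):
        ipaddress.ip_network(addr, strict=False)  # ValueError on a malformed address
    if dport is not None and protocol not in ("tcp", "udp"):
        raise ValueError("destination-port only applies to tcp or udp")
    term = f"set firewall family inet filter {name} term 1"
    cmds = [
        f"{term} from source-address {src}",
        f"{term} from destination-address {dst}",
        f"{term} from protocol {protocol}",
    ]
    if dport is not None:
        cmds.append(f"{term} from destination-port {dport}")
    cmds += [
        f"{term} then accept",
        f"{term} then count {counter}",
        f"set firewall family inet filter {name} term default then accept",
        f"set interfaces {interface} family inet filter input {name}",
    ]
    return cmds


# One counter row: name, byte count, packet count.
_ROW = re.compile(r"^(?P<name>\S+)\s+(?P<bytes>\d+)\s+(?P<packets>\d+)$")


def parse_filter_counters(output: str) -> Dict[str, Tuple[int, int]]:
    """Parse the counter table into {counter_name: (bytes, packets)}.
    Rows are read after a header line containing 'Bytes' and 'Packets'
    until a 'Policers' section; the echoed command, the filter name and
    blank lines are ignored."""
    counters: Dict[str, Tuple[int, int]] = {}
    in_table = False
    for raw in output.splitlines():
        line = raw.strip()
        if "Bytes" in line and "Packets" in line:
            in_table = True
            continue
        if line.startswith("Policers"):
            in_table = False
            continue
        if not in_table:
            continue
        m = _ROW.match(line)
        if m:
            counters[m["name"]] = (int(m["bytes"]), int(m["packets"]))
    return counters


def counter_delta(before: str, after: str, counter: str) -> Optional[Tuple[int, int]]:
    """(bytes, packets) by which 'counter' grew between two readings, or None
    if the counter is missing from either reading (filter not committed, or
    wrong counter name). A negative delta means the counter was cleared
    between readings and is returned as-is so the caller notices."""
    b = parse_filter_counters(before).get(counter)
    a = parse_filter_counters(after).get(counter)
    if b is None or a is None:
        return None
    return (a[0] - b[0], a[1] - b[1])


def packets_reached_srx(before: str, after: str, counter: str) -> bool:
    """True only if the packet counter increased between the two readings."""
    delta = counter_delta(before, after, counter)
    return delta is not None and delta[1] > 0


# Constructed readings matching the article's two samples (not device output).
READING_1 = """show firewall filter icmp-filter
Filter: icmp-filter
Counters:
Name                        Bytes          Packets
icmp-counter                   84                1
"""
READING_2 = """show firewall filter icmp-filter
Filter: icmp-filter
Counters:
Name                        Bytes          Packets
icmp-counter                  168                2
"""

if __name__ == "__main__":
    for cmd in build_counting_filter("icmp-filter", "ge-0/0/0.0",
                                     "3.3.3.3", "1.1.1.1", "icmp", "icmp-counter"):
        print(cmd)
    print(counter_delta(READING_1, READING_2, "icmp-counter"))       # (84, 1)
    print(packets_reached_srx(READING_1, READING_2, "icmp-counter"))  # True
```

In practice the two readings would be collected over SSH or NETCONF a few seconds apart while the test traffic runs; a None result from counter_delta is worth treating as a configuration error (filter not committed, or counter name mistyped) rather than as "no packets".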
Note: When troubleshooting is complete, remove the Firewall Filter from the interface and commit, as follows:
#delete interfaces ge-0/0/0.0 family inet filter
#commit
For more information about Firewall Filters, refer to Stateless Firewall Filter Overview.
2020-06-30: Removed J-Series references.
2020-03-25: Article checked for accuracy. Found to be valid and relevant; no changes made.