This article is helpful for determining if a packet with the following parameters has reached the SRX device or not.

• Source IP address
• Destination IP address
• Protocol (for example TCP, UDP, ICMP, ESP and so on)

Note: The Resolution Guides for SRX NAT refer to this article.

The SRX configuration appears to be correct, but we are not sure if the packet is coming to the SRX device.

One method to check is to use a Firewall Filter and count the number of incoming packets.

Setting up a Firewall Filter requires you to identify the following:

1. Which interface the packet is expected at
2. What is the packet going to look like in detail

For Example:

1. The packet is expected on the public interface ge-0/0/0.0.
2. The packet has the following properties:
   1. Destination IP = 1.1.1.1
   2. Source IP = 3.3.3.3
   3. Protocol = ICMP

The Firewall Filter can be setup with the following configuration mode commands:

set firewall family inet filter icmp-filter term 1 from source-address 3.3.3.3
set firewall family inet filter icmp-filter term 1 from destination-address 1.1.1.1
set firewall family inet filter icmp-filter term 1 from protocol icmp
set firewall family inet filter icmp-filter term 1 then accept
set firewall family inet filter icmp-filter term 1 then count icmp-counter
set firewall family inet filter icmp-filter term default then accept

The Firewall Filter is applied to the interface ge-0/0/0.0 with this command:

set interfaces ge-0/0/0.0 family inet filter input icmp-filter

The resulting configuration looks like this:

# show interfaces ge-0/0/0
ge-0/0/0 {
   unit 0 {
      family inet {
         filter {
            input icmp-filter;
         }
         address 1.1.1.1/30; ## This address was already set on the interface
      }
   }
}

# show firewall family inet filter icmp-filter
icmp-filter {
   term 1 { ## This is the main term which will count the packets.
      from {
         source-address 3.3.3.3;
         destination-address 1.1.1.1;
         protocol icmp;
      }
      then {
         count icmp-counter; ## The icmp-counter will show the bytes/packets incrementing
         accept; ## This will accept the packets if you don't want them to be dropped. You can use - "drop" or "reject" and/or "log" here.
      }
   }
   term default { ## This term will ensure that the other traffic is not affected.      
         then {
              accept;
            }
        }
  }

  Let traffic be initiated.

Then the Firewall Filter stats can be checked with the following:

show firewall filter icmp-filter 
Counter                         Bytes          Packets 
icmp-counter                    84             1 
. 
.

Enter the command again:

.
.
show firewall filter icmp-filter
Counter                         Bytes          Packets
icmp-counter                    168            2
.
.
.

Note: After the use of Firewall Filters, remove them from the interfaces as follows:

#delete interfaces ge-0/0/0.0 family inet filter
#commit

For more information about Firewall Filters, refer to Stateless Firewall Filter Overview.

 

2020-06-30: Removed J-Series references.
2020-03-25: Article checked for accuracy. Found to be valid and relevant; no changes made.