How to enable IDP inline tap mode on a SRX chassis cluster

Article ID: KB22406    Last Updated: 28 Dec 2018    Version: 3.0
Summary:
This document describes how to enable IDP inline tap mode on an SRX chassis cluster.
Symptoms:

The goal is to enable IDP inline tap mode on an SRX chassis cluster with minimal impact on network traffic.

IDP inline tap mode provides best-case deep inspection analysis of traffic while maintaining the overall performance and stability of the device. The inline tap feature provides passive, inline detection of application layer threats for traffic matching security policies that have the IDP application service enabled. When a device is in inline tap mode, packets pass through firewall inspection and are also copied to the independent IDP module. This allows the packets to reach the next service module without waiting for IDP processing results. As a result, when the traffic input exceeds the IDP throughput limit, the device can still sustain processing as long as the other modules, such as the firewall, stay within their limits. If the IDP process fails, all other features of the device continue to function normally. Once the IDP process recovers, it resumes processing packets for inspection. Because inline tap mode puts IDP in a passive monitoring role, preventative actions such as session close, drop, and mark diffserv are deferred. The action drop packet is ignored.
Inline tap mode can only be configured if the forwarding process mode is set to maximize IDP sessions, which ensures stability and resiliency for firewall services.

Solution:
Switching IDP from the default regular mode to inline tap mode requires a restart of the device. On a standalone SRX, enter the following command, commit, and reboot the box to change the mode.
root@srx01-ftm#  set security forwarding-process application-services maximize-idp-sessions inline-tap

On a chassis cluster, however, the extra steps described below are needed. This example uses an SRX cluster with node 0 primary for all redundancy groups (RGs) and node 1 secondary for all RGs.

{primary:node0}[edit]
root@srx01-ftm# run show chassis cluster status
Cluster ID: 8
Node Priority Status Preempt Manual failover

Redundancy group: 0 , Failover count: 1

node0 200 primary no no
node1 100 secondary no no


Redundancy group: 1 , Failover count: 3

node0 200 primary no no
node1 100 secondary no no

{primary:node0}[edit]
root@srx01-ftm#


To change the mode, enter the following command on primary node0 and commit:

root@srx01-ftm#  set security forwarding-process application-services maximize-idp-sessions inline-tap
root@srx01-ftm# commit


Now reboot the nodes, starting with secondary node 1:

{secondary:node1}
root@srx02-ftm> request system reboot
Reboot the system ? [yes,no] (no) y


Once node 1 comes back up, fail over both RGs onto node 1, making it primary for both RGs and the current node 0 secondary.

{primary:node0}[edit]
root@srx01-ftm# run request chassis cluster failover redundancy-group 1 node 1 
node1:
--------------------------------------------------------------------------
Initiated manual failover for redundancy group 1

Confirm that RG1 has failed over onto node 1:

{primary:node0}[edit]
root@srx01-ftm# run show chassis cluster status
Cluster ID: 8
Node Priority Status Preempt Manual failover

Redundancy group: 0 , Failover count: 1

node0 200 primary no no
node1 100 secondary no no


Redundancy group: 1 , Failover count: 4

node0 200 secondary no yes
node1 255 primary no yes


Note that priority 255 shows RG1 is still in the manual failover state, which needs to be cleared using the following command.
{primary:node0}[edit]
root@srx01-ftm# run request chassis cluster failover reset redundancy-group 1
node0:
--------------------------------------------------------------------------
No reset required for redundancy group 1.
node1:
--------------------------------------------------------------------------
Successfully reset manual failover for redundancy group 1

{primary:node0}[edit]
root@srx01-ftm# run show chassis cluster status
Cluster ID: 8
Node Priority Status Preempt Manual failover

Redundancy group: 0 , Failover count: 1
node0 200 primary no no
node1 100 secondary no no

Redundancy group: 1 , Failover count: 4
node0 200 secondary no no
node1 100 primary no no


Now fail over RG0 onto node 1 and reset the manual failover as follows.
{primary:node0}[edit]
root@srx01-ftm# run request chassis cluster failover redundancy-group 0 node 1
node1:
--------------------------------------------------------------------------
Initiated manual failover for redundancy group 0

{primary:node0}[edit]
root@srx01-ftm#
Message from syslogd@srx01-ftm at Dec 7 19:44:17 ...
srx01-ftm node0.cpp0 RDP: Remote side reset connection: rdp.(25165826:50177).(260046849:pfe)

Message from syslogd@srx01-ftm at Dec 7 19:44:17 ...
srx01-ftm node0.cpp0 RDP: Remote side reset connection: rdp.(25165826:50178).(260046849:1008)

Message from syslogd@srx01-ftm at Dec 7 19:44:17 ...
srx01-ftm node0.cpp0 RDP: Remote side reset connection: rdp.(25165826:50179).(260046849:1007)

Message from syslogd@srx01-ftm at Dec 7 19:44:17 ...
srx01-ftm node0.cpp0 RDP: Remote side closed connection: rdp.(25165826:50176).(serverRouter:chassis)

{secondary-hold:node0}[edit]
root@srx01-ftm# run request chassis cluster failover reset redundancy-group 0

node0:
--------------------------------------------------------------------------
No reset required for redundancy group 0.

node1:
--------------------------------------------------------------------------
Successfully reset manual failover for redundancy group 0

{secondary-hold:node0}[edit]
root@srx01-ftm# run show chassis cluster status
Cluster ID: 8
Node Priority Status Preempt Manual failover

Redundancy group: 0 , Failover count: 2
node0 200 secondary-hold no no
node1 100 primary no no
Redundancy group: 1 , Failover count: 4
node0 200 secondary no no
node1 100 primary no no

Now reboot secondary node0.
{secondary:node0}[edit]
root@srx01-ftm# run request system reboot
Reboot the system ? [yes,no] (no) y

Once node 0 is back up and appears in the cluster again, fail over both RGs from node 1 back onto node 0 and reset the failovers.
(Failing the RGs back onto node 0 is not necessary for inline tap mode; it is done here only to return the cluster to the same state as at the start of this procedure.)
{primary:node1}
root@srx02-ftm> request chassis cluster failover redundancy-group 1 node 0
node0:
--------------------------------------------------------------------------
Initiated manual failover for redundancy group 1

{primary:node1}
root@srx02-ftm> request chassis cluster failover reset redundancy-group 1 
node0:
--------------------------------------------------------------------------
Successfully reset manual failover for redundancy group 1

node1:
--------------------------------------------------------------------------
No reset required for redundancy group 1.

{secondary:node0}[edit]
root@srx01-ftm#

{primary:node1}
root@srx02-ftm> request chassis cluster failover redundancy-group 0 node 0
node0:
--------------------------------------------------------------------------
Initiated manual failover for redundancy group 0

{primary:node1}
root@srx02-ftm>
Message from syslogd@srx02-ftm at Dec 7 20:00:02 ...
srx02-ftm node1.cpp0 RDP: Remote side closed connection: rdp.(41943042:45066).(serverRouter:chassis)

Message from syslogd@srx02-ftm at Dec 7 20:00:03 ...
srx02-ftm node1.cpp0 RDP: Remote side reset connection: rdp.(41943042:45067).(260046849:pfe)

{secondary-hold:node1}
root@srx02-ftm> request chassis cluster failover reset redundancy-group 0
node0:
--------------------------------------------------------------------------
Successfully reset manual failover for redundancy group 0

node1:
--------------------------------------------------------------------------
No reset required for redundancy group 0.


{secondary-hold:node1}
root@srx02-ftm> 

Now, confirm that inline tap mode is enabled:

{primary:node0}[edit]
root@srx01-ftm# run show security idp status | match mode
Forwarding process mode : maximizing sessions


The forwarding process mode "maximizing sessions" indicates that inline tap mode is active.
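As an added example (not part of the original article, and not a Juniper tool), the following Python parses the "show chassis cluster status" output shown in the transcripts above and applies the checks the procedure relies on: which node is primary for each RG, which RGs still carry the manual failover flag (priority 255 on the new primary) and therefore need a "failover reset", which failover commands are still needed to move every RG onto a target node, and whether the "show security idp status" line reports the "maximizing sessions" mode that indicates inline tap. The sample outputs are constructed from the article's transcripts; the Junos command strings are the ones used in the article. Something like this is useful when the steps are driven from an automation host rather than typed by hand, because it refuses to proceed while a manual failover is still pending.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the article's "show chassis cluster status" output
# right after RG1 was manually failed over to node1 (before "failover reset").
STATUS_AFTER_RG1_FAILOVER = """\
Cluster ID: 8
Node Priority Status Preempt Manual failover

Redundancy group: 0 , Failover count: 1

node0 200 primary no no
node1 100 secondary no no

Redundancy group: 1 , Failover count: 4

node0 200 secondary no yes
node1 255 primary no yes
"""

# Constructed sample modelled on the output after RG0 was also failed over and reset:
# node0 sits in secondary-hold and no manual failover flags remain.
STATUS_AFTER_BOTH_RESET = """\
Cluster ID: 8
Node Priority Status Preempt Manual failover

Redundancy group: 0 , Failover count: 2
node0 200 secondary-hold no no
node1 100 primary no no
Redundancy group: 1 , Failover count: 4
node0 200 secondary no no
node1 100 primary no no
"""

# Constructed sample of "show security idp status | match mode" from the article.
IDP_STATUS_LINE = "Forwarding process mode : maximizing sessions"


@dataclass
class NodeState:
    node: str
    priority: int
    status: str            # primary / secondary / secondary-hold
    preempt: bool
    manual_failover: bool  # the "Manual failover" column


RG_RE = re.compile(r"^Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_RE = re.compile(r"^(node\d+)\s+(\d+)\s+(\S+)\s+(yes|no)\s+(yes|no)$")


def parse_cluster_status(text: str) -> Dict[int, List[NodeState]]:
    """Return {rg_id: [NodeState, ...]} from 'show chassis cluster status' output."""
    groups: Dict[int, List[NodeState]] = {}
    current: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RG_RE.match(line)
        if m:
            current = int(m.group(1))
            groups[current] = []
            continue
        m = NODE_RE.match(line)          # header row starts with "Node", so it is skipped
        if m and current is not None:
            node, prio, status, preempt, manual = m.groups()
            groups[current].append(
                NodeState(node, int(prio), status, preempt == "yes", manual == "yes"))
    return groups


def primary_node(groups: Dict[int, List[NodeState]], rg: int) -> Optional[str]:
    return next((ns.node for ns in groups[rg] if ns.status == "primary"), None)


def rgs_needing_reset(groups: Dict[int, List[NodeState]]) -> List[int]:
    """RGs whose manual failover is still in effect (column 'yes', priority 255 on the
    new primary) and therefore need 'request chassis cluster failover reset'."""
    return sorted(rg for rg, nodes in groups.items()
                  if any(ns.manual_failover or ns.priority == 255 for ns in nodes))


def reset_commands(groups: Dict[int, List[NodeState]]) -> List[str]:
    return [f"request chassis cluster failover reset redundancy-group {rg}"
            for rg in rgs_needing_reset(groups)]


def failover_commands(groups: Dict[int, List[NodeState]], target: str) -> List[str]:
    """Commands to move every RG not yet primary on `target` (e.g. 'node1').
    Data-plane RGs are moved before RG0, the order the article follows."""
    node_number = target[len("node"):]
    return [f"request chassis cluster failover redundancy-group {rg} node {node_number}"
            for rg in sorted(groups, reverse=True) if primary_node(groups, rg) != target]


def all_primary_on(groups: Dict[int, List[NodeState]], node: str) -> bool:
    return all(primary_node(groups, rg) == node for rg in groups)


def inline_tap_active(idp_status: str) -> bool:
    """Per the article, 'maximizing sessions' in 'show security idp status' means inline tap is on."""
    return re.search(r"Forwarding process mode\s*:\s*maximizing sessions", idp_status) is not None


if __name__ == "__main__":
    g = parse_cluster_status(STATUS_AFTER_RG1_FAILOVER)
    print("pending resets:", reset_commands(g))
    print("still to fail over to node1:", failover_commands(g, "node1"))
    print("inline tap active:", inline_tap_active(IDP_STATUS_LINE))
```

Run against the first sample, the script reports that RG1 needs its manual failover reset and that RG0 still has to be failed over to node 1; against the second sample it reports nothing pending and both RGs primary on node 1, matching the transcript before node 0 is rebooted.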


Note: IDP Inline Tap Mode is not supported on JUNOS 15.1X49-D10 and higher (reference: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-idp-overview.html). JUNOS 12.3X48 is the latest version of code that supports IDP Inline Tap Mode.
Modification History:
2018-12-27: Added note about IDP inline Tap Mode support.