Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] How to process host inbound traffic when selective packet processing service is used?

0

0

Article ID: KB22801 KB Last Updated: 24 Mar 2019Version: 2.0
Summary:
This article provides information on how to process host inbound traffic, when the selective packet processing service is used. Host inbound traffic is any traffic directed to the f/w itself. This includes management traffic, routing protocol packets, and so on.
Symptoms:
When selective packet processing service is used the host inbound traffic like ssh,telnet or J-web access to the box is seen to be failing. Is there any recommended way to process the host inbound traffic without completely disabling the selective packet processing service?
Solution:
The recommended way to process host inbound traffic when the selective packet processing service is used, is to flow-process them. In other words, the firewall filter should be written in such a way that the traffic destined to the firewall itself should just be accepted and the rest of traffic allowed to bypass the flow module.

See The following example:
Host (10.1.1.2/24) --- (10.1.1.1/24) ge-0/0/0.0 SRX
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input example_packet_filter;
                }
             address 10.1.1.1/24;
            }
        }
    }
}

firewall {
    family inet {
        filter example_packet_filter {
            term t1 {
                from {
                    destination-address 10.1.1.1/32;
                }
        then {
            accept;
        }
      term t2 {
          then {
              packet-mode;
              accept;
          }
      }
         }
     }
}

The host inbound traffic can also be packet-processed when the selective packet mode is used; however this is not recommended as it may pose potential security risks.
The above firewall filter is modified, as shown below, so that all ingress traffic bypasses the flow module.

firewall {
    family inet {
        filter example_packet_filter {
            term t1 {
                then {
                    packet-mode;
                    accept;
                }
            }
        }
    }
}


Special consideration must be taken for the TCP host inbound traffic, when they are packet-processed. When the TCP host inbound traffic (Telnet, SSH, BGP, and so on) is filtered, as it completely bypasses the flow engine, a flow session is not created.

However when the routing-engine sends SYN-ACK in response to the SYN packet, this is processed by the flow engine. All traffic generated by the f/w is always processed by flow engine. The SYN-ACK packet will be dropped as flow engine sees this as a new flow; yet the first packet is not a SYN packet.

In order to process TCP host inbound traffic, the TCP SYN check must be disabled.
security {
    flow {
        tcp-session {
            no-syn-check;
        }
    }
}

 
As shown below, the flow session indicates this session was initiated by 10.1.1.1/23; although this is not the case. The initial SYN packet from host (10.1.1.2/57221) completely bypassed the flow engine; so as seen by the flow module, the first packet processed for this session is generated by the f/w (10.1.1.1/23).

You can also see the reverse wing is created to allow traffic in opposite direction; however the packet counter will never increment as all traffic in that direction will bypass the flow module.
Session ID: 303, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
In: 10.1.1.1/23 --> 10.1.1.2/57221;tcp, If: .local..0, Pkts: 85, Bytes: 7315
Out: 10.1.1.2/57221 --> 10.1.1.1/23;tcp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search