
[SRX] How to selectively bypass the flow daemon in SRX

Article ID: KB26757   Last Updated: 23 Jul 2020   Version: 3.0

Summary:

This article provides information on how to selectively bypass the flow daemon in Junos.

Symptoms:
  • Junos provides an option to bypass the flow daemon for selected traffic on the basis of various parameters. This feature is known as Selective Stateless Packet-Based Forwarding.

  • Selective stateless packet-based services allow you to simultaneously use both flow-based and packet-based forwarding on a system.

  • You can selectively direct traffic that requires packet-based stateless forwarding to avoid stateful flow-based forwarding by using stateless firewall filters.

Solution:

Scenario:

  • The 10.0.0.2/24 and 192.168.2.1/24 IP addresses are configured on the ge-0/0/0 and ge-0/0/1 interfaces respectively.
  • The objective is to allow traffic between the 10.0.0.1/32 and 192.168.2.2/32 end hosts, without being processed by the flow module.

Here the traffic is matched only on source and destination prefix; other match conditions can also be added to the firewall filter term to narrow the selection.

Configure the firewall filter:


[edit firewall family inet filter bypass_flowd]
root@srx1# show | display set
set firewall family inet filter bypass_flowd term t1 from source-address 10.0.0.1/32
set firewall family inet filter bypass_flowd term t1 from destination-address 192.168.2.2/32
set firewall family inet filter bypass_flowd term t1 then count c1
set firewall family inet filter bypass_flowd term t1 then packet-mode        < Bypass the flow daemon
set firewall family inet filter bypass_flowd term t2 from source-address 192.168.2.2/32
set firewall family inet filter bypass_flowd term t2 from destination-address 10.0.0.1/32
set firewall family inet filter bypass_flowd term t2 then count c2
set firewall family inet filter bypass_flowd term t2 then packet-mode

set firewall family inet filter bypass_flowd term t3 then accept             < Include a last term with accept so that the rest of the traffic is
                                                                               evaluated by the flow daemon (a firewall filter discards any
                                                                               packet that no term matches)

Apply the filter to the ge-0/0/0 and ge-0/0/1 interfaces:

[edit interfaces ge-0/0/0]
root@srx1# show | display set
set interfaces ge-0/0/0 unit 0 family inet filter input bypass_flowd
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/24
[edit interfaces ge-0/0/1]
root@srx1# show | display set
set interfaces ge-0/0/1 unit 0 family inet filter input bypass_flowd
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24

Security zones and a permit-all default policy are configured for the traffic that is still handled by the flow daemon. Note that traffic matched by a packet-mode term bypasses the flow daemon entirely and is therefore not evaluated against security policies:

set security policies default-policy permit-all

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0

set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz interfaces ge-0/0/1.0

Verification:

root@srx1> show security flow session
Total sessions: 0

root@srx1> show firewall

Filter: __default_bpdu_filter__

Filter: bypass_flowd
Counters:
Name      Bytes   Packets
c1         2280        38
c2         2280        38

root@srx1> show security flow session
Total sessions: 0                       < no sessions are formed on the device

root@srx1> show firewall

Filter: __default_bpdu_filter__

Filter: bypass_flowd
Counters:
Name      Bytes   Packets
c1         6120       102
c2         6120       102               < increasing counters for the interested traffic

When configuring firewall filters for selective stateless packet-based services, adhere to the following guidelines:

  • Accurately identify the traffic that needs to bypass the flow to avoid unnecessary packet drops.

  • Make sure to apply the firewall filter with the packet-mode action on all of the interfaces that are involved in the packet-based flow path.

  • Make sure that host-bound TCP traffic uses flow-based forwarding: exclude this traffic when specifying the match conditions of the firewall filter term that contains the packet-mode action modifier.

  • Configure input packet filters (not output) with the packet-mode action modifier.
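The guidelines above can be checked mechanically before a commit. The following Python script is an added example, not Juniper tooling: it parses a set-style configuration (the article's own filter, embedded as a constructed sample) and reports a packet-mode filter that is bound as an output filter, lacks a final unconditional accept, or bypasses the flow daemon in only one direction of the t1/t2 pattern.

```python
import re
from collections import defaultdict
# Constructed sample in set form: the article's bypass_flowd filter and its two input bindings.
SAMPLE_CONFIG = """
set firewall family inet filter bypass_flowd term t1 from source-address 10.0.0.1/32
set firewall family inet filter bypass_flowd term t1 from destination-address 192.168.2.2/32
set firewall family inet filter bypass_flowd term t1 then packet-mode
set firewall family inet filter bypass_flowd term t2 from source-address 192.168.2.2/32
set firewall family inet filter bypass_flowd term t2 from destination-address 10.0.0.1/32
set firewall family inet filter bypass_flowd term t2 then packet-mode
set firewall family inet filter bypass_flowd term t3 then accept
set interfaces ge-0/0/0 unit 0 family inet filter input bypass_flowd
set interfaces ge-0/0/1 unit 0 family inet filter input bypass_flowd
"""
TERM_RE = re.compile(r"^set firewall family inet filter (\S+) term (\S+) (from|then) (\S+)(?: (\S+))?$")
BIND_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet filter (input|output) (\S+)$")

def parse(config):
    # filters[name][term] = {"from": {match: value}, "then": {action: value}}; dict order = term order
    filters, bindings = defaultdict(dict), defaultdict(list)
    for line in config.strip().splitlines():
        if m := TERM_RE.match(line.strip()):
            fname, term, kind, key, val = m.groups()
            filters[fname].setdefault(term, {"from": {}, "then": {}})[kind][key] = val
        elif m := BIND_RE.match(line.strip()):
            iface, unit, direction, fname = m.groups()
            bindings[fname].append((f"{iface}.{unit}", direction))
    return filters, bindings

def check_bypass_filter(config):
    """Return guideline violations; an empty list means the filter follows the article's pattern."""
    problems, (filters, bindings) = [], parse(config)
    for fname, terms in filters.items():
        pm = {t: d for t, d in terms.items() if "packet-mode" in d["then"]}
        if not pm:
            continue  # an ordinary stateless filter; the packet-mode guidelines do not apply
        # packet-mode is an input-filter action, so an output binding is a misconfiguration
        for iface, direction in bindings[fname]:
            if direction != "input":
                problems.append(f"{fname}: bound as {direction} filter on {iface}; packet-mode needs input")
        # a final unconditional accept without packet-mode hands all other traffic to the flow daemon
        last = terms[list(terms)[-1]]
        if last["from"] or "accept" not in last["then"] or "packet-mode" in last["then"]:
            problems.append(f"{fname}: last term must be an unconditional accept without packet-mode")
        # both directions must bypass flowd (as t1/t2 do), or return packets reach flowd with no session
        for t, d in pm.items():
            src, dst = d["from"].get("source-address"), d["from"].get("destination-address")
            if src and dst and not any(o["from"].get("source-address") == dst and
                                       o["from"].get("destination-address") == src for o in pm.values()):
                problems.append(f"{fname} term {t}: no reverse-direction packet-mode term for {dst} -> {src}")
    return problems
```

Run `check_bypass_filter()` on the output of `show configuration | display set`; a non-empty list names the filter and the guideline it violates.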

For information about the Selective Stateless Packet-Based Forwarding implementation on high-end SRX devices, refer to the following KB article:

Modification History:
2020-07-18: Article reviewed for accuracy; minor non-technical changes needed.