This article describes how to selectively bypass the flow daemon (flowd) in Junos on SRX devices, using a firewall filter term with the packet-mode action so that the matching traffic is forwarded statelessly.
Scenario:
- The 10.0.0.2/24 and 192.168.2.1/24 IP addresses are configured on the ge-0/0/0 and ge-0/0/1 interfaces respectively.
- The objective is to allow traffic between the 10.0.0.1/32 and 192.168.2.2/32 end hosts, without being processed by the flow module.
In this example the traffic is matched only on source and destination prefix; any other match condition supported by firewall filters can be added to the terms. Traffic that matches a packet-mode term is forwarded without a session, so security policies and the other flow-based services are not applied to it; only traffic that does not match those terms is evaluated by the flow daemon.
Configure the firewall filter:
[edit firewall family inet filter bypass_flowd]
root@srx1# show | display set
set firewall family inet filter bypass_flowd term t1 from source-address 10.0.0.1/32
set firewall family inet filter bypass_flowd term t1 from destination-address 192.168.2.2/32
set firewall family inet filter bypass_flowd term t1 then count c1
set firewall family inet filter bypass_flowd term t1 then packet-mode < Bypass the flow daemon
set firewall family inet filter bypass_flowd term t2 from source-address 192.168.2.2/32
set firewall family inet filter bypass_flowd term t2 from destination-address 10.0.0.1/32
set firewall family inet filter bypass_flowd term t2 then count c2
set firewall family inet filter bypass_flowd term t2 then packet-mode
set firewall family inet filter bypass_flowd term t3 then accept < Include a last term as accept to allow the rest of the traffic to be evaluated by the flow daemon
Apply the filter to the ge-0/0/0 and ge-0/0/1 interfaces:
[edit interfaces ge-0/0/0]
root@srx1# show | display set
set interfaces ge-0/0/0 unit 0 family inet filter input bypass_flowd
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/24
[edit interfaces ge-0/0/1]
root@srx1# show | display set
set interfaces ge-0/0/1 unit 0 family inet filter input bypass_flowd
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
Security zones and a permit-all default policy are configured, so traffic that is not bypassed and does reach the flow daemon is also allowed:
set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz interfaces ge-0/0/1.0
Verification (two snapshots taken while the two hosts are exchanging traffic):
root@srx1> show security flow session
Total sessions: 0
root@srx1> show firewall
Filter: __default_bpdu_filter__
Filter: bypass_flowd
Counters:
Name Bytes Packets
c1 2280 38
c2 2280 38
root@srx1> show security flow session
Total sessions: 0 < no sessions are formed on the device
root@srx1> show firewall
Filter: __default_bpdu_filter__
Filter: bypass_flowd
Counters:
Name Bytes Packets
c1 6120 102
c2 6120 102 < counters increase for the traffic of interest
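The verification above compares two snapshots of show firewall by eye. The following Python is an added example (not from the article or from Juniper) that automates the same check: it parses the show firewall and show security flow session output, computes the per-counter deltas for the bypass filter and reports whether every packet-mode counter advanced while the session table stayed empty. The sample outputs are constructed from the article's own verification output; the filter and counter names are the article's.

```python
"""Check that a Junos packet-mode bypass is working: the filter counters advance
between two 'show firewall' snapshots while 'show security flow session' shows no sessions."""
import re

# Constructed samples: the outputs shown in the article, captured at two points in time.
SESSION_OUTPUT = "Total sessions: 0\n"
FIREWALL_BEFORE = """\
Filter: __default_bpdu_filter__
Filter: bypass_flowd
Counters:
Name Bytes Packets
c1 2280 38
c2 2280 38
"""
FIREWALL_AFTER = """\
Filter: __default_bpdu_filter__
Filter: bypass_flowd
Counters:
Name Bytes Packets
c1 6120 102
c2 6120 102
"""

# A counter row is "<name> <bytes> <packets>"; the header row has no digits, so it is skipped.
COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")


def parse_show_firewall(text):
    """Return {filter_name: {counter_name: (bytes, packets)}} from 'show firewall' output."""
    counters = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Filter:"):
            current = line.split(":", 1)[1].strip()
            counters.setdefault(current, {})
        elif current and (m := COUNTER_RE.match(line)):
            counters[current][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters


def parse_total_sessions(text):
    """Return the 'Total sessions' value from 'show security flow session' output."""
    m = re.search(r"Total sessions:\s*(\d+)", text)
    if not m:
        raise ValueError("no 'Total sessions' line in session output")
    return int(m.group(1))


def bypass_health(before, after, sessions_text, filter_name):
    """Return (deltas, total_sessions, ok).

    deltas maps each counter of filter_name to (bytes_delta, packets_delta).
    ok is True only when every counter saw new packets and no sessions exist, i.e. the
    interesting traffic is being forwarded in packet mode and nothing leaked into flowd.
    """
    b = parse_show_firewall(before).get(filter_name, {})
    a = parse_show_firewall(after).get(filter_name, {})
    deltas = {
        name: (a[name][0] - b.get(name, (0, 0))[0], a[name][1] - b.get(name, (0, 0))[1])
        for name in a
    }
    total = parse_total_sessions(sessions_text)
    ok = bool(deltas) and all(pkts > 0 for _, pkts in deltas.values()) and total == 0
    return deltas, total, ok


if __name__ == "__main__":
    deltas, total, ok = bypass_health(FIREWALL_BEFORE, FIREWALL_AFTER, SESSION_OUTPUT, "bypass_flowd")
    print(deltas, "sessions:", total, "bypass OK" if ok else "bypass NOT OK")
```

In the lab above the two hosts are the only traffic source, so a total of zero sessions is meaningful. On a device carrying other traffic, restrict the session command to the hosts of interest before feeding its output to the check, otherwise unrelated sessions will make ok false.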
When configuring firewall filters for selective stateless packet-based services, adhere to the following guidelines:
- Accurately identify the traffic that needs to bypass the flow daemon, to avoid unnecessary packet drops.
- Make sure to apply the firewall filter with the packet-mode action on all of the interfaces that are involved in the packet-based flow path.
- Make sure that host-bound TCP traffic keeps using flow-based forwarding: exclude this traffic when specifying the match conditions of the firewall filter term that contains the packet-mode action modifier.
- Configure input packet filters (not output) with the packet-mode action modifier.
For information about the Selective Stateless Packet-Based Forwarding implementation on high-end SRX devices, refer to the following KB article:
2020-07-18: Article reviewed for accuracy; Minor non-technical changes needed.