
[SRX] How to change forwarding mode for IPv4 from 'flow based' to 'packet based'


Article ID: KB30461 KB Last Updated: 13 Jan 2020Version: 5.0
Summary:

This article explains how to change the forwarding mode on SRX (Branch Series) or J Series devices from flow-based to packet-based for IPv4 traffic.

Note: The solution described here does not apply to the following SRX High End devices: SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800.


Symptoms:

An SRX device can operate in one of two forwarding modes: flow mode or packet mode. In flow mode, the SRX processes traffic by tracking the state of each session; this is stateful processing. In packet mode, the SRX forwards traffic as a traditional router, on a per-packet basis with no session state; this is stateless processing. Security features that depend on session state, such as zone-based security policies, IPsec, NAT and UTM, do not work in packet mode; only stateless firewall filters still apply. By default, Junos OS on SRX devices runs in flow mode.

Solution:

To check the forwarding mode:

  1. From operational mode, enter the show security flow status command.
root> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based 
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Advanced services data-plane memory mode: Default
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware

The "Inet forwarding mode" line shows that the device is in flow-based mode for IPv4 (inet) traffic.

  2. Because a device in packet mode works as a router and not as a firewall, delete the security configuration (zones, policies, NAT, IPsec, UTM and so on) from the device. This removes the whole [edit security] hierarchy, so keep a copy of the current configuration if you may need to return to flow mode later.
[edit]
root# delete security 
  3. Change the mode to packet-based. There is no separate inet knob: the IPv4 (inet) forwarding mode follows the MPLS forwarding mode, so setting family mpls to packet-based also switches inet, as the commit warning in the next step confirms.
[edit]
root# set security forwarding-options family mpls mode packet-based
  4. Commit the change. The commit completes with the following warnings, which tell you to reboot the device for the change to take effect.
[edit]
root# commit
warning: You have changed mpls flow mode.
You have to reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
warning: Inet flow mode has been changed to packet-based mode for mpls mode modification.
warning: You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
commit complete
  5. Reboot the device. In a chassis cluster, reboot both nodes.
[edit]
root# run request system reboot
Reboot the system ? [yes,no] (no) yes

Verification:

  1. Once the device is back up after the reboot, check the flow status again. Both the Inet and MPLS forwarding modes now read packet based.

root> show security flow status
Flow forwarding mode:
Inet forwarding mode: packet based  
Inet6 forwarding mode: drop
MPLS forwarding mode: packet based
ISO forwarding mode: drop
Advanced services data-plane memory mode: Default
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware
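As an added example that is not part of this KB article, the Python script below parses the text of show security flow status (as shown above) and automates the check in the verification step, so the same test can be run across many devices from a saved capture or a NETCONF/PyEZ session. The two sample outputs inside it are constructed copies of the article's before and after output, and the function names are this example's own, not a Juniper API.

```python
"""Parse and check `show security flow status` output from an SRX.

Added example, not code from the Juniper KB article. It works on the plain
CLI text the article shows; the samples below are constructed copies of the
article's before/after output so the script runs offline.
"""
import re

# Constructed sample: output before the change (IPv4 is flow based).
FLOW_MODE_OUTPUT = """\
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Advanced services data-plane memory mode: Default
Flow trace status
Flow tracing status: off
"""

# Constructed sample: output after the change and reboot (packet based).
PACKET_MODE_OUTPUT = """\
Flow forwarding mode:
Inet forwarding mode: packet based
Inet6 forwarding mode: drop
MPLS forwarding mode: packet based
ISO forwarding mode: drop
Advanced services data-plane memory mode: Default
Flow trace status
Flow tracing status: off
"""

# One line per address family; trailing spaces are common in CLI captures.
_FAMILY_LINE = re.compile(
    r"^\s*(Inet6|Inet|MPLS|ISO) forwarding mode:\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_flow_status(text):
    """Return a dict such as {'inet': 'flow based', 'mpls': 'drop', ...}.

    Keys are lower-cased family names; values are the mode string as the
    CLI prints it, lower-cased ('flow based', 'packet based', 'drop').
    """
    return {fam.lower(): mode.lower() for fam, mode in _FAMILY_LINE.findall(text)}


def verify_modes(text, expected):
    """Compare parsed modes with an expected map and list any mismatches.

    expected: e.g. {'inet': 'packet based', 'mpls': 'packet based'}.
    An empty list means the device is in the state you asked for.
    """
    modes = parse_flow_status(text)
    problems = []
    for family, want in expected.items():
        got = modes.get(family)
        if got is None:
            problems.append(f"{family}: not reported in output")
        elif got != want:
            problems.append(f"{family}: {got} (expected {want})")
    return problems


def inet_is_stateful(text):
    """True when IPv4 is flow based, i.e. zone policies, NAT, IPsec and UTM
    are actually applied; False when the box is a stateless router."""
    return parse_flow_status(text).get("inet") == "flow based"


def inet_follows_mpls(text):
    """Check the coupling the commit warning describes: when MPLS is packet
    based, Inet must be packet based too. Returns True when consistent."""
    modes = parse_flow_status(text)
    if modes.get("mpls") == "packet based":
        return modes.get("inet") == "packet based"
    return True


if __name__ == "__main__":
    for label, output in (("before", FLOW_MODE_OUTPUT), ("after", PACKET_MODE_OUTPUT)):
        print(label, parse_flow_status(output), "stateful:", inet_is_stateful(output))
    # Post-reboot verification, as in the article's last step.
    print("mismatches:", verify_modes(PACKET_MODE_OUTPUT,
                                      {"inet": "packet based", "mpls": "packet based"}))
```

Feed the functions live output, for example the string returned by dev.cli("show security flow status") from a junos-eznc Device session, or a saved capture. Running verify_modes against the "before" output before you commit tells you whether the device is already a stateless router, which matters because a device that has silently been in packet mode is not enforcing any of its security policies.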

Note: This feature is not supported on SRX High End devices. If it is configured there, the commit shows the warning "Warning: configuration block ignored: unsupported platform" and the device stays in flow mode.

Note: As of Junos OS 15.1X49-D70, the SRX1500, SRX4100, SRX4200 and vSRX do not need a reboot when switching between flow mode and packet mode. The SRX300 Series still requires a reboot.

Modification History:

2020-01-13: Added note about solution not applying to some SRX High End devices

2017-08-07: Reboot is required for entire SRX300-Series

2017-06-22: Added that no need to reboot after 15.1X49-D70

2017-03-21: Added note that solution is not supported on SRX High End devices
