A 'Warning' statement is reported in the configuration when attempting to configure Selective Stateless Packet Forwarding (or Selective Stateless Packet-Based Services) on High-End SRX devices.
Selective Stateless Packet-Based Services allows you to simultaneously use flow-based and packet-based forwarding on a system. You can selectively direct traffic that requires packet-based, stateless forwarding to avoid stateful flow-based forwarding by using stateless firewall filters, also known as access control lists (ACLs).
One reason to use Selective Stateless Packet Forwarding is traffic that requires MPLS services. MPLS requires that traffic be processed in packet-mode. However, under some circumstances, it might be necessary to concurrently apply certain services to this traffic that can only be provided in flow mode, such as stateful inspection, NAT, and IPsec.
For a configuration overview and example on Selective Stateless Packet-Based Services, refer to the following technical documentation:
Selective Stateless Packet Forwarding works as expected on SRX Branch and J-Series devices. However, the goal here is to confirm whether packet-based and flow-based traffic can run together on a High-End SRX device.
In the following CLI output, we are trying to create a firewall filter that forces the SRX to process all traffic with a source address in the 10.1.1.0/24 network range in packet-mode, bypassing the flow module.
This same portion of configuration works on an SRX Branch/J-Series device, but when it is copied to a High-End SRX device, such as an SRX5600, the following Warning is reported:
root@srx5600# show firewall
family inet {
    filter bypass-flow-filter {
        term bypass-flow-term-1 {
            from {
                source-address {
                    10.1.1.0/24;
                }
            }
            ##
            ## Warning: statement ignored: unsupported platform (srx5600)
            ##
            then packet-mode;
        }
    }
}
Selective Stateless Packet-Based Services are currently not supported on High-End SRX devices.
Selective Stateless Packet-Based Services is only supported on SRX Branch series or J Series routers. It is not supported on High-End SRX devices.
The Feature Support Reference also indicates that it is not supported.
Note: This feature is supported on SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices.
Refer to the technical documentation on Packet-Based Forwarding
[edit]
root@srx1500# show firewall
family inet {
    filter by-pass-flow-filter {
        term by-pass-flow-term1 {
            from {
                source-address {
                    10.1.1.0/24;
                }
            }
            then packet-mode;
        }
    }
}
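Added example (not part of the original article and not Juniper tooling): a Python check that reads 'show firewall' output, lists every term whose action is packet-mode, that is, traffic that will skip flow-mode services such as stateful inspection, NAT, and IPsec, and records whether the platform ignored the statement. The function names and the sample text are constructed for illustration from the output shown above.

```python
import re

WARNING = re.compile(r"##\s*Warning:\s*statement ignored:\s*(.+)")
PREFIX = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}/\d{1,2};$")

def _key(stack):  # (filter, term) names of the enclosing blocks, None if absent
    names = {s.split()[0]: s.split()[1] for s in stack if " " in s}
    return names.get("filter"), names.get("term")

def audit_packet_mode(config):
    """Return one finding per firewall term whose action is packet-mode."""
    stack, sources, findings, ignored = [], {}, [], None
    for line in (raw.strip() for raw in config.splitlines()):
        warning = WARNING.match(line)
        if warning:                      # annotation applies to the next statement
            ignored = warning.group(1)
        elif not line or line.startswith("##"):
            continue                     # blank line or bare "##" comment marker
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            del stack[-1:]               # tolerate unbalanced input
        elif PREFIX.match(line) and "source-address" in stack:
            sources.setdefault(_key(stack), []).append(line[:-1])
        else:
            if line == "then packet-mode;" or (line == "packet-mode;" and stack[-1:] == ["then"]):
                flt, term = _key(stack)
                findings.append({"filter": flt, "term": term, "sources": sources.get((flt, term), []),
                                 "effective": ignored is None, "ignored_reason": ignored})
            ignored = None               # a warning covers one statement only
    return findings

# Constructed sample: the filter from this article, with and without the warning.
TEMPLATE = """family inet {
filter bypass-flow-filter {
term bypass-flow-term-1 {
from {
source-address {
10.1.1.0/24;
}
}
%sthen packet-mode;
}
}
}"""
SRX5600 = TEMPLATE % "##\n## Warning: statement ignored: unsupported platform (srx5600)\n##\n"
SRX1500 = TEMPLATE % ""
if __name__ == "__main__":
    print(audit_packet_mode(SRX5600), audit_packet_mode(SRX1500), sep="\n")
```

A finding with "effective" set to True marks a source range that is not subject to flow-based inspection; one set to False means the bypass was configured but the platform did not apply it.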
2020-05-21: Updated reference links and list of supported SRX devices.
2017-03-21: Removed "3600 - 5800" because Selective Stateless Packet-Based Services is not supported on all SRX High End devices.