Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Author: mandrei99
Post subject: Juniper SRX Packet mode - how to switch between flow mode and packet mode | Posted: Thu Jan 15, 2015 6:36 am

Joined: Tue Aug 04, 2009 9:16 am
Posts: 250

Offline
 

Juniper SRX Packet mode - how to switch between flow mode and packet mode

Juniper SRX firewalls are stateful firewalls: they keep an in-memory table of TCP and UDP sessions and match each packet against an existing session. This is called flow mode.

An SRX can also operate as a stateless device, i.e. a plain router (or even a switch, if ethernet-switching is used). This is called packet mode.

To check whether flow mode or packet mode is currently configured on the SRX:
Code:
root@srx-host> show security flow status
node0:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
  Flow trace status
    Flow tracing status: on
    Flow tracing options: basic
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware


Note: if the output contains node0/node1, the SRX is part of a chassis cluster, which is only supported in flow mode. The output above confirms:
- IPv4 forwarding mode: flow mode
- IPv6 forwarding mode: drop (see also: Juniper SRX IPv6 forwarding - how to enable flow mode or packet mode. http://forum.ivorde.com/juniper-srx-ipv6-forwarding-how-to-enable-flow-mode-or-packet-mode-t19671.html)
- MPLS forwarding mode: drop

To switch from flow mode to packet mode, the following conditions must be met on the SRX firewall:
- the SRX node must NOT be part of a chassis cluster. If it is, the cluster needs to be disabled first (> set chassis cluster disable) and the node rebooted - PAY ATTENTION TO WHAT YOU ARE DOING !!!
- configure packet mode for family mpls.
- deactivate or delete any security policies.
- reboot the SRX.

1. Configure SRX packet mode in the configuration:


Code:
[edit]
root@srx-host# set security forwarding-options family mpls mode packet-based 
root@srx-host# commit
[edit security forwarding-options family]
  'mpls'
    MPLS mode packet-based not allowed when [security policies] are configured.
[edit security]
  'policies'
    security policies not allowed when [security forwarding-options family mpls mode] is packet-based
error: commit failed: (statements constraint check failed)


Note 1: enabling packet mode for IPv4 requires enabling it for family mpls in the configuration; the commit above fails because security policies are still active.

2. Deactivate or delete any security policies in the SRX configuration:


Code:
[edit]
root@srx-host# deactivate security policies

[edit]
root@srx-host# commit
warning: You have changed mpls flow mode.
You have to reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
warning: Inet flow mode has been changed to packet-based mode for mpls mode modification.
warning: You must reboot the system for your change to take effect.
commit complete


3. Reboot the SRX firewall to activate packet mode:


Code:
root@srx-host# run request system reboot
Reboot the system ? [yes,no] (no) yes

Shutdown NOW!
[pid 2269]

Verify that packet mode is in effect after the reboot:
Code:
root@srx-host> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
  Flow trace status
    Flow tracing status: on
    Flow tracing options: basic
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware


Important notes:
- packet mode is only supported on SRX branch devices (SRX 100/110/210/220/240/550 and 650) and on virtual SRX.
- when changing a device from a cluster to two independent SRX routers, the cluster control and management links (fxp0 and em0) change, so the devices will become unresponsive. Make sure you adjust the configuration in advance to avoid locking yourself out. "commit confirmed" does not help you in this situation.
- packet mode changes the firewall into a stateless device. Firewall filters are still able to drop/reject/accept traffic, but they are evaluated on a per-packet basis, not per session state (like Cisco access lists).
- to revert to stateful forwarding (flow mode), it is enough to delete the "security forwarding-options family mpls" configuration, re-activate the security policies and reboot.
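The pre-checks and the verification step above are easy to get wrong by eye on a box that has been clustered or has stale policies. The following Python script is an added example (not part of the original post or of Junos) that parses the text of "show security flow status" and a "show configuration security" fragment, reports the blockers the post names (cluster membership, active security policies) before you attempt the switch, and, from a defender's side, flags a device that is supposed to be a stateful firewall but is actually forwarding IPv4 in packet mode. The sample outputs are constructed from the listings in the post; the "inactive:" prefix used to spot deactivated policies is the way Junos prints a deactivated stanza, and the policies check assumes the text is the [edit security] hierarchy.

```python
import re
from typing import Dict, List

# Constructed sample outputs, modelled on the two "show security flow status"
# listings in the post (cluster node in flow mode; standalone box after the switch).
SAMPLE_CLUSTER_FLOW = """\
node0:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: on
"""

SAMPLE_STANDALONE_PACKET = """\
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
"""

# Constructed fragment of "show configuration security" with policies deactivated;
# Junos prints a deactivated stanza with an "inactive:" prefix.
SAMPLE_CONFIG_POLICIES_INACTIVE = """\
forwarding-options {
    family {
        mpls {
            mode packet-based;
        }
    }
}
inactive: policies {
    from-zone trust to-zone untrust {
        policy allow-all {
            match { source-address any; destination-address any; application any; }
            then { permit; }
        }
    }
}
"""

MODE_RE = re.compile(r"^\s*(Inet6|Inet|MPLS|ISO) forwarding mode:\s*(.+?)\s*$", re.MULTILINE)
NODE_RE = re.compile(r"^(node\d+):\s*$", re.MULTILINE)
# A "policies {" line at the start of a line is active; "inactive: policies {" does not match.
ACTIVE_POLICIES_RE = re.compile(r"^\s*policies\s*\{", re.MULTILINE)


def parse_flow_status(output: str) -> Dict[str, object]:
    """Extract per-family forwarding modes and cluster membership from
    'show security flow status' text."""
    modes = {family.lower(): mode for family, mode in MODE_RE.findall(output)}
    nodes = sorted(set(NODE_RE.findall(output)))
    return {"modes": modes, "clustered": bool(nodes), "nodes": nodes}


def has_active_security_policies(security_config: str) -> bool:
    """True when a 'policies {' stanza appears without the 'inactive:' prefix
    (heuristic; assumes the text is the [edit security] hierarchy)."""
    return bool(ACTIVE_POLICIES_RE.search(security_config))


def packet_mode_blockers(status_output: str, security_config: str) -> List[str]:
    """Reasons the flow-to-packet switch would be refused or unsupported,
    mirroring the preconditions listed in the post."""
    status = parse_flow_status(status_output)
    blockers = []
    if status["clustered"]:
        nodes = ", ".join(status["nodes"])
        blockers.append(f"chassis cluster detected ({nodes}): clusters are flow-mode only")
    if has_active_security_policies(security_config):
        blockers.append("active security policies present: commit fails until they are deactivated or deleted")
    return blockers


def audit_stateful_posture(status_output: str) -> List[str]:
    """Findings for a device that is expected to be a stateful firewall:
    IPv4 in packet mode means no session table and no security policies."""
    status = parse_flow_status(status_output)
    findings = []
    inet = status["modes"].get("inet")
    if inet is None:
        findings.append("could not determine IPv4 forwarding mode")
    elif inet != "flow based":
        findings.append(f"IPv4 forwarding mode is '{inet}': device is stateless, security policies are not enforced")
    if status["clustered"] and inet == "packet based":
        findings.append("packet mode reported on a cluster node: unsupported combination, investigate")
    return findings


if __name__ == "__main__":
    print("blockers before switch:", packet_mode_blockers(SAMPLE_CLUSTER_FLOW, SAMPLE_CONFIG_POLICIES_INACTIVE))
    print("posture after switch:", audit_stateful_posture(SAMPLE_STANDALONE_PACKET))
```

In practice you would feed the functions the output captured over SSH or with the Junos PyEZ library instead of the constructed samples; running audit_stateful_posture across a fleet is a cheap way to catch a branch SRX that was left in packet mode after troubleshooting and is no longer enforcing its policies.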

More information: Branch SRX Series and J Series Selective Packet Services http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf
