Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

mandrei99
Post subject: Juniper SRX packet mode switch back to flow mode (verification) | Posted: Tue May 28, 2013 9:57 am

Joined: Tue Aug 04, 2009 9:16 am
Posts: 250

Probably you know how to enable the SRX to run in packet mode (due to the MPLS header being just after the Ethernet header, it applies to the inet family also).

To check the mode that an SRX box is running under:
Code:
# run show security flow status   
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
  Flow trace status
    Flow tracing status: off


Right now my box is running in packet mode. This means that NAT/IPsec/stateless firewall functions and policies are all disabled. The box is a SOHO router.

SRX change packet mode to flow mode


Deleting the configuration under "security forwarding-options family mpls" will disable packet mode (but not immediately):
Code:
root@cameron# show security forwarding-options
family {
    mpls {
        mode packet-based;
    }
}

[edit]
# delete security forwarding-options

[edit]
# commit
run show security flow status
commit complete

[edit]
# run show security flow status
  Flow forwarding mode:
    Inet forwarding mode: packet based (reboot needed to change to flow based)
    Inet6 forwarding mode: drop
    MPLS forwarding mode: packet based (reboot needed to change to drop)
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
  Flow trace status
    Flow tracing status: off


Switching back to flow mode will trigger the MPLS family to be dropped by default, unless you are configuring selective packet mode (only some interfaces will work in packet mode) for both families mpls and inet on the input (see http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf, page 16, for more details).

After reboot:
Code:
> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
  Flow trace status
    Flow tracing status: off


https://forum.ivorde.com/juniper-srx-packet-mode-how-to-switch-between-flow-mode-and-packet-mode-t19681.html
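As an added example, not part of mandrei99's post and not Juniper code: a small Python audit that parses the `show security flow status` output quoted above and flags any address family that is still packet based (so security policies, NAT and IPsec do not apply to it) or that is waiting for a reboot after the commit. The three sample outputs are the ones shown in the post, embedded here as constructed strings so the check runs offline; the function and variable names are my own.

```python
import re

# Constructed sample inputs: the three 'show security flow status' outputs quoted in the
# post (before the change, after 'commit', after reboot), embedded so the checker runs
# offline. On a real box these would be the captured output of the command.
STATUS_PACKET_MODE = """\
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: packet based
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
  Flow trace status
    Flow tracing status: off
"""

STATUS_AFTER_COMMIT = """\
  Flow forwarding mode:
    Inet forwarding mode: packet based (reboot needed to change to flow based)
    Inet6 forwarding mode: drop
    MPLS forwarding mode: packet based (reboot needed to change to drop)
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
  Flow trace status
    Flow tracing status: off
"""

STATUS_AFTER_REBOOT = """\
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
  Flow trace status
    Flow tracing status: off
"""

# One per-family line, e.g. "Inet forwarding mode: packet based (reboot needed to change to flow based)".
# The family is the word before "forwarding mode:", the mode is the lowercase phrase after it,
# and an optional parenthesised note carries the pending-reboot state.
_MODE_LINE = re.compile(
    r"^\s*(?P<family>\S+) forwarding mode:\s*"
    r"(?P<mode>[a-z][a-z ]*?)\s*"
    r"(?:\((?P<note>[^)]*)\))?\s*$"
)


def parse_flow_status(output):
    """Map each address family to (mode, pending_note) parsed from the command output.

    The 'Flow forwarding mode:' header has no mode text and therefore does not match;
    the 'Advanced services ...' line lacks 'forwarding mode:' and is skipped.
    """
    families = {}
    for line in output.splitlines():
        m = _MODE_LINE.match(line)
        if m:
            families[m.group("family")] = (m.group("mode").strip(), m.group("note"))
    return families


def audit_flow_status(output):
    """Return human-readable findings a flow-mode audit should raise.

    A family in packet mode bypasses the flow module, so NAT, IPsec and security
    policies are not applied to it. A pending-reboot note means the committed
    configuration and the running data plane disagree until the box is rebooted.
    """
    findings = []
    for family, (mode, note) in parse_flow_status(output).items():
        if mode == "packet based":
            findings.append(f"{family}: packet based (security policies/NAT/IPsec not applied)")
        if note and "reboot needed" in note:
            findings.append(f"{family}: {note}")
    return findings


def inet_is_flow_based(output):
    """True only when inet is flow based with no reboot pending, i.e. stateful inspection is active."""
    mode, note = parse_flow_status(output).get("Inet", (None, None))
    return mode == "flow based" and note is None


if __name__ == "__main__":
    for label, sample in (("before", STATUS_PACKET_MODE),
                          ("after commit", STATUS_AFTER_COMMIT),
                          ("after reboot", STATUS_AFTER_REBOOT)):
        print(f"[{label}] inet flow based: {inet_is_flow_based(sample)}")
        for finding in audit_flow_status(sample):
            print("  -", finding)
```

The pending-reboot check matters because a compliance scan that only reads the candidate or committed configuration would report the box as flow based right after the commit, while the data plane is still forwarding inet and mpls without inspection until the reboot.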





mandrei99
Post subject: Re: Juniper SRX packet mode switch back to flow mode (verification) | Posted: Tue May 28, 2013 11:10 am

Joined: Tue Aug 04, 2009 9:16 am
Posts: 250

More links:
Understanding Packet-Based and Flow-Based Forwarding
http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-admin-guide/packet-flow-based-fwd-section.html#packet-flow-based-fwd-section

Understanding Selective Stateless Packet-Based Services
http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-admin-guide/jd0e38164.html#jd0e38164

Configuring Selective Stateless Packet-Based Services
http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-admin-guide/config-stateless-packet-option-section.html#config-stateless-packet-option-section

