Juniper SRX firewalls are stateful firewalls - they keep a memory table of TCP and UDP sessions and match every packet against an existing session. This is called flow mode.
An SRX can also operate as a stateless device or a plain router (even a switch, if ethernet-switching is used). This is called packet mode.
To check whether flow mode or packet mode is currently configured on the SRX:
Code:
root@srx-host> show security flow status
node0:
--------------------------------------------------------------------------
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Advanced services data-plane memory mode: Default
Flow trace status
Flow tracing status: on
Flow tracing options: basic
Flow session distribution
Distribution mode: RR-based
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware
Note: if the output contains node0/node1 headers, the SRX is a chassis cluster node, and chassis clusters are only supported in flow mode. The output above confirms:
- IPv4 (inet) forwarding mode: flow based (stateful)
- IPv6 (inet6) forwarding mode: drop, i.e. IPv6 packets are neither forwarded nor inspected (see also: Juniper SRX IPv6 forwarding - how to enable flow mode or packet mode.
http://forum.ivorde.com/juniper-srx-ipv6-forwarding-how-to-enable-flow-mode-or-packet-mode-t19671.html)
- MPLS forwarding mode: drop
To switch from flow mode to packet mode, the following conditions must be met on the SRX:
- the SRX must NOT be part of a chassis cluster. If it is, the cluster has to be disabled first (> set chassis cluster disable) and the node rebooted - PAY ATTENTION TO WHAT YOU ARE DOING !!!
- configure packet mode for family mpls.
- deactivate or delete all security policies.
- reboot the SRX.
1. Configure packet mode in the SRX configuration:
Code:
[edit]
root@srx-host# set security forwarding-options family mpls mode packet-based
root@srx-host# commit
[edit security forwarding-options family]
'mpls'
MPLS mode packet-based not allowed when [security policies] are configured.
[edit security]
'policies'
security policies not allowed when [security forwarding-options family mpls mode] is packet-based
error: commit failed: (statements constraint check failed)
Note 1: there is no separate knob here for IPv4; packet mode is enabled for family mpls, and the commit warning in the next step confirms that the inet (IPv4) forwarding mode is switched to packet-based along with it.
2. Deactivate or delete all security policies in the SRX configuration:
Code:
[edit]
root@srx-host# deactivate security policies
[edit]
root@srx-host# commit
warning: You have changed mpls flow mode.
You have to reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
warning: Inet flow mode has been changed to packet-based mode for mpls mode modification.
warning: You must reboot the system for your change to take effect.
commit complete
3. Reboot the SRX to activate packet mode:
Code:
root@srx-host# run request system reboot
Reboot the system ? [yes,no] (no) yes
Shutdown NOW!
[pid 2269]
Verify that the new forwarding mode is in effect (after the reboot):
Code:
root@srx-host> show security flow status
Flow forwarding mode:
Inet forwarding mode: packet based
Inet6 forwarding mode: drop
MPLS forwarding mode: packet based
ISO forwarding mode: drop
Advanced services data-plane memory mode: Default
Flow trace status
Flow tracing status: on
Flow tracing options: basic
Flow session distribution
Distribution mode: RR-based
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware
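The mode check at the top of this post and the post-reboot verification above are the same parse of "show security flow status". Below is an added example (my code, not part of the original post and not a Juniper tool) that does that parse in Python so the check can be run across many boxes: it reads the command output as text (assumption: you have already collected it, e.g. over SSH), reports whether the device is a chassis cluster node, which families are forwarded statelessly, and whether the switch to packet mode has actually taken effect. The two sample outputs are constructed from the outputs shown in this post.

```python
"""Audit helpers for Junos 'show security flow status' output.

Added example, not part of the original post. It assumes the command output
has already been captured as text; the two samples below are constructed
from the outputs shown in the post.
"""
import re

# Constructed sample 1: the pre-change output (cluster node0, flow mode).
SAMPLE_FLOW_CLUSTER = """\
node0:
--------------------------------------------------------------------------
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: drop
MPLS forwarding mode: drop
ISO forwarding mode: drop
Advanced services data-plane memory mode: Default
"""

# Constructed sample 2: the post-reboot output (standalone, packet mode).
SAMPLE_PACKET_STANDALONE = """\
Flow forwarding mode:
Inet forwarding mode: packet based
Inet6 forwarding mode: drop
MPLS forwarding mode: packet based
ISO forwarding mode: drop
"""

# One line per address family; the value is 'flow based', 'packet based' or 'drop'.
MODE_RE = re.compile(r"^\s*(Inet6|Inet|MPLS|ISO) forwarding mode:\s*(.+?)\s*$", re.M)
# 'node0:' / 'node1:' headers only appear when the box is a chassis-cluster member.
NODE_RE = re.compile(r"^\s*(node\d+):\s*$", re.M)


def parse_flow_status(text):
    """Return {'nodes': ['node0', ...], 'modes': {'inet': 'flow based', ...}}."""
    modes = {fam.lower(): mode for fam, mode in MODE_RE.findall(text)}
    return {"nodes": NODE_RE.findall(text), "modes": modes}


def is_clustered(status):
    return bool(status["nodes"])


def stateless_families(status):
    """Families forwarded without a session table, i.e. with no security policies in effect."""
    return [fam for fam, mode in status["modes"].items() if mode == "packet based"]


def packet_mode_precheck(status):
    """Blocking conditions for 'set security forwarding-options family mpls mode packet-based'."""
    problems = []
    if is_clustered(status):
        problems.append("chassis-cluster node: disable the cluster and reboot before switching")
    if "inet" in stateless_families(status):
        problems.append("inet is already packet based: nothing to do")
    return problems


def verify_packet_mode(status):
    """Post-reboot check: standalone box with both inet and mpls packet based."""
    m = status["modes"]
    return (not is_clustered(status)
            and m.get("inet") == "packet based"
            and m.get("mpls") == "packet based")


if __name__ == "__main__":
    for name, text in (("before", SAMPLE_FLOW_CLUSTER), ("after", SAMPLE_PACKET_STANDALONE)):
        st = parse_flow_status(text)
        print(name, st["modes"], "cluster" if is_clustered(st) else "standalone",
              "stateless:", stateless_families(st), "precheck:", packet_mode_precheck(st))
```

Run against a fleet, stateless_families() is the interesting output: any firewall that reports inet as "packet based" has no security policies in effect, whether that was intended or not.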
Important notes:
- packet mode is only supported on branch SRX devices (SRX100/110/210/220/240/550 and 650) and on the virtual SRX.
- when converting a cluster into two independent SRX routers, the cluster control and management links (fxp0 and em0) change, so the devices may become unreachable. Adjust the configuration beforehand so you do not lock yourself out: "commit confirmed" does not help you here, because the change only takes effect after the reboot.
- packet mode turns the firewall into a stateless device. Security policies no longer apply (the commit refuses to keep them alongside packet mode), and stateful features such as NAT are unavailable. Firewall filters can still accept, discard or reject traffic, but they evaluate each packet on its own with no session state (like Cisco access lists).
- reverting to stateful forwarding (flow mode): delete the "security forwarding-options family mpls" configuration, re-activate the security policies, commit and reboot again (the commit warns that the forwarding mode change only takes effect after a reboot).
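To make the "stateless, like an access list" point concrete, here is an added example (my code, not from the original post and not a model of Junos internals). It compares, in plain Python, a packet-mode firewall filter whose first term uses the Junos "tcp-established" match (which accepts any TCP segment with the ACK or RST flag set, regardless of whether a connection exists) against a flow-mode session table that only admits packets belonging to a session opened by a policy-permitted SYN. Addresses, ports and the single allowed service (TCP/443) are constructed for the illustration.

```python
"""Stateless filter (packet mode) vs stateful session table (flow mode).

Added example, not part of the original post. A toy model: a Junos firewall
filter term 'from protocol tcp tcp-established then accept' passes any segment
with ACK or RST set, so an outside host can push bare ACKs (an ACK scan, or
traffic to a port the policy never opened) straight through. A flow-mode
session table drops the same packets because no session exists.
"""
from dataclasses import dataclass

# TCP flag bits (constructed constants for the model).
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def stateless_filter(pkt, allowed_dports=frozenset({443})):
    """Packet mode: every packet is judged on its own header.

    term established: from protocol tcp tcp-established  -> accept
    term services:    from destination-port <allowed>     -> accept
    default:                                                 discard
    """
    if pkt.flags & (ACK | RST):
        return "accept"          # no session lookup: a bare ACK from outside passes
    if pkt.dport in allowed_dports:
        return "accept"
    return "discard"


class StatefulFirewall:
    """Flow mode: a policy-permitted SYN creates a session; everything else must match one."""

    def __init__(self, policy_allowed_dports=frozenset({443})):
        self.sessions = set()
        self.allowed = policy_allowed_dports

    @staticmethod
    def _key(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt):
        if self._key(pkt) in self.sessions or self._reverse(pkt) in self.sessions:
            return "accept"      # belongs to an existing session, either direction
        if pkt.flags == SYN and pkt.dport in self.allowed:
            self.sessions.add(self._key(pkt))
            return "accept"      # new session permitted by policy
        return "drop"            # no session and not a permitted SYN (e.g. ACK-scan probe)


def compare(pkt, fw):
    """Verdict of both models for one packet."""
    return {"packet_mode": stateless_filter(pkt), "flow_mode": fw.process(pkt)}


if __name__ == "__main__":
    fw = StatefulFirewall()
    # Constructed traffic: outside scanner 203.0.113.5, inside server 192.0.2.10.
    probe = Packet("203.0.113.5", "192.0.2.10", 40000, 22, ACK)       # ACK scan of SSH
    legit = Packet("203.0.113.5", "192.0.2.10", 40001, 443, SYN)      # HTTPS connect
    reply = Packet("192.0.2.10", "203.0.113.5", 443, 40001, ACK)      # server's reply
    for name, p in (("ack-scan", probe), ("syn-443", legit), ("reply", reply)):
        print(name, compare(p, fw))
```

The ack-scan line is the one to look at: the stateless filter answers "accept" while the session table answers "drop". Whatever filter you write in packet mode, it can only ever reason about the packet in front of it.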
More information: Branch SRX Series and J Series Selective Packet Services
http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf