SRX


SRX firewall as router

  • 1.  SRX firewall as router

    Posted 05-24-2013 06:25

    Hi Experts,

    I have an SRX100, an SRX240 and an SRX3400 which I want to use for JNCIE-SP preparation.

    I would like to ask how many things I can practice on these firewalls for the JNCIE-SP.

    Secondly, I want these firewalls to work purely as routers. How can I do that?

    I heard that if we disable flow control it will act as a router. Is it true, and how can I achieve it?

    I connected my laptop directly to the SRX using an IP in the same subnet, and I was not able to ping the interfaces until I enabled host-inbound services for that interface.

    When this firewall behaves purely as a router, will I need these sorts of things or not?

    Thanks and Regards

    Ahmed



  • 2.  RE: SRX firewall as router

    Posted 05-24-2013 07:42

    Hello,

    1/ JNCIE-SP exam curriculum

    http://www.juniper.net/us/en/training/certification/service_provider_track.html#jnciesp

    The 8-hour format of this exam requires that candidates build a service provider network consisting of multiple MX series routers. Successful candidates will perform system configuration on all devices, implement various protocols, policies and VPNs, HA capabilities, and Class of Services.

    Exam topics MAY include: Device Infrastructure, IGP, MPLS, BGP, VPNs, Multicast, CoS

    You should be able to use the SRX to learn all of the above topics, but you won't be able to recreate any and all scenarios which are supported on the MX series. Exceptions include:

    - Graceful Routing Engine Switchover (GRES) - requires 2 Routing Engines

    - Nonstop Routing - ditto

    - Nonstop Bridging - ditto

    - some advanced 802.1Q tag manipulation techniques

    - BRAS/BNG

    2/ To put the SRX into packet mode, use

    delete security
    set security forwarding-options family mpls mode packet-based
    set security forwarding-options family iso mode packet-based
    set security forwarding-options family inet6 mode packet-based

    You may need to reboot your SRX device after that.

    HTH

    Thanks

    Alex



  • 3.  RE: SRX firewall as router

    Posted 06-11-2013 12:55

    Hello Alex,

    Thanks for the reply. I have both high-end (SRX3400) and low-end (SRX210, SRX100) firewalls.

    I have tried the procedure on the high-end device for now, and I am receiving some warnings in the configuration, as below.

    The question is: is it OK to see these messages after executing the commands you mentioned, and has the firewall now been turned into a router?

    I have to try on the low-end firewalls as well. I will do so once I get some info on the mentioned warnings from you.

    security {
        forwarding-options {
            family {
                inet6 {
                    mode packet-based;
                }
                ##
                ## Warning: configuration block ignored: unsupported platform (srx3400)
                ##
                mpls {
                    mode packet-based;
                }
                ##
                ## Warning: configuration block ignored: unsupported platform (srx3400)
                ##
                iso {
                    mode packet-based;
                }
            }
        }
    }

    Thanks and Regards

    Ahmed



  • 4.  RE: SRX firewall as router
    Best Answer

    Posted 06-12-2013 03:44

    I do not think you can disable flow mode on the Data Centre SRX, hence the error in committing that configuration. They are designed as pure firewalls, while the branch office devices are designed for the multiple purposes of routing, switching and security. Which means they should change the names to SX for the high-end devices then.



  • 5.  RE: SRX firewall as router

     
    Posted 06-17-2013 05:02

    Totally agree with you , you can use packet mode only with branch office SRXs....



  • 6.  RE: SRX firewall as router

    Posted 08-05-2013 04:59

    Hello Lyndidon,

    Thanks for your reply, and to the other experts also.

    What I understood from you is that I can't use the SRX3400 as a router? Is it true?

    Regards



  • 7.  RE: SRX firewall as router

    Posted 08-05-2013 10:58

    You can get further understanding by clicking on these links and examining the details very carefully. The comments are generally good, but a better understanding is normally contained in the links provided.

    https://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-packet-based-processing-understanding.html
    https://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-selective-stateless-packet-based-service-understanding.html

    The SRX will still be routing traffic, unless you configure it in transparent mode, in which case it will be acting as a switch but with some of the security features of a firewall. The modes simply tell the router/firewall/SRX how to process the packets. It is still routing packets. Remember the flow module?

    Packet mode - process each packet individually without the use of the session table; it does not matter if it is from the same SA, SP, going to the same DA, DP and using the same protocol. The packets still have to be routed, because the device is acting as a Layer 3 device. Only stateless FF can be applied. With the branch series devices, you can decouple the security processing of the "packets" by bypassing the flow module.

    Flow mode - group the packets together and treat them as a flow if the SA, DA, SP, DP and protocol are the same, by using the session table. With the Data Centre series, you cannot decouple the security processing of the "packets" by bypassing the flow module.

    Now, exactly which statement gave you this impression: "What I understood from you is that I can't use the SRX3400 as a router? Is it true?"
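    To make the packet-mode/flow-mode distinction in the post above concrete, here is an added Python model; it is not part of the thread and is not Junos code. It plays an SSH request and its reply (constructed addresses and ports) through a flow-mode device that keys a session table on the 5-tuple (SA, DA, SP, DP, protocol) and through a packet-mode device that only has ordered stateless filter terms. The names `PacketModeDevice`, `FlowModeDevice` and `term` are invented for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of the two processing modes described in the post.
# Nothing here is Junos code; it only mirrors the behaviour the post names.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


FiveTuple = Tuple[str, str, int, int, str]


def forward_key(p: Packet) -> FiveTuple:
    return (p.src, p.dst, p.sport, p.dport, p.proto)


def reverse_key(p: Packet) -> FiveTuple:
    # The reply to a session swaps addresses and ports; the protocol stays.
    return (p.dst, p.src, p.dport, p.sport, p.proto)


Term = Tuple[Callable[[Packet], bool], str]


def term(action: str, src: Optional[str] = None, dst: Optional[str] = None,
         sport: Optional[int] = None, dport: Optional[int] = None,
         proto: Optional[str] = None) -> Term:
    """One stateless filter term: every field that is given must match."""
    def matches(p: Packet) -> bool:
        return all(want is None or got == want for want, got in
                   ((src, p.src), (dst, p.dst), (sport, p.sport),
                    (dport, p.dport), (proto, p.proto)))
    return (matches, action)


class PacketModeDevice:
    """Packet mode: each packet is judged on its own against ordered
    stateless firewall filter terms (first match wins). There is no
    session table, so nothing remembers that a reply belongs to an
    earlier packet."""

    def __init__(self, terms: List[Term], default: str = "discard"):
        self.terms, self.default = terms, default

    def process(self, p: Packet) -> str:
        for matches, action in self.terms:
            if matches(p):
                return action
        return self.default


class FlowModeDevice:
    """Flow mode: the first packet of a 5-tuple is checked by policy and,
    if permitted, installs a session; later packets whose 5-tuple matches
    that session in either direction are accepted by the session lookup."""

    def __init__(self, policy: Callable[[Packet], bool]):
        self.policy = policy
        self.sessions: Dict[FiveTuple, bool] = {}

    def process(self, p: Packet) -> str:
        if forward_key(p) in self.sessions:
            return "accept (session match)"
        if reverse_key(p) in self.sessions:
            return "accept (session match, reverse direction)"
        if self.policy(p):
            self.sessions[forward_key(p)] = True
            return "accept (new session)"
        return "discard"


def run_scenario() -> Dict[str, List[str]]:
    """An SSH request and its reply, run through both modes.
    Addresses and ports are constructed for the example."""
    request = Packet("10.0.0.10", "10.0.1.20", 40000, 22, "tcp")
    reply = Packet("10.0.1.20", "10.0.0.10", 22, 40000, "tcp")

    # Flow mode: one policy, "permit 10.0.0.10 -> 10.0.1.20 port 22/tcp".
    flow = FlowModeDevice(lambda p: (p.src, p.dst, p.dport, p.proto)
                          == ("10.0.0.10", "10.0.1.20", 22, "tcp"))

    # Packet mode: the same intent as a single stateless term ...
    one_way = PacketModeDevice(
        [term("accept", dst="10.0.1.20", dport=22, proto="tcp")])
    # ... and with the explicit return-traffic term a stateless filter needs.
    two_way = PacketModeDevice([
        term("accept", dst="10.0.1.20", dport=22, proto="tcp"),
        term("accept", src="10.0.1.20", sport=22, proto="tcp"),
    ])

    return {
        "flow": [flow.process(request), flow.process(reply)],
        "packet_one_term": [one_way.process(request), one_way.process(reply)],
        "packet_with_return_term": [two_way.process(request), two_way.process(reply)],
    }


if __name__ == "__main__":
    for mode, verdicts in run_scenario().items():
        print(f"{mode:24s} request={verdicts[0]!r} reply={verdicts[1]!r}")
```

    The run shows the practical caveat behind "only stateless FF can be applied": in flow mode the reply is accepted by the reverse-direction session lookup, whereas in packet mode the same reply is discarded until the filter carries an explicit term for the return traffic.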



  • 8.  RE: SRX firewall as router

    Posted 08-07-2013 08:12

    @ahmedsharif wrote:

    Hello Lyndidon,

    Thanks for your reply, and to the other experts also.

    What I understood from you is that I can't use the SRX3400 as a router? Is it true?

    Regards


    You can use it to do plenty of routing; just some things that require packet mode are not available.



  • 9.  RE: SRX firewall as router

    Posted 06-17-2013 06:03

    Hello,

    Please check out the "Feature Support Reference" in the SRX documentation section.

    The warnings you are getting are correct: packet-based processing and selective stateless packet-based services are NOT supported on High-End SRX (SRX1K, SRX3K and SRX5K)

    https://www.juniper.net/techpubs/en_US/junos12.1x44/topics/reference/general/security-feature-flow-based-packet-based-processing-support.html

    HTH

    Thanks
    Alex
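    The packet-mode `set` statements posted earlier in the thread and the `## Warning: configuration block ignored` comments in the posted `show configuration` output suggest a simple verification check. The following Python script is an added example, not code from the thread or from Juniper: it walks a saved copy of `show configuration security` output (a constructed sample, modelled on the output posted above, is embedded) and reports which `family ... mode packet-based` blocks the platform ignored, so an operator does not assume packet mode is active when the family is in fact still processed in the default flow mode. It assumes Junos prints the warning comment immediately before the block it applies to, which is how the posted output reads; the function names are invented for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: what `show configuration security` returns on a
# high-end SRX after committing the packet-mode statements from the thread.
# Junos prints each ignored block preceded by a "## Warning:" comment.
SAMPLE_SHOW_CONFIG = """\
security {
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
            ##
            ## Warning: configuration block ignored: unsupported platform (srx3400)
            ##
            mpls {
                mode packet-based;
            }
            ##
            ## Warning: configuration block ignored: unsupported platform (srx3400)
            ##
            iso {
                mode packet-based;
            }
        }
    }
}
"""

WARNING_RE = re.compile(r"^\s*##\s*Warning:\s*(?P<reason>.+?)\s*$")
BLOCK_OPEN_RE = re.compile(r"^\s*(?P<name>[\w.-]+)\s*\{\s*$")
MODE_RE = re.compile(r"^\s*mode\s+(?P<mode>[\w-]+)\s*;\s*$")


def parse_packet_mode_blocks(text: str) -> List[Dict[str, Optional[str]]]:
    """Walk the hierarchical config and return one record per
    `family <name> { mode ...; }` block, carrying any warning comment that
    immediately preceded the block (assumed to be the block it annotates)."""
    results: List[Dict[str, Optional[str]]] = []
    pending_warning: Optional[str] = None
    path: List[str] = []          # stack of currently open block names
    current: Optional[Dict[str, Optional[str]]] = None
    for line in text.splitlines():
        m = WARNING_RE.match(line)
        if m:
            pending_warning = m.group("reason")
            continue
        m = BLOCK_OPEN_RE.match(line)
        if m:
            path.append(m.group("name"))
            # A block directly under `family` is one address family.
            if len(path) >= 2 and path[-2] == "family":
                current = {"family": path[-1], "mode": None,
                           "warning": pending_warning}
                results.append(current)
            pending_warning = None
            continue
        m = MODE_RE.match(line)
        if m and current is not None:
            current["mode"] = m.group("mode")
            continue
        if line.strip() == "}" and path:
            closed = path.pop()
            if current is not None and current["family"] == closed:
                current = None
    return results


def ignored_packet_mode_families(text: str) -> List[str]:
    """Families whose `mode packet-based` block Junos reported as ignored."""
    return [r["family"] for r in parse_packet_mode_blocks(text)
            if r["mode"] == "packet-based" and r["warning"]]


def effective_modes(text: str) -> Dict[str, str]:
    """What the platform will actually do per family: an ignored
    packet-based block leaves that family in the default flow-based mode."""
    return {r["family"]: ("flow-based" if r["warning"] else r["mode"] or "flow-based")
            for r in parse_packet_mode_blocks(text)}


if __name__ == "__main__":
    for family, mode in effective_modes(SAMPLE_SHOW_CONFIG).items():
        print(f"family {family:6s} -> {mode}")
    ignored = ignored_packet_mode_families(SAMPLE_SHOW_CONFIG)
    if ignored:
        print("packet mode NOT active for:", ", ".join(ignored))
```

    Feed it the output of `show configuration security | no-more` from the device; families listed as ignored are still flow-processed, so the host-inbound-traffic and policy behaviour from the first post still applies to them.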



  • 10.  RE: SRX firewall as router

    Posted 08-14-2019 15:04

    Great tip, my friend.

    It was like magic for me; it's working fine.

    Thank you!