SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Session creation and Security Policy on SRX

    Posted 10-01-2017 12:09

    Hi everyone.

     

    Is it correct that the SRX creates a "Session" for a new flow that passes the Security policy?

     

    I am confused about at what point the session is created in the session table; please see the example below:

     

     

    PC( 199.199.199.10)---199.199.199.1-f0/1-SRX-f0/2-200.200.200.1-----PC 200.200.200.20

     

    SET UP:

    SRX has vlan 199, vlan.199 in Zone TRUST, 199.199.199.1/24, f0/1 access port

    SRX has vlan 200, vlan.200 in Zone UNTRUST, 200.200.200.1/24, f0/2 access port

    SRX has STATIC Destination NAT which translates all traffic received from ZONE TRUST and destined to 100.100.100.10, so that the DEST is NATted to 200.200.200.20

    We know Security policy is evaluated after STATIC DEST NAT. Therefore we write a policy on POST NAT IP.

     

    Config is under additional info at the bottom of this post.

     

    PC ( 199.199.199.10) issues ping to 100.100.100.10

     

    I see session table on SRX:

     

    root> show security flow session


    Session ID: 29032, Policy name: A/5, Timeout: 2, Valid
    In: 199.199.199.10/26998 --> 100.100.100.10/1;icmp, If: vlan.199, Pkts: 1, Bytes: 60
    Out: 200.200.200.20/1 --> 199.199.199.10/26998;icmp, If: vlan.200, Pkts: 1, Bytes: 60

     

     

    1) Above, the "In" line with SRC IP 199.199.199.10 and DST 100.100.100.10 is created before the "Security Policy" is evaluated. I base this on the DST IP still being 100.100.100.10, not the NATted IP 200.200.200.20.

    2) It also shows the session is created in the session table even before STATIC DEST NAT is attempted, because the DST IP is still 100.100.100.10, not 200.200.200.20.

     

    What am I missing? I know the whole lot but I am trying to get the logic down.

     

     

    Thanks and have a nice weekend!!

     

    Additional info:

    root> show configuration | display set


    set version 11.4R7.5
    set system root-authentication encrypted-password "$1$K8pkQCB3$PMhEh2V68NzABTnuUWOiv0"
    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services web-management http interface vlan.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces fe-0/0/0 unit 0 family ethernet-switching port-mode trunk
    set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members all
    set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
    set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan199
    set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan200
    set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
    set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan199
    set interfaces fe-0/0/4 unit 0
    set interfaces fe-0/0/5 unit 0
    set interfaces fe-0/0/6 unit 0
    set interfaces fe-0/0/7 unit 0
    set interfaces vlan unit 199 family inet address 199.199.199.1/24
    set interfaces vlan unit 200 family inet address 200.200.200.1/24
    set security address-book global address ZEE 200.200.200.20/32
    set security address-book global address GIGI 100.100.100.10/32
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat static rule-set ZEE1 from zone TRUST
    set security nat static rule-set ZEE1 rule RULE1 match destination-address 100.100.100.10/32
    set security nat static rule-set ZEE1 rule RULE1 then static-nat prefix 200.200.200.20/32
    set security policies from-zone TRUST to-zone UNTRUST policy A match source-address any
    set security policies from-zone TRUST to-zone UNTRUST policy A match destination-address GIGI
    set security policies from-zone TRUST to-zone UNTRUST policy A match destination-address ZEE
    set security policies from-zone TRUST to-zone UNTRUST policy A match application any
    set security policies from-zone TRUST to-zone UNTRUST policy A then permit
    set security policies from-zone UNTRUST to-zone TRUST policy A match source-address GIGI
    set security policies from-zone UNTRUST to-zone TRUST policy A match destination-address any
    set security policies from-zone UNTRUST to-zone TRUST policy A match application any
    set security policies from-zone UNTRUST to-zone TRUST policy A then permit
    set security zones security-zone TRUST host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces vlan.199
    set security zones security-zone UNTRUST host-inbound-traffic system-services all
    set security zones security-zone UNTRUST interfaces vlan.200
    set vlans vlan199 vlan-id 199
    set vlans vlan199 l3-interface vlan.199
    set vlans vlan200 vlan-id 200
    set vlans vlan200 l3-interface vlan.200


  • 2.  RE: Session creation and Security Policy on SRX
    Best Answer

    Posted 10-01-2017 14:27

    Check out the flow chart in this KB article for the details. You do have this correct that destination NAT drives the security policy while source NAT does not.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

     

    The session table entry is not about the policy evaluation but letting you know what is happening to the packet on the SRX. This gives us both the pre- and post-NAT addresses in the flow so we can understand the packet flow. There is no session created until the full flow chart is evaluated on the first packet and sets up the session.
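
Added example, not part of either post and not Juniper code: a small Python parser for `show security flow session` output that reads the two wings of an entry the way the answer describes. It assumes the three-line entry layout shown in the question; the names `parse_sessions` and `nat_view` are made up for this example.

```python
import re

# Session entry copied from the question on this page.
SAMPLE = """\
Session ID: 29032, Policy name: A/5, Timeout: 2, Valid
In: 199.199.199.10/26998 --> 100.100.100.10/1;icmp, If: vlan.199, Pkts: 1, Bytes: 60
Out: 200.200.200.20/1 --> 199.199.199.10/26998;icmp, If: vlan.200, Pkts: 1, Bytes: 60
"""

HEADER = re.compile(r"Session ID: (\d+), Policy name: ([^,]+),")
WING = re.compile(r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+),")


def parse_sessions(text):
    """Return one dict per session that has both an In and an Out wing."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            sessions.append({"id": int(header.group(1)), "policy": header.group(2)})
            continue
        wing = WING.match(line)
        if wing and sessions:
            name, src, sport, dst, dport, proto, ifname = wing.groups()
            sessions[-1][name.lower()] = {
                "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport),
                "proto": proto, "if": ifname,
            }
    return [s for s in sessions if "in" in s and "out" in s]


def nat_view(session):
    """Derive the translations from the two wings of one session."""
    fwd, rev = session["in"], session["out"]
    return {
        # Out is the reply direction: its source is the post-NAT destination,
        # and its destination is the post-NAT source.
        "dest_nat": fwd["dst"] != rev["src"],
        "source_nat": fwd["src"] != rev["dst"],
        "original_dst": fwd["dst"],
        "translated_dst": rev["src"],
        # Policy matches the pre-source-NAT source and post-destination-NAT destination.
        "policy_lookup": (fwd["src"], rev["src"]),
    }


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["id"], s["policy"], nat_view(s))
```

The In wing keeps the address the packet arrived with, so seeing 100.100.100.10 there does not mean the session existed before NAT or policy ran; the translated destination appears as the source of the Out wing.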