SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Flow sessions when using filter packet-mode on interface

    Posted 03-29-2011 01:47

    Hi,

     

    Why are new sessions created while I am using firewall filter on both interfaces with action-modifier packet-mode?

     

    I have this configuration, interfaces:

     

    ge-2/0/0 {
    gigether-options {
    802.3ad ae0;
    }
    }
    ge-2/0/1 {
    gigether-options {
    802.3ad ae0;
    }
    }
    ge-2/0/4 {
    gigether-options {
    802.3ad ae1;
    }
    }
    ge-2/0/5 {
    gigether-options {
    802.3ad ae1;
    }
    }
    ge-2/0/8 {
    gigether-options {
    802.3ad ae2;
    }
    }
    ge-2/0/9 {
    gigether-options {
    802.3ad ae2;
    }
    }
    ge-2/0/12 {
    gigether-options {
    802.3ad ae4;
    }
    }
    ge-2/0/13 {
    gigether-options {
    802.3ad ae4;
    }
    }
    ae0 {
    description "!ISP!";
    per-unit-scheduler;
    vlan-tagging;
    aggregated-ether-options {
    minimum-links 1;
    link-speed 1g;
    lacp {
    active;
    }
    }
    unit 500 {
    vlan-id 500;
    family inet {
    filter {
    input bypass-flow-filter;
    }
    address x.x.x.2/29;
    }
    }
    }
    ae1 {
    description "!core !";
    per-unit-scheduler;
    vlan-tagging;
    mtu 1600;
    aggregated-ether-options {
    minimum-links 1;
    link-speed 1g;
    lacp {
    active;
    }
    }
    unit 47 {
    vlan-id 47;
    family inet {
    filter {
    input bypass-flow-filter;
    }
    address y.y.y.y/30;
    }
    }
    }
    ae2 {
    description "!mgmt users nat!";
    vlan-tagging;
    aggregated-ether-options {
    minimum-links 1;
    link-speed 1g;
    lacp {
    active;
    }
    }
    unit 1330 {
    vlan-id 1330;
    family inet {
    address 192.168.30.1/24;
    }
    }
    unit 1337 {
    vlan-id 1337;
    family inet {
    address 192.168.2.5/24;
    }
    }
    }

     

    user@srx650# top show interfaces lo0.0                             
    family inet {
        filter {
            input f-fw-re-protection;
        }
        address pub.lic.ip/32;
    }

     

     

    user@srx650> show configuration firewall
    family inet {
    filter bypass-flow-filter {
    term bypass-flow-term-1 {
    from {
    destination-address {
    x.x.x.3/32 except; # source nat-ip, pool on interface ae0.500
    }
    }
    then packet-mode;
    }
    term accept-rest {
    then accept;
    }
    }


    user@srx650# show firewall family inet filter f-fw-re-protection # on lo0.0
    term deny-ssh {
        from {
            inactive: source-prefix-list {
                pref-kxnet-management except;
            }
            protocol tcp;
            destination-port ssh;
        }
        then {
            count "lo0.0 deny ssh";
            log;
            syslog;
            discard;
        }
    }
    term allow-icmp {
        from {
            protocol icmp;
            icmp-type [ echo-request echo-reply unreachable time-exceeded ];
        }
        then {
            policer icmp-policer;
            accept;
        }
    }
    term allow-tcp-connection {
        from {
            protocol tcp;
            tcp-flags "(syn & !ack) | fin | rst";
        }
        then {
            policer tcp-connection-policer;
            accept;
        }
    }
    term last-allow {
        then accept;
    }


     

    user@srx650> show configuration security zones
    security-zone xxx {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    ae0.500;
    }
    }
    security-zone yyy {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    ae1.47;
    ae3.37;
    ae4.54;
    lo0.0;
    }
    }

    user@srx650> show configuration security policies
    from-zone xxx to-zone yyy {
    policy permit-all {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone yyy to-zone xxx {
    policy permit-all {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }

     

     

     

     

    Most of the traffic goes through interfaces ae0.500 and ae1.47. As you can see, I configured packet-mode on them with filters. Why do I still see a number of flow sessions going through these two interfaces? Why are there so many packet drops? I don't use "set security forwarding-options family xyz mode packet-based" because of NAT.

     

     

     

    user@srx650> show security flow session

    Session ID: 19, Policy name: permit-all/5, Timeout: 232, Valid
    In: .../63953 --> .../80;tcp, If: ae1.47, Pkts: 7, Bytes: 288
    Out: .../80 --> .../63953;tcp, If: ae0.500, Pkts: 1, Bytes: 48

    Session ID: 50, Policy name: permit-all/4, Timeout: 34, Valid
    In: .../3631 --> .../52745;udp, If: ae0.500, Pkts: 1, Bytes: 60
    Out: .../52745 --> .../3631;udp, If: ae1.47, Pkts: 1, Bytes: 46

    Session ID: 107, Policy name: permit-all/4, Timeout: 40, Valid
    In: .../11714 --> .../55754;udp, If: ae0.500, Pkts: 2, Bytes: 316
    Out: .../55754 --> .../11714;udp, If: ae1.47, Pkts: 2, Bytes: 1492

    Session ID: 140, Policy name: permit-all/5, Timeout: 32, Valid
    In: .../63691 --> .../53;udp, If: ae1.47, Pkts: 1, Bytes: 72
    Out: .../53 --> .../63691;udp, If: ae0.500, Pkts: 1, Bytes: 703

    Session ID: 169, Policy name: permit-all/5, Timeout: 1786, Valid
    In: .../12177 --> .../80;tcp, If: ae1.47, Pkts: 4, Bytes: 824
    Out: .../80 --> .../12177;tcp, If: ae0.500, Pkts: 3, Bytes: 1083

    user@srx650> show security flow status
    Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Flow trace status
    Flow tracing status: off

    user@srx650> show security flow statistics
    Current sessions: 9268
    Packets forwarded: 0
    Packets dropped: 25053944
    Fragment packets: 61629518

     

    I also see this on the daily graph of current sessions. The number of current sessions correlates with the traffic going through ae0.500 <-> ae1.47.

    Do the counters (sessions or dropped packets) have something to do with lo0.0, which has no packet-mode action modifier?

     

    Any answer appreciated.


    Regards

     

     


    #selective.packetmode


  • 2.  RE: Flow sessions when using filter packet-mode on interface

    Posted 03-29-2011 02:36

    I also see

    user@srx650# run show security flow gate    
    Hole: 0.0.0.0-0.0.0.0/0-0->d.d.d.d-d.d.d.d/5060-5060
      Translated: 0.0.0.0/0->c.c.c.c/5060
      Protocol: udp
      Application: SIP ALG/63
      Age: 410 seconds
      Flags: 0x0080
      Zone: yyy
      Reference count: 9
      Resource: x-xxxx-xxxx

     Hole: 0.0.0.0-0.0.0.0/0-0->b.b.b.b-b.b.b.b/5060-5060 Translated: 0.0.0.0/0->a.a.a.a/5060 Protocol: udp Application: SIP ALG/63 Age: 436 seconds Flags: 0x0080 Zone: yyy Reference count: 3 Resource: y-yyyy-yyyy
    ....

     I _don't_ have the ALG disabled (set security alg sip disabled). I thought that it would also be skipped if I'm using the packet-mode action modifier.

     

     



  • 3.  RE: Flow sessions when using filter packet-mode on interface
    Best Answer

     
    Posted 03-29-2011 04:29

    In your bypass filter, try adding 0.0.0.0/0, or add a counter to see whether traffic actually hits that term:

     

     

        filter bypass-flow-filter {
            term bypass-flow-term-1 {
                from {
                    destination-address {
                        0.0.0.0/0;
                        x.x.x.3/32 except;

     

     



  • 4.  RE: Flow sessions when using filter packet-mode on interface

    Posted 03-29-2011 05:28

    Hi

     

    I added a counter, but it doesn't show any numbers :)

     

     

    user@srx650> show configuration firewall 
    family inet {
        filter bypass-flow-filter {
            term bypass-flow-term-1 {
                from {
                    destination-address {
                        x.x.x.x/32 except;
                    }
                }
                then {
                    count "term bypass-flow-term-1";
                    packet-mode;
    
    
    user@srx650> show firewall 
    
    Filter: bypass-flow-filter                                     
    
    Filter: f-fw-re-protection                                     
    Counters:
    Name              Bytes                  Packets
    lo0.0 deny ssh    416                    8
    ...

    Maybe you find it.

     

    I'll add that 0.0.0.0/0 later; I think it could break traffic. Does it depend on the position of 0.0.0.0/0 before x.x.x.x/32, or doesn't it matter? I think there is a logical OR between them. And a last question: what is the purpose of x.x.x.x/32 _except_? I thought that the filter does this:

    1st term: if the packet is not destined to x.x.x.x/32, then packet-mode and go to the next term in the filter (there is no accept in the 1st term)

    2nd term: accept everything

    - that means the IP address x.x.x.x/32 will not use packet-mode but will be accepted by the second term; everything else will use packet-mode and be accepted in the second term

    Am I right? Or is there something different when using the packet-mode action modifier?

     

    Regards

     



  • 5.  RE: Flow sessions when using filter packet-mode on interface

     
    Posted 03-29-2011 05:44
    I'd recommend just adding one net or so to start with, see if that works, before adding 0/0 🙂
    http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-collections/config-guide-policy/policy-configuring-match-conditions-in-firewall-filter-terms.html
    The order of the prefixes doesn't matter, it's longest match.
    I would agree that if you create a filter with only one except it _should_ create an implicit 0.0.0.0/0, but it seems that's not the case even when using except.
    "Each list of prefixes contains an implicit 0/0 except statement, which means that any prefix that does not match any prefix in the list is explicitly considered not to match."


  • 6.  RE: Flow sessions when using filter packet-mode on interface

     
    Posted 03-29-2011 05:45

    There's an example in that url with:

     

     

    To match all destinations except one, in this example 10.1.1.0/24, configure the match conditions as follows:
    
    [edit firewall family family-name filter filter-name term term-name from]
    destination-address {
        0.0.0.0/0;
        10.1.1.0/24 except;
    }

     

     



  • 7.  RE: Flow sessions when using filter packet-mode on interface

    Posted 03-29-2011 07:41

    It works. I added another /32 prefix. I also replaced the other firewall filter on port ae1.47, because the two filters have to be different: one uses source-prefix, the other uses destination-prefix. I also cleared the flow sessions with the command clear security flow destination-prefix n.n.n.n to see if it really works. After that, a new flow session for that n/32 was not created again. I didn't notice any traffic teardown, but I only inspected it on graphs. I will add 0.0.0.0/0 only during a maintenance window, to be sure.

     

     

    ae0:
    unit 500 {
        vlan-id 500;
        family inet {
            filter {
                input f-from-inet;
            }
            address x.x.x.x/29;
        }
    }
    ae1:
    unit 47 {
        vlan-id 47;
        family inet {
            filter {
                input f-from-backbone-test;
            }
            address y.y.y.y/30;
        }
    }


     

     

     

     

        filter f-from-inet {
            term bypass-flow-term-1 {
                from {
                    destination-address {
                        x.x.x.x/32 except;
                        n.n.n.n/32;
                    }
                }
                then {
                    count bypass1;
                    packet-mode;
                }
            }
            term accept-rest {
                then accept;
            }
        }
        filter f-from-backbone-test {
            term bypass-flow-term-1 {       
                from {
                    source-address {
                        n.n.n.n/32;
                    }
                }
                then {
                    count bypass2;
                    packet-mode;
                }
            }
            term accept-rest {
                then accept;
            }
        }
    }

     

     

     

    Filter: f-from-inet                                        
    Counters:
    Name                                                Bytes              Packets
    bypass1                                            286404                 7070
    
    Filter: f-from-backbone-test                             
    Counters:
    Name                                                Bytes              Packets
    bypass2                                          17740405                14126
    
    

     

     

    Thanks a lot