SRX


  • 1.  Bypassing stateful firewall with firewall filters?

    Posted 03-30-2011 02:49

    Hi,

     

    I have a customer behind my SRX650-Cluster that gives me a very high session-count (over 200000 sessions!). In fact this customer does not really need any security-policies configured, so I need only the routing-part of the SRX for him. My other customers, that are running also over this cluster, do use security-policies. My question is now, would it be possible to bypass the traffic of this one customer, so that there are no sessions used? I tried fiddling a little with firewall-filter and using routing-instance, but when I put there inet.0, I get an error that inet.0 is not defined... ATM I'm using Junos 10.0R3, will be upgrading to 10.4R3 in some days.


    #selective.packetmode


  • 2.  RE: Bypassing stateful firewall with firewall filters?

     
    Posted 03-30-2011 02:59

    The basic firewall filter you want to create is one that matches on the traffic of that customer, with the action packet-mode. That will bypass flow.

     

    Here's an appnote: http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf



  • 3.  RE: Bypassing stateful firewall with firewall filters?

    Posted 03-30-2011 03:48

    I tried packet-mode the exact way you wrote:

     

     

    root@srx650-2> show configuration interfaces reth0 
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            filter {
                input-list [ ddos-block vlan131-bypass ];
            }
            address x.x.252.212/29;
        }
    }
    
    root@srx650-2> show configuration firewall 
    family inet {
        filter ddos-block {
            term 1 {
                from {
                    destination-address {
                        x.x.3.4/32;
                    }
                }
                then {
                    discard;
                }
            }
            term 2 {
                then accept;
            }
        }
        filter vlan131-bypass {
            term 1 {
                from {
                    destination-address {
                        x.x.251.100/32;
                    }
                }
                then {
                    packet-mode;
                    accept;
                }
            }
            term 2 {
                then accept;
            }
        }
    }

     

     

    reth0 is my incoming interface, so I applied the filter there. After committing this, I checked with "show security flow session destination-prefix x.x.251.100" if there is any active session to this IP and it was empty. After accessing the destination-IP and checking again, I get this:

     

    root@srx650-2> show security flow session destination-prefix x.x.251.100    
    node0:
    --------------------------------------------------------------------------
    
    Session ID: 17871, Policy name: TK_intern-In/28, State: Backup, Timeout: 14400
      In: x.x.54.186/51772 --> x.x.251.100/443;tcp, If: reth0.0
      Out: x.x.251.100/443 --> x.x.54.186/51772;tcp, If: reth3.0
    
    1 sessions displayed
    
    node1:
    --------------------------------------------------------------------------
    
    Session ID: 78107, Policy name: TK_intern-In/28, State: Active, Timeout: 1796
      In: x.x.54.186/51772 --> x.x.251.100/443;tcp, If: reth0.0
      Out: x.x.251.100/443 --> x.x.54.186/51772;tcp, If: reth3.0
    
    1 sessions displayed

     

    As I understand, a session was created even though I have a firewall-filter that should force this traffic into packet-mode and therefore not create any session... as there is also a policy applied (TK_intern-In) it seems to me that this packet was forwarded in flow-mode... what am I missing?

     



  • 4.  RE: Bypassing stateful firewall with firewall filters?

     
    Posted 03-30-2011 04:02
    Try to add a count to see if your term is hit.


  • 5.  RE: Bypassing stateful firewall with firewall filters?
    Best Answer

    Posted 03-30-2011 04:34

    Got it! The other filter had a term 2 with accept, therefore no traffic could hit the vlan131-bypass filter... the second one was that I had to create a second filter with my target-IP as source-address and put it on the internal interface to get the way back also bypassed... works now as I wanted it to...
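    As an added example (not the poster's own configuration, and not taken from the appnote linked in post 2), here is one way to express the fix described in post 5 in Junos configuration. It covers both points of the thread: the packet-mode term must be reached before any unconditional accept (so the two filters from post 3 are merged into one, with the stateless discard term kept in front), and the return path needs its own filter on the internal interface, matching the customer's address as source. The interface names reth0.0 and reth3.0 and the prefixes are taken from the session output above; the filter names, term names and counter names are assumptions.

```junos
/* Added example, not the poster's configuration. Filter, term and counter
   names are assumed; prefixes and reth0.0 / reth3.0 come from the thread. */
interfaces {
    reth0 {
        unit 0 {
            family inet {
                filter {
                    /* one merged filter instead of input-list [ ddos-block vlan131-bypass ] */
                    input customer-in;
                }
            }
        }
    }
    reth3 {
        unit 0 {
            family inet {
                filter {
                    /* return direction: the customer address is now the source */
                    input customer-out;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter customer-in {
            /* stateless discard stays first; it still protects bypassed traffic */
            term ddos-block {
                from {
                    destination-address {
                        x.x.3.4/32;
                    }
                }
                then {
                    discard;
                }
            }
            /* packet-mode term must sit before the catch-all accept */
            term bypass-to-customer {
                from {
                    destination-address {
                        x.x.251.100/32;
                    }
                }
                then {
                    count bypass-in;
                    packet-mode;
                    accept;
                }
            }
            term everything-else {
                then accept;
            }
        }
        filter customer-out {
            term bypass-from-customer {
                from {
                    source-address {
                        x.x.251.100/32;
                    }
                }
                then {
                    count bypass-out;
                    packet-mode;
                    accept;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
```

    The count actions follow the suggestion in post 4: after a commit, "show firewall filter customer-in" and "show firewall filter customer-out" show whether the bypass terms are actually being hit, and "show security flow session destination-prefix x.x.251.100" should then stay empty. Two things to keep in mind when using this: traffic that matches a packet-mode term never enters the flow module, so security policies, NAT, screens and ALGs do not apply to it, which is why the stateless discard term is kept ahead of it; and both directions must be bypassed, because if only one direction is in packet-mode the flow module sees half a connection and drops it.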