SRX

Expand all | Collapse all

Services and ALG processed last

Jump to Best Answer
  • 1.  Services and ALG processed last

    Posted 12-17-2018 14:12

    Hi all,

     

    A few questions..

     

    Please could anyone explain the reasons why services/alg is the final step (except for installing the session in slow-path) in both the first and fast path processing orders?

     

    Why the flow chart shows after the session is created in slow path why does it go next to the fast path screens option, rather than filtering and shaping before egress?

     

    Why is TCP only present in the fast path, what does this involve?

     

    Lastly, if these devices are stateful, when it's written that the filtering happening in the data plane/PFE is stateless, could anyone explain more about this?

     

    Many thanks!



  • 2.  RE: Services and ALG processed last
    Best Answer

     
    Posted 12-17-2018 17:31

    I assume you are talking about this flow diagram.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110&

    SRXpacketFlow.gif

     

    Please could anyone explain the reasons why services/alg is the final step (except for installing the session in slow-path) in both the first and fast path processing orders?

     

    ALG processing are additional parameters, flows or streams that are associated with the primary session.  As a result you need to do all the primary session processing before dealing with the custom setups for additional traffic that is allowed by the ALG.

     

    Why the flow chart shows after the session is created in slow path why does it go next to the fast path screens option, rather than filtering and shaping before egress?

     

    screens are applied after session setup and are needed in both the fast and slow path to provide the desired protection.

     

    Why is TCP only present in the fast path, what does this involve?

     

    TCP is in the same postion fast and first path after the screens.  This is the actual tcp packet changes that take place on the device.

     

    Lastly, if these devices are stateful, when it's written that the filtering happening in the data plane/PFE is stateless, could anyone explain more about this?

     

    Filters only operate on a packet by packet basis in the direction they are applied input or output.  They are not aware and do not see the return traffic only the direction they are applied on.

     

    Greater detail on all the steps can be found in this longer pdf documentation.

    https://www.juniper.net/documentation/en_US/junos12.1x47/information-products/pathway-pages/security/security-processing-flow-based.pdf