  • 1.  SRX320 - bypass_flowd firewall filter no longer working on Junos v20 onwards

    This message was posted by a user wishing to remain anonymous
    Posted 06-08-2022 10:38

    Hi,

    My SRX320 is in flow mode, and one of the devices on the network uses NetBIOS name services over UDP port 137 to connect to a server in irb.4. Flow mode blocks these packets, so to resolve this I applied the bypass_flowd firewall filter (link to Juniper article) which listens for the NetBIOS traffic and changes it to packet mode so it gets passed to the server it needs to connect to (server and client are in different irbs). When I upgraded from Junos v19 to v20 (or newer) the bypass filter no longer works and the counter c1 doesn't increment.

    Has anyone ever come across this issue before, and how did you resolve it please? Or pointers to where I should look to see why the traffic isn't matching?

    Filter applied on the SRX:
    set interfaces irb unit 4 family inet filter input bypass_flowd
    set firewall family inet filter bypass_flowd term t1 from source-address 10.233.216.129/32
    set firewall family inet filter bypass_flowd term t1 from protocol udp
    set firewall family inet filter bypass_flowd term t1 from source-port 137
    set firewall family inet filter bypass_flowd term t1 then count c1
    set firewall family inet filter bypass_flowd term t1 then packet-mode
    set firewall family inet filter bypass_flowd term t1 then syslog
    set firewall family inet filter bypass_flowd term t4 then count t4
    set firewall family inet filter bypass_flowd term t4 then accept
    set firewall family inet filter bypass_flowd term t3 then accept

    Thanks in advance, 


  • 2.  RE: SRX320 - bypass_flowd firewall filter no longer working on Junos v20 onwards

     
    Posted 06-09-2022 05:56
    Have you tried creating a normal security policy that permits UDP 137 from 10.233.216.129 with the normal zone designations?

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SRX320 - bypass_flowd firewall filter no longer working on Junos v20 onwards

    Posted 06-09-2022 13:26
    Hi, 

    I just have a default permit-any/everything policy applied, which should catch it.

    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit

    ------------------------------
    KEVIN MCCARTAN
    ------------------------------



  • 4.  RE: SRX320 - bypass_flowd firewall filter no longer working on Junos v20 onwards

     
    Posted 06-09-2022 13:27
    Hi,
    I have no good answer, but it would narrow this down a lot if you could check whether counter t4 is increasing:
    - if not the fwf is skipped completely which would a lot
    - if yes, then one of the match conditions from term t1 is broken
    And btw you want to delete term t3 as it doesn't do anything.
    Would you mind sharing your original v19 and one of the v20 (the oldest / lowest if possible) versions you tried?
    Regards
    Ulf
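    The two-counter reasoning above (catch-all counter static means the filter is never evaluated; catch-all moving while the term counter stays flat means the term's match conditions are failing) can be automated by diffing two snapshots of the filter's counters. The script below is an added example and is not from this thread or from Juniper; the two `show firewall filter bypass_flowd` snapshots are constructed sample text laid out like Junos counter output, with invented byte and packet values.

```python
import re
from typing import Dict

# Constructed sample: two successive snapshots of `show firewall filter bypass_flowd`
# taken a minute apart. Layout mimics Junos counter output; numbers are invented.
# c1 is the counter on term t1 (the UDP/137 match), t4 is the counter on the
# catch-all term t4.
SNAPSHOT_BEFORE = """\
Filter: bypass_flowd
Counters:
Name                                                Bytes              Packets
c1                                                      0                    0
t4                                                 184320                 1200
"""

SNAPSHOT_AFTER = """\
Filter: bypass_flowd
Counters:
Name                                                Bytes              Packets
c1                                                      0                    0
t4                                                 199680                 1300
"""

# A counter row: name, bytes, packets separated by whitespace.
COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_counters(text: str) -> Dict[str, int]:
    """Return {counter_name: packets} from the Counters section of filter output."""
    counters: Dict[str, int] = {}
    in_counters = False
    for line in text.splitlines():
        if line.startswith("Counters:"):
            in_counters = True
            continue
        if not in_counters or line.startswith("Name"):
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(3))
    return counters


def diagnose(before: str, after: str,
             match_counter: str = "c1", catchall_counter: str = "t4") -> str:
    """Classify the filter's behaviour from the packet deltas of the two counters.

    'filter-not-evaluated': the catch-all term saw nothing, so traffic is not
                            reaching this filter at all (look upstream: interface,
                            zone, or where the packets enter the box).
    'term-match-failing':   the filter runs, but term t1's conditions never match,
                            so one of source-address / protocol / source-port is off.
    'term-matching':        term t1 is matching as intended.
    """
    b, a = parse_counters(before), parse_counters(after)
    delta_match = a.get(match_counter, 0) - b.get(match_counter, 0)
    delta_all = a.get(catchall_counter, 0) - b.get(catchall_counter, 0)
    if delta_all == 0 and delta_match == 0:
        return "filter-not-evaluated"
    if delta_match == 0:
        return "term-match-failing"
    return "term-matching"


if __name__ == "__main__":
    print(parse_counters(SNAPSHOT_AFTER))
    print(diagnose(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

On the constructed snapshots the verdict is `term-match-failing`, which is exactly the situation the thread describes (t4 incrementing, c1 flat). In practice you would feed the function two real captures of the `show firewall filter` output taken while the client is generating NetBIOS traffic.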


  • 5.  RE: SRX320 - bypass_flowd firewall filter no longer working on Junos v20 onwards

    Posted 06-10-2022 09:33
    Hi Ulf,

    The t4 count is incrementing. I have now removed t3 as yes, it was pointless :) ..
    v19 versions I have tested and it works: 19.4R3-S1.3 --- 19.4R3.11
    v20 version I have tested and it doesn't work: 20.4R3.8
    v21 version I have tested and it doesn't work: 21.4R2.10

    Thanks


    ------------------------------
    KEVIN MCCARTAN
    ------------------------------



  • 6.  RE: SRX320 - bypass_flowd firewall filter no longer working on Junos v20 onwards

     
    Posted 06-13-2022 09:44
    Hm, still doesn't ring a bell. Can you try to narrow down further by removing match conditions and actions one by one from t1 and so figure out which one is broken? I'd start with "then syslog".  Regards Ulf


  • 7.  RE: SRX320 - bypass_flowd firewall filter no longer working on Junos v20 onwards

    Posted 06-13-2022 10:28
    Hi Ulf,

    So I did more testing by creating pcaps on the SRX and applying the pcap filter to the interfaces (removing the bypass_flowd filter), and it turns out the NetBIOS traffic isn't getting to the pcap, so the firewall filter isn't at fault. For some reason the NetBIOS name service traffic just isn't getting as far as the firewall filter from v20.

    Thanks

    ------------------------------
    KEVIN MCCARTAN
    ------------------------------



  • 8.  RE: SRX320 - bypass_flowd firewall filter no longer working on Junos v20 onwards

     
    Posted 06-13-2022 11:27
    Didn't you say the t4 counter is increasing, which proves that traffic hits the fwf? (Traffic not hitting the pcap can have the same root cause as the fwf not working as expected.)


  • 9.  RE: SRX320 - bypass_flowd firewall filter no longer working on Junos v20 onwards

    Posted 06-13-2022 12:42
    So in v19 (version that works) the pcap on the SRX sees the NetBIOS traffic from the client trying to communicate, but on v20 (version not working) I'm not seeing the NetBIOS traffic at all.
    And the only firewall filter applied on the interfaces is the pcap filter.

    Thanks

    ------------------------------
    KEVIN MCCARTAN
    ------------------------------