SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Bypassing stateful firewall with firewall filters?

    Posted 03-30-2011 02:49

    Hi,

    I have a customer behind my SRX650 cluster that gives me a very high session count (over 200000 sessions!). In fact this customer does not really need any security policies configured, so I only need the routing part of the SRX for him. My other customers, who also run over this cluster, do use security policies. My question is now: would it be possible to bypass the traffic of this one customer, so that no sessions are used? I tried fiddling a little with a firewall filter and using routing-instance, but when I put inet.0 there, I get an error that inet.0 is not defined... ATM I'm using Junos 10.0R3, will be upgrading to 10.4R3 in some days.


    #selective.packetmode


  • 2.  RE: Bypassing stateful firewall with firewall filters?

    Posted 03-30-2011 02:59

    The basic firewall filter you want to create is one that matches on the traffic of that customer, with the action packet-mode. That will bypass flow.

     

    Here's an appnote: http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf



  • 3.  RE: Bypassing stateful firewall with firewall filters?

    Posted 03-30-2011 03:48

    I tried packet-mode exactly the way you wrote:


    root@srx650-2> show configuration interfaces reth0 
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            filter {
                input-list [ ddos-block vlan131-bypass ];
            }
            address x.x.252.212/29;
        }
    }
    
    root@srx650-2> show configuration firewall 
    family inet {
        filter ddos-block {
            term 1 {
                from {
                    destination-address {
                        x.x.3.4/32;
                    }
                }
                then {
                    discard;
                }
            }
            term 2 {
                then accept;
            }
        }
        filter vlan131-bypass {
            term 1 {
                from {
                    destination-address {
                        x.x.251.100/32;
                    }
                }
                then {
                    packet-mode;
                    accept;
                }
            }
            term 2 {
                then accept;
            }
        }
    }

    reth0 is my incoming interface, so I applied the filter there. After committing this, I checked with "show security flow session destination-prefix x.x.251.100" whether there is any active session to this IP, and it was empty. After accessing the destination IP and checking again, I get this:

    root@srx650-2> show security flow session destination-prefix x.x.251.100    
    node0:
    --------------------------------------------------------------------------
    
    Session ID: 17871, Policy name: TK_intern-In/28, State: Backup, Timeout: 14400
      In: x.x.54.186/51772 --> x.x.251.100/443;tcp, If: reth0.0
      Out: x.x.251.100/443 --> x.x.54.186/51772;tcp, If: reth3.0
    
    1 sessions displayed
    
    node1:
    --------------------------------------------------------------------------
    
    Session ID: 78107, Policy name: TK_intern-In/28, State: Active, Timeout: 1796
      In: x.x.54.186/51772 --> x.x.251.100/443;tcp, If: reth0.0
      Out: x.x.251.100/443 --> x.x.54.186/51772;tcp, If: reth3.0
    
    1 sessions displayed

    As I understand it, a session was created even though I have a firewall filter that should force this traffic into packet mode and therefore not create any session... As there is also a policy applied (TK_intern-In), it seems to me that this packet was forwarded in flow mode... What am I missing?




  • 4.  RE: Bypassing stateful firewall with firewall filters?

    Posted 03-30-2011 04:02

    Try to add a count to see if your term is hit.


  • 5.  RE: Bypassing stateful firewall with firewall filters?
    Best Answer

    Posted 03-30-2011 04:34

    Got it! The other filter had a term 2 with accept, therefore no traffic could hit the vlan131-bypass filter... The second thing was that I had to create a second filter with my target IP as source-address and put it on the internal interface to get the way back bypassed as well... It works now as I wanted it to...
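The fix described in the accepted answer, written out as an added example (this is not configuration taken from the thread): one filter per direction, with the packet-mode term placed ahead of the catch-all accept, since in a filter input-list the first matching accept ends evaluation and a catch-all accept in an earlier filter means later filters are never reached; and a second filter on the internal interface (reth3.0, per the session output in post 3) so the return traffic is packet-based too. Prefixes and interfaces are the ones from the thread; the filter names vlan131-bypass-in and vlan131-bypass-out, the counter names and the decision to keep the DDoS discard ahead of the bypass are assumptions for illustration. The interfaces stanza is a merge fragment; it does not repeat addressing that is not shown in the thread.

```junos
firewall {
    family inet {
        /* Applied as input on reth0.0 (Internet side), replacing the two-filter input-list. */
        filter vlan131-bypass-in {
            /* The discard stays first: a bypass term must never let a blocked destination through. */
            term ddos-block {
                from {
                    destination-address {
                        x.x.3.4/32;
                    }
                }
                then discard;
            }
            /* Bypass term before any catch-all accept; "accept" ends evaluation of the filter. */
            term bypass-to-customer {
                from {
                    destination-address {
                        x.x.251.100/32;
                    }
                }
                then {
                    /* assumed counter name: lets "show firewall filter" prove the term is hit */
                    count bypass-in-pkts;
                    /* forward in packet mode: no flow session, no security policy lookup */
                    packet-mode;
                    accept;
                }
            }
            /* Everyone else stays in flow mode and is subject to security policy. */
            term default-flow {
                then accept;
            }
        }
        /* Applied as input on reth3.0 (internal side) for the return direction. */
        filter vlan131-bypass-out {
            term bypass-from-customer {
                from {
                    source-address {
                        x.x.251.100/32;
                    }
                }
                then {
                    /* assumed counter name */
                    count bypass-out-pkts;
                    packet-mode;
                    accept;
                }
            }
            term default-flow {
                then accept;
            }
        }
    }
}
interfaces {
    reth0 {
        unit 0 {
            family inet {
                filter {
                    input vlan131-bypass-in;
                }
                address x.x.252.212/29;
            }
        }
    }
    reth3 {
        unit 0 {
            family inet {
                filter {
                    input vlan131-bypass-out;
                }
            }
        }
    }
}
```

After the commit, "show firewall filter vlan131-bypass-in" should show bypass-in-pkts increasing while traffic to x.x.251.100 flows, and "show security flow session destination-prefix x.x.251.100" should stay empty on both nodes. Two caveats worth keeping in mind: packet-mode traffic is not evaluated by security policy, NAT, screens, ALGs or IPsec on the SRX, so the match terms should be kept to exactly this customer's prefixes rather than anything broader; and because the bypass is decided per packet rather than per session, both directions need a matching term, which is why the second filter sits on the internal interface.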