Junos OS

  • 1.  NAT-src PAT on a SRX

    Posted 07-19-2011 08:51

    I have a question concerning the length of time an IP-address/port combination remains after a flow ends. On a Cisco ASA it remains open for 30 seconds (unconfigurable), and then it is closed. Is there something comparable on a Juniper SRX? Our network security team has found that in the Cisco environment it is difficult to track a PAT address back to its source when a DMCA violation is reported. The DMCA time-stamps are not as precise as the firewall logs, so sometimes they can't track down the user in question. We were asked if a Juniper environment would handle this situation differently. I can't find anything online to answer this question.


    David Baird

    t-9baird@uchicago.edu



    #pat
    #NAT-src


  • 2.  RE: NAT-src PAT on a SRX
    Best Answer

    Posted 07-20-2011 12:04

    Hello,

    Have a look at these SRX config options:


    user@srx# set security flow tcp-session ?
    Possible completions:
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      no-sequence-check    Disable sequence-number checking
      no-syn-check         Disable creation-time SYN-flag check
      no-syn-check-in-tunnel  Disable creation-time SYN-flag check for tunnel packets
      rst-invalidate-session  Immediately end session on receipt of reset (RST) segment
      rst-sequence-check   Check sequence number in reset (RST) segment
      strict-syn-check     Enable strict syn check
      tcp-initial-timeout  Timeout for TCP session when initialization fails
    > time-wait-state      Session timeout value in time-wait state, default 150 seconds <===!!!
    {primary:node0}[edit]
    user@srx# set security flow tcp-session time-wait-state ?
    Possible completions:
      <[Enter]>            Execute this command
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      session-ageout       Allow session to ageout using service based timeout values
      session-timeout      Configure session timeout value for time-wait state
      |                    Pipe through a command
    {primary:node0}[edit]
    user@srx# set security flow tcp-session time-wait-state session-timeout ?
    Possible completions:
      <session-timeout>    Configure session timeout value for time-wait state

    "session-timeout" is configurable from 2 to 600 secs.

    "session-ageout" is simply toggled on/off.


    These knobs are available in 10.2R4, 10.4 and above. 


    HTH

    Rgds

    Alex
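    The following is an added illustration of how the knob shown in the answer above would be applied and verified; it is not part of the original post. The `set` and `show` syntax comes from the help output quoted above and from standard Junos CLI; the chosen value of 30 seconds (matching the ASA behaviour the question describes) and the `trust`/`untrust` policy names are assumptions for the example.

    ```junos
    {primary:node0}[edit]
    ## Shorten the TIME-WAIT hold so a translated address/port is released
    ## 30 seconds after the TCP flow ends (page states the default is 150 s,
    ## configurable range 2-600 s).
    user@srx# set security flow tcp-session time-wait-state session-timeout 30

    ## Alternative (mutually exclusive in intent): let the session age out on
    ## the service-based timeout instead of a fixed TIME-WAIT value.
    ## user@srx# set security flow tcp-session time-wait-state session-ageout

    user@srx# commit
    commit complete

    ## Verify the committed setting.
    user@srx# run show configuration security flow
    tcp-session {
        time-wait-state {
            session-timeout 30;
        }
    }

    ## Confirm how long a closed flow still holds its NAT binding.
    user@srx# run show security flow session
    ```

    A shorter TIME-WAIT timer narrows the window in which one external address/port pair could refer to two different internal hosts, but for attribution it matters just as much that session-close events are logged with their translated addresses, for example with `set security policies from-zone trust to-zone untrust policy <name> then log session-close` (policy and zone names assumed), so that an external timestamp can be matched against the firewall's own precise start and end times rather than against the timer alone.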



  • 3.  RE: NAT-src PAT on a SRX

    Posted 07-20-2011 13:15

    Thanks for the info. That's exactly what I was looking for.