Bypassing flow daemon in SRX

Under normal circumstances, if you have a policy from the trust zone to the transit zone in a network like the one in the diagram and you generate traffic, the packets are processed by the flow daemon, after which a session is created. What if you want to bypass this daemon and use packet mode only for the traffic between these nodes? Below is how I configure my SRX100 device for this. After configuring it this way, I didn’t see any session created. Let’s configure;

1) First, create the firewall filter for the traffic that we want to bypass

As you can see, the “packet-mode” action does the work here.

2) Then apply the filter on both interfaces

Once you commit the changes, you will see that even though you have a policy in place, no session is created for the traffic between these nodes. In the Junos documentation you can find this under the name “Selective Stateless Packet-Based Forwarding”.
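To show the two steps together in set-style Junos, here is an added example of the configuration described above; it is not the author's own configuration, and the filter name, term names, interface names (fe-0/0/0, fe-0/0/1) and the 10.1.1.0/24 and 10.2.2.0/24 prefixes are assumptions chosen for illustration.

```junos
## Added example (not the original post's configuration). Filter name,
## term names, interface names and prefixes are assumptions.

## 1) Firewall filter: the first term matches only the traffic that should
##    skip the flow daemon and marks it with the packet-mode action modifier
##    (accept is implied for a term that carries only an action modifier).
##    The final term accepts everything else into the normal flow path, so
##    traffic that does not match keeps its security policy and session.
set firewall family inet filter bypass-flow term skip-flow from source-address 10.1.1.0/24
set firewall family inet filter bypass-flow term skip-flow from destination-address 10.2.2.0/24
set firewall family inet filter bypass-flow term skip-flow then packet-mode
set firewall family inet filter bypass-flow term rest then accept

## 2) Apply the filter as an input filter on both interfaces of the path so
##    that both directions of the conversation are handled in packet mode;
##    applying it on only one side leaves the return direction in flow mode.
set interfaces fe-0/0/0 unit 0 family inet filter input bypass-flow
set interfaces fe-0/0/1 unit 0 family inet filter input bypass-flow
```

After the commit, `show security flow session` should list no session for the matched source and destination pair, while traffic outside the match terms still creates sessions as before; keep the match terms as narrow as possible, because anything matched here is no longer evaluated against the security policy.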

Warning: Be careful with this type of configuration, as it bypasses the security checks, and you may end up permitting more traffic than you intend.
