Bypassing flow daemon in SRX

Under normal circumstances if you have a policy from trust zone to transit zone in a network like in the diagram and if you create traffic, packets have to be processed by flow daemon after which a session is created. What if you want to bypass this daemon and only use the packet mode for the traffic only between these nodes. Below is how I configure my SRX100 device for this. After configuring this way, I didn’t see any session created. Let’s configure;

1) First create the firewall filter for the traffic that we want to bypass

user@srx100-1# show firewall filter bypass-flowd
term outgoing {
    from {
        source-address {
            192.168.77.10/32;
        }
        destination-address {
            192.168.3.2/32;
        }
    }
    then packet-mode;
}
term return {
    from {
        source-address {
            192.168.3.2/32;
        }
        destination-address {
            192.168.77.10/32;
        }
    }
    then packet-mode;
}
term allow-the-rest {
    then accept;
}

As you can see “packet-mode” does the work here.

2) Then apply the filter in both interfaces

[edit]
user@srx100-1# show interfaces vlan.3
family inet {
    filter {
        input bypass-flowd;
    }
    address 192.168.3.1/24;
}

[edit]
user@srx100-1# show interfaces vlan.77
family inet {
    filter {
        input bypass-flowd;
    }
    address 192.168.77.1/24;
}

Once you commit the changes, you will see that even though you have a policy in place, you won’t have any session created for the traffic between these nodes. In Junos documentation you can find this under the name “Selective Stateless Packet-Based Forwarding

Warning: Be careful in this type of configuration as it will bypass security checks because of which you may end up permitting traffic more than you want.

About: rtoodtoo

Genco has worked for more than 10 years as a Network/Support Engineer. He is also interested in Python, Linux, Security and SD-WAN, currently lives in the Netherlands and works as a Network Support Engineer at Tesla Inc. // JNCIE-SEC #223 / RHCE / PCNSE


You have a feedback?

This site uses Akismet to reduce spam. Learn how your comment data is processed.