Bypassing flow daemon in SRX
Under normal circumstances, if you have a policy from the trust zone to the transit zone in a network like the one in the diagram and you generate traffic, the packets have to be processed by the flow daemon (flowd), after which a session is created. What if you want to bypass this daemon and use packet mode only for the traffic between these two nodes? Below is how I configured my SRX100 device for this; after configuring it this way, I didn't see any session created. Let's configure:
1) First, create the firewall filter for the traffic that we want to bypass
user@srx100-1# show firewall filter bypass-flowd
term outgoing {
    from {
        source-address {
            192.168.77.10/32;
        }
        destination-address {
            192.168.3.2/32;
        }
    }
    then packet-mode;
}
term return {
    from {
        source-address {
            192.168.3.2/32;
        }
        destination-address {
            192.168.77.10/32;
        }
    }
    then packet-mode;
}
term allow-the-rest {
    then accept;
}
As you can see, the "packet-mode" action does the work here: the two terms match the traffic in each direction between the two hosts, and the final term leaves all other traffic on the normal flow-based path.
2) Then apply the filter as an input filter on both interfaces
[edit]
user@srx100-1# show interfaces vlan.3
family inet {
    filter {
        input bypass-flowd;
    }
    address 192.168.3.1/24;
}

[edit]
user@srx100-1# show interfaces vlan.77
family inet {
    filter {
        input bypass-flowd;
    }
    address 192.168.77.1/24;
}
Once you commit the changes, you will see that even though you have a security policy in place, no session is created for the traffic between these nodes. In the Junos documentation you can find this feature under the name "Selective Stateless Packet-Based Forwarding".
Warning: Be careful with this type of configuration, as it bypasses the flow module's security checks (the security policy included), which means you may end up permitting more traffic than you intended. Keep the packet-mode terms as narrow as possible, such as the /32 host addresses used above.
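As an added example (not from the post or from Juniper), here is a small Python audit that reads the filter in Junos "display set" form and flags packet-mode terms that bypass flowd for more than a single host pair, match on only one side, or lack a return-direction term. The embedded sample is the post's bypass-flowd filter re-typed in set form; the helper names are my own.

```python
import ipaddress
import re

# Constructed sample (not the post's device output): the bypass-flowd filter
# from the post, rewritten in "show configuration | display set" form.
SAMPLE = """
set firewall filter bypass-flowd term outgoing from source-address 192.168.77.10/32
set firewall filter bypass-flowd term outgoing from destination-address 192.168.3.2/32
set firewall filter bypass-flowd term outgoing then packet-mode
set firewall filter bypass-flowd term return from source-address 192.168.3.2/32
set firewall filter bypass-flowd term return from destination-address 192.168.77.10/32
set firewall filter bypass-flowd term return then packet-mode
set firewall filter bypass-flowd term allow-the-rest then accept
"""
LINE = re.compile(r"^\s*set firewall filter (\S+) term (\S+) (from|then) (\S+)(?: (\S+))?\s*$")

def parse_set_filter(text):
    """Return {filter: {term: {"source": set, "destination": set, "then": set}}}."""
    filters = {}
    for m in filter(None, map(LINE.match, text.splitlines())):
        fname, term, kind, key, val = m.groups()
        t = filters.setdefault(fname, {}).setdefault(term, {"source": set(), "destination": set(), "then": set()})
        if kind == "then":
            t["then"].add(key)                       # e.g. packet-mode, accept
        elif key in ("source-address", "destination-address"):
            t[key.split("-")[0]].add(ipaddress.ip_network(val))
    return filters

def audit_packet_mode(terms, max_prefixlen=32):
    """Flag packet-mode terms that bypass flowd more widely than one host pair; returns (term, reason) tuples."""
    findings = []
    bypass = {n: t for n, t in terms.items() if "packet-mode" in t["then"]}
    for name, t in bypass.items():
        for side in ("source", "destination"):
            if not t[side]:
                findings.append((name, f"no {side}-address match: bypasses flowd for any {side}"))
            for net in t[side]:
                if net.prefixlen < max_prefixlen:
                    findings.append((name, f"{side} {net} wider than /{max_prefixlen}"))
        # Replies must also be packet-mode, or they reach flowd with no session to match.
        mirrored = any(o["source"] == t["destination"] and o["destination"] == t["source"]
                       for o in bypass.values() if o is not t)
        if not mirrored:
            findings.append((name, "no mirror term for the return direction"))
    return findings

if __name__ == "__main__":
    print(audit_packet_mode(parse_set_filter(SAMPLE)["bypass-flowd"]) or "bypass-flowd: OK")
```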