Packet mode enables an SRX firewall to act strictly as a router, forwarding packets from source to destination without creating or tracking sessions. This is useful in certain situations, such as high-throughput applications that do not need full firewall functionality, or asymmetric traffic flows where the SRX only sees one direction of a conversation. Packet mode can also be enabled only for interesting traffic, which Juniper calls Selective Packet Services (also documented as selective stateless packet-based services). More details on Selective Packet Services are available in the following PDF as well as in the rest of this post.

Enabling packet mode changes some of the behaviors of the SRX. Traffic handled in packet mode never passes through the flow module, so practically everything under the security stanza, which depends on session state, no longer applies to it. In other words, the following features are disabled for packet-mode traffic:

  • NAT
  • VPN termination
  • Security policies (the zone-based firewall policies under the security stanza)
  • IPS
  • UTM
  • Screens

Furthermore, when enabling packet mode for all traffic, the only access control left is the stateless firewall filters configured under the firewall stanza, so any traffic you want blocked has to be discarded there; there is no security policy to fall back on.

On to business, shall we?

How to turn on Packet Mode for all traffic (the change only takes effect after the reboot):

set security forwarding-options family mpls mode packet-based
commit and-quit
request system reboot

How to turn on Packet Mode for selective traffic:

  1. Set up a firewall filter whose term matches the interesting traffic and has an action of packet-mode
  2. Apply that filter as an input filter on the interface where the traffic enters the firewall
  3. Set up a second firewall filter whose term matches the return traffic and also has an action of packet-mode
  4. Apply the second filter as an input filter on the interface where the return traffic enters the firewall

Step 3 and 4 are not optional: if the reply comes back in through an interface without a packet-mode filter, it is handed to the flow module, which has no session for it and drops it (by default the SRX does not create a TCP session from a non-SYN packet). Both directions have to bypass flow, or neither.
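As an added example (not from the original post), here is the basic two-filter form of the four steps above in set syntax, without the forwarding instance used in the fuller config later in the post, followed by the operational commands used to confirm that both the global reboot procedure and the selective filters took effect. The interface names ge-0/0/1 (trust) and ge-0/0/0 (untrust), the filter and counter names, and the 192.168.0.0/24 trust subnet are assumptions for illustration.

```junos
# Added example, not the original post's configuration.
# Assumed: ge-0/0/1 is the trust interface, ge-0/0/0 is the untrust
# interface, and clients sit in 192.168.0.0/24.

# 1. Forward direction: web traffic from the trust subnet skips the flow
#    module; everything else falls through to normal session-based
#    processing (policies, NAT, IPS and so on still apply to it).
set firewall family inet filter pm-forward term web from source-address 192.168.0.0/24
set firewall family inet filter pm-forward term web from protocol tcp
set firewall family inet filter pm-forward term web from destination-port [ http https ]
set firewall family inet filter pm-forward term web then count pm-forward-web
set firewall family inet filter pm-forward term web then packet-mode
set firewall family inet filter pm-forward term rest then accept

# 2. Apply it as an input filter where that traffic enters the box.
set interfaces ge-0/0/1 unit 0 family inet filter input pm-forward

# 3. Mirror-image filter for the replies, matched on source port.
set firewall family inet filter pm-return term web from destination-address 192.168.0.0/24
set firewall family inet filter pm-return term web from protocol tcp
set firewall family inet filter pm-return term web from source-port [ http https ]
set firewall family inet filter pm-return term web then count pm-return-web
set firewall family inet filter pm-return term web then packet-mode
set firewall family inet filter pm-return term rest then accept

# 4. Apply it as an input filter where the replies come back in.
set interfaces ge-0/0/0 unit 0 family inet filter input pm-return
commit

# Verification from operational mode.
# After the global procedure (family mpls mode packet-based + reboot) the
# forwarding mode reported here should read packet based.
show security flow status

# For the selective filters: the two counters should climb together while a
# client browses, proving both directions hit a packet-mode term ...
show firewall filter pm-forward
show firewall filter pm-return

# ... and no session should exist for the bypassed web flows.
show security flow session destination-port 443
```

The `count` actions are there purely so the filters can be checked; if pm-forward-web increments while pm-return-web stays at zero, the return filter is on the wrong interface and the replies are being dropped by the flow module. Remember that the matched web traffic is no longer seen by any security policy, so if some destinations should stay blocked, add a `discard` term for them ahead of the packet-mode term.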

Below is a slightly fancier version of Selective Packet Services: besides bypassing the flow module, the forward filter also steers the matched web traffic into a forwarding routing instance (r1) whose default route points down a GRE tunnel, and the return filter on the tunnel interface keeps the reverse direction in packet mode, so neither direction is ever handed to flow:

interfaces {
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 1.1.1.1;
                destination 2.2.2.2;
            }
            family inet {
                /* return traffic from the far end of the tunnel */
                filter {
                    input redirect-return;
                }
                address 172.25.0.1/30;
            }
        }
    }
    ge-0/0/1 {
        description "Trust Zone";
        unit 0 {
            family inet {
                /* forward traffic from the trust clients */
                filter {
                    input redirect-packet;
                }
                address 192.168.0.1/24;
            }
        }
    }
}

routing-options {
    interface-routes {
        rib-group inet global-rib;
    }
    rib-groups {
        global-rib {
            /* the primary table (inet.0) must be listed first; the interface
               routes are then copied into r1.inet.0 so r1 can resolve the
               tunnel next hop */
            import-rib [ inet.0 r1.inet.0 ];
        }
    }
}

firewall {
    filter redirect-packet {
        term packet {
            from {
                destination-port [ http https ];
            }
            then {
                packet-mode;
                routing-instance r1;
            }
        }
        term allow-everything-else {
            then accept;
        }
    }
    filter redirect-return {
        term packet {
            from {
                source-port [ http https ];
            }
            then {
                packet-mode;
            }
        }
        term allow-everything-else {
            then accept;
        }
    }
}

routing-instances {
    r1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop gr-0/0/0.0;
            }
        }
    }
}
