Configure SRX Mode to Packet Mode from Flow Mode


Branch series Juniper SRX devices can operate in two different modes: packet mode and flow mode. In flow mode, the SRX processes all traffic by analyzing the state or session of the traffic. In packet mode, the SRX processes traffic like a traditional router, without analyzing the session of the traffic. By default, Junos on SRX devices works in flow mode. If you want to operate the device as a typical router, you can disable the security features such as IPSec, NAT, UTM, etc. There are two ways to change a branch series SRX device from flow mode to packet mode. The first method shown in this post converts the device strictly to packet mode using the set security forwarding-options command, whereas the second method allows packet mode and flow mode to be used at the same time using firewall filters.


First Method

To view the current forwarding mode, run the show security flow status command in operational mode. The output shows that the device is currently in flow-based forwarding mode: Inet forwarding mode: flow based.


We can change to packet mode by entering the set security forwarding-options family mpls mode packet-based command in configuration mode, as shown below. Don’t forget to delete the security settings.

[edit]
root@SRX240# delete security [Deletes all the security configuration.]
[edit]
root@SRX240# set security forwarding-options family mpls mode packet-based
[edit]
root@SRX240# commit
[edit]
root@SRX240# run request system reboot

After the commit, you will get a warning saying that you must reboot the device for the change to take effect. After the reboot, issue the show security flow status command.

root@SRX240> show security flow status
Flow forwarding mode:
Inet forwarding mode: packet based
Inet6 forwarding mode: drop
MPLS forwarding mode: packet based
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based

As you can see above, the Inet forwarding mode is now packet based. This is how you change an SRX from flow mode to packet mode.

Second Method

Packet mode can also be enabled using a firewall filter. With this technique, you can use both packet mode and flow mode, selected by various match criteria.

[edit]
root@SRX240# set firewall filter PACKET-MODE term 1 from source-address X.X.X.X/32
[edit]
root@SRX240# set firewall filter PACKET-MODE term 1 then packet-mode
[edit]
root@SRX240# set firewall filter PACKET-MODE term 2 then accept

Now apply the filter PACKET-MODE to the required interface in the inbound or outbound direction. Only traffic coming from the source address X.X.X.X/32 will be processed in packet mode by the SRX; the rest will be processed in flow mode.
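
Because traffic handled in packet mode is forwarded without session analysis, it is worth auditing exactly which traffic a configuration exempts from flow processing. The following Python script is an added example, not part of the original post: it reads `show configuration | display set` output and reports both the global setting from the first method and every filter term that uses packet-mode, along with the interfaces where that filter is applied. The sample configuration is constructed; the interface ge-0/0/0 and the address 192.0.2.10 are placeholders.

```python
import re

# Constructed sample of `show configuration | display set` output (placeholders only).
SAMPLE_CONFIG = """\
set firewall filter PACKET-MODE term 1 from source-address 192.0.2.10/32
set firewall filter PACKET-MODE term 1 then packet-mode
set firewall filter PACKET-MODE term 2 then accept
set interfaces ge-0/0/0 unit 0 family inet filter input PACKET-MODE
"""

GLOBAL = re.compile(
    r"^set security forwarding-options family (\S+) mode packet-based$")
TERM_PM = re.compile(
    r"^set firewall (?:family \S+ )?filter (\S+) term (\S+) then packet-mode$")
TERM_FROM = re.compile(
    r"^set firewall (?:family \S+ )?filter (\S+) term (\S+) from (.+)$")
APPLIED = re.compile(
    r"^set interfaces (\S+) unit (\S+) family \S+ filter (input|output) (\S+)$")


def audit_packet_mode(config_text):
    """Report which traffic bypasses flow (session-based) processing."""
    global_families, pm_terms, conditions, bindings = [], set(), {}, []
    for line in config_text.splitlines():
        line = line.strip()
        if m := GLOBAL.match(line):        # first method: whole family in packet mode
            global_families.append(m.group(1))
        elif m := TERM_PM.match(line):     # second method: per-term packet-mode
            pm_terms.add((m.group(1), m.group(2)))
        elif m := TERM_FROM.match(line):   # match criteria of a term
            conditions.setdefault((m.group(1), m.group(2)), []).append(m.group(3))
        elif m := APPLIED.match(line):     # filter bound to a logical interface
            bindings.append((f"{m.group(1)}.{m.group(2)}", m.group(3), m.group(4)))
    selective = []
    for name, term in sorted(pm_terms):
        selective.append({
            "filter": name,
            "term": term,
            # A term with no "from" lines matches all traffic on the interface.
            "match": conditions.get((name, term), ["<all traffic>"]),
            # Empty list: the filter is defined but not applied anywhere.
            "applied": [(ifl, d) for ifl, d, f in bindings if f == name],
        })
    return {"global_packet_mode": global_families, "selective": selective}


if __name__ == "__main__":
    print(audit_packet_mode(SAMPLE_CONFIG))
```

A term reported with `<all traffic>` and a non-empty `applied` list means every packet in that direction on that interface is forwarded in packet mode.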

Bipin is a freelance Network and System Engineer with expertise in Cisco, Juniper, Microsoft, VMware, and other technologies. You can hire him on UpWork. Follow Bipin Giri on Google+. Bipin enjoys writing articles and tutorials related to network technologies. Some of his certifications are MCSE:Messaging, JNCIP-SEC, JNCIS-ENT, and others.