Eric U Ngabonziza

How packet flows into Juniper SRX Firewall

SRX Series Services Gateways are high-performance network security solutions for enterprises and service providers. The SRX firewall enforces security policy by processing the flow of packets through the device. Understanding how a packet flows through the SRX firewall is important because it makes troubleshooting much easier:
  • Once the SRX firewall pulls the packet from the input interface queue, it first checks whether the packet belongs to an existing session. If it does, the packet bypasses all the policies and is NATed before being sent out. If not, the packet is passed to the screen options to be checked.

  • In the Juniper SRX firewall, packet flow processing begins with a screen check. A screen is a built-in protection mechanism that performs a variety of security functions. Screens are used to detect and prevent many kinds of malicious traffic, such as denial-of-service (DoS) attacks.

  • If there is no existing session for the packet and the screen check is completed, the software then performs destination NAT or static destination NAT to substitute one set of packet header address information with another.

  • The software performs the route lookup. If a route exists for the destination prefix, the packet moves on to the next step. If not, it is dropped.

  • The software determines the packet’s incoming zone by the interface through which it arrives. In addition, the software determines the packet’s outgoing zone by the forwarding lookup.

  • Based on the incoming and outgoing zones, the corresponding security policy is determined and a security policy check takes place. The software checks the packet against the defined policies to determine how to treat it.

  • The software creates and installs the session based on the protocol used (TCP or UDP). It is important to know the default session timeouts for those protocols: the default for a TCP session is 30 minutes and for a UDP session is 1 minute.

  • The software then performs TCP header and flag checks. It performs route lookup and NAT translation, and applies ALG services, IDP, VPN, and other services. At this point the packet is forwarded out.
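
The order of checks above, written as a simplified Python model (an added example, not Juniper code or Junos configuration). The addresses, interface names, tables and the per-source new-flow limit standing in for a screen are constructed assumptions; the model shows that the policy lookup sees the destination-NAT-translated address and port, and which stage accounts for each drop.

```python
import ipaddress

# Constructed tables for illustration; none of this is Junos configuration.
TIMEOUT = {"tcp": 30 * 60, "udp": 60}                 # session defaults from the text
DNAT = {("203.0.113.10", 443): ("10.0.1.10", 8443)}   # destination NAT rule
ROUTES = {"10.0.1.0/24": "ge-0/0/1"}                  # prefix -> egress interface
ZONES = {"ge-0/0/0": "untrust", "ge-0/0/1": "dmz"}    # interface -> zone
POLICIES = {("untrust", "dmz"): [("tcp", 8443, "permit")]}
SCREEN_MAX_NEW = 3    # stand-in screen: new-flow limit per source address

sessions = {}         # 5-tuple -> installed session
new_flows = {}        # source address -> packets that missed the session table


def route_lookup(dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    hits = [ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)]
    return ROUTES[str(max(hits, key=lambda n: n.prefixlen))] if hits else None


def process(pkt, in_if):
    """Return (verdict, session) following the order of the steps above."""
    key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
    if key in sessions:                                # 1. existing session: skip policy
        return "fast-path", sessions[key]
    new_flows[pkt["src"]] = new_flows.get(pkt["src"], 0) + 1
    if new_flows[pkt["src"]] > SCREEN_MAX_NEW:         # 2. screen check
        return "drop:screen", None
    # 3. destination NAT rewrites the destination before routing and policy
    dst, dport = DNAT.get((pkt["dst"], pkt["dport"]), (pkt["dst"], pkt["dport"]))
    out_if = route_lookup(dst)                         # 4. route lookup on translated dst
    if out_if is None:
        return "drop:no-route", None
    zones = (ZONES[in_if], ZONES[out_if])              # 5. ingress / egress zones
    for proto, port, action in POLICIES.get(zones, []):    # 6. policy check
        if (proto, port, action) == (pkt["proto"], dport, "permit"):
            sess = {"zones": zones, "xlate_dst": (dst, dport),
                    "timeout": TIMEOUT[pkt["proto"]]}  # 7. install session
            sessions[key] = sess
            return "first-path", sess
    return "drop:policy", None
```

When troubleshooting, the verdict string maps directly to the stage to inspect: a flow that works once a session exists but is refused when new points at the screen, route or policy stages rather than at forwarding.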

Author: Eric Uwonkunda Ngabonziza
