Configure SRX Mode to Packet Mode from Flow Mode

54

Configure SRX Mode to Packet Mode from Flow Mode

First Method

To view the existing flow mode type, show security flow status command in operational mode as shown below. As you can see it is now flow based forwarding mode, Inet forwarding mode: flow based.

 

 

 

We can change to packet mode by typing, set security forwarding-options family mpls mode packet-based command in configuration mode as shown below. Don’t forget to delete the security settings.

[edit]
root@SRX240# delete security [Deletes all the security configuration.]
[edit]
root@SRX240# set security forwarding-options family mpls mode packet-based
[edit]
root@SRX240# commit
[edit]
root@SRX240# run request system reboot

After commit, you will get a warning saying, you must reboot the device for the change to take effect. After the reboot, issue show security flow status command.

root@SRX240> show security flow status
Flow forwarding mode:
Inet forwarding mode: packet based
Inet6 forwarding mode: drop
MPLS forwarding mode: packet based
ISO forwarding mode: drop
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: RR-based

As you can see above, the Inet forwarding mode is packet based. In this way you can configure SRX mode to packet mode from flow mode.

Second Method

Packet mode can also be enabled using firewall filter. Using this technique, you can use both packet mode and flow mode based on various match criteria.

[edit]
root@SRX240# set firewall filter PACKET-MODE term 1 from source-address X.X.X.X/32
[edit]
root@SRX240# set firewall filter PACKET-MODE term 1 then packet-mode
[edit]
root@SRX240# set firewall filter PACKET-MODE term 2 then accept

Now apply the filter PACKET-MODE in required interface in inbound or outbound direction. So traffic coming from particular source address of X.X.X.X/32 will only be processed as packet mode by SRX, rest will be processed as flow mode.