flow (Security Flow)
Syntax
flow {
    advanced-options {
        drop-matching-link-local-address;
        drop-matching-reserved-ip-address;
        reverse-route-packet-mode-vr;
    }
    aging {
        early-ageout seconds;
        high-watermark percent;
        low-watermark percent;
    }
    allow-dns-reply;
    allow-embedded-icmp;
    enable-reroute-uniform-link-check {
        nat;
    }
    enhanced-routing-mode;
    ethernet-switching {
        block-non-ip-all;
        bpdu-vlan-flooding;
        bypass-non-ip-unicast;
        no-packet-flooding {
            no-trace-route;
        }
    }
    force-ip-reassembly;
    gre-performance-acceleration;
    ipsec-performance-acceleration;
    load-distribution {
        session-affinity {
            ipsec;
        }
    }
    mcast-buffer-enhance;
    multicast-nh-resolve-retry multicast-nh-resolve-retry-value;
    no-local-favor-ecmp;
    packet-log {
        enable;
        packet-filter name {
            conn-tag conn-tag;
            destination-port (afs | bgp | biff | bootpc | bootps | cmd | cvspserver | dhcp | domain | eklogin | ekshell | exec | finger | ftp | ftp-data | http | https | ident | imap | kerberos-sec | klogin | kpasswd | krb-prop | krbupdate | kshell | ldap | ldp | login | mobileip-agent | mobilip-mn | msdp | netbios-dgm | netbios-ns | netbios-ssn | nfsd | nntp | ntalk | ntp | pop3 | pptp | printer | radacct | radius | range | rip | rkinit | smtp | snmp | snmptrap | snpp | socks | ssh | sunrpc | syslog | tacacs | tacacs-ds | talk | telnet | tftp | timed | who | xdmcp | zephyr-clt | zephyr-hm | zephyr-srv);
            destination-prefix destination-prefix;
            interface interface;
            logical-system logical-system;
            protocol (ah | egp | esp | gre | icmp | icmp6 | igmp | ipip | number | ospf | pim | rsvp | sctp | tcp | udp);
            source-port (afs | bgp | biff | bootpc | bootps | cmd | cvspserver | dhcp | domain | eklogin | ekshell | exec | finger | ftp | ftp-data | http | https | ident | imap | kerberos-sec | klogin | kpasswd | krb-prop | krbupdate | kshell | ldap | ldp | login | mobileip-agent | mobilip-mn | msdp | netbios-dgm | netbios-ns | netbios-ssn | nfsd | nntp | ntalk | ntp | pop3 | pptp | printer | radacct | radius | range | rip | rkinit | smtp | snmp | snmptrap | snpp | socks | ssh | sunrpc | syslog | tacacs | tacacs-ds | talk | telnet | tftp | timed | who | xdmcp | zephyr-clt | zephyr-hm | zephyr-srv);
            source-prefix source-prefix;
        }
        throttle-interval milliseconds;
    }
    pending-sess-queue-length (high | moderate | normal);
    power-mode-ipsec;
    preserve-incoming-fragment-size;
    route-change-timeout seconds;
    strict-packet-order;
    syn-flood-protection-mode (syn-cookie | syn-proxy);
    sync-icmp-session;
    tcp-mss {
        all-tcp {
            mss mss;
        }
        gre-in {
            mss mss;
        }
        gre-out {
            mss mss;
        }
        ipsec-vpn {
            mss mss;
        }
    }
    tcp-session {
        fin-invalidate-session;
        maximum-window (128K | 1M | 256K | 512K | 64K);
        no-sequence-check;
        no-syn-check;
        no-syn-check-in-tunnel;
        rst-invalidate-session;
        rst-sequence-check;
        strict-syn-check;
        tcp-initial-timeout seconds;
        time-wait-state {
            (session-ageout | session-timeout seconds);
            apply-to-half-close-state;
        }
    }
    traceoptions {
        file <filename> <files files> <match match> <size size> <(world-readable | no-world-readable)>;
        flag name;
        no-remote-trace;
        packet-filter name {
            conn-tag conn-tag;
            destination-port (afs | bgp | biff | bootpc | bootps | cmd | cvspserver | dhcp | domain | eklogin | ekshell | exec | finger | ftp | ftp-data | http | https | ident | imap | kerberos-sec | klogin | kpasswd | krb-prop | krbupdate | kshell | ldap | ldp | login | mobileip-agent | mobilip-mn | msdp | netbios-dgm | netbios-ns | netbios-ssn | nfsd | nntp | ntalk | ntp | pop3 | pptp | printer | radacct | radius | range | rip | rkinit | smtp | snmp | snmptrap | snpp | socks | ssh | sunrpc | syslog | tacacs | tacacs-ds | talk | telnet | tftp | timed | who | xdmcp | zephyr-clt | zephyr-hm | zephyr-srv);
            destination-prefix destination-prefix;
            interface interface;
            logical-system logical-system;
            protocol (ah | egp | esp | gre | icmp | icmp6 | igmp | ipip | number | ospf | pim | rsvp | sctp | tcp | udp);
            source-port (afs | bgp | biff | bootpc | bootps | cmd | cvspserver | dhcp | domain | eklogin | ekshell | exec | finger | ftp | ftp-data | http | https | ident | imap | kerberos-sec | klogin | kpasswd | krb-prop | krbupdate | kshell | ldap | ldp | login | mobileip-agent | mobilip-mn | msdp | netbios-dgm | netbios-ns | netbios-ssn | nfsd | nntp | ntalk | ntp | pop3 | pptp | printer | radacct | radius | range | rip | rkinit | smtp | snmp | snmptrap | snpp | socks | ssh | sunrpc | syslog | tacacs | tacacs-ds | talk | telnet | tftp | timed | who | xdmcp | zephyr-clt | zephyr-hm | zephyr-srv);
            source-prefix source-prefix;
        }
        rate-limit rate-limit;
        trace-level {
            (brief | detail | error);
        }
    }
}
Hierarchy Level
[edit security]
Description
Determine how the device manages packet flow. The device can regulate packet flow in the following ways:
Options
advanced-options | Advanced options for the flow configuration.
allow-dns-reply | Allow incoming DNS reply packets that do not match a session.
allow-embedded-icmp | Allow embedded ICMP packets that do not match a session to pass through.
allow-reverse-ecmp | Allow reverse ECMP route lookup.
enable-reroute-uniform-link-check | Enable the reroute check using uniform links.
enhanced-routing-mode | Enable enhanced routing extensions.
force-ip-reassembly | Force reassembly of IP fragments.
gre-performance-acceleration | Improve performance for GRE traffic.
ipsec-performance-acceleration | Improve performance for IPsec traffic.
mcast-buffer-enhance | Allow more packets to be retained while a multicast session is being created.
multicast-nh-resolve-retry | Use this command to configure the number of multicast route next-hop resolution attempts. When multicast route next-hop resolution is unsuccessful, the SRX Series Firewall retries resolving the next-hop route up to the specified retry count.
no-local-favor-ecmp | Do not favor the local node in the HA ECMP route lookup.
pending-sess-queue-length | Maximum queue length for each pending session.
power-mode-ipsec | Enable power mode IPsec processing.
preserve-incoming-fragment-size | Preserve the incoming fragment size for the egress MTU.
route-change-timeout | Timeout value (in seconds) applied when a route changes to a nonexistent route.
strict-packet-order | Use this command to preserve the order of multicast traffic and resolve packet-drop issues.
syn-flood-protection-mode | TCP SYN flood protection mode.
sync-icmp-session | Allow ICMP sessions to be synchronized to the peer node.
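The following stanza is an added example of how several of these options fit together in a hardened flow configuration; it is not taken from the Junos documentation and not a recommended baseline for any particular platform. The watermark, timeout and MSS numbers, the trace file name, the packet-filter name and the 192.0.2.0/24 prefix are constructed for illustration. The trace flag basic-datapath is a standard security flow trace flag that this page does not list.

```junos
security {
    flow {
        /* Answer SYN floods with SYN cookies instead of proxying every handshake */
        syn-flood-protection-mode syn-cookie;
        /* Example values: age sessions out early above 90% table usage, stop at 50% */
        aging {
            early-ageout 10;
            high-watermark 90;
            low-watermark 50;
        }
        tcp-session {
            /* Require a proper SYN as the first packet of every TCP session */
            strict-syn-check;
            /* Tear sessions down on FIN/RST rather than waiting for the idle timer */
            fin-invalidate-session;
            rst-invalidate-session;
            /* Only honour RST packets whose sequence number is inside the window */
            rst-sequence-check;
            /* Example value: drop half-open sessions after 20 seconds */
            tcp-initial-timeout 20;
        }
        /* Clamp MSS for TCP carried over IPsec so encrypted packets are not fragmented */
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
        /* Flow trace confined to one constructed prefix and port, rate-limited and not world-readable */
        traceoptions {
            file flow-trace files 3 size 10m no-world-readable;
            flag basic-datapath;
            packet-filter web-from-branch {
                source-prefix 192.0.2.0/24;
                destination-port https;
                protocol tcp;
            }
            rate-limit 100;
            trace-level {
                brief;
            }
        }
    }
}
```

After committing, show security flow status reports the SYN flood protection mode in effect and show security flow session lists the sessions the device is tracking. The packet-filter, rate-limit and trace-level brief settings together keep the trace output bounded on a busy data plane, which matters because unrestricted flow tracing can itself degrade forwarding performance.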
Required Privilege Level
security: To view this statement in the configuration.
security-control: To add this statement to the configuration.
Release Information
Statement modified in Junos OS Release 9.5.
The power-mode-ipsec option added in Junos OS Release 18.3R1 for vSRX Virtual Firewall instances, in Junos OS Release 18.4R1 for SRX4100 and SRX4200 devices, and in Junos OS Release 18.2R2 for SRX5400, SRX5600, and SRX5800 devices.
The multicast-nh-resolve-retry and strict-packet-order options added in Junos OS Release 20.2R2 for SRX345 and SRX1500 devices.
The gre-performance-acceleration option added in Junos OS Release 21.1R1.