
    Configuring IPv6 Flow-Based Forwarding Mode

    An SRX Series device drops all IPv6 traffic by default. This topic describes how to log packets dropped by this default deny-all option.

    • Before you begin, log in with your root account to an SRX Series device running Junos OS Release 12.1X44-D15.

    Note: You can enter the configuration commands in any order and commit all the commands at once.

    To log packets dropped by the default deny-all option:

    1. Configure a network security policy in a global context and specify the security policy match criteria.
      [edit security policies]
      user@host# set global policy always-last-default-deny-and-log match source-address any destination-address any application any
    2. Specify the policy action to take when the packet matches the criteria.
      [edit security policies]
      user@host# set global policy always-last-default-deny-and-log then deny
    3. Configure the security policy to enable logs at the session initialization time.
      [edit security policies]
      user@host# set global policy always-last-default-deny-and-log then log session-init

    Note: This procedure might capture a very large amount of data until you have configured the other policies.
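
    Because this policy can log a large volume of drops, it helps to group the deny events before writing permit rules. The following Python script is an added example, not part of the Juniper documentation: it counts flows denied by `always-last-default-deny-and-log` per zone pair, protocol, and destination port. The `RT_FLOW_SESSION_DENY` message layout it parses is an assumption to confirm against your release, and the sample log lines and the `block-telnet` policy name are constructed.

```python
import re
from collections import Counter

POLICY = "always-last-default-deny-and-log"  # policy name used in the procedure

# Assumed message layout; confirm against the syslog output of your release:
# session denied SRC/SPORT->DST/DPORT SERVICE PROTO(ICMP-TYPE) POLICY FROM-ZONE TO-ZONE ...
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[0-9A-Fa-f:.]+)/(?P<sport>\d+)->(?P<dst>[0-9A-Fa-f:.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\(\d+\) "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+)"
)

# Constructed sample lines (documentation-prefix addresses), not real device output.
# "block-telnet" is a hypothetical second policy, present to show the policy filter.
SAMPLE_LOG = """\
Dec 10 10:00:01 host RT_FLOW: RT_FLOW_SESSION_DENY: session denied 2001:db8:1::10/51000->2001:db8:2::80/443 junos-https 6(0) always-last-default-deny-and-log trust untrust
Dec 10 10:00:02 host RT_FLOW: RT_FLOW_SESSION_DENY: session denied 2001:db8:1::11/51001->2001:db8:2::80/443 junos-https 6(0) always-last-default-deny-and-log trust untrust
Dec 10 10:00:03 host RT_FLOW: RT_FLOW_SESSION_DENY: session denied 2001:db8:9::5/40000->2001:db8:1::10/22 junos-ssh 6(0) always-last-default-deny-and-log untrust trust
Dec 10 10:00:04 host RT_FLOW: RT_FLOW_SESSION_DENY: session denied 2001:db8:1::12/51002->2001:db8:2::25/23 junos-telnet 6(0) block-telnet trust untrust
Dec 10 10:00:05 host RT_FLOW: RT_FLOW_SESSION_DENY: session denied 2001:db8:1::13/51003
Dec 10 10:00:06 host RT_FLOW: RT_FLOW_SESSION_CREATE: session created 2001:db8:1::10/51004->2001:db8:2::53/53
"""


def summarize_denies(text, policy=POLICY):
    """Count flows denied by `policy`, grouped by zone pair, protocol, port and service."""
    counts, unparsed = Counter(), 0
    for line in text.splitlines():
        if "RT_FLOW_SESSION_DENY" not in line:
            continue                      # other log events are ignored
        m = DENY_RE.search(line)
        if m is None:
            unparsed += 1                 # layout differs from the assumption: count it, do not guess
        elif m["policy"] == policy:
            key = (m["from_zone"], m["to_zone"], int(m["proto"]), int(m["dport"]), m["service"])
            counts[key] += 1
    return counts, unparsed


if __name__ == "__main__":
    counts, unparsed = summarize_denies(SAMPLE_LOG)
    for (fz, tz, proto, dport, svc), n in counts.most_common():
        print(f"{n:5d}  {fz}->{tz}  proto {proto}  dport {dport}  {svc}")
    print(f"unparsed deny lines: {unparsed}")
```

    A nonzero count of unparsed deny lines means the log layout on the device differs from the assumed one, and the pattern should be adjusted before the totals are relied on.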

    To allow IPv6 traffic into an SRX Series device, configure the device with flow-based forwarding mode. The default policy in flow-based forwarding mode is still to drop all IPv6 traffic, but you can now add rules to permit selected types of IPv6 traffic.

    user@host# set security forwarding-options family inet6 mode flow-based

    Published: 2013-12-10