
advanced-connection-tracking


Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 20.2R1

Description

The advanced-connection-tracking statement at the [edit security zones security-zone zone-name] hierarchy level enables the device to build a connection tracking table, keyed on source IP address and, optionally, destination IP address and destination port, at session creation time for traffic that ingresses the given zone. Security policies whose to-zone is this zone can then look up inbound sessions against that table. The connection tracking table is also replicated to the backup node in a high availability (HA) pair.

Options

mode

Configure one of the following modes for the advanced connection tracking table.

Values:

  • allow-any-host—Create the allow-any-host table, and configure policies whose to-zone value matches the currently configured zone-name to perform a lookup in it. Use this option to allow any external host to initiate a session to the reflexive address once the internal host has initiated traffic to any single external destination. The destination of the initial outbound traffic does not matter, as long as the session is allowed by the security policies. This is the most permissive of the three modes.

  • allow-target-host—Create the allow-target-host table, and configure policies whose to-zone value matches the currently configured zone-name to perform a lookup in it. Use this option when an external host must be able to initiate a session with an internal host by sending packets to the reflexive address, but only if the internal host has previously sent a packet to that external host's IP address. The port the external host initiates from is not checked.

  • allow-target-host-port—Create the allow-target-host-port table, and configure policies whose to-zone value matches the currently configured zone-name to perform a lookup in it. Use this option to allow an external host to initiate a session to the reflexive address and port only if the internal host has previously sent a packet to that external host's IP address and port. This is the most restrictive of the three modes.

timeout

Configure the timeout value, in seconds, for the advanced-connection-tracking table of the current zone.

Default: 1800 seconds.

track-all-policies-to-this-zone

Configure this option so that every security policy whose to-zone is this zone performs the connection tracking table lookup, without enabling the lookup on each policy individually.
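The following configuration is an added example and is not part of the original page. It shows the statement in context: the table is built on the zone that internal hosts ingress from, and the policy into that zone is the one that consults it. The zone names trust and untrust, the policy name inbound-tracked, the address-book entry internal-hosts, and the timeout value 600 are assumptions chosen for illustration.

```junos
/* Added example, not from the original page. Zone names (trust, untrust),
   the policy name inbound-tracked and the address-book entry internal-hosts
   are assumptions. */
security {
    zones {
        security-zone trust {
            /* Entries are created when traffic ingresses this zone (internal
               hosts talking outbound), so the statement lives on the internal
               zone, at [edit security zones security-zone zone-name]. */
            advanced-connection-tracking {
                /* Most restrictive mode: an external host can reach the
                   reflexive address and port only if the internal host has
                   already sent a packet to that external IP and port.
                   allow-any-host would admit any external host instead. */
                mode allow-target-host-port;
                /* Default is 1800 seconds. A shorter value narrows the window
                   in which an entry stays usable after the internal host goes
                   quiet; 600 is an example value, not a recommendation. */
                timeout 600;
                /* Every policy whose to-zone is trust consults the table,
                   with no per-policy enablement required. */
                track-all-policies-to-this-zone;
            }
        }
    }
    policies {
        /* The inbound direction (to-zone trust) is the one that performs the
           lookup. Keep destination-address limited to the hosts that actually
           need unsolicited inbound sessions rather than any. */
        from-zone untrust to-zone trust {
            policy inbound-tracked {
                match {
                    source-address any;
                    destination-address internal-hosts;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Two points to check before committing such a configuration: the policy that should use the table must have its to-zone set to the zone carrying the advanced-connection-tracking statement, otherwise the lookup never happens; and the choice of mode is a direct exposure decision, since allow-any-host lets any external host reach an internal host's reflexive address for the lifetime of the entry, so pair a permissive mode with a narrow destination-address match and a timeout shorter than the default.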

Required Privilege Level

security