Part 2—Session-Based Processing

After forwarding processing, the JUNOS software performs session lookup and either first-packet processing or fast-path processing on the packet.

Session Lookup

If the packet has not already been dropped, JUNOS software performs session lookup to determine whether the packet belongs to an existing session. The system uses six match criteria to perform the session lookup:

• Session token
• Source and destination IP addresses
• Source and destination ports
• Protocol

If the packet does not match an existing session, the system creates a new session for it. This process is called the first-packet path. (See First-Packet Path Processing.)

If the packet matches a session, fast-path processing is performed. (See Fast-Path Processing.)

First-Packet Path Processing

If a packet does not match an existing session, JUNOS software creates a new session for it as follows:

1. For the first packet, the system creates a session based on the routing for the packet and the policy lookup so that the packet becomes the first packet of a flow.

   For policy details, see Security Policies Overview.

2. Depending on the protocol and whether the service is TCP or UDP, the session is programmed with a timeout value.
   • For TCP, the default timeout is 30 minutes.
   • For UDP, the default timeout is 1 minute.

   You can configure these timeouts to be more aggressive or less aggressive. If you have changed the session timeout value, it is applied here. See Controlling Session Termination, If no traffic uses the session during the service timeout period, the router ages out the session and releases its memory for reuse.

3. Firewall screens are applied.

   Session initialization screens are applied. For screen details, see Attack Detection and Prevention.

4. Route lookup is performed.
5. The destination zone is determined:
   1. The system determines a packet's incoming zone by the interface through which it arrives.
   2. The system determines a packet's outgoing zone by route lookup.

   Together they determine which policy is applied to the packet.

   For zone details, see Security Zones and Interfaces.

6. Policy lookup is performed.

   The system checks the packet against policies you have defined to determine how the packet is to be treated.

   For policy details, see Security Policies.

7. If NAT is used, the system performs address allocation.

   For NAT details, see Network Address Translation.

8. The system sets up the Application Layer Gateway (ALG) service vector.

   For ALG details, see the Application Layer Gateways (ALGs).

9. The system creates and installs the session.

   Decisions made for the first packet of a flow are cached in a flow table for use with following, related flows.

10. Fast path processing is applied to the packet.

Fast-Path Processing

If a packet matches a session, JUNOS software performs fast-path processing as follows:

1. Configured screens are applied.
2. TCP checks are performed.
3. NAT is applied.

   For NAT details, see Network Address Translation.

4. Forwarding features are applied. (See the following section Part 3—Forwarding Features.)

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.