[Contents] [Prev] [Next] [Index] [Report an Error]

First-Packet Path Processing

If a packet does not match an existing session, JUNOS software creates a new session for it as follows:

  1. For the first packet, the system creates a session based on the routing for the packet and the policy lookup so that the packet becomes the first packet of a flow.

    For policy details, see Security Policies Overview.

  2. Depending on the protocol and whether the service is TCP or UDP, the session is programmed with a timeout value.

    You can configure these timeouts to be more aggressive or less aggressive. If you have changed the session timeout value, it is applied here. See Controlling Session Termination, If no traffic uses the session during the service timeout period, the router ages out the session and releases its memory for reuse.

  3. Firewall screens are applied.

    Session initialization screens are applied. For screen details, see Attack Detection and Prevention.

  4. Route lookup is performed.
  5. The destination zone is determined:
    1. The system determines a packet's incoming zone by the interface through which it arrives.
    2. The system determines a packet's outgoing zone by route lookup.

    Together they determine which policy is applied to the packet.

    For zone details, see Security Zones and Interfaces.

  6. Policy lookup is performed.

    The system checks the packet against policies you have defined to determine how the packet is to be treated.

    For policy details, see Security Policies.

  7. If NAT is used, the system performs address allocation.

    For NAT details, see Network Address Translation.

  8. The system sets up the Application Layer Gateway (ALG) service vector.

    For ALG details, see the Application Layer Gateways (ALGs).

  9. The system creates and installs the session.

    Decisions made for the first packet of a flow are cached in a flow table for use with following, related flows.

  10. Fast path processing is applied to the packet.
[Contents] [Prev] [Next] [Index] [Report an Error]

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.