Stateful Firewall Traffic Flow in Single MX Series (TLB) and Scaled-Out SRX Series Firewalls

In this topic, you’ll see how stateful firewall traffic flows through a single MX Series router that uses TLB (Traffic Load Balancer) to distribute sessions across scaled-out SRX Series Firewalls.

In this topology:

  • Configure a single MX Series router with two logical interfaces (IFLs), one in the TRUST routing instance and one in the UNTRUST routing instance. TLB on the MX Series health-checks all the scaled-out SRX Series Firewalls and builds the next-hops used to load balance the traffic.

  • Connect all the scaled-out SRX Series Firewalls to the MX Series over BGP sessions.

  • Configure a TLB instance on the MX Series TRUST routing instance to load balance the data traffic arriving from the client-side gateway router across the scaled-out SRX Series Firewalls. For the return traffic arriving from the server side on the MX Series UNTRUST routing instance, configure a second TLB instance on the UNTRUST routing instance.

  • Configure a unique IP address, such as a loopback address, on each scaled-out SRX Series Firewall connected to the MX Series. TLB uses this address for its health check and to build the selector table in the PFE; the PFE uses the selector table to load balance packets across the available next-hops. The health-check address must be reachable over the BGP connection.

  • Filter-based forwarding that matches on the source IP address is used on the MX Series router to push stateful firewall traffic into the TLB TRUST forwarding instance.

  • The TLB forwarding instance has a default route whose next-hop is the list of SRX Series Firewalls. TLB installs this default route only when its health check passes for at least one SRX Series Firewall.

  • TLB performs source-based hash load balancing across all the available SRX Series Firewall next-hops.

  • Each load-balanced stateful firewall session is anchored on one of the available SRX Series Firewalls, where the stateful firewall flow is created. The traffic is then routed through the MX Series router over the UNTRUST routing instance to reach the server.

  • For the return traffic from the server toward the client on the MX Series UNTRUST routing instance, a second TLB instance on the UNTRUST routing instance load balances the traffic back to the same SRX Series Firewall that created the session.

  • Filter-based forwarding that matches on the destination IP address is used on the MX Series router to push stateful firewall traffic into the TLB UNTRUST forwarding instance.

  • This TLB forwarding instance also has a default route whose next-hop is the list of SRX Series Firewalls. TLB installs this default route only when its health check passes for at least one SRX Series Firewall.

  • TLB performs destination-based hash load balancing across all the available SRX Series Firewall next-hops.

  • Because the forward direction hashes on the source address and the return direction hashes on the destination address, both hash on the client address over the same set of live next-hops, so return traffic lands on the same SRX Series Firewall that created the session. That firewall uses the existing flow and forwards the traffic through the MX Series router over the TRUST routing instance to reach the client.

Figure 1 illustrates the step-by-step traffic flow.

Figure 1: Stateful Firewall Traffic Flow with Single MX Series (TLB) and SRX Series Firewalls

The MX Series is a single router configured with multiple logical interfaces toward the scaled-out SRX Series Firewalls, in both the TRUST VR and the UNTRUST VR direction.

  1. For the forward traffic from client to server, the MX Series router uses filter-based forwarding that matches on the source IP address to push the stateful firewall traffic into the TLB TRUST forwarding instance. The TLB forwarding instance includes a default route whose next-hop is the list of SRX Series Firewalls. TLB installs this default route only when the health check passes for at least one SRX Series Firewall.

  2. TLB performs source-based hash load balancing across all the available SRX Series Firewall next-hops.

  3. Each load-balanced stateful firewall session is anchored on one of the available SRX Series Firewalls, where the stateful firewall flow is created.

  4. The traffic is then routed through the MX Series over the UNTRUST routing instance to reach the server.

  5. For the return traffic from server to client on the MX Series UNTRUST routing instance, a second TLB instance on the UNTRUST routing instance load balances the traffic back to the same SRX Series Firewall. Filter-based forwarding that matches on the destination IP address is used on the MX Series router to push the stateful firewall traffic into the TLB UNTRUST forwarding instance. This TLB forwarding instance also includes a default route whose next-hop is the list of SRX Series Firewalls, installed only when the health check passes for at least one SRX Series Firewall.

  6. TLB performs destination-based hash load balancing across all the available SRX Series Firewall next-hops. Because the client address is the destination of the return packet, each session hashes to the same SRX Series Firewall that created it.

  7. The SRX Series Firewall uses the existing flow to process the return traffic and forwards it to the MX Series.

  8. The MX Series routes the packet back to the client.
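The following Python model is an added example, not Junos code and not part of the original page. It models the property the bullet list and the numbered steps both depend on: the TRUST-side TLB hashes on the client address as the packet's source, the UNTRUST-side TLB hashes on the client address as the packet's destination, and each instance hashes over the member list its own health check produced. Session state exists only on the SRX chosen in the forward direction, so any flow whose return hash lands on a different SRX has no matching session there. The SRX names, client addresses, and the SHA-256-modulo hash are constructed for the model; the page does not state which hash function TLB uses.

```python
"""Constructed model of symmetric forward/return hashing across scaled-out SRX firewalls.

Not Junos code. It shows why both TLB instances must agree on the live member set:
the forward hash (on source = client) and the return hash (on destination = client)
use the same key, so they agree only while the member lists are identical.
"""
import hashlib
from ipaddress import ip_address, IPv4Address
from typing import List, Optional

# Constructed SRX names; in the topology these are the loopbacks that TLB health-checks.
SRX_POOL = ["srx1", "srx2", "srx3", "srx4"]


def hash_select(key: str, members: List[str]) -> Optional[str]:
    """Hash `key` over the live member list (constructed SHA-256 modulo hash).
    None means the health check found no live member, i.e. TLB installs no default route."""
    if not members:
        return None
    digest = hashlib.sha256(key.encode()).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def forward_nexthop(src_ip: str, live_trust: List[str]) -> Optional[str]:
    """TRUST TLB: FBF matched the client source prefix; hash on the source IP."""
    return hash_select(str(ip_address(src_ip)), live_trust)


def return_nexthop(dst_ip: str, live_untrust: List[str]) -> Optional[str]:
    """UNTRUST TLB: FBF matched the client destination prefix; hash on the destination IP.
    On the return packet the client address is the destination, so the hash key is identical."""
    return hash_select(str(ip_address(dst_ip)), live_untrust)


def is_symmetric(client_ip: str, live_trust: List[str], live_untrust: List[str]) -> bool:
    """True when the return packet reaches the SRX that created the session."""
    fwd = forward_nexthop(client_ip, live_trust)
    return fwd is not None and fwd == return_nexthop(client_ip, live_untrust)


def asymmetric_flows(clients: List[str], live_trust: List[str], live_untrust: List[str]) -> List[str]:
    """Clients whose return traffic lands on an SRX holding no session for the flow."""
    return [c for c in clients if not is_symmetric(c, live_trust, live_untrust)]


def first_client_hashing_to(member: str, live: List[str], base: str = "10.0.0.1") -> str:
    """Deterministically find a client address whose forward hash selects `member`."""
    addr = IPv4Address(base)
    while forward_nexthop(str(addr), live) != member:
        addr += 1
    return str(addr)


if __name__ == "__main__":
    clients = ["10.0.0.%d" % i for i in range(1, 65)]  # constructed client addresses
    # Both TLB instances see the same live set: every flow returns to the SRX that owns it.
    print("matched health checks, broken flows:", asymmetric_flows(clients, SRX_POOL, SRX_POOL))
    # The UNTRUST health check dropped srx3 while the TRUST side still uses it: sessions anchored
    # on srx3 return to some other SRX, which has no flow entry for them.
    degraded = [m for m in SRX_POOL if m != "srx3"]
    victim = first_client_hashing_to("srx3", SRX_POOL)
    print("diverged health checks, broken flows:", asymmetric_flows(clients + [victim], SRX_POOL, degraded))
```

Two caveats the model makes visible. First, symmetry holds only while the TRUST and UNTRUST health checks agree on the member list, so a health check that fails in one direction only (for example, a BGP session to one SRX loopback that is down in only one routing instance) silently breaks every session anchored on that SRX. Second, the modulo hash used here remaps some flows of the surviving members whenever the list changes; whether Junos TLB preserves existing sessions on a member change is not stated on this page and should be confirmed in the TLB documentation before relying on it.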