Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Enable and Configure Express Path in CSDS Solution

Read this topic to learn how to enable and configure Express Path in the CSDS solution.

To enable the Express Path feature in your Connected Security Distributed Services (CSDS) architecture, ensure you meet the following prerequisites:

  • Understand the CSDS deployment scenarios and topologies for your security services.

  • Refer to the topology illustration and configuration at Example: Single MX Series (CSDS Traffic Orchestrator) and Scaled-Out SRX Series Firewall (MNHA) for Stateful Firewall to configure CSDS solution for stateful firewall services. Use the same topology for Express Path configuration.

  • For vSRX Virtual Firewalls in the services layer:

    • Configure the firewall interfaces according to your CSDS topology. See Table 8 for interface details on the firewalls.

  • For MX Series router in the forwarding layer, the router must meet the following criteria:

    • Ensure your CSDS topology doesn't contain dual routers. Express Path doesn't work when you have dual routers.

    • The router supports inline service interface known as si- interface.

    • The router has two connections toward the firewall: one for forward flow and one for reverse flow.

    • You must configure both the inet and inet6 families for inside, outside, and control logical interfaces (IFLs) for Express Path, even if the traffic is based on IPv4 address family. Note that the same flow table contains flow entries for both the IPv4 and IPv6 session flows.

    • Configure the router interfaces as per your CSDS topology. See Table 7 for interface details on the router. Plan for si- interfaces configuration for Express Path. Refer to the following table for si- interface details:

      Table 1: The si- Interface Details on Router
      Interface Description Details

      Inside service interface for the forward flow

      si-0/0/0.1

      Outside service interface for the forward flow

      si-0/0/0.2

      Control service interface for the forward flow

      si-0/0/0.3

      Inside service interface for the reverse flow

      si-0/1/0.1

      Outside service interface for the reverse flow

      si-0/1/0.2

      Control service interface for the reverse flow

      si-0/1/0.3

    • Plan for additional firewall filters configuration for Express Path. Refer to the following table for additional firewall filters:

      Table 2: Additional Firewall Filters on the Router for Express Path
      Filter Description Details

      (Forward direction) Firewall filters to match IPv4 and IPv6 traffic and send the traffic to the session offload routing instance, OFFLOAD_INPUT_VR.

      MX_LB_TRUST and IPv6_MX_LB_TRUST

      (Reverse direction) Firewall filters to match IPv4 and IPv6 traffic and send the traffic to the session offload routing instance, OFFLOAD_OUTPUT_VR.

      MX_LB_UNTRUST and IPv6_MX_LB_UNTRUST

      (Forward direction) Firewall filters to match the post-session offloaded IPv4 and IPv6 traffic and send the traffic to the respective services based on the CSDS-TO load-balancing.

      MX_EXTRA_TRUST and IPv6_EXTRA_TRUST

      (Forward direction) Firewall filters to match the post-session offloaded IPv4 and IPv6 traffic and send the traffic to the respective services based on the CSDS-TO load-balancing.

      MX_EXTRA_UNTRUST and IPv6_EXTRA_UNTRUST

    • Plan for additional routing instances configuration for Express Path. The additional routing instance ensures that the traffic undergoes a lookup for session offloading. The router then processes services based on the CSDS-TO load-balancing to support multiple services such as stateful firewall (SFW) and Network Address Translation (NAT) together. Refer to the following table for additional routing instances:

      Table 3: Additional Routing Instances on the Router for Express Path
      Routing Instance Description Details

      (Forward direction) Routing instance for traffic processing through the si- interface.

      OFFLOAD_INPUT_VR

      (Reverse direction) Routing instance for traffic processing through the si- interface.

      OFFLOAD_INPUT_VR

      (Forward direction) Additional routing instance for traffic processing after the session offloading.

      EXTRA_TRUST

      (Reverse direction) Additional routing instance for traffic processing after the session offloading.

      EXTRA_UNTRUST
Use the following steps to configure Express Path for CSDS.

Configuration on MX1

For configuration on MX1, see steps 1, 2, 3, 4 and 5.

  1. On the router, enable Express Path at the chassis level by configuring one of the following two statements.

    Configures the feature on FPC 0 with the default flow table size.

    Configure the feature on FPC 0 with custom session flow table size set to 2 units. Each unit supports 256 K sessions. Therefore, two units support a total of 2x256x1024=524288 flow entries. See service-offload (CSDS) for more details.

    Restart the FPC from operational mode to apply the changes.

  2. On the router, configure Express Path as an inline service set feature.

    1. Define the service interfaces, si- interfaces.

      Configure each si- interface for inside and outside service domains. You must configure both inet and inet6 interfaces for Express Path in the CSDS solution.

    2. Configure the inline service set for the Express Path forward flow from the client to the server.

      Define a service set, service-offload-fwd, for the forward flow and associate the service set with a service offloading rule, offload_rule_fwd. Incoming packets from the client that match the service set use the inside service interface, si-0/0/0.1, for session lookup. Packets exit the outside service interface, si-0/0/0.2, for the same service set to reach the server. The control service interface, si-0/0/0.3, handles management and control traffic such as adding or deleting a forward flow based on the firewall's guidance.

    3. Configure the inline service set for the Express Path reverse flow from the server to the client.

      Define a service set, service-offload-rev, for the reverse flow and associate the service set with a service offloading rule, offload_rule_rev. Packets from the server that match the service set use the inside service interface, si-0/1/0.1, for session lookup. Packets exit the outside service interface, si-0/1/0.2, for the same service set to reach the client. The control service interface, si-0/1/0.3, handles management and control traffic such as adding or deleting a reverse flow based on the firewall's guidance.

  3. On the router, configure service offloading rule for Express Path.

    Apply the service offloading rule, offload_rule_fwd, on the trust side for the service offload VRF, EXTRA_TRUST, and the partial IP reassembly support. Apply the service offloading rule, offload_rule_rev, on the untrust side for the service offload VRF, EXTRA_UNTRUST, and enable partial IP reassembly support.

  4. On the router, associate the control interface to your CSDS-TO configuration.

    1. Associate the control interface with the trust CSDS-TO instance.

      The control interface, si-0/0/0.3, is the service offload interface in the srx_trust_group within the csds_sfw_trust load balancing instance. Service IDs 1 and 2 are the different services within the csds_sfw_trust load balancing instance for MNHA_SRX1 and MNHA_SRX2 in your services plane. You'll see similar configuration for IPv6 instances on the trust side. See Traffic Load Balancer to learn more.

    2. Associate the control interface with the untrust CSDS-TO instance.

      The control interface, si-0/1/0.3, is the service offload interface in the srx_untrust_group within the csds_sfw_untrust load balancing instance. Service IDs 11 and 12 are the different services within the csds_sfw_untrust load balancing instance for UNTRUST_vSRX1 and UNTRUST_vSRX2 in your services plane. You'll see similar configuration for IPv6 instances on the untrust side.

  5. On the router, configure firewall filters and routing instances to offload traffic.

    1. Configure firewall filter and routing instance on client-facing service interface.

      Configure the firewall filters and routing instances for the traffic passing through the si- interface for the forward direction.

    2. Configure firewall filter and routing instance on server-facing service interface.

      Configure the firewall filters and routing instances for the traffic passing through the si- interface for the reverse direction.

    3. Configure a routing instance for post-session offloaded traffic.

      Define a routing instance, EXTRA_TRUST, on the forward flow and associate an input filter MX_EXTRA_TRUST to proceed for session offloading. Create a similar configuration for inet and inet6 traffic for the reverse flow.

    4. Configure the firewall filter for post-session offloaded traffic.

      Define input filters, MX_EXTRA_TRUST and IPv6_EXTRA_TRUST, to match the post-session offloaded traffic in the forward flow. Route the traffic to the respective service CSDS-TO based load-balancing routing instance, srx_mnha_group_trust_fi. If you don't use Express Path for your CSDS solution, you must define CSDS-TO routing instance in the firewall filter, MX_LB_TRUST, on trust side for forward data traffic. See Example: Single MX Series (CSDS Traffic Orchestrator) and Scaled-Out SRX Series Firewall (MNHA) for Stateful Firewall for more details. Create a similar configuration for inet and inet6 traffic for the reverse flow.

Configuration on SRX1-A and SRX1-B

On the firewall, configure offload-specific configuration for CSDS Express Path. See steps 1 and 2.

  1. Configure virtual offload on SRX1-A. Use the same configuration on SRX1-B.

    The firewall enables session-offloading to the router when you configure the virtual-offload option at the [security forwarding-options services-offload] hierarchy. Use virtual-offload option to enable the firewall to offload sessions to the router in CSDS solution. Define the source-identity-profile option to include the local IP address and the service ID for the trust and untrust sides for control traffic processing. Configure the interfaces ae1.0 and ae1.1 to connect to the router's trust side for client traffic and untrust side for server traffic.

  2. Configure virtual offload on SRX2-A. Use the same configuration on SRX2-B.

    When you assign the profiles to the relevant interfaces, the firewall allows the control packets to be processed with predefined tuples. As the traffic flows in both directions between the client and server, create one profile for each of the two logical interfaces with both IPv4 and IPv6 support. The process ensures precise routing and communication between the devices in CSDS topology. See CSDS Components for Express Path for more information.

Express Path is set up in CSDS topology.

Verification

Use the following commands for verification on the router:

  • show services traffic-load-balance statistics

Use the following commands for verification on the firewall:

  • show security flow service-offload virtual-offload statistics all

  • show security flow service-offload virtual-offload statistics interface-name

See show security flow service-offload virtual-offload statistics (CSDS) and clear security flow service-offload virtual-offload statistics (CSDS) for more details about these commands.

Related Documentation