flow (Security Flow)
Syntax
flow {
    advanced-options {
        drop-matching-link-local-address;
        drop-matching-reserved-ip-address;
        reverse-route-packet-mode-vr;
    }
    aging {
        early-ageout seconds;
        high-watermark percent;
        low-watermark percent;
    }
    allow-dns-reply;
    allow-embedded-icmp;
    enable-reroute-uniform-link-check {
        nat;
    }
    enhanced-routing-mode;
    ethernet-switching {
        block-non-ip-all;
        bpdu-vlan-flooding;
        bypass-non-ip-unicast;
        no-packet-flooding {
            no-trace-route;
        }
    }
    force-ip-reassembly;
    gre-performance-acceleration;
    ipsec-performance-acceleration;
    load-distribution {
        session-affinity {
            ipsec;
        }
    }
    mcast-buffer-enhance;
    multicast-nh-resolve-retry multicast-nh-resolve-retry-value;
    no-local-favor-ecmp;
    packet-log {
        enable;
        packet-filter name {
            conn-tag conn-tag;
            destination-port (afs | bgp | biff | bootpc | bootps | cmd | cvspserver | dhcp | domain | eklogin | ekshell | exec | finger | ftp | ftp-data | http | https | ident | imap | kerberos-sec | klogin | kpasswd | krb-prop | krbupdate | kshell | ldap | ldp | login | mobileip-agent | mobilip-mn | msdp | netbios-dgm | netbios-ns | netbios-ssn | nfsd | nntp | ntalk | ntp | pop3 | pptp | printer | radacct | radius | range | rip | rkinit | smtp | snmp | snmptrap | snpp | socks | ssh | sunrpc | syslog | tacacs | tacacs-ds | talk | telnet | tftp | timed | who | xdmcp | zephyr-clt | zephyr-hm | zephyr-srv);
            destination-prefix destination-prefix;
            interface interface;
            logical-system logical-system;
            protocol (ah | egp | esp | gre | icmp | icmp6 | igmp | ipip | number | ospf | pim | rsvp | sctp | tcp | udp);
            source-port (afs | bgp | biff | bootpc | bootps | cmd | cvspserver | dhcp | domain | eklogin | ekshell | exec | finger | ftp | ftp-data | http | https | ident | imap | kerberos-sec | klogin | kpasswd | krb-prop | krbupdate | kshell | ldap | ldp | login | mobileip-agent | mobilip-mn | msdp | netbios-dgm | netbios-ns | netbios-ssn | nfsd | nntp | ntalk | ntp | pop3 | pptp | printer | radacct | radius | range | rip | rkinit | smtp | snmp | snmptrap | snpp | socks | ssh | sunrpc | syslog | tacacs | tacacs-ds | talk | telnet | tftp | timed | who | xdmcp | zephyr-clt | zephyr-hm | zephyr-srv);
            source-prefix source-prefix;
        }
        throttle-interval milliseconds;
    }
    pending-sess-queue-length (high | moderate | normal);
    power-mode-ipsec;
    preserve-incoming-fragment-size;
    route-change-timeout seconds;
    strict-packet-order;
    syn-flood-protection-mode (syn-cookie | syn-proxy);
    sync-icmp-session;
    tcp-mss {
        all-tcp {
            mss mss;
        }
        gre-in {
            mss mss;
        }
        gre-out {
            mss mss;
        }
        ipsec-vpn {
            mss mss;
        }
    }
    tcp-session {
        fin-invalidate-session;
        maximum-window (128K | 1M | 256K | 512K | 64K);
        no-sequence-check;
        no-syn-check;
        no-syn-check-in-tunnel;
        rst-invalidate-session;
        rst-sequence-check;
        strict-syn-check;
        tcp-initial-timeout seconds;
        time-wait-state {
            (session-ageout | session-timeout seconds);
            apply-to-half-close-state;
        }
    }
    traceoptions {
        file <filename> <files files> <match match> <size size> <(world-readable | no-world-readable)>;
        flag name;
        no-remote-trace;
        packet-filter name {
            conn-tag conn-tag;
            destination-port (afs | bgp | biff | bootpc | bootps | cmd | cvspserver | dhcp | domain | eklogin | ekshell | exec | finger | ftp | ftp-data | http | https | ident | imap | kerberos-sec | klogin | kpasswd | krb-prop | krbupdate | kshell | ldap | ldp | login | mobileip-agent | mobilip-mn | msdp | netbios-dgm | netbios-ns | netbios-ssn | nfsd | nntp | ntalk | ntp | pop3 | pptp | printer | radacct | radius | range | rip | rkinit | smtp | snmp | snmptrap | snpp | socks | ssh | sunrpc | syslog | tacacs | tacacs-ds | talk | telnet | tftp | timed | who | xdmcp | zephyr-clt | zephyr-hm | zephyr-srv);
            destination-prefix destination-prefix;
            interface interface;
            logical-system logical-system;
            protocol (ah | egp | esp | gre | icmp | icmp6 | igmp | ipip | number | ospf | pim | rsvp | sctp | tcp | udp);
            source-port (afs | bgp | biff | bootpc | bootps | cmd | cvspserver | dhcp | domain | eklogin | ekshell | exec | finger | ftp | ftp-data | http | https | ident | imap | kerberos-sec | klogin | kpasswd | krb-prop | krbupdate | kshell | ldap | ldp | login | mobileip-agent | mobilip-mn | msdp | netbios-dgm | netbios-ns | netbios-ssn | nfsd | nntp | ntalk | ntp | pop3 | pptp | printer | radacct | radius | range | rip | rkinit | smtp | snmp | snmptrap | snpp | socks | ssh | sunrpc | syslog | tacacs | tacacs-ds | talk | telnet | tftp | timed | who | xdmcp | zephyr-clt | zephyr-hm | zephyr-srv);
            source-prefix source-prefix;
        }
        rate-limit rate-limit;
        trace-level {
            (brief | detail | error);
        }
    }
}
Hierarchy Level
[edit security]
Description
Enabling tracing can adversely impact scale and performance and may increase security risk. We strongly recommend using the trace, tracing, or traceoptions commands only under the guidance of a JTAC support engineer. After collecting the debug information, immediately disable tracing to minimize risk and restore normal system performance.
Determine how the device manages packet flow. The options listed below control how the device regulates packet flow.
Options
| Option | Description |
| --- | --- |
| advanced-options | Flow configuration advanced options. |
| allow-dns-reply | Allow an unmatched incoming DNS reply packet. |
| allow-embedded-icmp | Allow embedded ICMP packets that do not match a session to pass through. |
| allow-reverse-ecmp | Allow reverse ECMP route lookup. |
| enable-reroute-uniform-link-check | Enable the reroute check with uniform links. |
| enhanced-routing-mode | Enable enhanced route scaling. |
| force-ip-reassembly | Force reassembly of IP fragments. |
| gre-performance-acceleration | Accelerate GRE traffic performance. |
| ipsec-performance-acceleration | Accelerate IPsec traffic performance. |
| mcast-buffer-enhance | Allow the device to hold more packets during multicast session creation. |
| multicast-nh-resolve-retry | Configure the number of multicast route next-hop resolve attempts. When a multicast route next-hop resolve is unsuccessful, the SRX Series Firewall retries the next-hop route resolution up to the specified retry count. |
| no-local-favor-ecmp | Do not prefer the local node in HA ECMP route lookup. |
| pending-sess-queue-length | Maximum queue length per pending session. |
| power-mode-ipsec | Enable power mode IPsec processing. |
| preserve-incoming-fragment-size | Preserve the incoming fragment size for the egress MTU. |
| route-change-timeout | Timeout value (in seconds) for a route change to a nonexistent route. |
| strict-packet-order | Maintain multicast traffic order and resolve packet drop issues. |
| syn-flood-protection-mode | TCP SYN flood protection mode. |
| sync-icmp-session | Allow ICMP sessions to sync to the peer node. |
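A worked security flow stanza assembled from the options listed above, as an added example rather than configuration taken from the Junos documentation. The prefixes, file and filter names, numeric values and the basic-datapath trace flag are illustrative choices; the comments note which listed options tighten session handling and which ones relax it, and tracing stays deactivated as the description above advises.

```junos
/* Added example, not from the Junos documentation; values are illustrative. */
/* Applied under [edit security]. */
flow {
    advanced-options {
        /* Drop packets matching link-local or reserved address space. */
        drop-matching-link-local-address;
        drop-matching-reserved-ip-address;
    }
    aging {
        /* Start aging idle sessions early at 90% table use, stop at 80%. */
        early-ageout 10;
        high-watermark 90;
        low-watermark 80;
    }
    /* Answer SYN floods with cookies instead of holding half-open state. */
    syn-flood-protection-mode syn-cookie;
    tcp-session {
        /* Only a plain SYN may open a session; RST must be in sequence. */
        strict-syn-check;
        rst-sequence-check;
        /* Tear the session down as soon as FIN or RST is seen. */
        fin-invalidate-session;
        rst-invalidate-session;
        /* Seconds a half-open session may wait for the handshake to finish. */
        tcp-initial-timeout 20;
    }
    /* Left out on purpose: no-syn-check, no-sequence-check, allow-dns-reply */
    /* and allow-embedded-icmp each pass packets without a matching session */
    /* or handshake state, so enable them only for a documented reason. */
    /* Kept deactivated; activate only for the duration of a JTAC case. */
    inactive: traceoptions {
        file flow-debug size 10m files 3 no-world-readable;
        flag basic-datapath;
        /* Narrow the capture to one host and one service to limit load. */
        packet-filter pf-host {
            source-prefix 192.0.2.10/32;
            destination-prefix 198.51.100.0/24;
            protocol tcp;
            destination-port https;
        }
        rate-limit 100;
    }
}
```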
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement modified in Junos OS Release 9.5. The power-mode-ipsec option was added in Junos OS Release 18.3R1 for vSRX Virtual Firewall instances, in Junos OS Release 18.4R1 for SRX4100 and SRX4200 devices, and in Junos OS Release 18.2R2 for SRX5400, SRX5600, and SRX5800 devices. The multicast-nh-resolve-retry and strict-packet-order options were added in Junos OS Release 20.2R2 for SRX345 and SRX1500 devices. The gre-performance-acceleration option was added in Junos OS Release 21.1R1.