Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

forwarding-options (Security)

Syntax

Hierarchy Level

Description

Determine how the inet6, iso, and mpls protocol families manage security forwarding options.

Note:
  • Packet-based processing is not supported on the following SRX Series Firewalls: SRX5400, SRX5600, and SRX5800.

  • On SRX Series Firewalls, the default mode for processing traffic is flow mode. You can configure SRX Series Firewalls to operate in packet mode to process MPLS packets.

    To configure the packet mode on SRX Series Firewall, use the following command:

    user@host# set security forwarding-options family mpls mode packet-based

    Selective stateless packet-based services allows you to configure the device to provide only packet-based processing for selected traffic based on input filter terms.

Options

allow-dataplane-sleep

Enable sleep on dataplane.

family

Specify the protocol family to be used for packet forwarding.

  • inet6—Specify forwarding options for IPv6 traffic.

    • drop—Drop IPv6 packets. This is the default setting.

    • flow-based—Perform flow-based packet forwarding.

    • packet-based—Perform simple packet forwarding.

  • iso—Specify forwarding options for IS-IS traffic.

    • packet-based—Perform simple packet forwarding.

  • mpls—Specify forwarding options for MPLS traffic.

    • flow-based—Perform flow-based packet forwarding.

    • packet-based—Perform simple packet forwarding.

mirror-filter

Specify a mirror filter for filtering X2 packets to be mirrored and sent to a packet analyzer.

mode

Specify TAP or Sniffer mode.

  • tap—Specify TAP mode.

    • inspect-pass-through-tunnel—Specify TAP mode to inspect pass through IP-IP or GRE tunnel.

    • interface—Specify TAP mode interface name. You can configure up to eight TAP interfaces.

receive-side-scaling

Receive side scaling (RSS) enables the efficient distribution of network receive processing across multiple CPUs in multiprocessor systems.

  • nic-rss—The NIC distributes packets by applying a filter to each packet that assigns it to one of a small number of logical flows. Packets for each flow are steered to a separate receive queue, which in turn can be processed by separate CPUs. On reception, a NIC can send different packets to different queues to distribute processing among CPUs. NIC must have same number of receiving (RX) and transmitting (TX) queues as number of vSRX data plane CPU to support multi core vSRX flavors.

    • mode—Specify the mode of NIC RSS.

      • disable—Disable the NIC RSS mode.

  • software-rss—Software RSS (SWRSS) removes this limitation of NIC HW queues to run vSRX multi-core flavors by implementing software-based packet spraying across various FLT thread. Software RSS offloads the handling of individual flows to one of the multiple kernel, so the flow thread that takes the packets from the NIC can process more packets. SWRSS implements software model of packet distribution across FLTs after obtaining the packets from NIC receiving queues. By removing NIC HW queue limitation, SWRSS helps to scale vCPUs by supporting various vSRX instance types.

    • io-thread-number—Specify the software RSS IO thread number.

      • Range: 1 through 8

    • mode—Specify the mode of Software RSS.

      • automatic—Auto select the Software RSS mode. This is the default mode.

      • disable—Disable the Software RSS mode.

      • enable—Enable the Software RSS mode.

resource-manager

Display forward option status, the CPU, and memory allocated for the advance services to verify the vCPU allocation between routing engine and flow RT threads.

  • cpu—Specify CPU resources.

    • Default: 1

    • Range: 1 through 3

  • enhanced-logging—Specify a dedicated CPU resource for on-box logging.

secure-wire

Specify a name for the secure wire interface mapping.

security-service

Security service actions when memory resource is in shortage. The system resource management guarantees the resources are used according to priorities.

  • fail-open—Ignores Layer 7 services with resource requirements, creates a flow session without Layer 7 services, and forward the packet out.

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5.

secure-wire option introduced in Junos OS Release 19.3R1.

resource-manager option introduced in Junos OS Release 19.4R1 for vSRX Virtual Firewall.

mode option introduced in Junos OS Release 20.1R1.

enhanced-logging option introduced in Junos OS Release 23.1R1 to assign a dedicated CPU resource for on-box logging.