flow (Security Flow)

Syntax

Hierarchy Level

Description

Determine how the device manages packet flow. The device can regulate packet flow in the following ways:

Options

advanced-options

Flow configuration advanced options.

  • Values:

    • drop-matching-link-local-address—Drop matching link local address.

    • drop-matching-reserved-ip-address—Drop matching reserved source IP address.

    • reverse-route-packet-mode-vr—Allow reverse route lookup with packet mode vr.

allow-dns-reply

Allow unmatched incoming DNS reply packet.

allow-embedded-icmp

Allow embedded ICMP packets not matching a session to pass through.

allow-reverse-ecmp

Allow reverse ECMP route lookup.

enable-reroute-uniform-link-check

Enable reroute check with uniform link.

  • Values:

    • nat—Enable NAT check.

enhanced-routing-mode

Enable enhanced route scaling.

force-ip-reassembly

Force reassembly of IP fragments.

gre-performance-acceleration

Accelerate the GRE traffic performance.

ipsec-performance-acceleration

Accelerate the IPSec traffic performance.

mcast-buffer-enhance

Allow more packets to be held during multicast session creation.

multicast-nh-resolve-retry

Use this option to configure the number of attempts to resolve a multicast route next hop. When a multicast route next-hop resolve is unsuccessful, the SRX Series Firewall retries the resolution up to the specified retry count.

  • Default: 0

  • Range: 0 through 20

no-local-favor-ecmp

Does not prefer local node in HA ECMP route lookup.

pending-sess-queue-length

Maximum queued length per pending session.

  • Values:

    • high—Maximum number of queued sessions.

    • moderate—Allow more queued sessions than normal.

    • normal—Normal number of sessions queued.

power-mode-ipsec

Enable power mode IPsec processing.

preserve-incoming-fragment-size

Preserve incoming fragment size for egress MTU.

route-change-timeout

Timeout value for route change to nonexistent route (seconds).

  • Default: 6

  • Range: 6 through 1800

strict-packet-order

Use this option to maintain multicast traffic order and resolve packet drop issues.

syn-flood-protection-mode

TCP SYN flood protection mode.

  • Values:

    • syn-cookie—Enable SYN cookie protection.

    • syn-proxy—Enable SYN proxy protection.

sync-icmp-session

Allow ICMP sessions to sync to the peer node.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement modified in Junos OS Release 9.5. The power-mode-ipsec option was added in Junos OS Release 18.3R1 for vSRX Virtual Firewall instances, in Junos OS Release 18.4R1 for SRX4100 and SRX4200 devices, and in Junos OS Release 18.2R2 for SRX5400, SRX5600, and SRX5800 devices. The multicast-nh-resolve-retry and strict-packet-order options were added in Junos OS Release 20.2R2 for SRX345 and SRX1500 devices. The gre-performance-acceleration option was added in Junos OS Release 21.1R1.
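
The following is an added example, not part of the original Juniper documentation: a small audit script that checks flow statements against the value lists and ranges given in the Options section above, and flags the two options described as passing packets that match no session. It assumes the configuration is exported in set format under a `set security flow` prefix (this page's Hierarchy Level section is blank); the function name, messages, and sample lines are constructed for illustration.

```python
PREFIX = "set security flow "  # assumed hierarchy and set-format export

# Allowed keyword values, copied from the Values lists on this page.
ENUMS = {
    "syn-flood-protection-mode": {"syn-cookie", "syn-proxy"},
    "pending-sess-queue-length": {"high", "moderate", "normal"},
}
# Numeric ranges, copied from the Range entries on this page.
RANGES = {
    "multicast-nh-resolve-retry": (0, 20),
    "route-change-timeout": (6, 1800),
}
# Options the page describes as passing packets that match no session.
UNMATCHED_PASS = {"allow-dns-reply", "allow-embedded-icmp"}

def audit_flow(config_text):
    """Return (line_number, option, message) for each line needing attention."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue  # not a flow statement
        tokens = line[len(PREFIX):].split()
        opt, args = tokens[0], tokens[1:]
        if opt in UNMATCHED_PASS:
            findings.append((lineno, opt, "passes unmatched packets; confirm it is required"))
        elif opt in ENUMS and (len(args) != 1 or args[0] not in ENUMS[opt]):
            findings.append((lineno, opt, "value not in " + ", ".join(sorted(ENUMS[opt]))))
        elif opt in RANGES:
            lo, hi = RANGES[opt]
            if len(args) != 1 or not args[0].isdecimal() or not lo <= int(args[0]) <= hi:
                findings.append((lineno, opt, f"value outside {lo} through {hi}"))
    return findings

# Constructed sample input, not taken from a real device.
SAMPLE = """\
set security flow syn-flood-protection-mode syn-cookie
set security flow allow-dns-reply
set security flow route-change-timeout 3
set security flow multicast-nh-resolve-retry 20
set security flow pending-sess-queue-length huge
set security flow allow-embedded-icmp
set security zones security-zone trust
"""

if __name__ == "__main__":
    for finding in audit_flow(SAMPLE):
        print(finding)
```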