Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


flow-detection-mode (DDoS Global Flow Detection)


Hierarchy Level


(MX Series routers with only MPCs, T4000 Core Routers with only FPC5s, or EX9200 switches) Configure the mode of operation for flow detection globally for almost all protocol groups and packet types. The operation mode is effective only when flow detection is enabled.


You cannot enable flow detection globally for the following groups and packet type because they do not have typical Ethernet, IP, or IPv6 headers:

  • Protocol groups: fab-probe, frame-relay, inline-ka, isis, jfm, mlp, pfe-alive, pos, and services.

  • Packet type: unclassified in the ip-options protocol group.

To override the global configuration for a protocol group or packet type, use the flow-detection-mode statement at the [edit system ddos-protection protocols protocol-group packet-type] hierarchy level.


The default global mode is automatic.



Detect flows only when the policer is being violated.


Disable flow detection.


Always monitor and detect flows, even when the policer is not being violated.

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 17.1.