Branch series Juniper SRX can operate at two different modes; packet mode and flow mode. In flow mode, SRX process all traffic by analyzing the state or session of traffic. In packet mode, SRX can process traffic as traditional router without analyzing the session of the traffic. By default, JunOS in SRX devices work at Flow mode. But if you want to operate it as a typical router then you can disable the security features like IPSec, NAT, UTM, etc. There are two ways to configure SRX mode to packet mode from flow mode in branch series SRX devices. First method shown in this post strictly converts to packet mode using set security forwarding-options command, whereas Second method allows the use of both packet and flow mode at the same time using firewall filters.
Configure SRX Mode to Packet Mode from Flow Mode
First Method
To view the existing flow mode type, show security flow status command in operational mode as shown below. As you can see it is now flow based forwarding mode, Inet forwarding mode: flow based.
We can change to packet mode by typing, set security forwarding-options family mpls mode packet-based command in configuration mode as shown below. Don’t forget to delete the security settings.
[edit]root@SRX240# delete security [Deletes all the security configuration.] [edit] root@SRX240# set security forwarding-options family mpls mode packet-based [edit] root@SRX240# commit [edit] root@SRX240# run request system reboot
After commit, you will get a warning saying, you must reboot the device for the change to take effect. After the reboot, issue show security flow status command.
As you can see above, the Inet forwarding mode is packet based. In this way you can configure SRX mode to packet mode from flow mode.
Second Method
Packet mode can also be enabled using firewall filter. Using this technique, you can use both packet mode and flow mode based on various match criteria.
[edit]root@SRX240# set firewall filter PACKET-MODE term 1 from source-address X.X.X.X/32
[edit]
root@SRX240# set firewall filter PACKET-MODE term 1 then packet-mode
[edit]
root@SRX240# set firewall filter PACKET-MODE term 2 then accept
Now apply the filter PACKET-MODE in required interface in inbound or outbound direction. So traffic coming from particular source address of X.X.X.X/32 will only be processed as packet mode by SRX, rest will be processed as flow mode.
Configure SRX Mode to Packet Mode from Flow Mode is a post from: MustBeGeek