Security platforms running Junos OS handle incoming packets as follows:

  1. The software applies stateless policing filters and CoS classification to the packet at the ingress.
  2. If the packet is not dropped, the software performs a session lookup to determine whether the packet belongs to an existing session. Junos OS matches on six elements of traffic information for this determination: source IP address, destination IP address, source port number, destination port number, protocol number, and a session token.
  3. If the packet does not match an existing session, the software creates a new one; this process is referred to as the first-packet path. Packets that do match an existing session skip it and take the fast path.

The software takes the following steps during first-packet-path processing:

  1. Based on the protocol used and its session layer (TCP or UDP), the software starts a session timer. For TCP sessions, the default timeout is 30 minutes. For UDP sessions, the default timeout is 1 minute. These values are the defaults and can be modified.
  2. The software applies firewall SCREEN options.
  3. If destination NAT is used, the software performs address allocation.
  4. Next, the software performs the route lookup. If a route exists for the destination prefix, the software takes the next step. Otherwise, it drops the packet.
  5. The software determines the packet’s incoming zone by the interface through which it arrives. The software also determines the packet’s outgoing zone by the forwarding lookup.
  6. Based on incoming and outgoing zones, the corresponding security policy is determined and a security policy lookup takes place. The software checks the packet against defined policies to determine how to treat the packet.
  7. If source NAT is used, the software performs address allocation.
  8. The software sets up the ALG service vector.
  9. The software creates and installs the session. Furthermore, the software caches the decisions made for the first packet into a flow table, which subsequent packets of that flow use.
  10. The packet now enters the fast-path processing.

Subsequent packets of a flow are all subject to fast-path processing. The software takes the following steps during fast-path processing:

  1. The software applies firewall SCREEN options.
  2. The software performs TCP checks.
  3. The software applies NAT.
  4. The software applies an ALG.
  5. The software applies packet forwarding features, which include the following:
    • Stateless packet filters
    • Traffic shaping by packet
    • Packet encapsulation and transmission
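To make the session-lookup, first-packet-path and fast-path split concrete, here is an added Python model of the pipeline described above (not Juniper code). It keys sessions on the same six elements, installs both wings of a permitted session, ages sessions with the documented 30-minute TCP and 1-minute UDP defaults, and shows the consequence that matters operationally: because the fast path reuses the cached decision, a policy change does not affect an established session until that session times out. The zone, route and policy tables, the interface names and the "default-vr" session token are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

TCP, UDP = 6, 17
# Documented defaults: 30 minutes for TCP, 1 minute for UDP (in seconds).
DEFAULT_TIMEOUT = {TCP: 30 * 60, UDP: 60}

# Constructed tables for illustration: interface->zone, routes, ordered policies.
IF_ZONE = {"ge-0/0/0": "trust", "ge-0/0/1": "untrust"}
ROUTES = [("10.0.0.0/8", "ge-0/0/0"), ("0.0.0.0/0", "ge-0/0/1")]
POLICIES = [  # (from_zone, to_zone, dst_port or None for any, action); first match wins
    ("trust", "untrust", 443, "permit"),
    ("trust", "untrust", None, "deny"),
    ("untrust", "trust", None, "deny"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    ingress_if: str


@dataclass
class Session:
    action: str
    expires_at: float


class FlowEngine:
    def __init__(self, routes=ROUTES, policies=POLICIES, if_zone=IF_ZONE, token="default-vr"):
        self.routes, self.policies, self.if_zone = routes, policies, if_zone
        self.token = token    # stand-in for the Junos session token (routing instance)
        self.sessions = {}    # 6-tuple -> Session; both wings point at the same object

    def _route(self, dst):
        """Longest-prefix match; None means no route."""
        best = None
        for prefix, iface in self.routes:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def _policy(self, from_zone, to_zone, dport):
        for fz, tz, port, action in self.policies:
            if fz == from_zone and tz == to_zone and port in (None, dport):
                return action
        return "deny"  # implicit default deny

    def process(self, pkt, now):
        """Return (action, path) for one packet arriving at time `now` (seconds)."""
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto, self.token)
        sess = self.sessions.get(key)
        if sess is not None:
            if sess.expires_at > now:
                # Fast path: no route, zone or policy lookup; just refresh the timer.
                sess.expires_at = now + DEFAULT_TIMEOUT[pkt.proto]
                return sess.action, "fast-path"
            self.sessions.pop(key, None)  # session aged out; fall through
        return self._first_packet(pkt, key, now), "first-packet-path"

    def _first_packet(self, pkt, key, now):
        egress_if = self._route(pkt.dst)
        if egress_if is None:
            return "drop"  # no route: dropped before any policy is consulted
        action = self._policy(self.if_zone[pkt.ingress_if], self.if_zone[egress_if], pkt.dport)
        if action == "permit":
            sess = Session(action, now + DEFAULT_TIMEOUT[pkt.proto])
            reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto, self.token)
            self.sessions[key] = self.sessions[reverse] = sess  # install both wings
        return action


def policy_change_demo():
    """A cached permit outlives a later deny rule until the session times out."""
    eng = FlowEngine(policies=list(POLICIES))
    pkt = Packet("10.1.1.5", "203.0.113.10", 40000, 443, TCP, "ge-0/0/0")
    first = eng.process(pkt, now=0)
    eng.policies.insert(0, ("trust", "untrust", 443, "deny"))  # operator now denies 443
    cached = eng.process(pkt, now=5)                             # still permitted via fast path
    expired = eng.process(pkt, now=5 + DEFAULT_TIMEOUT[TCP] + 1)  # timer lapsed: re-evaluated
    return first, cached, expired


if __name__ == "__main__":
    print(policy_change_demo())
```

On a real SRX, `clear security flow session` (with the appropriate filters) is how you force re-evaluation of existing sessions after a policy change rather than waiting for the timer to expire.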

[ # ]

request high-availability state suspend       !! On the passive firewall
Upgrade the passive firewall to 4.1.7

request high-availability state suspend       !! On the active firewall, still on the old version (outage begins)
request high-availability state functional    !! On the newly upgraded firewall (outage until this command completes)
Upgrade the old active firewall to 4.1.7

request high-availability state functional    !! On the second upgraded firewall, so it becomes eligible again

Notes:

  • HA processes can take up to 5 minutes to start up after reboot

[ # ]

test url <url>

[ # ]

show system setting ssl-decrypt exclude-cache        !! View cache of urls to NOT decrypt
set ssl decrypt ssl-exclude <url>
delete ssl decrypt ssl-exclude <url>


[ # ]

debug dataplane packet-diag set filter on
debug dataplane packet-diag set filter match source <ip> destination-port <port>
debug dataplane packet-diag set filter pre-parse-match yes                               !! Match before parsing, useful for capturing packets dropped early (e.g. no route)
debug dataplane packet-diag set capture stage drop file <capture-drop.pcap>                !! Capture only dropped packets
debug dataplane packet-diag set capture stage receive file <capture-rx.pcap>            !! Capture packets received by the Palo Alto device
debug dataplane packet-diag set capture stage firewall file <capture-fw.pcap>            !! Capture packets passing through IPS, policies, etc.
debug dataplane packet-diag set capture stage transmit file <capture-tx.pcap>            !! Capture packets being transmitted out from the Palo Alto device
debug dataplane packet-diag set capture on
debug dataplane packet-diag show setting                                                !! View your configured capture
view-pcap follow yes filter-pcap <pcap-name>                                            !! tail -f capture file

debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off
debug dataplane packet-diag clear filter all
debug dataplane packet-diag clear capture all

scp export filter-pcap from <file name> to <username@host:path>                            !! Export capture using SCP

Notes:

  • A maximum of 4 filters can be defined at one time

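After exporting a drop-stage capture with `scp export filter-pcap`, a quick triage is to count which flows the firewall dropped. The following is an added example (not Palo Alto Networks code): a dependency-free reader for classic pcap files that tallies dropped packets by source, destination, protocol and destination port, and skips non-IPv4 frames. It assumes the capture is classic pcap with the Ethernet link type (a pcapng file would need a different reader); `build_sample_pcap` constructs a small capture inline so the code runs offline.

```python
import struct
import sys
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
ETH_IPV4 = 0x0800


def iter_packets(data):
    """Yield (timestamp, frame_bytes) from a classic pcap file of either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    _magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack(end + "IHHiIII", data[:24])
    if linktype != 1:  # assumption: Ethernet frames, as this reader only decodes Ethernet
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_ipv4(frame):
    """Return (src, dst, proto, sport, dport) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport = dport = None
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:   # TCP and UDP both start with src/dst port
        sport, dport = struct.unpack("!HH", l4[:4])
    return src, dst, proto, sport, dport


def summarize_drops(pcap_bytes):
    """Count packets per (src, dst, proto, dport); returns (Counter, skipped_non_ipv4)."""
    counts, skipped = Counter(), 0
    for _ts, frame in iter_packets(pcap_bytes):
        info = decode_ipv4(frame)
        if info is None:
            skipped += 1
            continue
        src, dst, proto, _sport, dport = info
        counts[(src, dst, proto, dport)] += 1
    return counts, skipped


def _ipv4_frame(src, dst, proto, sport, dport):
    """Minimal Ethernet/IPv4/TCP-or-UDP frame for the constructed sample (no valid checksums)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4


def build_sample_pcap():
    """Constructed capture: two TCP/443 and one UDP/53 drops plus one ARP frame."""
    frames = [
        _ipv4_frame("192.0.2.10", "10.0.0.5", 6, 51000, 443),
        _ipv4_frame("192.0.2.10", "10.0.0.5", 6, 51001, 443),
        _ipv4_frame("192.0.2.11", "10.0.0.5", 17, 40000, 53),
        b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,  # ARP, not IPv4
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    # Pass the exported capture-drop.pcap as argv[1]; otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    counts, skipped = summarize_drops(data)
    for (src, dst, proto, dport), n in counts.most_common():
        print("%5d  %s -> %s proto=%d dport=%s" % (n, src, dst, proto, dport))
    print("skipped non-IPv4 frames:", skipped)
```

Run it against the exported file (`python3 drops.py capture-drop.pcap`); the top rows are the flows worth checking against `test security-policy-match` and the routing table.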

[ # ]

test nat-policy-match source <source> destination <dest> protocol 6 destination-port <tcp port>
test security-policy-match source <source> destination <dest> protocol 6 destination-port <tcp port>


[ # ]

show system state | match chassis.leds

[ # ]

show system info

[ # ]

request high-availability state suspend                 // Fail over to the peer and mark this device ineligible (suspended)
request high-availability state functional              // Return the device to the functional (eligible) state
show high-availability state                            // View current HA state
show high-availability link                             // View current HA link state
show high-availability all                              // View all high-availability state information
show high-availability control-link                     // View the control link statistics
show high-availability state-synchronization            // View the synchronization state with the peer device

[ # ]

set cli pager off
set cli config-output-format set

Notes:

  • The set-format output is not guaranteed to be in dependency order, so it cannot be pasted as-is into a blank configuration

[ # ]