Security platforms running Junos OS handle incoming packets as follows:
- The software applies stateless policing filters and CoS classification to the packet at the ingress.
- If the packet does not drop, the software performs a session lookup to determine whether the packet belongs to an existing session. The Junos OS matches on six elements of traffic information for this determination—source IP address, destination IP address, source port number, destination port number, protocol number, and a session token.
- If the packet does not match an existing session, a new session is created. This process is referred to as the first-packet path.
The software takes the following steps during first-packet-path processing:
- Based on the protocol used and its session layer (TCP or UDP), the software starts a session timer. For TCP sessions, the default timeout is 30 minutes. For UDP sessions, the default timeout is 1 minute. These values are the defaults and can be modified.
- The software applies firewall SCREEN options.
- If destination NAT is used, the software performs address allocation.
- Next, the software performs the route lookup. If a route exists for the destination prefix, the software takes the next step. Otherwise, it drops the packet.
- The software determines the packet’s incoming zone by the interface through which it arrives. The software also determines the packet’s outgoing zone by the forwarding lookup.
- Based on incoming and outgoing zones, the corresponding security policy is determined and a security policy lookup takes place. The software checks the packet against defined policies to determine how to treat the packet.
- If source NAT is used, the software performs address allocation.
- The software sets up the ALG service vector.
- The software creates and installs the session. Furthermore, the software caches the decisions made for the first packet into a flow table, which subsequent packets of that flow use.
- The packet now enters the fast-path processing.
Subsequent packets of a flow are all subject to fast-path processing. The software takes the following steps during fast-path processing:
- The software applies firewall SCREEN options.
- The software performs TCP checks.
- The software applies NAT.
- The software applies an ALG.
- The software applies packet forwarding features, which include the following:
  - Stateless packet filters
  - Traffic shaping by packet
  - Packet encapsulation and transmission
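A toy model of the first-packet and fast-path handling described above, written for this page as an added example (not Juniper code or configuration): sessions are keyed on the six elements listed, the first packet goes through the route and policy lookups and installs a session with the default timeout, and later packets of the flow reuse the cached decision. Assumptions not stated on the page: the session token is an opaque string, the route table is an exact-match dict of destination address to outgoing zone, the policy is a plain callable, and the inactivity timer is refreshed by each matching packet.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

TCP, UDP = 6, 17
# Default session timeouts from the text: 30 minutes for TCP, 1 minute for UDP.
DEFAULT_TIMEOUT = {TCP: 30 * 60, UDP: 60}


@dataclass(frozen=True)
class SessionKey:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    token: str  # session token; modelled here as an opaque string (assumption)


class FlowTable:
    def __init__(self, routes: Dict[str, str],
                 policy: Callable[[SessionKey, str], str]):
        self.routes = routes    # destination ip -> outgoing zone (exact match, a simplification)
        self.policy = policy    # (key, outgoing zone) -> "permit" or "deny"
        self.sessions: Dict[SessionKey, Tuple[str, float]] = {}

    def process(self, key: SessionKey, now: float) -> Tuple[str, str]:
        """Return (path taken, action) for one packet arriving at time `now`."""
        entry = self.sessions.get(key)
        if entry is not None:
            action, expires = entry
            if now < expires:
                # Fast path: reuse the cached decision. Refreshing the
                # inactivity timer on each packet is an assumption.
                self.sessions[key] = (action, now + DEFAULT_TIMEOUT[key.proto])
                return ("fast-path", action)
            del self.sessions[key]  # timer expired: the session no longer exists
        return self._first_packet(key, now)

    def _first_packet(self, key: SessionKey, now: float) -> Tuple[str, str]:
        # Route lookup: no route for the destination means the packet is dropped.
        zone = self.routes.get(key.dst_ip)
        if zone is None:
            return ("first-packet", "drop")
        # Policy lookup based on the outgoing zone; a deny installs no session.
        action = self.policy(key, zone)
        if action != "permit":
            return ("first-packet", "deny")
        # Install the session and cache the decision for later packets of the flow.
        self.sessions[key] = (action, now + DEFAULT_TIMEOUT[key.proto])
        return ("first-packet", action)
```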
```
request high-availability state suspend      !! passive firewall
Upgrade passive to 4.1.7
request high-availability state suspend      !! Current old version active firewall
request high-availability state functional   !! Newly upgraded firewall (Outage until this command completes)
Upgrade old active firewall to 4.1.7
request high-availability state functional   !! Newly upgraded firewall
```
- HA processes can take up to 5 minutes to start up after reboot
```
debug dataplane packet-diag set filter on
debug dataplane packet-diag set filter match source <ip> destination-port <port>
debug dataplane packet-diag set filter pre-parsematch yes                         !! Useful for capturing packets before being dropped due to routing
debug dataplane packet-diag set capture stage drop file <capture-drop.pcap>       !! Capture only dropped packets
debug dataplane packet-diag set capture stage receive file <capture-rx.pcap>      !! Capture packets received by the Palo Alto device
debug dataplane packet-diag set capture stage firewall file <capture-fw.pcap>     !! Capture packets passing through IPS, policies, etc.
debug dataplane packet-diag set capture stage transmit file <capture-tx.pcap>     !! Capture packets being transmitted out from the Palo Alto device
debug dataplane packet-diag set capture on
debug dataplane packet-diag show setting                                          !! View your configured capture
view-pcap follow yes filter-pcap <pcap-name>                                      !! tail -f capture file
debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off
debug dataplane packet-diag clear filter all
debug dataplane packet-diag clear capture all
scp export filter-pcap from <file name> to <username@host:path>                   !! Export capture using SCP
```
- A maximum number of 4 filters can be defined at one time
show system state | match chassis.leds
```
request high-availability state suspend        // Fail master to peer and set to ineligible
request high-availability state functional     // Set device back as eligible
show high-availability state                   // View current HA state
show high-availability link                    // View current HA link state
show high-availability all                     // View high-availability state information
show high-availability control-link            // View the control link statistics
show high-availability state-synchronization   // View the synchronization state to the peer device
```
```
set cli pager off
set cli config-output-format set
```
- The resulting set commands may not be output in order, so they cannot be relied on when applying them to a blank configuration