Hi, I was going through some SRX concepts and I read about the STATELESS PACKET-MODE feature in SRX. In simple words, it says that packets matched by this feature are routed and are not screened against security policies / restrictions.

Reference: http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/security-selective-stateless-packet-based-service-packet-based-to-flow-based-configuring.html

Before I verify anything, here is how my topology looks:

[Figure SRX_SELETIVE_PACKET_MODE: lab topology, SRX connected to MX]

The question would be: if I configure ge-0/0/0.0 to be in zone untrust and also allow it for packet-based forwarding, bypassing the security, which one will take preference?

The diagram below attempts to explain this situation.

[Figure jsec_0801: SRX packet flow]

Now let us quickly see, without any firewall filters, whether we receive any communication from the SRX to the MX.

[Figure mx-ping: ping output on the MX]

Sure enough, it wouldn't respond. Now let us configure a firewall filter for selective packet-based forwarding in order to bypass the security for the traffic of our interest. If we look at the firewall's configuration, the interface is still configured in a security zone, but now there is also a firewall filter defined and associated with the interface.

[Figure srx-fw: SRX firewall filter configuration]

Now if we attempt to ping the SRX's directly connected interface from address 9.9.12.1 it pings, while if I source it from my loopback it does not. This is how you can bypass the security. Looking back at the SRX packet flow and its conditions: firewall filters at ingress are processed first, and only then is the packet passed on to the security modules.

[Figure mx-ping-verification: ping from the MX with and without loopback source]
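For readers who want to reproduce the filter, here is an added Junos configuration example written for this post; it is not the author's own configuration from the screenshot. It assumes the SRX address on ge-0/0/0.0 is 9.9.12.2/30 (a placeholder, since the post does not give it) and that the MX sources the permitted pings from 9.9.12.1, the address used above.

```junos
## Added example, not the author's configuration. Assumed addresses:
## SRX ge-0/0/0.0 = 9.9.12.2 (placeholder), MX = 9.9.12.1 (from the post).

## Term 1: only the one flow we deliberately exempt is switched to packet mode,
## so it skips session setup, security policy and screen checks. Keep the match
## as narrow as possible; counting it gives you a way to audit the bypass.
set firewall family inet filter bypass-flow term exempt-mx from source-address 9.9.12.1/32
set firewall family inet filter bypass-flow term exempt-mx from destination-address 9.9.12.2/32
set firewall family inet filter bypass-flow term exempt-mx from protocol icmp
set firewall family inet filter bypass-flow term exempt-mx then count bypass-flow-pkts
set firewall family inet filter bypass-flow term exempt-mx then packet-mode
set firewall family inet filter bypass-flow term exempt-mx then accept

## Term 2: everything else is accepted by the filter but, having no packet-mode
## action, still goes through flow-based processing and the untrust-zone
## policies. Pings sourced from the MX loopback land here and are dropped by
## the policy, exactly as observed above. Without this term the filter's
## implicit discard would drop all other traffic on the interface.
set firewall family inet filter bypass-flow term flow-everything-else then accept

## The interface keeps its zone membership; the filter is applied on ingress,
## which is why it is evaluated before the security modules see the packet.
set security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet filter input bypass-flow
```

To check which path a packet took, look at `show firewall filter bypass-flow`: the bypass-flow-pkts counter increments for the exempted ping, while `show security flow session` shows no session for it, because packet-mode traffic never creates one. Traffic that matches the second term does create sessions and is subject to the zone policies as usual.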

Thanks

Rakesh Madupu
